The PCI Security Standards Council (PCI SSC) recently announced the nomination period for the next PCI SSC Board of Advisors. The Board of Advisors represents PCI SSC Participating Organizations worldwide to ensure global industry involvement in the development of PCI Security Standards. As strategic partners, they bring industry, geographical and technical insight to PCI Council plans and projects. In this post, we talk with 2018-2020 PCI SSC Board of Advisors Member Stacy Hughes, Chief Information Security Officer at Global Payments, about the role of the PCI SSC Board of Advisors in shaping payment security globally.
What do you see as the greatest challenge to payment security in 2020?
Stacy Hughes: COVID-19 dramatically changed the payments ecosystem. While the shift to digital banking was already taking place before the pandemic, the health crisis catalyzed “innovation acceleration” in the market. The trial and adoption of new, safe commerce technologies exploded as in-person engagement was discouraged or even prohibited. The accelerated shift to digital and contactless payments caused businesses and their workforces to completely rethink how they operate in a secure and compliant manner.
How does the PCI SSC Board of Advisors impact payment security?
Stacy Hughes: The Board of Advisors plays an important role in payment security, discussing current threats and challenges in the industry. Through discussions with industry participants, the PCI SSC can align their priorities and initiatives to provide more effective payment security guidance. For example, at the outset of the pandemic, the PCI SSC was in contact with each one of the Board of Advisors members seeking input and determining how they could be of assistance. The feedback given to the PCI SSC resulted in various instructional and consultative blog posts and the publication of essential industry guidance. The entire payments industry benefited, and the advice was invaluable to each of our organizations.
Why did you run for the PCI SSC Board of Advisors?
Stacy Hughes: Global Payments ran for the PCI SSC Board of Advisors to be a voice for merchants, issuers and consumer processing servicing industries, ranging from large multinational corporations to small and mid-market merchants. We enable 100 countries with cross-border payments and support more than 140 different payment methods; therefore, security is embedded in all aspects of everything we do. Representing Global Payments, in addition to all of our customers, while collaborating with nearly 30 other various organizations on payment security risk in the ever-evolving payments landscape, is invaluable.
How has serving on the PCI SSC board benefited your company and your customers?
Stacy Hughes: It has enabled us to work collaboratively across the payments ecosystem with merchants, issuers, and financial institutions to help solve complex challenges in the industry and influence upcoming standards, programs, and educational opportunities from the council. Additionally, this enables us with the opportunity to provide a voice to our customers whose feedback may not have been heard in the context of their broader needs in their industry/vertical. Lastly, receiving Board insight into the evolving threat landscape allows us to adapt our control posture more effectively.
What accomplishments of the 2018-2020 Board of Advisors are you most proud of?
Stacy Hughes: There are so many on the standards front; however, here are a few highlights:
Global Executive Assessor Roundtable (GEAR): Based on feedback from the Board of Advisors, we created the assessors roundtable. This initiative has provided valuable input in hearing the challenges of security and compliance from both sides of an issue and working together on how to resolve them. Where there was once a dividing line, together we can better mitigate payment cyber risk.
Women and minorities are still a relatively small percentage of professionals in the payments security industry: One of our key objectives as a board advisor was to continue to promote diversity and inclusion in the world of cybersecurity. We are continuing to see increased numbers of women get involved in cybersecurity. It is exciting to see the diverse backgrounds of the women who are getting involved, making an impact, and simultaneously encouraging others to engage and get involved. We hope to continue this positive trend in the industry.
More agility driven by the pandemic: The PCI SSC has taken a proactive approach in working closely with the Board members to obtain feedback in order to rapidly address challenges. Some of the feedback has resulted in publishing blogs to create awareness about the increase in phishing and social engineering attacks, guidance on working remotely, management of service providers undergoing remote assessments, to inspecting and physically cleaning point of sale devices. All of these initiatives have helped enable the industry to pivot in this newly changed COVID world.
Small Merchant Business Taskforce: At the suggestion of the Board, the taskforce was formed by the Council a few years ago to help understand the questions and challenges in payment security for small merchants. The taskforce has worked together to provide guidance in a graphical format on best practices for safely accepting payments to our small merchants and ultimately achieving PCI DSS compliance. The taskforce continues to work to identify ways to assist small merchants with PCI DSS, such as aligning FAQs with the new PCI DSS v4.0.
Changes in the Request for Comment (RFC) process: Introducing transparency in the comments submitted into the RFC process, in addition to enhancing the comment portal. These enhancements have made the review and comment process for standards and documentation easier and more accessible, and thus, more effective.