A little more than a year into his role as Executive Director, Lance Johnson provides an update on where the PCI Security Standards Council (PCI SSC) started and where it’s headed, including a strategic look at top priorities and what stakeholders can expect in 2019, and a message for Participating Organizations.
You’ve now been in your role as PCI SSC Executive Director for over a year. What are some of your key takeaways from this past year?
Lance Johnson: First is how much the organization has grown. In just 12 years we’ve gone from a single standard and two programs, a handful of assessors and a few dozen Participating Organizations (PO) to 14 standards, nearly two dozen programs, 800 POs and thousands of assessors. And it’s not just the numbers that have increased, but also the scope of work and engagement. The PCI Council and its folio of standards, supporting programs and resources has grown and evolved to meet the needs of the changing payments landscape and the challenges posed by new technologies, channels and ever-expanding threats.
But the biggest takeaway is that the work is never done. As innovation and evolution change payments now and in the future, the PCI Council will have to be equally flexible and evolve. As successful as it’s been (and it has!), we will always be challenged to jettison that which is past its useful life and update and expand for where the industry is going.
Has the PCI SSC mission changed since the organization was formed?
Lance Johnson: The core mission to provide the standards and tools to protect payment data and prevent compromise is the same, but the scope has changed to address new channels and technologies. This includes a move beyond exclusively talking about payment “card” data. While cards are still the foundation, they are only part of the ecosystem. Payments now occur independently of physical cards. The data is similar but no longer requires the use of a physical card. This simple expansion has enabled everything from e-commerce to m-commerce and more. So, the mission is the same, but the scope and ecosystem have changed.
How is this mission and new scope shaping PCI SSC’s strategic priorities for 2019 and beyond?
Lance Johnson: Our strategic priorities are always rooted in our mission. We know that this is an evolving, changing, dynamic environment – to address it properly, we must evolve with it to achieve our mission.
I like to think about this in terms of building blocks. Every time we see a new opportunity/need, or a gap, we build a block to fill that gap: a new process or a new standard. At the same time, as cracks appear on existing blocks and need to be repaired, we issue updates and revisions to continue to evolve our standards.
We are building the blocks that fill the gaps and maintaining the blocks so that their cracks don’t become a problem. Our focus is to ensure that our existing standards and programs remain relevant and effective and to provide security requirements, practices and tools for new areas. If you look at our recent efforts, they’ve been focused on new technologies or operating models. That’s why there is so much emphasis on mobile commerce and software security.
What does this mean for the PCI Data Security Standard (PCI DSS) moving forward?
Lance Johnson: The 12 core requirements of the PCI DSS continue to provide the critical foundation for protecting payment data and preventing compromise. We’ll continue to maintain the PCI DSS to address any “cracks” and evolve it to meet the needs of the changing payments landscape, based on industry feedback. Development of PCI DSS v4.0 is a top priority for us in 2019 and 2020.
At the same time, we will continue our efforts around standards that not only protect payment data, but also help remove valuable payment data from the system in the first place. These currently include PCI 3DS Security, Token Service Provider (TSP) and Point-to-Point Encryption (P2PE) Standards.
What can stakeholders expect to see from the PCI Council in 2019?
Lance Johnson: More of the same: new and updated standards and tools to support practitioners, users, deployers and assessors of legacy payment methods and new payments. This includes revisions to the P2PE and PIN Transaction Security Point of Interaction (PTS POI) Standards; new standards for software security and contactless payments on COTS; and new assessor programs to support the Card Production and Provisioning, PIN Security and Software Security Standards.
With these updates, you can expect a greater emphasis on addressing processes. Software-based PIN Entry on COTS (SPoC) and the new Software Security Framework are great examples. Both look beyond the device or instance and encompass areas beyond what we would have traditionally looked at – creating more flexibility for vendors and deployers, with the goal of maintaining and improving overall security.
We will also continue to foster industry involvement and greater participation globally, with focused efforts in the growing markets of Brazil, India and Japan, and an improved request for comments (RFC) process designed to make it easier for PCI SSC stakeholders to be involved in the development of PCI Security Standards.
What’s one thing you’d like to tell PCI SSC Participating Organizations?
Lance Johnson: Be involved. Be active. Help us. We can only address the needs and issues we know about. You are the eyes and ears we need to better understand and develop security standards and programs that address those needs. We need you to use your voices.