In his keynote address to the 2018 North America Community Meeting, Lance Johnson shares his vision for the PCI Security Standards Council. We discuss key points from his presentation below.
Although you just started as the Executive Director of the PCI SSC this year, you’ve actually been involved with the Council since its inception. Can you share a little bit about your background?
Lance Johnson: While this is my first North America Community Meeting as Executive Director, it’s not where my history with the Council begins. In fact, this is a homecoming. I was with the Council on day 1, for the first 5 years on the Executive Committee helping to guide and foster its growth and evolution. Looking back at where we started, compared to where we are today, is truly astonishing.
Since then, I have been in the industry in several roles - helping organizations understand security and payments and building operations that were secure. I most recently headed an operation that had to comply with these various standards.
So why did I come back to the Council? Simply - I have unfinished business. This community has achieved tremendous success in improving how payment security works, but our job is not done. I look to what we can and should aspire to achieve, and I want to help us, this community, move forward to safe payments.
What is your vision for the PCI SSC?
Lance Johnson: Simply put - a payment ecosystem with no worries. Challenges for the security of payments have gotten bigger and broader. To achieve payments with no worries we need to achieve three things. First, the payment is secure. A merchant and processor won’t have to worry about a breach or its consequences. Making sure payments are secure is important for the health and viability of the future of payments. Second, payment security needs to become frictionless. We need to remove the burden that comes with securing data, so a merchant and customer can focus on the transaction, not the payment. Finally, we need to set a realistic timeline. My vision is to achieve this in ten years. I believe that by working collaboratively - something that has made the Council a success thus far - we can achieve this goal.
Global collaboration is a major priority for the Council. Can you talk a little bit about why collaboration is so important to payment security?
Lance Johnson: The single biggest success of the Council is not all the documents, standards and programs we’ve created; it’s the PCI community we’ve built, including Participating Organizations, assessors, taskforces and beyond. We are all focused on the same core issues of secure payments, and through the PCI SSC we’ve enabled collaboration among diverse organizations across the globe.
We want to hear from this community about the challenges facing the industry. My #1 priority in this role as Executive Director is to listen, learn and understand your issues so that we, as an organization, can address them. We can’t secure the future of payments unless we are acting as a community, learning from each other. We invite you to be active and engaged in the Council. One significant way you can provide your insight to the Council is to join our Board of Advisors. You can learn more about our BOA and nominate yourself today by visiting our Board of Advisors page.
As payment technologies and threats evolve, how can the Council shift to enable protection of payment data?
Lance Johnson: Back when I started, the #1 type of fraud in the world was lost and stolen fraud. The biggest fundamental change has been the introduction of the internet and open networks. Criminals went from one-on-one crime to stealing aggregated data. The structure to protect this data simply didn’t exist at the time – the data was fractured and uncoordinated. This was the genesis of the PCI Security Standards Council and the PCI Data Security Standard.
As payments continued to evolve, so did the Council. New form factors were introduced, e-commerce grew, mobile payments came on the scene. Each new technology introduces new ways for criminals to steal data, and as such, our standards and programs evolve to protect that data. The end game is clear - to make payment data useless in the hands of criminals, to devalue it. We are on the path to do that, and EMV Chip technology, point-to-point encryption and tokenization technologies help us get there. But ultimately, it’s the collaboration in the payments industry that is key to achieving that goal.