The payments sector faces unique cybersecurity pressures because of the highly sensitive and valuable data it holds and processes every day.
The sector has been forced to evolve its cybersecurity practices faster than most industries. Many experts highlight its model of tight controls and collaboration between rival organizations as a benchmark for others to follow.
A fundamental part of this process is the PCI Security Standards Council (PCI SSC), a global forum that brings together payments industry stakeholders to drive adoption of data security best practices.
A cornerstone of this mission has been the development of the Payment Card Industry Data Security Standard (PCI DSS), which sets cybersecurity guidelines and requirements for businesses handling payment card information.
The first iteration of the PCI DSS was released in December 2004. Since then it has been updated on multiple occasions to account for changing attack techniques and new technologies.
A new version of the standard, 4.0, was published in March 2022, containing a number of changes compared with the then-current version 3.2.1.
This included expanding the requirement to implement multi-factor authentication (MFA) for all access into the cardholder data environment, and for the first time explicitly encompassing considerations for API security.
Version 3.2.1 will be retired on March 31, 2024, after which version 4.0 will be the only active version of the standard.
PCI SSC Announces New Executive Director
In January 2024, the PCI SSC announced the appointment of Gina Gobeyn as its new executive director, the first woman to hold the role.
Gobeyn has spent almost two decades in the sector, including 18 years at financial services company Discover, where she most recently served as Chief Risk Management Officer, Payment Services.
Now with the Council, one of Gobeyn’s immediate priorities will be overseeing and assisting compliance with the new PCI DSS version.
Following the appointment, Gobeyn spoke to Infosecurity Magazine about her new position, and navigating cybersecurity changes and challenges in the payments industry.
Infosecurity Magazine: What are the unique cybersecurity challenges faced by the payments industry?
Gina Gobeyn: Emerging technologies and innovation such as artificial intelligence (AI), biometrics, and cryptocurrencies are reshaping our industry, along with the rise in popularity of mobile payments and contactless transactions.
Threats such as malware, ransomware, and phishing attempts continue to increase the risk of security breaches.
As the payments industry changes at a lightning pace, it is more important than ever that payment security standards and supporting programs keep up with that change. As an industry, it is important that all sectors of the payment industry come together to address these challenges.
IM: What cybersecurity best practices in the payments industry can other sectors learn from?
GG: Collaboration is at the heart of the PCI SSC’s mission to secure payment data and that will continue to be the focus as we move into the future. By working together, we learn about threat trends and can adapt our standards while creating new ones to stay a step ahead of the criminals.
Our model shows the type of success that can happen when a global community comes together to tackle big challenges. The PCI SSC was originally created at the request of the merchant community and through the years we have evolved and grown our standards in collaboration with the global payment community.
It is an incredible record of success. Because of the PCI SSC, payments are safer today. Collaboration has remained a priority for PCI SSC as the payments industry itself has undergone transformative changes.
IM: What are your main priorities in your new role at PCI SSC?
GG: I am excited and deeply honored to be leading the PCI SSC. I have had a front-row seat for nearly 18 years at Discover in seeing the incredible value the PCI SSC has brought to the payments industry throughout the world. Around the globe, the PCI Security Standards are recognized as the gold standard for securing payments, and I intend to maintain that reputation.
Additionally, the Council recently instituted a new participation model that allows for expanded input from the global payments industry and brings more payment stakeholder experts to the table. This collaboration is crucial for our success. There are more ways for payment stakeholders to engage with us today than ever before and it is important that we continue to grow that Participating Organization program.
Furthermore, we will continue to focus on enhancing and developing our standards in a relevant and meaningful way for our community. We are about to retire our PCI DSS version 3.2.1 on 31 March 2024 and convert completely to v4.0.
This has been big news for our industry. We are also focused on our mobile and software security standards as these remain significant in addressing the trends in how people are making payments today.
IM: What does the future of PCI SSC standards look like?
GG: We will have more to share in the coming months on how our 15 PCI SSC standards will evolve over the next few years. But the conversion from PCI DSS v3.2.1 to v4.0 will be a major event for our industry this year. We work to make sure the industry understands the latest changes and is prepared to meet the upcoming deadlines for PCI DSS v4.0.
Our mobile payment standard, Mobile Payments on COTS (MPoC) will also continue to create news as it is a standard with significant interest around the world.
Finally, our software security standards are an important priority because so many payments today rely on software that needs to be developed and maintained securely to protect payments.
IM: What are your biggest concerns within cybersecurity today?
GG: Our biggest concern is the ever-present criminal element that continues to work to create new ways to attack payments. The number of cyber-criminals is growing while the number of cyber professionals continues to struggle to keep up.
Anyone who is involved with payments needs to make sure they are remaining vigilant and to make cybersecurity a top priority. We simply cannot let our guard down. We must remain agile and adapt to changes in payments and in payment technology.
IM: What are the biggest successes that you think the cybersecurity industry is experiencing today?
GG: For payments, we are working closely with our stakeholders and solving difficult challenges. We are proud of the record involvement from our community in the development of PCI DSS v4.0 and the high level of interest in our standards and programs.
The PCI SSC has been successful in taking a lot of risk off the table and we continue to educate the marketplace on the best ways to protect payment data. Those efforts are ongoing and will continue to evolve, but we are enormously gratified with the progress we have made as an industry, and the increase in collaboration that is so vital to these efforts.
IM: If you could give one piece of advice to fellow cybersecurity leaders, what would it be?
GG: Get involved in a collaborative way with the industry. Working together is so important. So much of the success we have had at the PCI SSC over the years is because we got the right people in the room to collaborate on tough challenges.
For anyone in the payments industry, we would invite them to join our Participating Organization program and become part of our wonderful global community. My message to them would be that we need you more than ever. Be part of the payment security solution.