The payment sector faces unique cyber security pressure due to the highly sensitive and valuable data it holds and processes daily.

The sector is forced to develop its cyber security practices faster than most industries. Many experts point to its model of strict controls and cooperation between rival organizations as a benchmark for others to follow.

A fundamental part of this process is the PCI Security Standards Council (PCI SSC), a global forum that brings together stakeholders of the payment industry to drive the adoption of data security best practices.

A cornerstone of this mission is the development of the Payment Card Industry Data Security Standard (PCI DSS), which sets cyber security guidelines and requirements for companies that handle payment card information.

The first iteration of the PCI DSS was released in December 2004. Since then it has been updated several times to take into account changing attack techniques and new technologies.

A new version of the standard, 4.0, was published in March 2022, containing a number of changes from the current version 3.2.1.

These included expanding the requirement to implement Multi-Factor Authentication (MFA) to all access to the cardholder data environment and, for the first time, explicit considerations for API security.

Version 4.0 is enforced from March 31, 2024.

PCI SSC announces new executive director

In January 2024, the PCI SSC announced the appointment of Gina Gobeyn as its new executive director, the first woman to hold the role.

Gobeyn has spent almost two decades in the sector, with 18 years at financial services company Discover, where she most recently served as Chief Risk Management Officer, Payment Services.

Now at the council, one of Gobeyn's immediate priorities will be to oversee compliance with the new PCI DSS version.

After the appointment, Gobeyn spoke to Infosecurity Magazine about her new position and about navigating cyber security changes and challenges in the payment industry.

Infosecurity Magazine: What are the unique cyber security challenges that the payment industry is confronted with?

Gina Gobeyn: Emerging technologies and innovation such as artificial intelligence (AI), biometrics and cryptocurrencies are reshaping our industry, together with the increase in the popularity of mobile payments and contactless transactions.

Threats such as malware, ransomware and phishing attempts continue to increase the risk of breaches of security.

Since the payment industry is changing at a lightning pace, it is more important than ever that the security standards and supporting programs change as well. As an industry, it is important that all sectors of the payment industry come together to take on these challenges.

IM: Which cyber security best practices in the payment industry can other sectors learn from?

GG: Collaboration is the core of the PCI SSC mission to secure payment data and that will remain the focus as we go into the future. By working together, we learn about threat trends and we can adjust our standards while we create new ones to stay one step ahead of the criminals.

Our model shows the kind of success that can happen when a worldwide community comes together to take on major challenges. The PCI SSC was originally made at the request of the trading community and over the years we have evolved and our standards have grown in collaboration with the global payment community.

It is an incredible record of success. Due to the PCI SSC, payments are safer today. Cooperation has remained a priority for PCI SSC because the payment industry itself has undergone transformative changes.

IM: What are your most important priorities in your new role at PCI SSC?

GG: I am excited and deeply honored to lead the PCI SSC. I have had a chair in the front row at Discover for almost 18 years to see the incredible value that the PCI SSC has brought to the payment industry around the world. The PCI security standards are recognized all over the world as the gold standard for securing payments and I intend to maintain that reputation.

In addition, the Council recently established a new participation model that makes extensive input from the global payment industry possible and brings more experts in the field of stakeholders to the table for payments. This collaboration is crucial for our success. There are more ways for payments to get in touch with us today than ever before and it is important that we continue to grow that participating organizational program.

Moreover, we will continue to concentrate on improving and developing our standards in a relevant and meaningful way for our community. We are about to retire our PCI DSS version 3.2.1 on March 31, 2024 and to fully convert it to V4.0.

This has been big news for our industry. We are also focused on our mobile and software security standards, because they remain considerable when tackling the trends in how people make payments today.

IM: What does the future hold for PCI SSC?

GG: We will have more to share in the coming months about how our 15 PCI SSC standards will evolve in the coming years. But the conversion of PCI DSS v3.2.1 to v4.0 will be an important event for our industry this year. We are working to ensure that the industry understands the latest changes and is prepared to meet the coming deadlines for PCI DSS v4.0.

Our mobile payment standard, Mobile Payments on COTS (MPoC), will also continue to create news, because it is a standard with a lot of interest around the world.

Finally, our software security standards are an important priority because so many payments today depend on software that must be safely developed and maintained to protect payments.

IM: What are your biggest worries within cyber security today?

GG: Our greatest concern is the always present criminal element that continues to work to create new ways to attack payments. The number of cyber criminals is growing while the number of cyber professionals continues to struggle to keep up.

Everyone involved in payments must ensure that they remain vigilant and make cyber security a top priority. We simply cannot abandon our vigilance. We must remain agile and adapt to changes in payments and in payment technology.

IM: What are the greatest successes that you think the cyber security industry is experiencing today?

GG: For payments, we work closely with our stakeholders to solve difficult challenges. We are proud of the record involvement of our community in the development of PCI DSS v4.0 and the high level of interest in our standards and programs.

The PCI SSC has been successful in taking a lot of risk off the table and we continue to train the market on the best ways to protect payment data. Those efforts are underway and will continue to evolve, but we are extremely satisfied with the progress that we have made as an industry, and the increase in cooperation that is so essential for these efforts.

IM: If you could give advice to fellow cyber security leaders, what would that be?

GG: Get involved in a collaboration with the industry. Working together is so important. So much of the success that we have had at the PCI SSC over the years is because we have the right people in the room to work together on heavy challenges.

For everyone in the payment industry we would invite them to participate in our participating organizational program and to be part of our wonderful global community. My message to them would be that we need you more than ever. Be part of the solution for payment security.
