Press Release

Global Cybersecurity Leaders Collaborate on Security Standards and Solutions for the Future of Payment Security

Annual meeting emphasizes payments industry participation and cybersecurity knowledge as critical to securing payment acceptance in new and emerging payment channels and increasing payment security globally

VANCOUVER, 19 September 2019 — The new PCI Software Security Framework, soon-to-be-released PCI Standard for contactless payments on commercial off-the-shelf (COTS) mobile devices, and development of PCI Data Security Standard Version 4.0 (PCI DSS v4.0) led the agenda at the PCI Security Standards Council’s annual North America Community Meeting. More than 1,200 PCI SSC stakeholders participated in this week’s event, which provides a forum for industry collaboration, information-sharing, and knowledge-building to help drive understanding and adoption of PCI Security Standards globally.

Executive Director Lance J. Johnson kicked off the agenda with a keynote address reaffirming the importance of the Council’s mission and the critical role that PCI SSC stakeholders play in achieving it.

“The Council’s mission to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders is the same today as it was when the organization was founded. What has changed is the scope of PCI SSC activities needed to support an increasingly complex and global payments ecosystem,” said Johnson.

Introducing the Strategic Framework that guides the Council’s efforts to ensure they are aligned with its mission and support the needs of the global payments industry, he added, “The Strategic Framework reaffirms the Council’s mission and extends it to include four strategic pillars: increase industry participation and knowledge, evolve security standards and validation, secure emerging payment channels and increase standards alignment and consistency. In a rapidly changing environment, stakeholders can be certain that these pillars will be constants in the Council’s efforts to provide standards and resources for securing payment data.” Johnson talks more about the Strategic Framework in a post on the PCI Perspectives blog: Executive Director Q&A: PCI SSC Strategic Framework.

Chief Technology Officer Troy Leach continued the discussion in his presentation, illustrating the Strategic Framework in action with examples such as next year’s revision to the PCI Data Security Standard (DSS) and recent changes in community engagement. “The updated Request for Comment process exemplifies how critical global industry participation is when developing the next generation of security standards to evolve alongside a quickly changing world of payments.”

Key initiatives discussed at the meeting included:

  • PCI Software Security Framework – Programs Open for SSF Assessors in October
    Modern software development requires objective-focused security to support more nimble development and update cycles than traditional software development practices. Introduced earlier this year, the PCI Software Security Framework (SSF) recognizes this evolution with an approach that supports both traditional and modern payment software. It provides a new methodology for validating software security and a separate secure software lifecycle qualification for vendors with robust security development practices. PCI SSC qualifies companies and individuals within those companies to perform SSF assessments. SSF Assessor Company qualification is open to any company that meets the qualification requirements. The Council will begin accepting applications in October. For more information, read PCI Perspectives Blog: Software Security Framework Information.
  • Contactless Payments on COTS – Publication of New Standard by Year-End
    As part of its efforts to support secure payment acceptance in new and emerging payment channels, the Council is developing new security requirements for solutions that enable contactless, or “tap and go”, transactions on merchant COTS devices. The Contactless Payments on COTS (CPoC) Standard is planned for publication by the end of 2019, with the program to follow in 2020. For more information, read PCI Perspectives Blog: Contactless Payments on COTS Information.
  • PCI Data Security Standard Version 4.0 – Request for Comments Opens in October
    With version 4.0 of the PCI DSS, the Council is evolving the standard to support a range of evolving payment environments, technologies, and methodologies for achieving security. As part of the development process, PCI SSC stakeholders are invited to review and provide feedback on a first draft of the standard during a Request for Comments (RFC) scheduled to open in October. For more information, read PCI Perspectives Blog: 5 Questions About PCI DSS v4.0.
  • P2PE Standard and Program – Publishing December 2019
    The next evolution of the PCI Point-to-Point Encryption (P2PE) Standard and Program will simplify the requirements and add flexibility to support effective implementation by stakeholders. P2PE v3.0 and its supporting Program are due for release in December 2019. For more information, read PCI Perspectives Blog: 3 Things to Know about P2PE v3.0.
  • Upcoming Request for Comments
    Newly revised in 2019 to increase industry participation, the Council’s Request for Comments (RFC) periods are avenues for PCI SSC stakeholders to provide feedback on existing and new PCI Security Standards. Upcoming RFC periods for Participating Organizations include PCI DSS 4.0 occurring in October and PTS POI v6.0 in December. For more information, visit the RFC page: Request for Comments.

Additional highlights from the North American Community Meeting in Vancouver are available on the PCI Perspectives Blog.


About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.