PCI council eyes wider data protection role beyond payments

The Payment Card Industry Security Standards Council (PCI SSC), the body responsible for payment card security standards, is looking to extend its data security standard to protect a wider range of data beyond credit card numbers.

In an interview with Computer Weekly, Yew Kuann Cheng, regional vice-president for the PCI SSC, said the organisation is considering feedback from its stakeholders who have called for the Payment Card Industry Data Security Standard (PCI DSS) to be applied to other kinds of data.

“A lot of them have described PCI DSS as the gold standard,” Cheng said, “but they’ve asked why couldn’t PCI do more to raise awareness of the standard and its application in the non-payments data space? We’ve taken that feedback seriously. It is a longer-term engagement we’re having with our stakeholders.”

PCI DSS is a global security standard designed to protect cardholder data and secure all credit and debit card transactions. Its primary goals are to prevent data breaches and reduce payment card fraud. It was established in 2006 by five major credit card payment companies: Visa, Mastercard, American Express, Discover and JCB.

While not a law, PCI DSS is a requirement for organisations that process, store or transmit cardholder information. The payment brand companies establish, manage and monitor compliance and validation requirements to ensure organisations maintain a secure payment environment for their customers.

The call for PCI DSS to be applied to non-payments data stems from the standard’s success in driving data security. While data breaches have reached an all-time high, Cheng noted that major incidents involving payment data are rare. “Data breaches from large merchants that were happening almost every week decades ago have significantly decreased,” he said.

Meanwhile, the PCI SSC continues to refine its standards through feedback from across the payments industry, including credit card payment giants like Visa and Mastercard, major financial institutions such as JP Morgan Chase, and the security assessors who audit them.

Cheng cited a recent adjustment in PCI DSS version 4.0 as an example, where an initial requirement to patch vulnerabilities rated “critical” and “high” within 30 days was calibrated to focus only on critical ones after businesses highlighted the operational burden.

“We had to calibrate this, because at the end of the day, security is all about balance,” said Cheng, adding that the move allows organisations to prioritise patching of vulnerabilities based on their risk appetite and operating constraints.

The PCI SSC has also adapted to the fast-moving technology landscape, releasing standards such as the mobile payments on commercial off-the-shelf devices (MPoC) standard to ensure mobile devices used for payment acceptance are adequately protected and monitored.

Cheng noted that the MPoC standard is particularly beneficial in scenarios like queue-busting in retail, where staff can use mobile phones as point-of-sale devices. Major tech giants including Apple and Google have shown interest in the standard, with Apple recently upgrading to a higher-level PCI membership.

On the artificial intelligence (AI) front, the PCI SSC supports the use of AI for automated vulnerability management and has released a set of guidelines on using AI responsibly, covering areas such as data handling protocols and client communications.

Cheng noted that global companies such as Salesforce, a PCI SSC principal member, are already using AI to automate compliance processes across different markets. “Through their Agentforce platform, they can keep track of all the changes in regulations and even propose what changes they need to make in their internal policies to comply,” Cheng explained.

This saves significant time and resources, but Cheng said the council’s guidance on AI still places ultimate responsibility on humans. “There needs to be adequate oversight over the capabilities of the AI platform, and people need to be accountable if something falls through the cracks,” he added, noting that Salesforce requires its director of security compliance to sign off on policy changes proposed by AI agents.

Cheng said as a standard-setting organisation, PCI SSC does not provide implementation guides because every company’s IT infrastructure and application landscape is different. Instead, it relies on security assessors who work directly with each organisation to assess environments against the PCI standards that may apply to their unique environment.