Coffee with the Council Podcast: A Mid-Year Update from the Council Featuring Lance Johnson

Welcome to our podcast series, Coffee with The Council. I’m Alicia Malone, senior manager of public relations for the PCI Security Standards Council. Today, we’ll be giving a mid-year update on Council activities and what you need to know for the second half of 2022. My guest for this episode is Lance Johnson, executive director of PCI SSC. Welcome, Lance.

Lance Johnson: Hi, Alicia.

Alicia Malone: So, last time we spoke, you gave our listeners a great preview of what we can expect from the PCI Security Standards Council in 2022. And, now that we are at the halfway point of the year, I wanted to bring you back to discuss what we’ve accomplished so far and what’s still ahead for the Council. So, let’s start with perhaps the biggest news of 2022, the release of PCI DSS v4.0. How did that go? And, how was that received by our industry?

Lance Johnson: PCI DSS v4.0 is a major evolution of the standard. It is a critical next step for how the standard needs to actually represent the needs of the industry. It adds new requirements, it adds new ways of assessing the industry, it provides a substantive amount of additional information, hopefully making it easier for people to understand what they need to do and how they need to do it. It’s such a critical foundation for us going into the future. We’re putting more energy into making sure that it works.

To date, over 2,100 people have downloaded a copy of the standard. And more importantly, we’ve had a significant registration for our transition training from v3.2.1 to v4.0. So far, we’ve had 600 people registered to do the transition training. And, even though it’s only been open a week as of today, we had over 100 people actually fully meet the requirements and pass the exams. So, they are now allowed to go ahead and assess against v4.0, which is astonishing – in one week, 100 entities.

But equally surprising to us, we did something new with v4.0. We knew it was going to be a big change. So, we added in a separate event specifically with v4.0. And that is our PCI DSS v4.0 Global Symposium. And that symposium was set up so that any of the entities who are going to rely on v4.0 going into the future would have an opportunity to get some advanced information on how to read it, how to interpret it, and how to apply it. And through last week, we’ve already had over 3,000 people register and over 2,400 people actually started to log in and go through the symposium. It’s about six to seven hours’ worth of content. And it provides really in depth understanding of what the new standard is.

All in all, it’s been an extraordinary time for that particular standard – the interest in adopting, the interest in understanding how the standard evolves from the old standard to the new model. It is truly an unbelievable and an exciting period for the Data Security Standard and for the Council in working with the industry on making sure those payments are secure using it.

Alicia Malone: Another exciting update pertaining to our standards that you mentioned earlier this year is the release of a brand new standard, the Mobile Payments on COTS, or MPoC. What is the latest on that?

Lance Johnson: Well, I’m really excited about Mobile Payments on COTS, or MPoC, because it represents really much of where the industry is and where the industry is going. In many ways, it represents the future. Mobile payments is that foundation that we saw coming of age during the pandemic. And, we knew it was coming before, but now it’s not just coming, it’s here. The whole idea that an organization can use a simple, familiar device – COTS device, a Commercial Off-The-Shelf device – in a variety of different ways for conducting their business, whether they buy it themselves and download some software, have it configured by a service provider, or actually receive the device from their service provider. This whole change in how payments are going to be processed and how payments are processed, is fundamental to the shift in the industry away from the hardwired devices to devices which are always available, always turned on and transactions can occur anywhere.

MPoC is an evolution from our prior efforts in that area, SPoC and CPoC, that represents a significant expansion, a deepening and broadening of what we’re trying to provide to the industry as far as guidance around how to implement these devices and these business models. And it really is somewhat of a harbinger of what the future is going to be in how payments are going to evolve. It’s going to be really a foundation by which we would see a number of different aspects evolve from.

And, I think the industry agrees, not just in having already adopted these devices and these business models, but in the very response from the industry on our standard. We’ve had two Requests For Comments on the standard so far. And in those two, we’ve had 1,000 comments. That’s exceptional. It really does represent a significant change in how we do our business by having all of this information come in. But this really shows how involved the industry, as a whole is, in this particular standard in trying to get it into the best possible shape. And we’re still working on it. We do expect the standard to be released close to the end of this year. And as we get closer, there’ll be more information on it. But it is one of those foundational standards for our future representing how payments are changing and how payments are expected to change. And we really have high expectations for the value of this as a baseline for a number of different future modules to be based on it as well.

So, as we are looking forward, as I said a moment ago, we do expect there will be some changes in the industry. And, I don’t want to miss reminding everybody that as we are going through the end of the year, as new things are being released, such as MPoC and PCI DSS v4.0 this year, some old standards, which have maybe outlived their usefulness, are now being retired, in particular PA-DSS. If you look at our website, you’ll see a countdown clock. But really what the countdown clock says is that in October of this year, October 28, we are going to replace PA-DSS formally with our Software Security Standard. Right now, we’re going through the last phases of closing out PA-DSS. It just demonstrates how much the industry is evolving and how we need to make sure that as we’re going forward, we’re not just looking at new things, we’re also addressing things which may have outlived their usefulness, such as PA-DSS.

Alicia Malone: So, you mentioned the countdown clock on our website. And, speaking of our website, I’m sure our listeners have noticed some improvements to the look and feel and functionality of it. What can you tell us about this new redesign?

Lance Johnson: So, Alicia, I’m glad you asked that. We really are looking at how to better serve our stakeholders and the industry. And, if you look at some of the tools that we’ve used over the years, when we introduced them, they were state of the art. But some of them have been so effective that we haven’t updated them in a while. And that includes our website. So, this year, we took it upon ourselves to bring our website into the 2020s. And by that, it included a change in how it is designed, some of the underlying characteristics, certainly better representation of how the information is presented, making it easier to search for content, all of these things are really about making sure that we’re providing information in the most effective and easy to consume way.

And it’s not the only thing we’re doing, we’ve got a number of other projects which will be visible through the end of the year that I hope everybody will have an opportunity to look at as well. But the website itself, it is the window the industry has into the work that the Council does. It is the single most important venue for us to communicate information out to the industry. And, as such, it was the first that we needed to make sure was updated to meeting the needs of the industry, going into the 2020s and beyond.

Alicia Malone: Definitely engagement with our industry and stakeholders continues to remain a top priority for the Council. What kinds of other engagement opportunities are happening at the moment?

Lance Johnson: Wow, there are probably more than I could list in just a few minutes. But I think probably one which I need to call out, because it’s such a critical part of how we engage with the industry, is our Board of Advisors. Our Board of Advisors is a group of organizations and individuals who represent the industry in a broad range of domains, both geographically and commercially. They sit on our Board of Advisors for two years. And in that time, they have an opportunity to engage in detail with us on a number of subjects and on our standards and our working activities and provide us truly that insight into what the industry needs; that feedback on what we do right and what we do wrong or what we can improve on. I think everybody recognizes just how fundamentally important our Board of Advisors is to our success.

Now, the current board was seated in January of 2021. And I think everybody thinking back can remember that in January 2021, the world was in the throes of the early pandemic days. And with that, it really created a number of challenges on how we worked with people. We stopped having face to face meetings during that period, we spent more time on the phone, we spent more time on video conferencing.

All told, while those are very effective ways, one of the things that was clear to us is we had missed something in that period of time. So, while we would normally be going through an election process now for a new Board to be seated in January 2023, the request was made. And we looked at the request with an appropriate interest to say, is there any way we can take the current Board of Advisors and extend their period of time so they can work more on those fundamental issues that they are committed to working on and provide that input that they didn’t have much of an opportunity based on just the consequences of dealing with the changed world?

And looking at all of those, we actually said that makes a lot of sense. We don’t want to undermine the integrity of the Board. So, we have announced that the current Board of Advisors, who would normally be ending their tenure on December 31st, are now going to be extended through the end of May. And a new Board is going to be selected in the first or second quarter of next year to be seated in June. That will give the current Board a chance to work on some of the things that may not have gotten as much attention by them as they wanted and to close out some of the efforts that were started and really meet their expectations and our needs from them through the end of their session, which now is five months longer. It’s really an important aspect of that particular Board that we get their input and we maintain their contributions to the council. So that’s how we’re approaching it.

A second area is our GEAR. And for those who are not familiar with GEAR, GEAR stands for Global Executive Assessor Roundtable. And then with that, it is somewhat of a companion group to our Board of Advisors, but where our Board of Advisors are really created for the benefit and for input from the business entities who are working in the industry, the GEAR is really representative of the assessors who are doing the work assessing against the various standards. As a matter of fact, to be on the GEAR, you have to represent and do work in multiple standards. It cannot just be PCI DSS, it must be across a multiple number of programs. And they, too, are in the process now of being elected and re-seated in a new GEAR that will be starting in the next month or so.

And this is critically important at this time. As I said, with both PCI DSS v4.0 now starting to get some momentum behind it and the new standards coming on, GEAR gives us that detailed insight into how the assessors look at it. So, this upcoming GEAR will carry on with their really critical contributions around how we need to look at our standards and look at our programs and adjust them for the needs of not just what we expect, which is to protect data, but also in how they can be implemented in a way that the assessors can do that effectively and do it efficiently.

Alicia Malone: Another significant engagement opportunity for our industry are at the annual Community Meetings. Are those still happening in-person this year? And what can we expect?

Lance Johnson: So, Alicia, this is probably one of the most exciting things to be able to announce in the last 45 days is that, unlike the last two years where we closed everything down and we’re restricted, we are going to be having our big community events in September and October of this year. We are changing a little bit of how we’re approaching them. We’re going to make sure that there is a lot of content that is available online, but yes, we are going to be having our North America Community Meeting in Toronto, Canada, September 13 through the 15. And we’re going to be having our European Community Meeting in Milan, Italy, October 18 to the 20. These are going to be our first foray back into wholesale meetings post-COVID. And we’re more than looking forward to it. We are absolutely ecstatic on having the ability to do these again.

Registration is open and we’re watching very closely. And so far, it seems that the industry itself is very excited about being part and having the opportunity to get back together in-person to network with all of their colleagues, be in-person to hear presentations and ask questions of the presenters. It is absolutely an exciting opportunity for anyone to come attend, be in-person, meet the people that you say you have heard on the webinars, see the presentations in-person, ask questions, meet vendors, ask some of the experts that are in the industry. This is really going to be one of those premier points for the year for us and for the industry as well.

Alicia Malone: This is very exciting news, and we are definitely looking forward to the in-person Community Meetings once again. Before we close, is there anything else that you’d like to share with our listeners today?

Lance Johnson: There are a couple things. So, I hope everybody recognizes that the Council is in the process of changing its personality and focusing more on everything that you, in the industry, need. Putting a lot of effort into gaining and working on your input on our standards and our activities is just part of that. Listening to where you say that the issues are, which is really something that we get both from our outreach, but also when you do and can come to our Community Meetings.

And, by the way, on the Community Meetings, we’re going to be doing something new this year. We’re opening it up to anyone. So, anyone who wants to come, any person who has an interest in payments and data security can attend the CMs. And I say that, even though it’s just a small step, it probably indicates how the Council itself is going to change over the next couple of years. It represents that opening and more inclusive effort that we want for the industry as it works with us in the Council and as we represent the needs of the industry.

So for that, I think really, if we just focus on right now, the Council is excited about where the industry is and we’re working to be more engaging, more inclusive, and looking at opportunities to bring in more information from the stakeholders around the world and expand the range of stakeholders that are participating with us.

Alicia Malone: Thank you so much for joining us on Coffee with The Council, Lance.

Lance Johnson: Okay. Thank you, Alicia. I always look forward to having a chance to sit down and just talk because I really am excited about where the Council is and where we’re going and what that means with our partnership with the industry. So, thank you.

Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Spotify, Anchor, Pocket Casts, or Google Podcasts. Coming soon, the podcast will also be available on Apple Podcasts and RadioPublic.