PCI SSC Executive Director Discusses New Board and 2021 Priorities
With the start of a new year, PCI SSC Executive Director Lance Johnson welcomes the new 2021-2022 Board of Advisors, provides an update on the Council’s top priorities, and offers insight into what stakeholders can expect in 2021.
PCI SSC recently announced its 2021-2022 Board of Advisors. What’s new about the Board this term?
Lance Johnson: First, I would like to extend a warm welcome to all of our new and returning Board of Advisors members. I would also like to thank all of our Participating Organizations who participated in the election process. As with past Boards, the new Board includes some of the world’s leading companies from all sectors in the payments space. This year, we’ve expanded stakeholder involvement in global retail, mobile, software security, and new technology industry sectors.
The new Board of Advisors will be instrumental in helping the Council address major changes in the coming years. Not only are we still addressing the changes caused or accelerated by the pandemic, such as remote working and mobile payments, but we are also facing the introduction of a major upgrade in our Data Security Standard (DSS), PCI DSS v4.0. The new Board represents a balanced cross section of the payments industry and many of them are primary drivers of these changes. As leaders in payments or payment facilitation, they will be crucial in helping the Council understand and address the new challenges ahead and supporting new technologies.
As we start 2021, what can we expect in the year ahead?
Lance Johnson: Like 2020, this will be another year of change and adaptation, although I expect we will be building on what we’ve learned and evolving our practices. This is especially true as we move from temporary solutions to more permanent procedures in our guidance. Operating remotely is going to continue to be a key focus. This is not new, but it has fresh momentum. Whether it’s working remotely, managing remotely, assessing remotely, or training remotely, this year will see new work methods, practices, and procedures throughout the industry.
What will the priorities of the Council be for 2021?
Lance Johnson: We will see continued effort focused on meeting the industry’s payment security needs especially in the areas of PCI DSS v4.0, mobile payments, and software security practices, which remain significant priorities for us. The update of PCI DSS 4.0 will be big news in the payments industry in 2021 and 2022. PCI DSS v4.0 is currently under development and has received significant industry feedback and input via our Request for Comments (RFCs) process. Our first RFC for the draft of PCI DSS v4.0 in 2020 generated over 3,000 comments from industry stakeholders. We are currently reviewing and responding to feedback from the second RFC, which concluded in November, adding over 1,800 more comments, making PCI DSS v4.0 the most well reviewed and commented-on standard that the Council has ever produced.
Another major focus will be mobile. While mobile payment practices are not new, the pandemic has forced many businesses to adopt contactless and mobile payments faster than they would have under normal circumstances. With the changing nature of how consumers made payments in 2020, mobile will continue to be a heightened priority for the PCI SSC. The development of new standards and programs in mobile will also be a key focus for us in 2021.
Additionally, the PCI SSC will continue to promote the adoption of our Software Security Framework, and its two standards and programs, as we move towards the retirement of the Payment Application Data Security Standard (PA-DSS) program, which is scheduled for October 2022.
What message would you like to share with PCI’s Participating Organizations?
Lance Johnson: We are looking forward to your continued participation with the Council in the year ahead. Collaboration is at the heart of everything we do, and you play an active part in our success. We invite you to stay engaged with us; keep offering that valuable feedback through our Request For Comments process; take advantage of our training programs – we have new Secure Software Assessor and Secure Software Lifecycle Assessor classes now available, in addition to many others; connect with us at our annual Community Meetings; stay informed about all of our involvement opportunities through our weekly newsletter and our PCI Perspectives blog. We are confident that with your collaboration and engagement we will have a promising year ahead.