10 years of PCI: Building the payment security of tomorrow by learning from our past

Nov 01, 2016 | 4 mins
Cisco Systems | Data and Information Security | Internet Security

How can we fight against fraud in the future in a much more complex ecosystem? The answer may be in the next generation of security technology and strategy.

When the PCI Council first started 10 years ago, we had one goal – create and disseminate a global standard for cardholder data security. One that would align the existing payment brand compliance requirements, eliminate conflicts of security preference and provide a consistent voice for how to protect the confidentiality of account data. We’ve done that, and significantly improved payment security throughout the transaction process, all over the world.

Today, as an industry, we are seeing the results of these efforts – awareness for payment security is now elevated to the boardroom, the vast majority of account data is encrypted and sensitive operations are isolated from the general organizational procedures.

But the world of payments is moving at a fast clip. We’ve seen a true renaissance in the past five years when it comes to innovation for payment use and acceptance, and we can expect this to continue. Now more than 22 million merchants can accept payments at more than 42 million locations around the world. With these new merchants and newer payment channels comes new opportunity for criminals to exploit a broader attack surface to steal digital data and credentials.


So how can we fight against fraud in the future in a much more complex ecosystem? The answer may be in the next generation of security technology and strategy. Developing these key areas will be critical as payment security and compliance evolve:

Dynamic data and authentication

We have a luxury in payments that the account numbers are arbitrary and can change if necessary. With the introduction of payment tokens that generate ever-changing numbers we will reduce the incentive for theft of that information as it holds no value to perpetrate fraud. Additionally, we now have the ability to use many forms of dynamic authentication not previously available to verify our customers, employees and others accessing company systems. By using these random data attributes we can move away from relying exclusively on static authentication mechanisms like overly-used passwords.
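As an added illustration (not the Council's or the author's code), the toy single-use token vault below shows why a stolen token holds no value: every call issues a fresh, Luhn-valid surrogate that is unrelated to the PAN, and the vault honours it only once and only within its lifetime. The 16-digit format, the "9" prefix and the five-minute lifetime are assumptions of this example.

```python
import secrets
import time
from typing import Dict, Optional, Tuple


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a string of digits (helper for this example)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Toy vault: issues a random, single-use, time-limited surrogate for a PAN."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        # token -> (pan, issued_at, already_used); the PAN never leaves the vault
        self._tokens: Dict[str, Tuple[str, float, bool]] = {}

    def tokenize(self, pan: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        while True:  # assumed format: "9" + 14 random digits + Luhn check digit
            body = "9" + "".join(str(secrets.randbelow(10)) for _ in range(14))
            token = body + luhn_check_digit(body)
            if token not in self._tokens:
                break
        self._tokens[token] = (pan, now, False)
        return token

    def detokenize(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the PAN for a live, unused token; None for anything else."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return None  # unknown or forged token: nothing to recover
        pan, issued_at, used = entry
        if used or now - issued_at > self.ttl:
            return None  # replayed or expired token is worthless
        self._tokens[token] = (pan, issued_at, True)
        return pan
```

Because the token is drawn at random rather than derived from the PAN, an attacker who captures it learns nothing about the account number, and a replay is refused by the vault itself.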

Continuous awareness and protection

Our apps are getting smarter. Our phones and everyday devices are getting smarter. Why shouldn’t our security solutions evolve alongside the technology that is becoming better at self-learning? Engineering should include runtime security that doesn’t require as much manual intervention. I expect we will see more use of security methods beyond reactive monitoring controls that can develop threat modeling of their own environment and prevent new types of exploits immediately upon discovery.

Additionally, we have yet to see significant improvement in self-detection of data breaches, and recognition of exfiltration of sensitive data from our systems to unknown destinations remains poor. Verizon’s 2016 Data Breach Investigation Report emphasizes the need for improvement in this critical area, noting that less than 20% of investigated breaches were self-discovered.

Automating PCI DSS compliance documentation

For me, one of the more disappointing aspects of the last 10 years has been the lack of a repeatable, automated process for documenting changes in the flow of datagrams or changes to technology assets that impact PCI DSS compliance. I still often hear that this is a highly manual process that creates gaps of knowledge between assessments. The more we can automate the documentation, and have confidence in the accuracy of that reporting, the better informed security leaders can be about the true current state of the environments we are asked to protect.

Measure success and identify opportunities for improvement

Too often, metrics have been underutilized in demonstrating to senior leadership the auxiliary improvements to an organization, operational efficiency and overall reduction of risk. As reporting evolves, I’m optimistic that better formulas for overall security will significantly progress and be used not only to help with future investments but also as critical data points for cyber insurers and other external partners.

Better service provider security

We’ve made significant strides in the past 10 years when it comes to the growing dependency on third parties to manage data and technology. We’ve witnessed the maturation of service-level agreements with cloud service providers and a willingness to be more transparent regarding the security of their environments. There is greater awareness of their role in supporting compliance initiatives and in offering security as a service to differentiate themselves from the competition. These are critical areas since we expect cloud data centers to process 86 percent of total workload by 2019, according to a recent Cisco survey.

We have great opportunities to improve the future of payment security and compliance through the evolution of these technologies and processes. In future blog posts I will explore each of these areas and share how we can develop strategy to better secure customers’ account data, while also minimizing the effort to demonstrate good security practices are in place and functioning as expected.


Troy Leach is the chief technology officer for the PCI Security Standards Council. In his role, Leach partners with council representatives, participating organizations and industry leaders to develop comprehensive standards and strategies to secure payment card data and the supporting infrastructure.

Leach is a congressional subject matter expert on payment security and the current chairman of the Council's Standards Committee. Prior to joining the PCI Council, Leach held various positions in IT management, software development, systems administration, network engineering, security assessment, forensic analytics and incident response for data compromise. Leach holds a master of science in telecommunications and network management as well as a graduate degree in information security management from Syracuse University.

The opinions expressed in this blog are those of Troy Leach and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.