The PCI Security Standards Council's first annual report highlights that threats to payment systems are accelerating in sophistication and scale. The report emphasizes the council's increased focus on global collaboration, training, and transparency to address these risks. It notes that payment security has become a core business concern, moving beyond niche compliance. The evolving, complex payments ecosystem introduces risks such as fragmentation and growing gaps between innovation and security.
PCI Council Says Threats to Payments Systems Are Speeding Up
The PCI Security Standards Council experienced a record year in many regards, but its first annual report shows it needs to work even faster to stay ahead of attackers.
A new report on the payment card industry reflects an increased dependency on global coordination to address threats that are growing more sophisticated and expanding the remit for the trade group itself.
The PCI Security Standards Council's (PCI SSC) 2025 annual report highlights training, education, collaboration, and outreach initiatives conducted throughout the year to advance payment security worldwide for merchants, retailers, and vendors. It is the first time the group has published a report since its founding in 2006.
Boosting transparency around the council's purpose and direction warranted the report, says Gina Gobeyn, executive director of the PCI SSC. As the report notes, the pace of change in payments is speeding up, and so are the threats.
"We wanted to tell the story of why we exist, what we're focused on, and how we work with the global payments ecosystem to advance payment security," Gobeyn says.
The council works to secure mobile, data, device, software, and card products for a variety of sectors by continually updating standards and compliance requirements. To that end, it offers programs to "train, test, and qualify organizations" against those standards.
With financial profits in mind, threat actors are going right to the source — physical cards, digital payment cards, or the processing systems. Attacks target point-of-sale systems and use payment card-skimming campaigns, "jackpotting," and credential theft to gain access to sensitive databases. Recent victims range from high-end retailers to professional football fans.
'A Deeper Transformation'
The report notes global collaboration is behind initiatives to safeguard payments worldwide. Some figures remained consistent with the previous year, like the number of new training participants, while others marked milestones. The 2025-2027 board of advisers grew to include 64 member organizations, multiple training sessions were held in Dubai for the first time in nine years, and the council launched an India-South Asia board.
The inaugural PCI SSC report is far more significant than it might first appear, says Gary Penolver, CTO and co-founder of Quod Orbis, who works with financial institutions on cyber-risk and compliance. The council formally documented its yearly progress, strategic priorities, and global impact in a single transparent report, which he views as a sign of "maturity," aligning PCI SSC with other major regulatory and standards bodies.
"For the payment card industry, this move reflects a deeper transformation," Penolver says. "Payments have shifted from being a niche technical compliance issue to a core, board-level business and security concern across global organizations."
What Does the PCI Landscape Look Like?
While complying with new PCI standards proves challenging for many organizations, the payment card industry remains a big target. Earlier this month, payment processing vendor BridgePay Network Solutions disclosed it suffered a ransomware attack that led to prolonged disruptions.
PCI SSC's annual report reinforces that the payment security industry is at a pivotal moment, says PCI SSC's Gobeyn, noting how the challenges and opportunities are tightly connected. Pace and scale are at the heart of the challenge because payments continue to evolve rapidly, she adds, describing the PCI as an "increasingly complex ecosystem" as new players and technologies emerge.
"That complexity can introduce real risk," she says. "We see the potential for fragmentation — different approaches, uneven adoption, and, of course, the potential for growing gaps between innovation and security."
Fragmentation Challenges
Penolver is also concerned about fragmentation caused by an interconnected payment ecosystem. The issue creates exposure; therefore, organizations should benchmark their internal controls against global guidance, he recommends. Participation in industry forums and feedback cycles can address fragmentation challenges, he says.
"There is a growing imperative to look beyond local initiatives to align with global best practice," he tells Dark Reading. "Payment ecosystems differ by market, but vulnerabilities travel fast."
Indeed, threat actors operate without regard for borders, but payment infrastructures are deeply interconnected across issuing banks, merchants, service providers, and technology vendors. Internationally coordinated defensive strategies can help reduce fragmentation and enable organizations to adopt best practices more effectively, Penolver says.
Global Coordination Proves Increasingly Difficult
Threats are becoming more sophisticated; technologies like artificial intelligence (AI) are powerful enablers for innovations that can also be leveraged for malicious intent, Gobeyn warns. Organizations can use AI and automation in fraud detection, but they must embrace technological change responsibly, Penolver adds. That means implementing robust governance and data protection controls to reduce risk and not shift it.
Because threats and the payment ecosystem extend globally, coordination can become more difficult, Gobeyn says. Global collaboration is a focal point of the inaugural report and the council's mission moving forward, but it must evolve in order to accomplish these goals. Factors include developing a more structured product delivery model and engaging stakeholders earlier and more often, Gobeyn says.
"We are working to remove waste from our processes, better understand the impact of change, scale our delivery, and, quite frankly, get it right faster," she says.