AccessIT Group

Inside the 2025 PCI SSC North America Community Meeting: Insights, Myths, and Key Takeaways

This week, the payments security community gathered in Fort Worth, Texas, for the highly anticipated 2025 PCI SSC North America Community Meeting. Held from September 16–18, the event brought together Council staff, industry experts, and stakeholders from across North America to discuss the latest in payment card security, technical updates, and collaborative opportunities.

Setting the Stage: Why the PCI Community Meeting Matters

Every year, the PCI SSC North America Community Meeting is more than just a conference; it’s a crucial gathering spot that wouldn’t be the same without the varied perspectives from across the industry, including yours. This event sparks innovation, deepens relationships, and guarantees that the standards safeguarding cardholder data stay strong and up-to-date in a rapidly changing environment.

Key Themes and Highlights

1. Technical and Security Updates

A central focus of this year’s meeting was on the latest technical and security developments in the payments ecosystem. Council staff and industry leaders shared insights on evolving threats, compliance requirements, and best practices for securing payment data. Attendees learned about upcoming changes to PCI standards and how these will impact merchants, service providers, and solution vendors.

2. Engaging Sessions and Expert Speakers

The agenda featured a robust lineup of sessions led by renowned speakers and subject matter experts. Topics ranged from practical guidance on implementing PCI DSS v4.0 to deep dives into emerging technologies such as tokenization, cloud security, and AI-driven fraud prevention. Panel discussions and interactive workshops encouraged lively debate and knowledge sharing among participants.

3. Community Collaboration

Collaboration remains a cornerstone of the PCI Community Meeting. This year’s event emphasized the importance of active participation within the PCI ecosystem. Attendees were encouraged to join Special Interest Groups (SIGs), contribute to standards development, and network with peers facing similar challenges.

4. Looking Ahead: A Global Perspective

While the focus was on North America, the meeting also previewed upcoming PCI SSC events in Europe and Asia-Pacific, highlighting the global nature of payment security challenges and the need for international cooperation.

My Presentation: Busting PCI Myths

A personal highlight this year came unexpectedly when I was asked at the last minute to fill in for a tech talk slot. I presented “Busting PCI Myths: Practical Truths for Real Security,” a topic I’m passionate about after nearly two decades as a QSA and PCI advisor.

During my talk, I addressed some of the most persistent misconceptions that continue to circulate in the industry:

  • “We’re too small for PCI DSS to apply.”
    Reality: If you accept, store, or transmit cardholder data, or could affect its security, PCI DSS applies, no matter your size. Attackers often target small businesses.
  • “We outsource card processing, so we’re off the hook.”
    Reality: Outsourcing can reduce your PCI scope, but you still have responsibilities. You must validate your own compliance and ensure your vendors are secure.
  • “Filling out an SAQ makes us compliant.”
    Reality: The SAQ is a tool, not a shield. True compliance means actually meeting every applicable control, not just checking boxes.
  • “PCI compliance is too expensive.”
    Reality: The cost of non-compliance (fines, lost business, and reputational damage) far outweighs the investment in security.
  • “PCI compliance means we’re secure.”
    Reality: Compliance is the foundation, not the fortress. Security requires ongoing vigilance and improvement.
  • “I only need ASV scanning on my payment page.”
    Reality: All external interfaces that could impact cardholder data must be scanned by an ASV.

The key takeaway? Don’t let PCI myths lull you into a false sense of security. Real protection comes from understanding your true responsibilities and building strong, layered defenses.

Ongoing Challenges: Requirements 6.4.3 and 11.6.1

Just like last year, there was significant discussion and some confusion around PCI DSS requirements 6.4.3 and 11.6.1. These requirements introduce critical mandates for monitoring and tamper detection, even for merchants completing the simplest SAQ-A. Many attendees were seeking practical guidance on how to implement these controls effectively, especially in cloud environments and where third-party service providers are involved.
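Requirement 11.6.1 asks for a change- and tamper-detection mechanism over the payment page’s HTTP headers and content as the consumer’s browser receives them, and 6.4.3 for an inventory and integrity check of the scripts that page loads. As an added illustration (not code from the talk or from PCI SSC), the Python below records a baseline of authorized script digests and watched header values and flags any drift in a later capture; the URLs, header values and script bodies are constructed sample data, and the watched-header list is an assumption.

```python
import base64
import hashlib

# Headers whose values the baseline records (assumption: extend for your own page).
WATCHED_HEADERS = ("content-security-policy", "strict-transport-security")

def sri_digest(body: bytes) -> str:
    """Digest of a script body in Subresource Integrity form (sha256-<base64>)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")

def build_baseline(scripts: dict, headers: dict) -> dict:
    """Record authorized scripts (url -> digest) and watched header values (names lower-cased)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        "scripts": {url: sri_digest(body) for url, body in scripts.items()},
        "headers": {name: lowered.get(name) for name in WATCHED_HEADERS},
    }

def detect_tampering(baseline: dict, scripts: dict, headers: dict) -> list:
    """Compare a fresh capture with the baseline; returns (kind, name) findings, [] if no drift."""
    findings = []
    for url, body in scripts.items():
        expected = baseline["scripts"].get(url)
        if expected is None:
            findings.append(("UNAUTHORIZED_SCRIPT", url))  # not in the inventory
        elif sri_digest(body) != expected:
            findings.append(("SCRIPT_MODIFIED", url))  # content drifted from baseline
    findings += [("SCRIPT_MISSING", u) for u in baseline["scripts"] if u not in scripts]
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, expected in baseline["headers"].items():
        observed = lowered.get(name)
        if observed != expected:
            findings.append(("HEADER_MISSING" if observed is None else "HEADER_CHANGED", name))
    return findings
# Constructed sample (not from any real merchant): the authorized page at baseline time ...
AUTHORIZED_SCRIPTS = {
    "https://checkout.example.test/checkout.js": b"initCheckout();",
    "https://cdn.example.test/analytics.js": b"track('pageview');",
}
AUTHORIZED_HEADERS = {"Content-Security-Policy": "script-src 'self' https://cdn.example.test",
                      "Strict-Transport-Security": "max-age=31536000"}
BASELINE = build_baseline(AUTHORIZED_SCRIPTS, AUTHORIZED_HEADERS)
# ... and a later capture: one script changed, an unknown one appeared, the CSP was loosened.
CAPTURED_SCRIPTS = {
    "https://checkout.example.test/checkout.js": b"initCheckout();",
    "https://cdn.example.test/analytics.js": b"track('pageview'); /* changed */",
    "https://unknown.example.test/extra.js": b"/* not in the inventory */",
}
CAPTURED_HEADERS = {"Content-Security-Policy": "script-src *",
                    "Strict-Transport-Security": "max-age=31536000"}
```

Capture the page from outside the merchant environment, as a customer’s browser would, because server-side files can look unchanged while a CDN, tag manager or third-party script alters what the browser actually receives.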

Final Thoughts

The 2025 PCI SSC North America Community Meeting reaffirmed its status as the premier forum for shaping the future of payment security. Whether you’re a seasoned QSA or new to PCI, the event is a reminder that compliance is a journey, not a checkbox. If you missed it, I highly recommend checking out the PCI SSC website for session recordings and resources.

Let’s continue to bust myths, share knowledge, and work together to build a stronger, more secure payments ecosystem.

Did you attend the meeting or have thoughts on some of the new requirements? Share your experiences in the comments below!
