This October 2024 the PCI SSC Europe Community Meeting was held in the beautiful city of Barcelona (Spain). In this article we tell you the main topics covered, the changes that are coming in terms of card data protection standards and the experiences of merchants and service providers in the implementation of security controls in payment channels.

As is tradition, every year the Payment Card Industry Security Standards Council (PCI SSC) celebrates its Community Meeting in different regions of the world. This 2024 this event took place in Boston (USA), Barcelona (Spain) and Hanoi (Vietman) for the North American, European and Asia-Pacific regions, respectively.
For those of you who do not know them, Community Meetings (CM) of the PCI SSC are an open space for discussion and meeting between providers of security technology solutions, payment card brands, acquiring companies, service providers (TPSPs), merchants and – mainly – QSA advisory companies (QSA Companies), where experiences in the implementation and monitoring of security controls for the protection of payment card data are analyzed.
From October 8 to 10 2024, the PCI SSC Community Meeting European in Barcelona with almost 600 participants, dozens of sponsors and high-level speakers, where some new standards were announced, new trends in the payment media market were analyzed and experiences were shared in the implementation of the controls of the new version of PCI DSS (v4.0.1). Some of the most relevant points of this event are shared below:
Automation: The objective to be achieved
Unlike previous years, two workshops were introduced this year (workshops) that were held in parallel in the days before the main event. These workshops aimed to enable attendees to discuss and share experiences on the following topics:
- Assessment Evidence Collection Techniques (Evidence-gathering techniques in compliance assessments), where the different strategies for the collection of evidence of compliance in the controls of the standards were analyzed, including the capture of evidence in shared environments or in the cloud, the importance in the communication between the advisor and the evaluated entity, the different legal implications in the management of evidence and the retention processes.
- Approaches for Monitoring Third Party Service Providers (Approaches for monitoring service providers), where the importance in the existence of updated supplier inventories, the criticality in the definition of roles and responsibilities in the "matrices of responsibility", the joint work between the contracting area and the regulatory compliance personnel of the entity and the processes of due diligence, onboarding, monitoring and offboarding suppliers.

Although these two themes are very different, surprisingly one conclusion was transverse to both: The need to automate controls to optimize time, cost and effort in monitoring tasks. With increasing complexity, assets in the environment, elements to review and the potential human element as an error factor, it is imperative that organizations identify and deploy automated controls to maintain tolerable compliance lines, while minimizing errors and optimizing results.
Grouping and simplification: The new route of the PCI SSC
One of the most important issues related to the future of standards managed by the PCI SSC was the roadmap of updates. It is undeniable that as time progresses, payment technologies also advance along with their related risks, attack techniques and security controls to manage them. Maintaining a data protection standard aligned with reality and the environment you are trying to protect is a key point so that the established controls do not lose validity and last over time.

Currently, the PCI SSC has published 15 standards and maintains different compliance programmes, additional reference documents and frequently used questions (FAQs). At the time, this approach was valid, but nowadays, where cloud architectures, the use of certified providers, the minimization of responsibilities and security maturity are common in any environment, it is necessary to rethink the objectives and needs of the standards.

In that vein, the PCI SSC established 8 main protection objectives (security in physical devices, key management operations, payments with cards or other payment instruments, security of the environment, security in the software process and development, mobile security, security in payment solutions and frameworks for emerging technologies) and will proceed to relate each of the current standards with those areas. As a result:
- New controls will be established for the management of third-party payment applications that are installed on Point of Interaction (POI) devices.
- The standard PCI PIN (whose controls are also part of P2PE Domain 5) will migrate to a new standard, whose tentative name will be Key Management Operations (KMO), which shall define generic controls for the operation and administration of cryptographic keys. It is expected that this new standard will be included as a requirement of compliance with other standards where cryptographic operations are carried out.
- As for physical security, it is expected that all controls distributed throughout the current standards will be centralized in a new standard whose tentative name will be Environmental Security Standard (ESS). As with KMO, if a standard includes environmental protection controls, ESS compliance is most likely required.
- Components of Software Development Kits (SDK), mainly 3DS, will be integrated into the standard PCI Secure Software.

The publication dates of these new standards and the definition of their migration periods and associated programs (if applicable) will be announced in the near future.
Security in development and authentication issues: Access points for criminals
One of the most interesting sessions was the QSA advisor session, which is usually done remotely, but this time it was done in person during the event. This session reviewed the different efforts of the PCI SSC to receive feedback (feedback) by the associated entities, best practices, case studies and finally a question and answer session were reviewed, where he confirmed that there will be no Technical FAQs for PCI DSS and that it is expected that in the medium term update the concept of ‘robust cryptography’ (strong cryptographand) to include Newly published post-quantum cryptography algorithms by NIST.
A very interesting topic that was discussed in this session was the statistics of incidents analyzed by the PCI Forensic Investigators (PFI). It presented the most common causes of security incidents related to payment cards and the PCI DSS standard controls that had the most problems, confirming that the main problems came from errors in the software development process (requirement 6) and user identification and authentication (requirement 8).

The withdrawal of Triple DES and the migration to AES: Chronicle of a Death Foretold
As we had already advanced you in PCI Hispano, the Triple DES algorithm was listed as obsolete by the NIST and its use is not permitted in U.S. and Canadian government agencies. This decision has affected not only those agencies, but will have a broad impact on the payment media industry, where Triple DES (or TDEA) is present in almost all payment-related encryption mechanisms.
One of the recurring themes was the process of migration from TDEA to AES, which requires the early definition of an action plan, the reservation of a budget for its execution and the joint work between the different entities involved in the flow of sensitive data to replace the affected keys minimizing the downtime and impact on the operation.

Even though the PCI SSC has not yet formally ruled on TDEA, entities were called upon to prepare proactively, as this is an inevitable change.
Other interesting topics
Apart from the topics mentioned above, other areas discussed at this event were:
- Use of cryptography services provided by third parties (including HSM-as-a-Service) and its impact on compliance with standards.
- Impact of new technologies (such as artificial intelligence and machine learning) and infrastructure management as code (Infrastructure-as-Code) in the scope of PCI DSS.
- Experiences in the implementation of monitoring controls scripts on payment pages.
- Massification of payment solutions using mobile devices commercial off-the-shelf (COTS) and standard controls PCI Mobile Payments on COTS (Mpocc).

Conclusion
Whether you are a merchant, a payment industry service provider, a security solution vendor or a QSA company, this event is a must-have, not only for the technical information shared but also for the contacts and people you know. Personally, I was finally able to personally meet two excellent professionals and followers of PCI Hispano (Álvaro Reig Planet and Javier Trives from Necomplus), reuniting with old friends (Marc of Tebar of Schwarz, Manuel Fernandez (disambiguation y Alberto Spain Botech), as well as share with my colleagues Integrity360 (Daniel Vivar y Manuel Vallina) and with many other QSA advisors and industry staff. It's been a pleasure to see you.

Finally, it is impossible to end without mentioning the sessions of networking and additional activities that complement the technical sessions, which are always welcome in this type of events.

If you were at the event, leave us your comments below if you want to share your opinions or if there are any topics that you have forgotten to mention in this article.
See you in Amsterdam in 2025 🙂
Thank you very much David and great review, See you in Amsterdam!!
Thank you, David. Great summary. I hope to see you in Amsterdam.