Protecting the global payments ecosystem: updates from PCI Security Standards Council

We recently interviewed Úna Dillon, Regional Director, Europe at PCI Security Standards Council, about the challenges of her new role and the organisation’s most important updates and challenges when it comes to fraud.

Can you elaborate on your new role as Regional Director, Europe at the PCI Security Standards Council? How can you leverage your previous experience at the MRC for this new position and what do you bring new to the table?

I am very excited to step into the role of Regional Director for Europe at the PCI Security Standards Council. As Regional Director, I will serve as the primary liaison with European payment security stakeholders. In this role, I will drive awareness and growth of the Council, with an emphasis on educating stakeholders on the importance of data security for payments and supporting the adoption of PCI SSC standards within Europe. The position gives me the opportunity to further strengthen collaboration with European stakeholders and ensure the PCI standards continue to address the unique needs for the payments ecosystem in this region.

As Vice President of Advocacy & Education at the Merchant Risk Council (MRC), I navigated complex regulatory landscapes, drove payment fraud prevention strategies, and created opportunities for innovative payment solution providers across the ecosystem. My time at the MRC gave me a deep understanding of the payments ecosystem and helped me build strong partnerships across industry players, from merchants to payment service providers, and financial regulators. That perspective is invaluable as I move into this role, as it allows me to bridge the viewpoints of different stakeholders and ensure the work we a’re doing at the PCI Council is practical, effective, and aligned with the realities of the market.

What I bring to the table is the ability to listen to the community, facilitate dialogue, and translate the insights gained, into action. I see my role as helping stakeholders in Europe to better understand the requirement of the 15 PCI standards and how they support innovation, security, and trust in payments across Europe, and beyond.

Can you discuss about the activity and role of the PCI Security Standards Council and provide some updates for the following six months in terms of regulations/standards/compliance in the card industry?

The PCI SSC plays a central role in protecting the global payments ecosystem. Our mission is to enhance global payment account data security by developing industry-driven security standards, promoting education and awareness, and fostering collaboration among stakeholders to prevent and protect against cyberattacks and data breaches.

We don’t do this in isolation:; the Council works closely with merchants, service providers, financial institutions, technology vendors, and card brands to make sure the standards remain relevant, practical, and globally applicable. Our Board of Advisors consists of 64 organisations from across the globe and representing all the companies responsible for enabling merchants to sell and consumers to buy, in a secure and safe environment.

The Council began its activity in 2006 with the PCI data security standard (PCI DSS), which consists of 12 requirements. With the evolution of payments came the need for further standards to ensure the security of terminals, cardholder data environments, point of sale and PIN pad use, providing encryption requirements, software security, and much more. There are now 15 standards in total, and we work together with stakeholders to ensure all security needs for the payment environment are met.

What makes us a little different than many standards bodies, is not only that the PCI Council deliver and maintain these standards, but we also provide guidance documents, training, certification courses, and helpful resources for those seeking to secure their customer and payment experience.

When it comes to compliance with the standards and related requirements, this is a matter for organisations other than the PCI Council. The PCI SSC is not involved in the compliance of our standards. The standards are enforced through contractual obligations between businesses (merchants, service providers) and the most important payment card brands – Visa, Mastercard, American Express, Discover, JCB, and UnionPay.

In practice, enforcement works through the card brands defining rules for those organisations that store, process, or transmit cardholder data. In most cases, oversight is delegated to the acquiring banks. The acquirers are contractually responsible for ensuring their merchants comply with PCI standards. They may require merchants to complete a self-assessment questionnaire (SAQ), or to undergo a Qualified Security Assessor (QSA) audit, depending on the transaction volume and risk level. Many merchants are also required to perform quarterly network scans by an approved Scanning Vendor (ASV).

Merchants and service providers are put into compliance levels (1-4 for merchants), based on annual transaction volume. Higher levels require more strict validation and reporting.

The PCI standard assessments are not one-timers. Compliance must be validated annually (or quarterly for scans). Acquiring banks and the card brands can request proof of compliance at any time.

While PCI standards enforcement is contractual and not legal, card brands require it, banks enforce it, and non-compliant merchants face penalties and even termination of their card processing.

Some governments and regulators embed PCI standards, especially the PCI DSS, into legal or regulatory frameworks making it legally significant. For example, in Europe, PCI DSS is not law, but regulators, e.g. under GDPR, can look at PCI DSS as a recognised best practice.

Looking ahead, our focus in Europe will be on supporting the industry’s understanding of the standards and ensuring organisations have the resources and clarity they need to implement requirements. We will also continue engaging with stakeholders on emerging areas such as contactless payments, clouds services, and evolving regulatory frameworks. In fact, our European Community meeting will be held take place in Amsterdam, from October 14-16 2025, where we will bring together some of the top payments experts in Europe. You can register here.

From your point of view, what are the card industry’s most pressing matters in terms of security and fraud prevention and how can PCI further mitigate and help solutioning these concerns?

One of the most pressing challenges in the payments industry today is the sophistication and scale of fraud attempts. Criminals are constantly adapting, especially with the advent of AI, from exploiting new digital channels to targeting vulnerabilities in ecommerce, cloud environments, and third-party service providers.

For me, the key priorities are ensuring strong data protection across all channels, addressing risks in ecommerce and mobile transactions and supporting organisations in building a culture of security that goes beyond simply meeting minimum compliance requirements.

The PCI Security Standards Council can play a vital role by keeping the standards future-ready, providing clear guidance for implementation, and working hand-in-and with stakeholders across the ecosystem to promote best practices. Our collaborative approach, bringing together all relevant payments stakeholders means we are well positioned to help the industry mitigate today’s threats and anticipate tomorrow’s challenges. Getting involved with the PCI Council is easy. Our Participating Organisation programmes are available to all relevant companies. You can find more details here.

Ultimately, our goal is to reduce fraud, strengthen trust, and support innovation in payments while keeping security at the core.

 

About the author

Úna Dillon is Regional Director Europe for the PCI Security Standards Council. She has 28 years in the payments industry and has held various roles, including payments advisor to Financial Regulators, policy makers, standards bodies, and card schemes, influencing change globally. Advisor on the European Commission Payments Systems Market Expert Group, Úna was on the Board of EMVCo and Chair of the European Payments Council Card Fraud Prevention Expert Group. 

 

 

About the PCI SSC

 The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, effective data security   standards, and programmes that help businesses detect, mitigate, and prevent cyberattacks and breaches. Subscribe to the PCI Perspectives Blog. Listen to  the Coffee with the Council podcast. Join the wider discussion in person at PCI Community meetings in Amsterdam and Bangkok.