PCI DSS Approaching 20: Reflections from the 2025 PCI Community Meeting

Andrew Barratt

VP, Technology, Coalfire

September 23, 2025

As a member of the Global Executive Assessor Roundtable (GEAR), and now one of the longest-standing QSAs in the world, I had the privilege of joining the PCI community in Fort Worth, Texas, for the 2025 Community Meeting.

This year felt like more than just another gathering. With the PCI Security Standards Council approaching its 20th anniversary in 2026, the event gave us the chance to reflect on how far we’ve come and to look ahead at the future of payment security.

What stood out wasn’t just the history of PCI DSS, but the momentum around new technologies, global collaboration, and, unsurprisingly, the growing role of AI.

20 Years of PCI DSS: A Milestone Worth Reflecting On

PCI DSS has grown into one of the most widely deployed cybersecurity standards in the world. It now supports hundreds of thousands of service providers and likely millions of retailers globally. At its core, the standard has ensured that data security remains central to every payment transaction.

For me, having spent much of my career working with organizations to implement, assess, and mature security programs, it’s been remarkable to watch the PCI ecosystem evolve into one of the most influential cybersecurity frameworks of our time. I still remember my very first v1 DSS assessment in Istanbul, Turkey, working with a regional payment processor. What struck me was how disciplined and organized the client was: they took the process incredibly seriously, but every single piece of evidence was printed, filed, and laid out across 12 large box files on a boardroom table. Today, by contrast, we have GRC platforms, robotic process automation, and even AI-driven tools seamlessly gathering and organizing evidence. The technology has changed dramatically, but the seriousness of that moment, and the Turkish coffee, has stayed with me.

The Evolution of Standards

Over the years, the PCI ecosystem has adapted to keep pace with evolving threats:

  • Point-to-Point Encryption (P2PE) is now well established across face-to-face retail globally, taking cleartext card data out of the merchant environment between the terminal and the decryption point.
  • EMV chip protocols have strengthened card and cardholder authentication at the point of sale, sharply reducing counterfeit-card fraud.
  • The Software Security Framework (SSF), the successor to PA-DSS, is emerging as a key approach to securing payment software, including the e-commerce channel.

These aren’t just technical updates; they represent the Council’s ability to evolve while maintaining trust across a diverse global payment landscape.

The AI Question: Hype vs. Practical Use

One of the hottest topics in Fort Worth was agentic AI.

I lost count of how many times I was asked about AI during the week. From my perspective as someone who has worked with clients managing compliance at scale and served on GEAR, which works closely alongside the Board of Advisors, the conversation often risks getting lost in the hype.

Use cases for AI in cardholder data environments remain limited, but interest is surging in compliance management: streamlining evidence gathering, automating routine tasks, and simplifying large-scale programs.

The key question is whether agentic AI requires new controls, or whether existing standards can be adapted. My view is straightforward: if implemented correctly, treating AI platforms like any other secure application is the right approach. The challenge is really taking the time to understand their capabilities and reach.

The real danger is over-rotating on the hype curve, rather than focusing on the actual touch points where AI agents interact with systems, APIs, users, and data.

Global Collaboration Matters More Than Ever

Another strong theme was collaboration. PCI DSS is increasingly being adopted into law worldwide, embedding itself into regulatory frameworks. That makes international coordination essential.

From the U.S. to Europe, and beyond, payment systems face both shared and unique challenges. The upcoming European Community Meeting in the Netherlands will likely highlight regional differences, such as Europe’s early adoption of EMV and its diverse payment ecosystems, while reinforcing the need for shared standards and approaches.

Looking Ahead: PCI DSS at 20

As PCI DSS enters its 20th year, the focus is clear:

  • Strengthen global collaboration.
  • Adapt standards to new technologies, including AI.
  • Support organizations in scaling compliance programs across regions and industries.

For those of us who have been part of the PCI journey since its early days, it’s a reminder of how far we’ve come and how much further we can go.

Final Thought

The PCI DSS story isn’t just about standards; it’s about community, collaboration, and continuous adaptation. As the hype around AI and other technologies grows, our task is to stay grounded: applying rigorous, proven security principles while embracing the innovations that will define the next 20 years of payment security.

From my perspective, that balance between innovation and discipline is what will keep PCI DSS not just relevant, but vital, in the years ahead.