TechTarget and Informa Tech’s Digital Business Combine. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise NEWSLETTER SIGN-UP Cybersecurity Topics World The Edge DR Technology Events Resources CYBER RISK Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know. PCI Council Says Threats to Payments Systems Are Speeding Up The PCI Security Standards Council experienced a record year in many regards, but its first annual report shows it needs to work even faster to stay ahead of attackers. Arielle Waldman,Features Writer, Dark Reading February 25, 2026 4 Min Read SOURCE: TONY TALLEC VIA ALAMY STOCK PHOTO A new report on the payment card industry (PCI) reflects an increased dependency on global coordination to address threats that are growing more sophisticated, and expanding the remit for the trade group itself. The PCI Security Standards Council (SSC) 2025 annual report highlighted training, education, collaboration, and outreach initiatives conducted throughout the year to advance payment security worldwide for merchants, retailers, and vendors. It is the first time the group has published a report since its founding in 2006. Boosting transparency around the council's purpose and direction warranted the report, reveals Gina Gobeyn, executive director of the PCI Security Standards Council. As the report notes, the pace of change in payments is speeding up, and so are the threats. "We wanted to tell the story of why we exist, what we’re focused on, and how we work with the global payments ecosystem to advance payment security," Gobeyn says. The council works to secure mobile, data, device, software, and card products for a variety of sectors by continually updating standards and compliance requirements. To that end, it offers programs to "train, test, and qualify organizations" against those standards. Related:Dark Patterns Undermine Security, One Click at a Time With financial profits in mind, threat actors are going right to the source – physical or digital payment cards, or the processing systems. Attacks target point-of-sale systems, utilize payment card-skimming campaigns and "jackpotting," as well as credential theft to gain access to sensitive databases. Recent victims range from high-end retailers to professional football fans. 'This Move Reflects a Deeper Transformation' The report notes global collaboration is delivering initiatives to safeguard payments worldwide. Some data remained consistent with the previous year, like the number of new training participants, while others marked milestones. The 2025-2027 board of advisors grew to include 64 member organizations, multiple training sessions were held in Dubai for the first time in nine years, and the council launched an India-South Asia board. The inaugural PCI SSC report is far more significant than it might first appear, reveals Gary Penolver, Quod Orbis CTO and co-founder. The council formally documented its yearly progress, strategic priorities, and global impact in a single transparent report, he adds. He views it as a sign of "maturity," bringing PCI SSC into line with other major regulatory and standards bodies. "For the payment card industry, this move reflects a deeper transformation," he says. "Payments have shifted from being a niche technical compliance issue to a core, board-level business and security concern across global organisations." Related:Consumers Reluctant to Shop at Stores That Don't Take Security Seriously What Does the PCI Landscape Look Like? While complying with new PCI standards proves challenging for many organizations, the payment card industry remains a big target. Earlier this month, payment processing vendor BridgePay Network Solutions disclosed it suffered a ransomware attack that led to prolonged disruptions. PCI SSC's 2025 annual report reinforced that the payment security industry is at a pivotal moment, says Gobeyn, noting how the challenges and opportunities are tightly connected. Pace and scale are at the heart of the challenge, because payments continue to evolve rapidly, she adds, describing the PCI as an "increasingly complex ecosystem" as new players and technologies emerge. "That complexity can introduce real risk," she says. "We see the potential for fragmentation – different approaches, uneven adoption, and of course the potential for growing gaps between innovation and security." 'Vulnerabilities Travel Fast' Fragmentation caused by an interconnected payment ecosystem is also a concern for Penolver. The issue creates exposure, therefore, organizations should benchmark their internal controls against global guidance, he recommends. Participation in industry forums and feedback cycles can address fragmentation challenges, he adds. Related:Europe's GCVE Raises Concerns Over Fragmentation in Vulnerability Databases "There is a growing imperative to look beyond local initiatives to align with global best practice," he tells Dark Reading. "Payment ecosystems differ by market, but vulnerabilities travel fast." Pertinently, he adds that threat actors operate without regard for borders, but payment infrastructures are deeply interconnected across issuing banks, merchants, service providers, and technology vendors. Internationally coordinated defensive strategies can help reduce fragmentation and enable organizations to adopt best practices more effectively, advises Penolver. Global Coordination Proves Increasingly Difficult Threats are becoming more sophisticated; technologies like artificial intelligence are powerful enablers for innovations that can also be leveraged for malicious intent, warns Gobeyn. Organizations can use AI and automation in fraud detection, but they must embrace technological change responsibly, adds Penolver. That means implementing robust governance and data protection controls to reduce risk and not shift it. Because threats and the payment ecosystem extend globally, coordination, while essential, can become more difficult, says Gobeyn. Global collaboration is a focal point of the inaugural report and the council's mission moving forward, but it must evolve in order to accomplish these goals. Factors include developing a more structured product delivery model and engaging stakeholders earlier and more often, says Gobeyn. "We are working to remove waste from our processes, better understand the impact of change, scale our delivery, and quite frankly, get it right faster," she says. About the Author Arielle Waldman Features Writer, Dark Reading Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection. More Insights Industry Reports ThreatLabz 2025 Ransomware Report The Total Economic Impact™ Of Zscaler Private Access (ZPA) Zscaler ThreatLabz 2025 VPN Risk Report GigaOm Radar for CNAPP The Total Economic Impact™ of Google SecOps Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like CYBER RISK Industrial System Cyberattacks Surge as OT Stays Vulnerable by Robert Lemos, Contributing Writer FEB 25, 2025 CYBER RISK Zambia's Updated Cyber Laws Prompt Surveillance Warnings by Robert Lemos, Contributing Writer APR 23, 2025 CYBER RISK Even Resilient Organizations Can Be Blind to AI Threats by Arielle Waldman MAY 01, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Edge Picks APPLICATION SECURITY AI Agents in Browsers Light on Cybersecurity, Bypass Controls CYBER RISK Browser Extensions Pose Heightened, but Manageable, Security Risks CYBERSECURITY OPERATIONS Video Convos: Agentic AI, Apple, EV Chargers; Cybersecurity Peril Abounds ENDPOINT SECURITY Extension Poisoning Campaign Highlights Gaps in Browser Security Latest Articles in The Edge CYBER RISK PCI Council Says Threats to Payments Systems Are Speeding Up FEB 25, 2026 IOT Connected & Compromised: When IoT Devices Turn Into Threats FEB 19, 2026 CYBER RISK A CISO's Playbook for Defending Data Assets Against AI Scraping FEB 18, 2026 CYBERSECURITY OPERATIONS How to Stay on Top of Future Threats With a Cutting-Edge SOC FEB 11, 2026 Read More The Edge Discover More Black Hat Omdia Working With Us About Us Advertise Reprints Join Us NEWSLETTER SIGN-UP Follow Us Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466. Home| Cookie Policy| Privacy| Terms of Use