The PCI Security Standards Council North America Community Meeting brings together members of the payment industry and provides updates from the PCI SSC, insights on industry trends, and strategies on best practices. LBMC Managers Andy Kerr and Kyle Hinterberg share the top six takeaways from this year’s meeting in Toronto covering topics such as:
- PCI 4.0 Preparation and New Changes
- Quarterly ASV Scan Requirements
- Ways to Participate with the PCI Council
- New PCI Programs & Features
- SAQ Updates
- and more!
Webinar Duration: 17:18
Speakers:
- Andy Kerr, QSA, GSNA, CEH, CISSP – Manager
- Kyle Hinterberg, QSA, CISSP, CISA – Manager
LBMC Managers Andy Kerr and Kyle Hinterberg attended the PCI Security Standards Council North America Community Meeting in Toronto. While not everyone could attend in person, Andy and Kyle are sharing their top six insights for organizations navigating the ever-evolving landscape of PCI compliance.
1. PCI DSS 4.0 is Here — Start Preparing Now
With a March 2025 enforcement deadline, PCI DSS 4.0 brings significant changes. While many organizations are taking a wait-and-see approach, Kyle and Andy emphasized the importance of starting now. Early engagement gives organizations time to evaluate the expanded controls, identify gaps, and avoid a last-minute scramble.
2. Quarterly ASV Scans Are Under the Microscope
One of the most talked-about updates was the increased focus on quarterly ASV scans. The PCI Council emphasized the need for accurate scoping and follow-through on scan failures. Andy highlighted that simply completing scans isn’t enough—there needs to be a process for remediation and rescan, especially for high or critical findings.
3. Get Involved: The PCI Council Wants Your Input
The Council encouraged more participation from assessors, merchants, and service providers. Feedback directly influences future versions of PCI standards. Kyle stressed that contributing to RFCs (Requests for Comments) and joining working groups is a great way to stay informed and shape the direction of compliance standards.
4. New Programs and Features from the PCI Council
Exciting updates include the launch of a new AI working group and updates to the mobile payments program. These initiatives are focused on adapting to new technologies and making compliance more practical across various environments, including cloud and hybrid models.
5. Updates to Self-Assessment Questionnaires (SAQs)
Organizations relying on SAQs will see notable changes. The PCI SSC provided clarifications around SAQ applicability and content updates aligned with PCI DSS 4.0. Andy pointed out that merchants should reassess which SAQ applies and prepare for added responsibilities in their annual self-assessment process.
6. Compliance Is More Than a Checkbox — It’s a Continuous Journey
The overarching theme of the conference was clear: compliance isn’t static. Both Kyle and Andy reinforced that successful PCI programs require ongoing awareness, governance, and executive support. Staying proactive rather than reactive is the best way to align security and compliance goals.

