Payment card security was born out of crisis. In the late 1980s and 90s, a $750M fraud wave pushed major card brands, from Visa to Mastercard, to act fast. The result was the Payment Card Industry Data Security Standard (PCI DSS)—the first unified baseline to protect cardholder data.
And since then, PCI DSS has done exactly what it was meant to do. From v1.0 to today’s v4.x, it has replaced fragmented security requirements with a global standard, helping to secure millions of payment environments and restoring trust in digital transactions.
This year’s PCI Community Meeting marks nearly two decades of tremendous progress (since the PCI Security Standards Council’s establishment) worth celebrating, but the threat landscape and cyber risk exposure facing merchants is rapidly expanding. How do we continue to defend merchants when the rules of payment security are being rewritten in real time?
Consumers are tapping their phones at checkout, authenticating payments with faces, and soon carrying numberless cards. That’s great for convenience, but it also creates new challenges. What protects the merchant when attackers no longer need a card number—the key asset PCI DSS protects—to cause damage?
Compliance Builds the Base, But Resilience Demands More
PCI DSS was designed to safeguard credit card data, not every aspect of a business. And today, attackers exploit more than just primary account numbers (PANs). They hijack employee accounts, probe vendor access, compromise devices, and use ransomware to shut down operations. And as payment rails expand rapidly beyond PAN-based payments, the risk to businesses and their customers is expanding just as rapidly.
Small and medium-sized businesses are especially vulnerable. 74% self-manage cybersecurity or rely on untrained helpers. Nearly a quarter (23%) use weak passwords, or don’t have security measures in place for internet-connected devices (22%). When incidents hit, the impact is severe: 55% say they’d suffer downtime, 36% would lose customers, and 22% would lose sales.
At the same time, cybercriminals are moving faster. 81% now use AI tools to sharpen their attacks [1], and over half (53%) of cybersecurity leaders admit AI has opened new attack points they’re unprepared to defend against.
PCI compliance reduces exposure on one key front and remains non-negotiable. But on its own, it won’t stop these other evolving payment security risks. That’s why merchants need to evolve their approaches to include risk-directed security.
Bridging Compliance and Cyber Defense
As payment methods evolve and attacks accelerate, PCI compliance remains essential—but it can’t be the ceiling. That’s where Mastercard’s Compliance and Validation Exemption Program (C-VEP) comes in.
C-VEP was designed specifically for small and mid-sized businesses, which are often the most exposed, yet the least resourced. Instead of requiring SMBs to focus only on validation paperwork, C-VEP shifts the emphasis to practical defenses against today’s top threats: malware, credential theft, online fraud, and business impersonation.
By participating in C-VEP, merchants gain:
- Built-in Security Tools that are easy to use and don’t require dedicated technical staff.
- Continuous Risk Scoring that highlights vulnerabilities before they become incidents.
- Targeted Threat Reduction that closes gaps quickly when risks are identified.
The value isn’t just fewer compliance tasks—it’s that C-VEP delivers on PCI DSS’s original intent: protecting merchants and consumers by making strong security achievable for every business.
As the only Mastercard Preferred C-VEP provider, VikingCloud helps acquirers and processors bring this program to their portfolios—turning compliance obligations into a path toward resilience.
A Shift Toward Risk-Directed Security
PCI DSS v4.0 made compliance smarter and more flexible, but update cycles will never move as quickly as modern threats. Risk-directed security fills that gap.
It builds on PCI standards by prioritizing defenses based on three factors:
- Likelihood of exploitation.
- Level of exposure.
- Potential business impact.
Instead of once-a-year, manual compliance reporting on past audits, risk-directed security, like C-VEP, delivers automated, active, real-time monitoring. No internal technical expertise is required. The result: continuous visibility into your entire threat surface, inside and out. It adapts to your business model, your sites, and your technology to equip you with the tools to mitigate evolving threats, without impacting operations. In practice, that means it:
- Acknowledges the gap between baseline compliance and active threat defense.
- Assesses risks continuously—monthly, not annually.
- Expands your view beyond PCI’s scope to include people, partners, and platforms (e.g. social media, credentials, etc.).
- Prioritizes remediation by impact, not ease of completion.
- Closes security gaps, maintaining an ongoing cycle of gap remediation as new vulnerabilities surface.
The result is a living defense program—constantly adjusting as new threats emerge.
Preparing for the Next Era of Payment Protection
The PCI Community Meeting honors the PCI DSS’s legacy and impact while preparing for the future. PCI compliance will continue to be a cornerstone of payment security, but as payment methods evolve and AI-driven threats grow, merchants need to go further.
That’s where the next era begins:
- Risk-directed security gives organizations continuous visibility and adaptive defenses that move at the speed of modern threats.
- C-VEP, designed by Mastercard and built by VikingCloud, ensures that SMBs—the most targeted and resource-constrained—can defend against real-world risks while meeting PCI obligations in a more practical way.
Together, these approaches strengthen PCI’s foundation, ensuring merchants can protect not just cardholder data, but also the people, systems, and operations their businesses depend on.
VikingCloud is proud to help lead this shift—equipping merchants with tailored risk profiles, continuous monitoring, and programs like C-VEP that turn compliance into true resilience.
Because compliance is the foundation, but resilience is the goal.
We’ll be diving into this topic more at the PCI Community Meeting in Fort Worth, Texas, on September 18 from 9:05 a.m. to 9:25 a.m. CT in Exhibit Hall A. You can also visit us at booths #24 and #25.
[1] The State of AI-Powered Cybercrime: Threat & Mitigation Report 2025, GIREM and Tekion, June 25, 2025. Available via media coverage at: https://mediabrief.com/girem-and-tekion-unveil-2025-report-highlighting-22812-crore-losses.