Harnessing AI to Enhance PCI DSS and Cyber Assurance: Insights from the North America & European PCI Community Meetings

Following my attendance at the 2024 North America (Boston) and European (Barcelona) Payment Card Industry (PCI) Community Meetings, where I had the opportunity to listen to an insightful keynote speech with Tom Koulopoulos, Industry Leading Futurist, Artificial Intelligence Specialist and Dr Bruce McCabe, The Global Futurist, I left with one key action: explore how we can leverage AI to do more with less. This is an ever-pressing need in today's landscape, as most organisations are grappling with increasing complexity in cybersecurity while managing limited resources.

One of my major takeaways from the event was that AI won't replace everyone! Instead, AI will replace the repetitive, often mundane tasks that dominate cybersecurity and compliance processes, freeing up human talent for more strategic, value-driven work. And paradoxically, this may lead to needing more people—not fewer—because AI will enable us to process, analyse, and monitor more data than ever before. As a result, we will be able to scale our efforts, increasing sampling and assuring more, but this also requires skilled oversight to manage these expanded capabilities.


The AI Toolbox: Tools and Methods for PCI DSS and Cyber Assurance

So, how can we use Artificial Intelligence (AI) effectively to transform Payment Card Industry Data Security Standard v4.0.1 (PCI DSS) compliance and cyber assurance programmes? Here are some examples. I believe that AI can be integrated into key processes, while mapping these efforts against PCI DSS, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center for Internet Security (CIS) Critical Security Controls, and the UK Cyber Assurance Framework (CAF).

AI technology offers a range of tools and capabilities that can revolutionise how we manage security, compliance, and risk. These include:

1. AI-Powered Threat Detection and Incident Response

Tools like Splunk, IBM QRadar, or Azure Sentinel use AI to detect anomalies and respond to incidents in real time. These systems can track access to cardholder data and other critical systems, correlating logs across your infrastructure. (NOTE: None of the companies or tools mentioned in my article are sponsors or affiliated with me.)

  • PCI DSS Alignment: Requirement 10 (Track and monitor access to network resources)
  • NIST Framework: Detect (DE), Continuous Monitoring (DE.CM)
  • CIS Controls: Control 6 (Audit Log Management)
  • UK Cyber Assurance Objective: Objective 5 (Continuous monitoring and resilience)

2. Vulnerability Management

AI-enhanced vulnerability scanners like Tenable.io or Qualys automatically prioritise risks based on real-time threat intelligence. These tools streamline the identification of vulnerabilities, ensuring that critical issues are addressed promptly.

  • PCI DSS Alignment: Requirement 6.3 (Identify vulnerabilities)
  • NIST Framework: Identify (ID), Risk Assessment (ID.RA)
  • CIS Controls: Control 3 (Continuous Vulnerability Management)
  • UK Cyber Assurance Objective: Objective 1 (Secure and defendable infrastructure)

3. User Behaviour Analytics (UBA)

Tools like Darktrace and Exabeam use machine learning to monitor normal user behaviour, alerting you when deviations occur that could signal insider threats or compromised accounts.

  • PCI DSS Alignment: Requirement 8.2.1 (Unique ID for computer access)
  • NIST Framework: Detect (DE), Detect Anomalies and Events (DE.AE)
  • CIS Controls: Control 16 (Account Monitoring)
  • UK Cyber Assurance Objective: Objective 3 (Unauthorised access prevention)
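The two monitoring items above (log correlation for Requirement 10 and user behaviour analytics) share one underlying idea: learn what "normal" looks like per user from a trusted window of logs, then score later events by how far they deviate. The following is an added example written for this article; it is not code from the article or from Splunk, Darktrace, Exabeam or any other vendor named here. The log format, host names, the list of in-scope cardholder-data systems and the scoring weights are all assumptions, and the log lines are constructed for the example.

```python
"""Per-user behaviour baselining over authentication log lines (added example).

Learns each user's usual login hours, source hosts and target systems from a
training window, then scores events in a detection window for deviations.
Everything below (format, hosts, weights) is an assumption for illustration.
"""
import re
from collections import defaultdict

# Assumed log format (constructed for this example):
# 2024-11-04T09:12:03Z user=alice src=wks-alice target=crm-app action=login
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}Z)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+target=(?P<target>\S+)\s+action=(?P<action>\S+)$"
)

# Hypothetical systems that store or process cardholder data (in PCI scope).
CDE_SYSTEMS = {"pan-vault-01", "tokenizer-02"}

ALERT_THRESHOLD = 3  # assumed tuning value; scores at or above this raise an alert


def parse(lines):
    """Parse log lines into dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["hour"] = int(ev["hour"])
            events.append(ev)
    return events


class UserBaseline:
    """What 'normal' looks like for one user, learned from the training window."""

    def __init__(self):
        self.hours = set()
        self.srcs = set()
        self.targets = set()

    def observe(self, ev):
        self.hours.add(ev["hour"])
        self.srcs.add(ev["src"])
        self.targets.add(ev["target"])

    def score(self, ev):
        """Return (score, reasons); higher means further from this user's baseline."""
        score, reasons = 0, []
        if ev["src"] not in self.srcs:
            score += 2
            reasons.append("unseen source host")
        if ev["target"] not in self.targets:
            # First-ever access to a cardholder-data system weighs more than
            # touching an ordinary system the user has not used before.
            weight = 3 if ev["target"] in CDE_SYSTEMS else 1
            score += weight
            reasons.append("unseen target" + (" (CDE)" if weight == 3 else ""))
        # Crude working-hours check: allow one hour either side of what was seen.
        if not any(abs(ev["hour"] - h) <= 1 for h in self.hours):
            score += 1
            reasons.append("outside usual hours")
        return score, reasons


def build_baselines(training_lines):
    baselines = defaultdict(UserBaseline)
    for ev in parse(training_lines):
        baselines[ev["user"]].observe(ev)
    return dict(baselines)


def detect(training_lines, window_lines, threshold=ALERT_THRESHOLD):
    """Score each event in the detection window against its user's baseline."""
    baselines = build_baselines(training_lines)
    alerts = []
    for ev in parse(window_lines):
        base = baselines.get(ev["user"])
        if base is None:
            # An account with no history at all is itself worth a look.
            score, reasons = 3, ["no baseline for user"]
            if ev["target"] in CDE_SYSTEMS:
                score += 3
                reasons.append("first access to CDE system")
        else:
            score, reasons = base.score(ev)
        if score >= threshold:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "target": ev["target"],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample data: a quiet training week, then a window containing one
# off-hours login by alice from an unfamiliar host to a vault she has never used.
TRAINING = [
    "2024-11-04T09:12:03Z user=alice src=wks-alice target=crm-app action=login",
    "2024-11-04T14:40:11Z user=alice src=wks-alice target=crm-app action=login",
    "2024-11-05T10:05:27Z user=alice src=wks-alice target=crm-app action=login",
    "2024-11-04T08:30:00Z user=bob src=wks-bob target=pan-vault-01 action=login",
    "2024-11-05T12:15:44Z user=bob src=wks-bob target=pan-vault-01 action=login",
]
WINDOW = [
    "2024-11-11T10:02:19Z user=alice src=wks-alice target=crm-app action=login",
    "2024-11-12T03:17:52Z user=alice src=vpn-gw-7 target=pan-vault-01 action=login",
    "2024-11-12T11:45:09Z user=bob src=wks-bob target=pan-vault-01 action=login",
    "2024-11-12T11:50:00Z user=carol src=wks-carol target=tokenizer-02 action=login",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in detect(TRAINING, WINDOW):
        print(f"ALERT {a['ts']} {a['user']} -> {a['target']} score={a['score']} {a['reasons']}")
```

Run as-is, the script raises two alerts: alice's 03:17 login (unseen host, first access to a CDE system, outside her usual hours) and carol's first-ever event against a CDE system, while bob's routine vault access scores zero. The point of the weights is that the same "new target" signal matters far more for an in-scope system than for an ordinary application, which is exactly the distinction Requirement 10 log review needs to draw; real UBA products replace these hand-set weights with learned models, but the review logic and the emphasis on cardholder-data systems carry over.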

4. Endpoint Detection and Response (EDR)

AI-driven EDR solutions such as CrowdStrike and Carbon Black monitor endpoint activities for malware, ransomware, and zero-day threats, enabling proactive protection and remediation.

  • PCI DSS Alignment: Requirement 5 (Protect against malware)
  • NIST Framework: Protect (PR), Continuous Monitoring (DE.CM)
  • CIS Controls: Control 7 (Malware Defences)
  • UK Cyber Assurance Objective: Objective 4 (Malware protection)

5. Data Loss Prevention (DLP)

AI-based DLP tools like Forcepoint DLP monitor data usage and prevent unauthorised transfers of sensitive cardholder data, ensuring compliance with PCI requirements around data transmission.

  • PCI DSS Alignment: Requirement 4.2 (Protect cardholder data in transit)
  • NIST Framework: Protect (PR), Data Security (PR.DS)
  • CIS Controls: Control 13 (Data Protection)
  • UK Cyber Assurance Objective: Objective 3 (Data confidentiality)

6. Automated Penetration Testing

AI-driven pen-testing platforms like Cobalt or Pentera simulate attacks on your systems, identifying vulnerabilities that could be exploited in real-world scenarios.

  • PCI DSS Alignment: Requirement 11.4 (Regular testing of security systems)
  • NIST Framework: Protect (PR), Security Testing (PR.IP-12)
  • CIS Controls: Control 20 (Penetration Testing)
  • UK Cyber Assurance Objective: Objective 1 (Security resilience testing)

7. Compliance Automation

Governance, Risk, and Compliance (GRC) platforms such as ServiceNow GRC automate the monitoring, reporting, and management of compliance with PCI DSS requirements, making it easier to track and demonstrate compliance over time.

  • PCI DSS Alignment: Requirement 12.8 (Security policies for third-party organisations, employees and contractors)
  • NIST Framework: Governance (ID.GV), Protect (PR.IP)
  • CIS Controls: Control 17 (Security Awareness and Training)
  • UK Cyber Assurance Objective: Objective 2 (Proactive governance and compliance)


Mapping AI Capabilities to Compliance Frameworks

Incorporating AI into your PCI and cyber assurance programme doesn’t just streamline processes; it ensures you're better aligned with the world’s leading cybersecurity frameworks. Here's how:

  • PCI DSS: AI tools help automate and scale efforts to protect cardholder data, whether it's through continuous monitoring (e.g., AI-driven SIEMs), vulnerability management, or regular security testing.
  • NIST Cybersecurity Framework: AI aligns well with NIST’s risk-based approach, supporting key functions like Identify (ID), Protect (PR), Detect (DE), and Respond (RS). AI helps organisations automate risk assessments, protect systems, and detect and respond to incidents in real time.
  • CIS Controls: The Centre for Internet Security emphasises prioritisation of high-impact actions, and AI tools provide exactly that by automating tasks like vulnerability management and incident detection.
  • UK Cyber Assurance Framework: AI technologies align with key objectives around securing infrastructure by design, ensuring data confidentiality, and continuous monitoring to enhance resilience.



Looking Forward: Staying Ahead of the Curve

One thing became clear during the PCI Community Meetings: AI is not a replacement for the security workforce. Instead, it is a tool that will enable us to scale our operations, allowing us to sample more data, monitor more endpoints, and ultimately assure much more. By automating the repetitive tasks, we can empower security professionals to focus on higher-value activities—developing strategies, overseeing critical incidents, and ensuring robust governance frameworks.

It’s also possible that, as AI increases our capacity to manage larger volumes of data and incidents, we’ll need more people to manage the higher volumes of work AI makes possible. This is a forward-thinking approach that allows us to stay ahead of the increasing complexity in cybersecurity and compliance, while maintaining the highest levels of assurance.

The future of PCI and cyber assurance is not just about meeting today’s challenges but anticipating tomorrow’s. By integrating AI into your compliance and security operations, you’ll not only ensure that you’re doing more with less but also that you’re staying one step ahead of evolving threats.

Let’s continue to be proactive, forward-thinking, and agile in the face of change. AI offers us a way to scale our efforts, ensuring that we’re ready for the challenges of the future.


Feel free to connect if you’d like to dive deeper into how AI can help your organisation achieve more with less in the world of cybersecurity and PCI compliance! Let’s stay ahead of the curve together.


#Cybersecurity #AIinSecurity #PCICompliance #CyberAssurance #ComplianceAutomation #RiskManagement #FutureOfWork #DataSecurity #DigitalTransformation #AIandHumanCollaboration

Disclaimer:

The views and opinions expressed in this LinkedIn article are solely my own and do not necessarily reflect the views, opinions, or policies of my current or any previous employer, organisation, or any other entity I may be associated with.


Matt Niven

Captain at Bristow Helicopters Ltd

4 months

So, whilst I know little to nothing about what’s being discussed here, I do see your point, that AI is already a useful tool in the fight against cybercrime and it will only get better. As an end user, does this mean I’ll receive fewer security checks (they’re time consuming and tedious)? Will my data be more secure? And a small point, as the effect of this technology is essentially deflationary, will banks see sufficient cost improvement and therefore be willing to take greater liability when/if it goes wrong?

Reply

AI is a powerful ally in cybersecurity—it’s not about replacing people but empowering them to focus on strategic tasks. The future lies in using technology to enhance both security and compliance.

Andrew Rice

I help CIOs of technology companies to slash AI and cybersecurity risks by up to 90% by implementing robust protocols and strategies.

4 months

Governments have been clamouring for productivity increases. AI helps us achieve this. We need people to learn how to use it to help them do their jobs better. AI will never be perfect. It hallucinates, it gets things wrong, but it's quicker and better than humans at analysing vast amounts of information. Humans and AI working together is the way to go.

This is an excellent compilation of the potential touchpoints for AI-enabled technology in the PCI compliance landscape.