February 2025 - A Wise Man Will Make More Opportunities Than He Finds


Francis Bacon, the renowned English philosopher, statesman, scientist, and author, once said:

"A wise man will make more opportunities than he finds."

This suggests that wisdom isn’t just about accumulating knowledge with age but about learning to navigate and shape life more effectively – essentially, adapting. So the question is, do we truly become wiser, or do we simply get better at playing the game?

That question has been on my mind lately - not just in relation to work and technology, but personally.

You see, I’m writing this article using as much technology as possible, following a shoulder operation that currently leaves me only able to type with one finger on my left hand (not that I've had the other 3 fingers and the thumb removed, just more that I'm that bad). Now that I'm off the strong painkillers and can finally string a few sentences together, I thought I'd make good use of my current situation.

For those interested in the backstory, it goes back to a mountain biking accident in 2021, the moment I realised (rather painfully) that I don’t bounce quite like I used to. That day, I dislocated my shoulder, and ever since, I’ve had ongoing issues. Last week, I finally had an operation to fix it: something called an Open Stabilisation (Latarjet Procedure). Hopefully, this procedure will stop the ongoing dislocations.

For now, if you see me at an event, please try not to rip my arm off when shaking my hand!

If I think back to that day in 2021, would I do anything differently? Probably. Maybe follow my mate who has done the trail a few more times than me instead of launching off first into the trail. Would it have slowed me down and prevented the fall? Maybe. So what will I do differently next time? Hopefully, later this year, I’ll avoid the black route and take the red one instead. I’ll focus on improving my skills, and if I do come off the bike again, I’ll remember to duck and roll – rather than crash straight into the ground.

(Please don’t tell my wife. If she had her way, I wouldn’t be getting back on a bike at all!)

So How Does This Relate to This Month’s Topic?

Well, I’ve had a bit of time to think while off work, and it’s got me reflecting on the use of technology and the changes ahead, particularly automation, AI, and specifically Agentic AI. Just as I’ve had to rethink how I ride my bike and adapt my approach, in the workplace, we’re facing a rapidly evolving landscape.

We need to become more efficient and improve how we protect our companies, our employees, and the data we process on behalf of customers. These challenges are developing fast, and like that mountain bike trail, if we’re not careful, we could hit obstacles we weren’t expecting.

If wisdom truly comes with age, then maybe it’s not just about learning from past mistakes but adapting to new challenges with a fresh perspective. Just like I’ll be taking a different approach on the trails, we need to rethink how we navigate the evolving landscape of technology and security. The key isn’t just avoiding the falls, it’s learning how to get back up, adjust, and move forward smarter. So, as we explore the road ahead, the real question is: how will we use our experiences to shape the future, rather than just reacting to it?


Topic 1: The Power of Shared Wisdom

Sharing knowledge and experiences with others doesn’t just help them learn; it can open up opportunities you never expected. This ties directly to Francis Bacon’s quote about making more opportunities than you find; wisdom isn’t just about what we know but how we use it to guide and support others. By engaging in meaningful discussions, sharing lessons learned, and collaborating with peers, we not only help others navigate challenges but often uncover new insights and opportunities for ourselves along the way.

Action - Join the PCI & Payment Security Merchant Group – A Collaborative Global Community for Merchants

At the end of 2024, the UK Merchant Payments Compliance Working Group transitioned to Vendorcom, ensuring a more structured and sustainable future for merchant collaboration. The relaunch of the PCI & Payment Security Merchant User Group was marked by a highly successful meeting in December, hosted by me at the BT Group offices in Birmingham. With an ambitious 2025 programme featuring virtual and face-to-face meetings, as well as an online collaboration portal, this group is dedicated to helping merchants navigate the complex and ever-changing landscape of PCI and payment security compliance.

Joining this merchant-only peer group provides an invaluable opportunity to stay ahead of evolving security threats, compliance changes, and payment innovations. As PCI DSS requirements continue to develop and cyber threats grow in sophistication, having a trusted forum to exchange ideas, share experiences, and engage with industry leaders is more critical than ever. This group offers a unique space for merchants to access practical insights, expert guidance, and direct engagement with key stakeholders, including acquirers and the PCI Security Standards Council.

Our first session for 2025 will be a virtual meeting on Tuesday, 25th February, from 14:00 – 17:00 GMT, facilitated by Paul Rodgers. At December’s meeting, merchants expressed a strong interest in hearing directly from Acquirers, making this the focal point of our next discussion. The session will also include merchant-only discussions and a regular update from Jeremy King at the PCI Security Standards Council. Participation in the User Group is free for merchants, and companies are welcome to have multiple representatives, so feel free to share this invitation with colleagues involved in PCI & payment security.

We look forward to your participation in shaping the future of merchant payment security. This isn’t just a UK Merchant Forum—it’s open to merchants globally. A diverse, international perspective is crucial, and I’ll be reaching out to my contacts to encourage wider participation. We need a global viewpoint to tackle the challenges ahead, and I’ll be feeding back merchant needs and priorities to the PCI Council, Acquirers, and technology partners. If you’re interested in joining, or want more details, please reach out—we’d love to have you involved!

To find out more, register HERE or scan the QR Code in the banner image above.


Topic 2: The Updated PCI DSS SAQ A – Industry Challenges and the Need for Clarity

We continue the theme of sharing knowledge and collaborating effectively as we dive into this next topic.

A lot has happened in the last few weeks following the update to SAQ A, particularly the removal of requirements 6.4.3, 11.6.1, and 12.3.1, alongside the introduction of new eligibility criteria. It’s been a while since an SAQ update has caused this much noise. While it’s great to see the community come together, one thing is clear: we urgently need guidance and industry consensus on what needs to be considered.

Over the past few weeks, I’ve engaged in webinars, working groups, and open discussion forums, where the general sentiment has been that this change was rushed through without sufficient industry consultation. Worse still, no detailed guidance was released alongside it, leaving merchants, QSAs, and acquirers struggling to interpret what this actually means in practice.

"Knowledge itself is power." – Francis Bacon

With the knowledge and feedback from the industry, I can’t help but wonder: Could we have introduced the new SAQ A in a way that was clearer, more structured, and ultimately smoother for all stakeholders? The rapid rollout of these changes has sparked widespread confusion, and with hindsight, we can see that a more collaborative, consultative approach could have prevented much of the uncertainty we now face. By leveraging collective industry expertise, engaging with key stakeholders earlier, and ensuring clear, practical guidance was available from day one, this transition could have been far less disruptive. The question now is: How do we use this knowledge to course-correct and ensure a more effective path forward?

So, rather than repeating what others have already done by summarising the changes, I want to focus on what I believe are the real concerns and what needs to be done about them. I'll break this down into the key areas that, in my view, must be addressed for the community to move forward effectively:

1. Terminology Confusion: “Susceptible” vs. “Vulnerable”

The introduction of the term “susceptible” in the updated SAQ A eligibility criteria has sparked considerable debate due to its lack of a formal definition within PCI DSS. The lack of clarity around what “susceptible” means, particularly in contrast to “vulnerable”, has led to varying interpretations by merchants, QSAs, ISAs, and acquirers. Does it imply any potential risk, or does it specifically refer to realistic exposure? Without an industry-wide threshold for assessment, businesses face inconsistent interpretations that could lead to unnecessary security burdens or gaps in compliance.

Action:

- Provide an official definition of "susceptible" in PCI DSS guidance.

- Clarify how it differs from “vulnerable.”

- Offer concrete examples to avoid subjective assessments by QSAs and merchants.

2. Ambiguous Eligibility Wording (TPSP vs. Merchant Site)

The new SAQ A eligibility criteria introduce unclear language regarding the responsibility of merchants versus Third-Party Service Providers (TPSPs). The SAQ specifies that merchants must ensure their payment page is delivered by a PCI DSS-compliant TPSP, a well-understood requirement. However, the SAQ also states that the merchant must confirm their site is not susceptible to attack, which raises confusion. Does this refer to the merchant’s own website, or does it continue referencing the TPSP’s site? The lack of explicit wording creates uncertainty, leaving merchants and QSAs unsure about who is responsible for ensuring security.

Action:

- Clarify the scope by explicitly stating "merchant site" where necessary.

- Ensure that merchants clearly understand their responsibilities vs. the TPSP’s.

3. Uncertainty in Scope: Entire Site vs. Payment Page

Historically, SAQ A focused on ensuring the payment page, often embedded via iFrame or redirect, was protected. However, the revised eligibility criteria now require merchants to confirm their entire “site” is not susceptible to attack, raising concerns that the scope has expanded dramatically. What exactly constitutes a “site” under PCI DSS? Does this mean the entire e-commerce platform, including marketing pages, blogs, and other non-payment-related elements? The industry urgently needs clarification, especially for merchants using Single Page Applications (SPAs), where content dynamically loads across multiple sections. Without clear definitions, QSAs and merchants are left guessing about where compliance responsibilities begin and end.

Action:

- Confirm whether SAQ A merchants must evaluate their full website or only payment pages.

- Provide specific guidance for merchants using SPAs.

- Clarify if previous compliance with 6.4.3 and 11.6.1 is sufficient.

4. Small Merchants at Risk of False Attestations

The updated SAQ A criteria place a new and potentially unrealistic burden on small merchants, particularly Level 3 and Level 4 merchants, who often lack the security expertise or resources to assess the susceptibility of their own websites. Many of these businesses assume their Payment Service Provider (PSP) handles compliance, leading to the risk of false attestations. Furthermore, acquirers and payment processors, who oversee thousands of merchants, are not equipped to handle an influx of support requests from small businesses trying to interpret complex security obligations. If PCI SSC does not provide clear and accessible guidance, these changes could create more uncertainty and unintentional non-compliance across the industry.

Action:

- Clarify if SAQ A merchants are impacted by these changes.

- Define the role of PSPs in assisting merchants.

- Provide practical compliance guidance for small businesses to avoid confusion.

5. Impact on Third-Party Scripts & Service Providers

Modern e-commerce websites rely heavily on third-party scripts for functions like fraud detection, analytics, customer tracking, and chatbot services. However, the new requirement raises critical concerns: If any third, fourth, fifth, or sixth-party script is compromised, does that mean the entire site is now considered susceptible to attack? This question is especially significant for large enterprises that use dozens, if not hundreds, of third-party services; for example, a large e-commerce retailer may have 128 third-party scripts running. Additionally, does this mean all script providers are now in scope for PCI DSS 12.8.x? If so, how should merchants engage script providers to ensure compliance, and will they be required to obtain contractual guarantees about security? These unanswered questions present significant operational and legal challenges for merchants and service providers alike.

Action:

- Define whether third, fourth, fifth, or sixth-party scripts fall under PCI DSS 12.8.x.

- Clarify whether merchants must monitor every script used on their site.

- Provide guidance on contractual security obligations for third-party scripts.

6. Unclear Evidence for Proving “Non-Susceptibility”

One of the most urgent concerns arising from the SAQ A changes is the lack of clarity on how merchants can prove their site is “not susceptible” to attack. Currently, QSAs, acquiring banks, and security professionals are left debating what evidence should be considered sufficient. Should merchants be required to conduct penetration testing? Will automated script monitoring tools be enough? Would implementing security controls like Content Security Policy (CSP), Subresource Integrity (SRI), or Web Application Firewalls (WAFs) satisfy this requirement? More critically, for small merchants, who will validate these controls, can they self-attest, or must a QSA independently verify compliance? Without concrete guidance, the industry is facing major inconsistencies in assessments, with some organisations imposing excessive security measures while others do the bare minimum.

Action:

- Define acceptable security controls (penetration tests, CSP, SRI, etc.).

- Clarify whether merchants can self-attest or require QSA verification.

- Provide guidance on frequency and scope of security testing.
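To make the third-party script and “non-susceptibility” questions above concrete, here is an added example (not from the article, and not an official PCI SSC method) of the kind of evidence a merchant could produce: a check of the scripts on a payment page against an authorised inventory of URLs and SRI hashes, in the spirit of 6.4.3 (authorisation and integrity) and 11.6.1 (detecting unexpected change), plus a CSP script-src directive derived from that inventory. The script URLs, script bodies and sample checkout page are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample: bodies of the two scripts the merchant has authorised; in
# practice the hash is recorded when a script version is approved (6.4.3).
AUTHORISED_BODIES = {
    "https://psp.example/checkout.js": b"window.PSP = {mount: function () {}};",
    "https://analytics.example/tag.js": b"console.log('tag');",
}

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """SRI integrity value ('sha384-<base64 digest>') for a script body."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script> tag on a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))

def audit_payment_page(html: str, inventory: dict) -> dict:
    """Compare page scripts with the authorised inventory (URL -> SRI hash); cf. 6.4.3/11.6.1."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = {"unauthorised": [], "unpinned": [], "mismatch": [], "inline": 0}
    for src, integrity in collector.scripts:
        if src is None:                    # inline script: SRI cannot pin it
            findings["inline"] += 1
        elif src not in inventory:         # script nobody approved
            findings["unauthorised"].append(src)
        elif integrity is None:            # approved, but the browser will not verify it
            findings["unpinned"].append(src)
        elif integrity != inventory[src]:  # approved URL now serves different content
            findings["mismatch"].append(src)
    return findings

def csp_script_src(inventory: dict) -> str:
    """Content-Security-Policy script-src directive allowing only inventory origins."""
    origins = sorted({f"{u.scheme}://{u.netloc}" for u in map(urlsplit, inventory)})
    return "script-src 'self' " + " ".join(origins)

# Constructed checkout page: PSP script pinned correctly, analytics tag whose
# hash no longer matches, an unapproved chat widget, and one inline script.
INVENTORY = {url: sri_hash(body) for url, body in AUTHORISED_BODIES.items()}
SAMPLE_PAGE = f"""<html><body>
<script src="https://psp.example/checkout.js" integrity="{INVENTORY['https://psp.example/checkout.js']}"></script>
<script src="https://analytics.example/tag.js" integrity="sha384-AAAA"></script>
<script src="https://chat.example/widget.js"></script>
<script>window.dataLayer = [];</script></body></html>"""
```

Running `audit_payment_page(SAMPLE_PAGE, INVENTORY)` reports the chat widget as unauthorised, the analytics tag as a hash mismatch and one inline script that SRI cannot cover; such a report, kept per payment page and re-run on a schedule, is one tangible form the "evidence of non-susceptibility" debate could settle on.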

The current level of uncertainty is unworkable; it is unfair to enforce compliance without clear instructions. I urge the prioritisation of official guidance, and until such time, I would request that the relevant parties consider delaying adoption of the new SAQ A Template until these issues are fully resolved.

Key Urgent Requirements:

- Define "susceptible" vs. "vulnerable" with concrete examples.

- Confirm whether the entire site is in scope or just payment-related pages.

- Clarify if 6.4.3 and 11.6.1 compliance satisfies this requirement.

- Provide guidance for SAQ A merchants.

- Define acceptable security controls for proving non-susceptibility.

- Address third-party scripts and provider responsibilities.

- Release official guidance before enforcement begins.

- Ensure clear assessor guidance to prevent inconsistencies.

- Update FAQ 1331 to prevent widespread confusion.

Do you think my summary covers everything, or is there anything I’ve missed? Also, what are your thoughts on Susceptible and Site?


Having used various tech tools to write this month’s article, will I continue using them? Probably - this process has definitely made my life easier.

On that note, I want to share how this article came together. Instead of writing it the traditional way, I took a different approach: recording my thoughts as speech, transcribing them, and then using AI tools to refine, format, and check the language. It's been truly transformative. The whole process was much faster than I expected, and the final result feels just as strong, if not better, than if I had written it manually. This is definitely a method I’ll be using more often!

So, now over to you, if you're a merchant, make sure you REGISTER for the event on 25th Feb 2025 to be part of this ongoing discussion. And whether you’re a merchant, QSA, or just interested in compliance, I’d love to hear your thoughts on the SAQ A changes - drop them in the comments below!


#WisdomInAction #AdaptAndThrive #AIandAutomation #PCICompliance #CyberSecurity #PaymentSecurity #MerchantCollaboration #TechForGood #FutureOfPayments #LearningFromExperience

Disclaimer:

The views and opinions expressed in this LinkedIn article are solely my own and do not necessarily reflect the views, opinions, or policies of my current or any previous employer, organisation, or any other entity I may be associated with.

Peggy Nolan

Making Continuous PCI DSS Compliance Affordable, Actionable, & Achievable | PCI-P | CISA | Former PCI ISA | International speaker

2 weeks

I appreciate how you lay out what’s needed from the council.

Alessandro Amalfitano

Practice Manager - Payments Compliance - PCI QSA | SSF SSA & SSLC | CISA | CDPSE | ISO 27001 LI | CASE Java

2 weeks

Hi Simon Turner, thank you for sharing this article. Regarding the thought on SAQ A, let’s say the discussion would be quite lengthy—it’s not a simple topic. There are plenty of articles on the subject, but they’re all interpretations of something unclear. The problem lies at the root. Here’s my point of view: Before making any decisions or evaluations, we need to wait for clarifications and a FAQ from the Council. It’s evident that the way this change was made and published is not correct and cannot remain as it is, as it would have a destructive impact. Just think of those who would have to switch from SAQ A to SAQ A-EP and implement controls for more than 100 additional requirements by April 1, 2025. That makes no sense. So, let’s wait a little—the wait won’t be long.

Reply
Simon Turner

Experienced Governance, Risk, and Compliance Executive in the IT/Telecommunications industry

2 weeks

The call to action here is to please share the link with as many merchants as you can and let's make this a success. https://bit.ly/3COfC6e

Reply
Denis Galkin

Risk Assessment Expert | HIPAA | CISO | MSc, CISSP, CRISC, CISM, ISO27001 Lead Auditor

2 weeks

Nice owl )
