Building Trust Through Collaboration: Key Takeaways from the 2025 PCI SSC Europe Community Meeting
October 24th, 2025 | By João Ferreirinha | 12 min read
The 2025 PCI Security Standards Council (PCI SSC) Europe Community Meeting in Amsterdam brought together payment security leaders from across the globe for a week that reflected the maturity and the growing complexity of the payments ecosystem, as well as the challenges that lie ahead.
In Amsterdam, a city defined by the bridges that connect its canals, the metaphor felt fitting. The payments ecosystem depends on the same principle: trust built through connection and maintained not once a year, but every day through transparency and collaboration.
This spirit of interconnectedness shaped the event. The presentations made it clear that to build and maintain trust in an increasingly complex digital landscape, the industry must adapt to threats emerging from new fronts. Over the course of the week, three major themes crystallized: the urgent need to secure the client-side attack surface, the dual challenge of governing and leveraging Artificial Intelligence (AI), and the critical importance of preparing for the post-quantum future of cryptography. Let's dive into the top takeaways from the event.
The browser is still the battleground
One of the themes that resonated most with us was the need for merchants to reframe where they focus their defensive efforts. Rather than taking the traditional approach of thinking solely about protecting data in transit or at rest, merchants should think in terms of defending data at the point of input, meaning the instant a user interacts with a web page or checkout form.
During one of the presentations, Verizon’s 2024 Payment Security Report was referenced, painting a clear picture of how merchant websites have evolved into sprawling digital ecosystems. In their analysis of more than 7,000 websites, Verizon found that payment pages alone host tens of thousands of third-party and fourth-party scripts - nearly 52,000 in total - many with direct access to sensitive personal or payment data. That figure has surged by almost 50% in just two years.
This proliferation means each script can become a potential entry point for e-skimming or Magecart-style attacks, and Verizon’s report underscores the need for organisations to authorise, monitor, and keep a proper inventory of every script running on their payment pages.
This drives home the message Jscrambler has been championing for years: protecting consumers begins before their data ever leaves the browser.
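An added example, not part of the original article or of any vendor's product: a minimal Node.js audit that compares the scripts observed on a payment page with an authorised inventory, following the authorise, monitor and inventory practices described above. The URLs, script bodies, field names and issue labels are constructed for illustration.

```javascript
const { createHash } = require("crypto");

// SRI-style digest ("sha384-<base64>") of a script body.
function sriDigest(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// inventory: [{ src, integrity, justification }]   observed: [{ src, body }]
function auditPaymentPageScripts(inventory, observed) {
  const byUrl = new Map(inventory.map((e) => [e.src, e]));
  const seen = new Set();
  const findings = [];
  for (const script of observed) {
    seen.add(script.src);
    const entry = byUrl.get(script.src);
    if (!entry) {                       // running on the page but never authorised
      findings.push({ src: script.src, issue: "unauthorised" });
      continue;
    }
    if (!entry.justification || !entry.justification.trim()) {
      findings.push({ src: script.src, issue: "no-justification" });
    }
    if (sriDigest(script.body) !== entry.integrity) {  // content changed since approval
      findings.push({ src: script.src, issue: "integrity-mismatch" });
    }
  }
  for (const entry of inventory) {      // stale inventory rows also need review
    if (!seen.has(entry.src)) findings.push({ src: entry.src, issue: "not-observed" });
  }
  return findings;
}

// Constructed sample data (hypothetical hosts and script bodies).
const checkoutJs = "document.forms.pay.addEventListener('submit', validate);";
const tagJs = "window.analytics = window.analytics || [];";
const INVENTORY = [
  { src: "https://shop.example/js/checkout.js", integrity: sriDigest(checkoutJs), justification: "First-party form validation" },
  { src: "https://cdn.analytics.example/tag.js", integrity: sriDigest(tagJs), justification: "" },
  { src: "https://cdn.chat.example/widget.js", integrity: sriDigest("initChat();"), justification: "Support chat" },
];
const OBSERVED = [
  { src: "https://shop.example/js/checkout.js", body: checkoutJs + "/* changed */" },
  { src: "https://cdn.analytics.example/tag.js", body: tagJs },
  { src: "https://cdn.unknown.example/loader.js", body: "void 0;" },
];

function runSampleAudit() { return auditPaymentPageScripts(INVENTORY, OBSERVED); }
console.log(runSampleAudit());
```

In practice the observed list would come from a crawl or from in-browser reporting of the live payment page, so that dynamically injected scripts are included.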
AI takes center stage
If there was one topic that dominated virtually every presentation, it was AI. With applications ranging from automating compliance workflows to accelerating risk assessments, AI was presented as both a catalyst and a concern for payment security.
Recognizing the need for merchants to manage their expanding third-party script ecosystem, we at Jscrambler took the opportunity to showcase the latest evolution of our Webpage Integrity (WPI) solution: an AI-assistant designed to bring clarity to the client-side and further help our clients address PCI DSS requirements 6.4.3 and 11.6.1.
By leveraging AI-driven risk analysis, actionable recommendations, an interactive AI chat, and instant justification, clients can make quick, informed authorization decisions for every script running on their payment pages. This new enhancement to the Jscrambler Client-Side Protection Platform takes the guesswork out of script authorizations, significantly accelerating and simplifying the compliance process.
Crucially, in line with the calls for greater AI governance, this module is optional, ensuring the client always retains complete control over the script authorization process.
During the conference, Candice Pressinger, Director of Customer Data Security at Elavon Merchant Services/US Bancorp, outlined how AI is fundamentally changing the fraud landscape. Candice argued that traditional, post-transaction fraud detection is no longer sufficient. Instead, AI-driven pre-authentication fraud screening is becoming essential, and leveraging capabilities such as machine learning, behavioural biometrics, and link analysis is key to identifying high-risk activity in real time.
This proactive approach focuses on stopping bad actors before a fraudulent transaction even takes place, thereby preventing payment data breaches at the gate. It's an empowering shift toward pre-emptive security: a core philosophy we at Jscrambler have been advocating - defense at the client side, before sensitive data ever leaves the user's browser.
At the C-Suite Roundtable, executives from Block, Flywire, and Schwarz Group provided a look at how major merchant players are adapting to AI innovation. “There is the risk of using AI tools,” said Block’s CISO, “but there is also the risk of not using them.” That duality has become the defining challenge for leadership: balancing speed with control, or innovation with accountability.
Flywire’s CISO emphasized the importance of a defensive AI-enabled culture, describing how her teams conduct AI hackathons to explore safe use cases within a controlled environment. Schwarz’s CISO, on the other hand, reminded everyone of the adversarial side of the equation, saying that if we want to get better at using AI to defend ourselves, then “It’s important to understand how attackers are using AI.”
The message was consistent across sessions: AI is reshaping how security is practiced, and organizations are beginning to recognize that defending against AI-enabled attacks requires using AI defensively as well. Nonetheless, security experts warn that the use of AI-enabled tools must be governed by clear policies and robust technical controls.
Quantum and the future of cryptography
While AI dominated much of the conversation, quantum computing and cryptography surfaced as a second-order thread, with clear implications for the next decade of payments security.
The rapid advancement of quantum capabilities shows that today’s public key cryptography may no longer be sufficient to protect payment ecosystems. The Federal Reserve Bank of Atlanta warns that quantum computers may render current encryption methods obsolete, and many real-time payment systems still rely on RSA or ECC algorithms, which are vulnerable to future quantum attacks.
One of the proposed paths forward is hybrid quantum-safe cryptography, which uses both a standard classical algorithm (such as RSA or ECC) and a quantum-resistant algorithm simultaneously. This can ease the cryptographic transition without sacrificing resilience. Kalpana Singh, Cryptography Expert at Worldline, argued that a hybrid quantum-safe cryptography approach is an investment in future operational stability.
Another interesting perspective on quantum computing and cryptography came from Susan Langford (PhD), Senior Cryptographer at Utimaco. Langford offered a nuanced take: “Quantum won’t really impact key management, but that’s still where most attacks happen.” Her point underscored a broader truth that extends beyond cryptography: the real vulnerabilities in our systems often come not from the technology we build, but from the people and processes that manage it. This is an adage most security experts can relate to.
Lessons from Formula 1
Few talks captured the audience’s attention quite like that of Bernie Collins, a former Formula 1 strategy engineer. Drawing on her experience at the track, she unpacked how this data-driven motorsport mirrors the high-stakes decision-making security teams face every day under extreme pressure.
“Plan A rarely happens,” Collins said. “There are too many variables.” Her point resonated with anyone who has ever managed a live incident or product rollout. She went on to say that race strategists succeed by interpreting real-time signals, trusting their experts, and adapting quickly when conditions shift - skills that every security leader should master as well.
Another obvious parallel drawn between F1 and security was data. In F1, hundreds of telemetry inputs are analysed continuously to fine-tune decisions on car setup, pit stops, and race pace. In cybersecurity and payments, it’s infrastructure telemetry and transaction data that tell the story. The teams that win are those that brief before and debrief after every race, not only when something goes sideways.
As Collins put it, “The only thing you learn while you’re winning is how to smile.” In the context of payment security, it’s a reminder that long-lasting resilience is built in reflection. This means analyzing what worked, identifying the gaps, and determining how to improve before the next race.
Call-to-action: Unity
In her keynote, PCI SSC Executive Director Gina Gobeyn captured the spirit of the week with a simple truth: Amsterdam’s canals and bridges are more than landmarks; they’re symbols of connection. The payments industry, she argued, must build its own bridges of trust through shared purpose and collaboration.
“Eendracht maakt macht,” she said, invoking the Dutch motto meaning “unity makes strength.”
The message struck a chord. The payments ecosystem has never been more connected, or more dependent on that connection for its resilience. This interdependence comes with risks: making sure AI systems are governed responsibly, managing increasingly complex and intertwined digital supply chains, and preparing for the challenges of the quantum era - no player can face these alone.
The next phase of PCI’s evolution will rely as much on collaboration as it does on technology.
Looking ahead
The 2025 PCI SSC Europe Community Meeting echoed a message being promoted by several eminent voices in the payments channel: security and compliance are merging into a single, continuous discipline, where one cannot be without the other. Throughout the event, three dominant themes emerged:
Client-side attack surfaces are a big part of merchants’ concerns and require more visibility and control
AI calls for new governance models, not just more capabilities
Cryptography’s future is already here, and the industry needs to adapt in order to be ready
For merchants and service providers, the message is clear: stay observant and collaborate with the payments industry. That means constant monitoring of what’s happening in the browser and across payment flows, shared accountability across suppliers and third parties, and investment in forward-looking controls.
After all, this is an industry that moves fast, and you can’t build trust by being proactive once a year during audit season. Instead, trust is built by securing every moment data changes hands.