PCA Cyber Security Is Now a PCI SSC Associate Participating Organization (APO)

PCA Cyber Security has joined the PCI Security Standards Council as an Associate Participating Organization (APO).

Organizations partner with PCA Cyber Security, a PCI SSC Associate Participating Organization (APO), for payment device penetration testing services including end-to-end lifecycle protection through pre-compliance and post-launch penetration testing, continuous vulnerability monitoring, and product-focused threat intelligence.

PCA Cyber Security will now bring over six years of experience providing PCI DSS 4.0.1-compliant penetration testing to help shape the security standards that govern how payment data is protected across devices, terminals, and connected infrastructure worldwide.

Offering Best-In-Class Payment Device Penetration Testing

Today, payment functionality is embedded into fuel pumps, EV chargers, smart retail kiosks, ATMs, and a growing range of connected devices. Each one introduces hardware interfaces, firmware, supply chain dependencies, and remote management channels that attackers can target.

PCI PTS POI v7.0, published in 2025, is a reflection of just how much payments technology has changed. It brings new compliance requirements for biometric interfaces, third-party app isolation on terminals, and stronger cryptography across device security functions.

For standards like those overseen by PCI to keep evolving in line with threats, they need to be developed and informed by people like the team at PCA Cyber Security, who conduct and analyze real attacks on covered devices every day.

Since 2019, PCA Cyber Security’s team has been testing PTS devices including payment terminals, PIN pads, and self-service devices. PCA Cyber Security has also tested devices that process payments, such as fuel pump terminals, EV charging payment systems, and more.

In many of PCA Cyber Security’s assessments, which are supported by real threat intelligence, they see new and sometimes surprising ways these systems can be attacked in practice. On the PCI Security Standards Council, PCA Cyber Security will bring that experience directly into how the standards are created.

"We see payment security evolving far beyond traditional IT environments," said William Bartram, PCA Cyber Security's General Manager. "Joining the PCI SSC means bringing our embedded security and threat intelligence expertise directly into the standards development process."

PCA Cyber Security’s core goal is to help ensure that PCI standards continue to address real-world attack techniques and the rapidly expanding payment ecosystem, while also raising awareness of the range of PCI standards that exist.

Most people in the payments industry know PCI DSS, the standard governing how businesses store and process card data. Fewer are familiar with the full scope of what the PCI SSC oversees, such as their standard for device security, PCI PTS, which PCA Cyber Security specializes in testing.

PCA Cyber Security Is Driving Compliance Towards Security-By-Design

With PCI and other regulatory frameworks, PCA Cyber Security believes compliance should never be the endgame.

Your organization’s immediate business plans might require compliance, but in the long term, its viability depends on building real resilience against threats that could damage your reputation, production systems, or compliance posture.

The product environment is evolving rapidly (unsurprisingly, only a small minority of companies feel truly prepared for emerging compliance requirements), and many of the compliant devices PCA Cyber Security tests still contain exploitable vulnerabilities.

Keeping up with the need to innovate without introducing a new wave of unknown risks means testing earlier and more deeply. Product companies need to understand root causes and the ways in which product technologies and IT entitlements combine into a single connected risk posture rather than a set of siloed ones.

PCA Cyber Security’s direct experience is that a device can meet every requirement on an audit checklist and still be vulnerable if no one tests whether an attacker could intercept the debug interface, replace a firmware update in transit, exploit a third-party app running on the terminal, or exploit any of dozens of other potential attack vectors.

Truly resilient devices are those that bring in security as a fundamental part of the design process and whose manufacturers and users continuously monitor vulnerabilities and execute regular penetration tests after market launch. PCA Cyber Security sees a major difference between these and devices where security is an afterthought.

That's the perspective PCA Cyber Security wants to bring to discussions within the PCI community. PCA Cyber Security has practical, technically grounded field experience that can benefit the entire connected device ecosystem.

Gina Gobeyn, Executive Director of the PCI Security Standards Council, welcomed PCA's involvement: "By joining as an Associate Participating Organization, PCA Cyber Security has the opportunity to play an active part in improving payment security globally by helping drive awareness and adoption of PCI Security Standards."