Guest post by Martin Petrov, Chief Technology Officer, Payments Compliance, at Integrity360
It is tempting to view payments compliance as the finish line, a signal that a business is secure. But in practice, compliance is just the starting point. It provides a baseline security level, not a digital fortress. Standards are designed to raise the floor and eliminate obvious vulnerabilities, but they cannot cover every emerging threat or nuance – such as a supplier getting breached or a shortcut taken by an engineer at 2 a.m. That is where organisations risk becoming complacent or overly literal in their interpretations.
True security demands a harder question than “Are we compliant?” It demands: “Would this stop an attacker today?” Answering that requires understanding not just what control requirements state, but why they exist. Multi-factor authentication (MFA), for example, is not just a checkbox; it is a concept rooted in stopping unauthorised access. Compliance must be interpreted in context: against the weakest vendor, the most exposed system, the riskiest business process, and the evolving threat landscape. Too many breaches have exploited gaps that audits never covered because compliance became the ceiling, not the floor.
Regional and cultural factors also play a part. In Northern Europe, payments compliance frameworks like PCI DSS are often seen as a baseline to exceed, with layered defences added beyond the minimum. In other regions, standards such as PCI DSS or ISO/IEC 27001 are treated more as a destination. Certification becomes the end goal – a badge to display, not a baseline to exceed. These differences matter because they determine whether compliance protects you or just protects your reputation.
The supplier slip-up that could cost you everything
One of the most urgent blind spots is the supply chain. You can harden and patch all of your own systems, mandate MFA, and lock down every endpoint. But a vendor’s default service account, an abandoned test tenant, or an over-permissioned API can undermine everything. As integrations and dependencies grow, so does the potential blast radius. And while many organisations know who their suppliers are, far fewer know what access they have, how often they are reviewed, or whether they follow the same standards. Supplier risk must now be managed as rigorously as internal operations; tiered, tested, and tightly controlled.
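The supplier review described above can be turned into a repeatable check. The following is an added example, not code from the author or Integrity360, and it assumes an inventory of supplier accounts that records the tier assigned to each supplier, the scopes granted versus the scopes actually observed in access logs, and the dates of the last access review and last use. The review cadence per tier and the 90-day dormancy threshold are assumed policy values, and the inventory entries are constructed sample data. It flags the three blind spots the paragraph names (default credentials, abandoned test tenants, over-permissioned API access) plus overdue reviews.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Maximum days between access reviews, by supplier tier. Assumed policy values.
REVIEW_INTERVAL_DAYS = {"critical": 30, "important": 90, "standard": 180}
# A test account with no activity for this long is treated as abandoned. Assumed value.
DORMANT_AFTER_DAYS = 90


@dataclass(frozen=True)
class SupplierAccess:
    """One supplier account as recorded in the (assumed) access inventory."""
    supplier: str
    tier: str                     # "critical" | "important" | "standard"
    account: str
    environment: str              # "prod" | "test"
    default_credential: bool      # still using the vendor-shipped secret?
    granted_scopes: frozenset[str]
    used_scopes: frozenset[str]   # scopes actually seen in access logs
    last_reviewed: date | None
    last_used: date | None


@dataclass(frozen=True)
class Finding:
    supplier: str
    account: str
    issue: str


def _days_since(when: date | None, today: date) -> int | None:
    return None if when is None else (today - when).days


def review_supplier_access(entries: list[SupplierAccess], today: date) -> list[Finding]:
    """Apply the four checks to every inventory entry and return the findings."""
    findings: list[Finding] = []
    for e in entries:
        # 1. Vendor default service account never rotated.
        if e.default_credential:
            findings.append(Finding(e.supplier, e.account, "default credential still in use"))
        # 2. Over-permissioned: granted scopes that the supplier never exercises.
        unused = sorted(e.granted_scopes - e.used_scopes)
        if unused:
            findings.append(Finding(e.supplier, e.account,
                                    f"over-permissioned: unused scopes {unused}"))
        # 3. Review cadence tied to the supplier's tier.
        since_review = _days_since(e.last_reviewed, today)
        if since_review is None or since_review > REVIEW_INTERVAL_DAYS[e.tier]:
            findings.append(Finding(e.supplier, e.account,
                                    f"access review overdue for {e.tier} tier"))
        # 4. Abandoned test tenant or account that nobody has decommissioned.
        since_use = _days_since(e.last_used, today)
        if e.environment == "test" and (since_use is None or since_use > DORMANT_AFTER_DAYS):
            findings.append(Finding(e.supplier, e.account, "abandoned test tenant/account"))
    return findings


def summarise(findings: list[Finding]) -> list[tuple[str, int]]:
    """Findings per supplier, worst first, so the riskiest relationship is reviewed first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.supplier] = counts.get(f.supplier, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample inventory; supplier names and scopes are illustrative only.
REVIEW_DATE = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    SupplierAccess("AcmePay", "critical", "svc-acmepay", "prod", False,
                   frozenset({"payments:read", "payments:write"}),
                   frozenset({"payments:read", "payments:write"}),
                   date(2025, 5, 15), date(2025, 5, 31)),
    SupplierAccess("FraudScreen Ltd", "important", "svc-fraudscreen", "prod", True,
                   frozenset({"cards:read", "cards:write", "admin:*"}),
                   frozenset({"cards:read"}),
                   date(2024, 12, 1), date(2025, 5, 30)),
    SupplierAccess("Reconcile.io", "standard", "test-reconcile", "test", False,
                   frozenset({"ledger:read"}), frozenset(),
                   date(2025, 1, 10), date(2024, 11, 1)),
]

if __name__ == "__main__":
    for f in review_supplier_access(SAMPLE_INVENTORY, REVIEW_DATE):
        print(f"{f.supplier:16} {f.account:16} {f.issue}")
    print(summarise(review_supplier_access(SAMPLE_INVENTORY, REVIEW_DATE)))
```

Run against the sample inventory, the well-managed supplier produces no findings, the fraud-screening vendor with a default credential and an unused admin scope produces three, and the dormant test integration produces two. The point of the tier-based cadence is that the review interval is set by how much a supplier could damage you, not by how convenient the review is to schedule.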
The three-body problem: when PCI DSS, GDPR, and the EU AI Act collide
Then there is the pace of innovation, particularly in areas like artificial intelligence (AI). For European compliance officers, this creates a three-body problem: the EU AI Act, PCI DSS, and GDPR orbiting each other with overlapping – but misaligned – requirements. And unlike physics, there is no elegant equation to solve it. Meanwhile, global response remains inconsistent, and the tension between innovation and oversight is only going to grow.
The organisations that succeed in this environment will not just meet standards; they will go further and question whether they are compliant on paper but vulnerable in practice. By treating compliance as a foundation, not a finish line, organisations will unlock new ways to stay secure and trusted. The question is, what does that really look like?
What good is a lock if no one checks the door?
One of the easiest traps for modern security teams is assuming that tools alone provide protection. But no matter how advanced the platform or how rigid the policy, it is people and processes that hold it all together – or let it fall apart. This is especially true in payments compliance, where new platforms and integrations emerge faster than policies can adapt.
Organisations that treat compliance as a checklist often over-rely on technology, by trusting automated scans, secure settings, or third-party certifications to keep them safe. But without context and human judgement, these defences can create a false sense of security and leave the business exposed.
In the best security teams, compliance is part of the culture. Risk and DevOps teams stay in sync through constant feedback. Procurement acts as a line of defence, with a clear view of which suppliers matter most and where the risks lie. These teams know when to push back, even if it means slowing things down. And across the business, people are empowered to speak up when something feels off, whether it is a shortcut, a setting, or a workaround that could open the door to risk.
Compliance is not the end of the story
The gap between being compliant and being protected has never mattered more. Payments compliance standards offer a necessary starting point, but they cannot keep pace with every new integration, supplier dependency, or regulatory shift. Resilient organisations recognise this. They treat compliance as one layer in a broader strategy, one that includes cultural alignment, human awareness, and operational agility.
The difference shows up not in the paperwork, but in the response to real threats. While compliant organisations pass audits, protected ones prevent breaches. That is the shift the payments industry needs: from ticking boxes to asking better questions, and from chasing certification to building capability, resilience, and responsiveness.
Because, at the end of the day, it is not about being compliant. It is about being resilient.