The following is a guest post from Troy Leach, Former Executive on the PCI Security Standards Counsel and Chief Strategy Officer at CSA.
As I walked into the Moscone Center last month, I realized that this was likely my 20th year at the RSAC. It often feels like a mini-reunion. In fact, I stopped to speak to several individuals who were helpful to me in the early days of PCI DSS as we first established the programs and standards and now who serve as CEOs for other cybersecurity companies.
So this year’s theme of “Many Voices. One Community” resonated with me.
And from that community came some very interesting conversations and the trends these industry veterans were seeing that I’d like to share.
If last year was the acceptance that GenAI was well on its way to being entrenched within the enterprise, RSAC 2025 was the recognition that AI agents will become transformative for business operations—able to perform extensive, autonomous tasks, either directly or in coordination with other agents. And since the conference, we’ve seen the announcement that Microsoft will adopt Google’s A2A protocol, accelerating an industry standard for agent-to-agent communication.
AI Will Introduce Production Code Faster Than Expected
Amongst the AI buzz is an excitement that machines will vastly improve the design, development, and accuracy of code to minimize vulnerabilities in future software. And several industry surveys at the conference quoted the optimism that most cybersecurity professionals believe AI will do more to empower SOCs and GRC teams than assist cybercriminals.
I wish I shared that hope, but I don’t—at least not yet. I think, for the near term, the greater accessibility of non-technical users with malicious intent and accessibility to disruptive GPTs (e.g. GhostGPT, WolfGPT etc.) will outpace the readiness for teams to include AI tools into security practices.
Even if three-quarters of enterprises claim to have AI security tools implemented over the next 12-18 months, there will be a long learning (and re-training) curve ahead.
There will also be greater ease in finding vulnerabilities in client-side software to exploit. Vulnerabilities that may not be enumerated within the National Vulnerability Database (NVD) as of yet. So monitoring for anomalies and quickly responding will become table stakes for e-commerce companies.
Real-time monitoring for suspicious patterns, detecting changing e-skimming techniques, and automating some incident response is imperative. And that was reinforced by many colleagues in San Francisco.
E-Skimming: The Evolving Threat Landscape
E-skimming attacks dominated my security discussions at RSA 2025, perhaps due to my history with PCI and the new browser script requirements (6.4.3 and 11.6.1) that went into effect at the end of March.
The new PCI DSS v4.x requirements include greater focus on the security of client-side webpages involved in payments, specifically targeting the rising threat of online skimming.
New Magecart-like attacks exemplify this threat’s persistence and adaptability. Most recently, I’ve heard of successful attacks that hijack 404 error pages to code in e-commerce sites. Or trick an AI chatbot on the site to consume a malicious link.
The key objective is to assure the payment page scripts are properly authorized, checked for integrity, and monitored for tampering. Companies should be:
- Conducting comprehensive inventories of all software, especially payment page scripts
- Implementing change detection mechanisms for HTTP headers and payment pages
- Regular monitoring for unauthorized changes
- Training security and governance teams on how to respond to incidents
Regardless of any PCI DSS obligation, businesses are at risk of becoming victims to these attacks due to lack of visibility into the software stack within a customer’s device.
Third-Party Risk Expanding
But simply gathering all elements of software is becoming more complex every day. At the RSA Conference, I heard many security pros speak of the movement to collect a Software Bill of Material. Made more possible by the functionality and tireless effort of AI.
I am more optimistic that AI will be able to regularly track and document the software dependencies better than what has historically been captured. It was a low bar to step over anyway.
With more than half of enterprises expected to increase the number of software providers by next year, organizations should have already in place procedures to identify and authorize new providers or software they introduce into your production environment.
Continuous Monitoring is the New Baseline
The final theme I heard at RSAC was about Third-party Risk Management (TPRM) tools and best practices. Modern TPRM requires continuous monitoring capabilities that can detect real-time changes in vendor security postures. Effective TPRM frameworks must include real-time monitoring solutions for ongoing risk assessment, conducting periodic audits to validate third-party compliance with security policies, and reviewing vendor performance while adjusting risk controls as needed.
For example, payment processing environments face unique challenges because third-party scripts and services directly interact with cardholder data. PCI DSS requires organizations to maintain information about which requirements are managed by each service provider, and which are managed by the entity. This shared security responsibility model demands clear delineation of who/how controls are managed and continuous validation of vendor compliance.
For e-commerce channels specifically, risk managers must address:
- Script management: All third-party JavaScript libraries require authorization and integrity verification
- Data flow mapping: Understanding exactly how cardholder data moves through webpages and dependencies that vendors that influence
- Incident response coordination: Establishing clear protocols for vendor-related security incidents
- Compliance validation: Regular verification of vendor PCI DSS certifications and security controls
Building Resiliency and Proactive Oversight
Overall, it seems that the “strategy speak” of having proactive risk management may have tooling available to finally address the issues. And leadership understanding for its value to the business.
There is greater recognition that third-party services can provide better security posture as long as there is good transparency and understanding of security responsibilities.
The convergence of AI capabilities, enhanced PCI DSS requirements, and sophisticated attack techniques create both opportunities and risk obligations for security leaders.
We must not lose sight of the fact that security is and has always been, a strategic enabler of digital commerce. RSAC 2025 demonstrated that we have more maturity, as an industry, and gray hairs among my long-time colleagues, to recognize how protecting payments more holistically supports business growth and innovation.