Meet Úna Dillon: Shaping Europe’s Payment Security Future at PCI SSC
Úna Dillon is the new Regional Director, Europe, at the PCI Security Standards Council (SSC). She brings over 28 years of experience in financial services and payment security, having worked with major European banks, card schemes, and payment associations on regulatory compliance and risk management. Before joining the PCI SSC, Úna worked for the Merchant Risk Council (MRC), leading its Advocacy initiatives and bringing the eCommerce merchant perspective to the table with financial regulators globally. Her passion lies in bridging the gap between technical security requirements and practical business implementation. Banking & Finance sat down with Úna to discuss her plans and how the PCI SSC is adapting to Europe’s evolving regulatory landscape.
What are your top priorities for PCI SSC in Europe over the next 12-18 months?
“My primary goals are to strengthen our engagement with European stakeholders to ensure PCI standards remain relevant and practical for a diverse European market, to foster closer collaboration between the PCI SSC and European payments bodies to create a harmonized approach to payment security, and ensure the Council is recognized as evolving to meet the ever-changing requirements of the industry.
What I bring to the table is the ability to listen to the community, facilitate dialogue, and translate the insights gained into action. I see my role as helping stakeholders in Europe to better understand the requirements of the fifteen PCI standards and how they support innovation, security, and trust in payments across Europe, and beyond.”
What do you think is most challenging about the unique payment security landscape in Europe?
“The most challenging aspect of the unique payment security landscape in Europe stems from the extraordinary diversity and fragmentation of payment methods and markets across the continent.
Europe stands out globally because consumers and businesses rely on a wide range of local and national payment preferences rather than a single dominant system. You have local payment methods like iDEAL, blik, Bizum, Cartes Bancaires, alongside international card brands like Visa and Mastercard as well as instant account-to-account options, digital wallets, instant transfers and emerging options like Wero.
On top of that, over the past 20 years, Europe has been at the forefront of innovations such as Chip & PIN, NFC payments, and SCA (strong customer authentication). Each time payments advance, there are new security considerations that must be addressed in the PCI standards and guidance. The PCI Council plays a pivotal role in helping the industry rise to these challenges through global, effective, industry-driven standards and this is where the great work of the PCI Council truly shines.
As a global forum uniting payments stakeholders, including strong European representation on the PCI Board of Advisors, Participating Organizations, and dedicated regional leadership, the Council develops and evolves flexible standards like the Payment Card Industry Data Security Standard (PCI DSS), which is now on version 4.0.1, that provide a unified baseline for securing cardholder data worldwide, while accommodating diverse implementations such as those in Europe.”
When it comes to cybercrime and security, banks nowadays are prime phishing targets. Why do they remain such an attractive target?
“Banks remain highly attractive targets for cybercriminals due to the high-value nature of the assets they protect and manage. They have direct access to substantial financial resources, handling vast sums of money through transactions, accounts, and payment systems. The nature of today’s breaches can enable immediate theft of large payouts, compared to other sectors.
At the PCI Council, we recognize these persistent challenges and emphasize how PCI DSS and related standards provide a critical, adaptable foundation for protecting cardholder data amid such threats. By requiring strong controls like encryption, access restrictions, and continuous monitoring, the standards help banks and the broader payments ecosystem to reduce breach likelihood, limit damage, and maintain resilience.”
PCI DSS v4.0.1 now explicitly requires anti-phishing mechanisms (Requirement 5.4). What does that mean for banks in practice?
“PCI DSS (v4.0.1) introduces Requirement 5.4, which explicitly requires organizations to implement processes and automated mechanisms to detect, and protect personnel against, phishing attacks. In practice, for banks that handle vast volumes of sensitive cardholder data, customer communications, and internal systems, the requirement means moving beyond human-dependent controls to layered, technology-driven protections that reduce the risk of successful phishing attacks leading to credential compromise, malware deployment, or unauthorized access to the cardholder data environment (CDE).
Practical implications include the deployment of email authentication protocols to prevent spoofing of the bank’s domains, a common tactic in phishing campaigns to trick customers into revealing credentials or clicking malicious links. Beyond email authentication, banks need secure mail gateways, advanced threat protection solutions, or anti-phishing filters that automatically scan and block phishing attempts before they reach user inboxes.
While staff training and customer awareness remain essential (Requirement 12.6 now emphasizes ongoing education on phishing and social engineering), Requirement 5.4 strengthens resilience by reducing the likelihood of internal compromise that could expose cardholder data, and by protecting customer-facing communications to maintain trust and avoid reputational damage.
We see this requirement as a forward-looking enhancement that acknowledges phishing and its role as one of the most consistent threats to payment security.”
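The “email authentication protocols to prevent spoofing” mentioned above are, in practice, SPF, DKIM and DMARC; the page does not name them. As an added example (not from the interview or the PCI SSC), this Python check parses constructed SPF and DMARC TXT records for two hypothetical domains and flags settings that leave the domain spoofable, such as a DMARC policy of p=none or an SPF record ending in ~all; the domain names and records are constructed, and a real check would query DNS instead of the sample dictionary.

```python
import re
# Constructed sample DNS TXT records for two hypothetical domains; a real check
# would query DNS (e.g. with dnspython) instead of reading this dictionary.
SAMPLE_TXT = {
    "example-bank.test": ["v=spf1 include:_spf.mailer.test -all"],
    "_dmarc.example-bank.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test"],
    "weak-bank.test": ["v=spf1 include:_spf.mailer.test ~all", "site-verification=abc"],
    "_dmarc.weak-bank.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak-bank.test"],
}

def spf_all_qualifier(txt_records):
    """Return the SPF 'all' mechanism ('-all', '~all', '?all', '+all') or None."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or several SPF records: receivers treat as permerror
        return None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?])?all", term, re.IGNORECASE)
        if m:
            return (m.group(1) or "+") + "all"
    return None  # no 'all' mechanism: unlisted senders get a neutral result

def dmarc_tags(txt_records):
    """Parse a DMARC record into a tag dictionary; empty dict if absent."""
    recs = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return {}
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, records=SAMPLE_TXT):
    """Return a list of findings; an empty list means enforcing SPF and DMARC."""
    findings = []
    qualifier = spf_all_qualifier(records.get(domain, []))
    if qualifier is None:
        findings.append("SPF: missing, duplicated, or no 'all' mechanism")
    elif qualifier in ("+all", "?all"):
        findings.append(f"SPF: '{qualifier}' lets any host send as the domain")
    elif qualifier == "~all":
        findings.append("SPF: softfail only; rely on DMARC enforcement")
    tags = dmarc_tags(records.get("_dmarc." + domain, []))
    if not tags:
        findings.append("DMARC: no record, spoofed mail is not rejected")
    elif tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: policy p={tags.get('p')} only monitors")
    return findings
```

Running assess_domain("weak-bank.test") reports the softfail SPF and the monitoring-only DMARC policy, while the enforcing example-bank.test records produce no findings.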
What are the biggest obstacles banks face when embedding PCI DSS into their broader governance and risk structures?
“PCI DSS v4.0.1 has requirements around risk-based elements, e.g. targeted risk analysis, which are now in effect, so banks need to consider the complexity of scope definition and maintenance in large, interconnected environments.
Banks often manage legacy infrastructures with payment data flowing through core banking systems, digital channels, APIs, cloud services, and third-party integrations. Banks are required to accurately scope the CDE, confirm it annually, and keep it isolated while aligning with enterprise-wide risk frameworks.
Resources are a constant issue for most payment organizations. Full integration of the requirements needs investment in people, tools, and processes such as continuous monitoring, targeted analyses, and embedding PCI controls into BAU operations.
Dealing with organization silos can be a challenge when making changes to systems and processes. The scope of PCI DSS requirements and control implementation responsibilities may exist in different areas of the business, depending on the organization. For some it is in the Finance department, for others it is in Fraud, Risk, Compliance, and even in Internal Audit in some companies. PCI DSS can be treated as a payment-specific compliance exercise rather than a core component of enterprise risk management. Bridging the gap and distributing accountability across all relevant business units and teams requires strong governance and a culture of security.
At the PCI Council, we actively address these challenges through collaborative resources, guidance (e.g. the Targeted Risk Analysis Guidance), and community engagement that helps banks map PCI DSS into existing governance frameworks. By treating PCI DSS not as an isolated project but as a foundation layer that strengthens their overall risk position, banks can reduce breach risks, enhance regulatory alignment, and maintain customer trust in an increasingly interconnected payment landscape.”
To what extent can PCI DSS serve as a practical framework for meeting broader compliance requirements?
“In the realm of payment security and overall information security, PCI DSS serves as a highly practical and effective framework for meeting broader compliance requirements, often acting as a strong foundational baseline that overlaps substantially with many enterprise-wide standards.
While PCI DSS is focused on protecting cardholder data, its core 12 requirements deliver mature, prescriptive controls across critical security domains that translate well to broader risk management.
Many PCI DSS controls may map directly or closely to elements within other compliance frameworks, e.g. ISO 27001. Implementing PCI DSS encourages continuous, risk-based security processes. This fosters a proactive position that naturally supports broader compliance goals, such as reducing the risk of breaches, improving incident detection and response, and embedding security governance.
At the Council, we emphasize how PCI DSS, through its collaborative, industry-vetted evolution, delivers tangible security value that extends beyond payments. The Council’s resources and focus on adaptable, intent-based requirements help organizations to integrate these controls into enterprise risk programs efficiently. This makes PCI DSS not just a compliance checkbox but a practical accelerator for stronger, more unified security across organizations, ultimately enhancing protection for all sensitive data, building customer trust, and streamlining efforts in an increasingly interconnected threat landscape.”
About PCI SSC
The PCI Security Standards Council (PCI SSC) is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. Our role is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders. We achieve this with a strategic framework to guide our decision-making process and ensure that every initiative is aligned with our mission and supports the needs of the global payments industry. Website: pcisecuritystandards.org
By Jan Jaap Omvlee, Banking & Finance Magazine
