ℹ️
Reference Content: This is a copy of content from the PCI Security Standards Council blog, preserved for tracking changes over time.
View Original →

The AI Exchange: Innovators in Payment Security Featuring PCA Cyber Security

By Alicia Malone

The AI Exchange: Innovators in Payment Security Featuring PCA Cyber Security


Welcome to the PCI Security Standards Council’s blog series, The AI Exchange: Innovators in Payment Security. This special, ongoing feature of our PCI Perspectives blog offers a resource for payment security industry stakeholders to exchange information about how they are adopting and implementing artificial intelligence (AI) into their organizations.  

In this edition of The AI Exchange, PCA Cyber Security Chief Technology Officer, Vlad Ryabyshkin, offers insight into how his company is using AI, and how this rapidly growing technology is shaping the future of payment security. 

How has your AI strategy evolved over the past 12–18 months? 

Whenever it is efficient and helps us stay compliant, the AI-enabled workflows are leveraged for security assessment, vulnerability analysis, and payment terminal code analysis. PCA also uses AI to automate routine tasks, speed up communication, and integrate security services into our partners’ product lifecycle. This allows PCA experts to focus on the most complex and high-value challenges while improving PTS (Product Traceability Systems) Supply Chain Actors’ speed to compliance and accelerating their time to market – all while reducing operational costs.

Due in large part to this strategic shift, PCA Cyber Security’s in house, AI-driven TICAP (Threat Intelligence Collection & Analysis Platform) now supports automated threat analysis, risk classification, and conversational querying of complex security data, making cybersecurity operations more accessible and actionable even for non-specialist teams.

To ensure strong data security and privacy, we invest in on-premises LLMs, focusing on long-term gains through faster workflows and higher service quality. 

What is one AI initiative that has already delivered a measurable impact, and what made it successful? 

PCA Cyber Security’s most successful AI initiative is the automation of the Underground Observation and Adversary Research workflows as part of the TICAP platform. We have achieved three measurable outcomes: 

  • Expanded visibility: increased threat coverage by 30% without increasing headcount.
  • Accelerated delivery: reduced the reporting cycle from 4 weeks to 2, doubling the delivery speed.
  • Enhanced client proactivity: clients can now receive actionable intelligence 30% faster, with a critical window to implement defensive measures before an exploit hits production. 

The key to this success was strictly prioritizing data privacy via on-premises LLMs, ensuring that any sensitive security assessment results and client data remain entirely within our secure perimeter. 

How are you approaching AI governance, particularly around data privacy and security? 

We take data privacy and security seriously here at PCA. We operate and frequently work with highly sensitive client data, including prototypes, firmware source code, and information related to the security status of payment infrastructures. This imposes strict requirements on data governance and significantly limits the use of public LLM solutions.

We never rely on publicly available LLM models. All AI-enabled components touching production data are built on self-hosted models deployed within PCA Cyber Security’s own infrastructure. In addition, we enforce a strict isolation principle, the AI's temporary processing memory entirely cleared and isolated for each and every client project. This guarantees that data from one environment cannot bleed into or influence another.

While this approach introduces substantial costs and limitations using AI models for secondary or low-priority tasks, the protection of clients’ information remains the highest priority for PCA Cyber Security, and in our opinion, for the whole industry. 

What challenges have become more apparent as AI capabilities have matured? 

The maturity of AI has brought a paradox: as technology becomes more capable, there is a tendency to over-rely on it. The challenge for us has been twofold: internally, we’ve had to develop advanced QC methodologies to audit AI-generated intelligence, ensuring that increased speed doesn't come at the cost of accuracy.

Externally, a major part of my role is expectation management. We must be transparent with partners and clients about the 'black box' nature of certain LLMs deployments and where they are being used during a project. The AI provides scalability for threat intelligence - PCA human experts provide the 'ground truth’. Educating clients on what AI cannot yet do - such as understanding the nuanced physical constraints of a specific payment terminal, or chaining vulnerabilities - is just as important as showing what it can do. 

What advice would you provide for an organization moving from early AI adoption to broader implementation? 

Treat AI as a core architectural and procedural component, not a feature. As an organization matures its AI strategy, I would suggest: 

  • Move from “Copilots” to Agents: Instead of passive assistants waiting for prompts, focus on autonomous AI agents that can execute complex security tasks and deliver validated results.
  • Implement AI-native CI/CD: Integrate AI into development and security workflows to automate vulnerability research and threat modeling throughout the lifecycle.
  • Prioritize Business Process: A strong model alone is not enough - AI must fit seamlessly into analysts’ and engineers’ daily workflow. This is achieved through pilot projects and grassroot ideas.
  • Take the 'AI-Native' competition seriously: startups are rebuilding security services from ground up. The industry requires scalable, secure, and privacy-protected production environments. 

Ultimately, AI won't be a 'silver bullet,' but it will be the foundation of how we scale expert-level security to the entire payment ecosystem. 

What AI trend are you most excited about? 

Any excitement is tempered by a healthy dose of realism. While AI is lowering the entry barrier for attackers, we are equally focused on using it to strengthen defenders’ capabilities. Beyond just technical execution, there are some specific trends worth watching: 

  • Shift to Behavioral Intelligence: Using LLMs to analyze user and system interactions in real-time helps identify pain points and proactively anticipate security needs.  
  • Hyper-Personalized Security Communication: AI can transform technical findings into role-specific intelligence, from executive-level strategy to developer-focused remediation guidance.
  • Agentic In-House Innovation: I’m most excited about the 'agentic' evolution. Autonomous AI systems can already support underground research and vulnerability triage, allowing human experts to focus entirely on the 'unsolvable' edge cases, pushing the boundaries of what’s possible in embedded security. 

Finally, we are moving toward a future where solutions aren't just tools, but intelligent extensions of clients’ security teams, powered by AI agents. 

View More Content on Artificial Intelligence

Learn More About PCA Cyber Security