PCI Is Just the Starting Line
But that's not really the problem.
The bigger issue is that merchant environments have changed dramatically over the last decade, while many compliance programs still operate the same way they did years ago.
That was one of the key themes from our recent webinar with Xplor Pay, where we discussed how PSPs are adapting to increasingly complex merchant environments and what it takes to build a compliance program that actually scales.
The Environment Has Changed
Ten years ago, many merchants were processing payments through a terminal.
Today, payments are embedded into software platforms, ecommerce experiences, mobile applications, and a growing number of third-party integrations.
As Rory Marr from Xplor Pay noted:
"Payments really has evolved from just being a commodity, a back office utility... into a larger part of their overall tech stack."
That shift has created a new challenge for PSPs.
The issue isn't that merchants don't care about compliance.
It's that many merchants struggle to understand their payment environment well enough to know what applies to them, what they're responsible for, and where to start.
What a Strong Program Looks Like
The PSPs that are scaling successfully aren't solving PCI with more emails, more calls, or more manual follow-up.
They're making compliance easier to navigate.
That means:
Clear guidance for merchants
Consistent processes across the portfolio
Fewer disconnected touchpoints
Better visibility for internal teams
Compliance built into the merchant experience
As John Shipley from Xplor Pay explained:
"Consistency doesn't necessarily mean one size fits all."
The goal isn't forcing every merchant through the same process.
The goal is creating a standardized framework that can adapt to different merchant environments while remaining easy to manage at scale.
PCI Is the Foundation. Not the Finish Line.
One of the most interesting parts of the discussion was how the conversation has evolved beyond PCI alone.
Today, merchants are facing challenges that extend well beyond payment card compliance — from card testing attacks and website compliance concerns to broader security and fraud risks.
As a result, many PSPs are expanding their focus from compliance programs to merchant protection programs.
The question is no longer:
"How do we help merchants complete PCI?"
It's becoming:
"How do we help merchants reduce risk across their business?"
That's a very different conversation.
3 Takeaways for PSPs
1. Merchant environments are more complex than ever.
Integrated payments, software platforms, ecommerce, and third-party tools have changed the way merchants operate. Compliance programs need to evolve alongside them.
2. Standardization is what makes PCI scalable.
The providers seeing the most success are creating consistent experiences across their portfolios rather than managing compliance one merchant at a time.
3. PCI should be part of a broader merchant protection strategy.
The strongest programs don't stop at compliance. They help merchants navigate the wider risks impacting their businesses today.
The Bottom Line
The PSPs that stand out over the next few years won't be the ones talking most about compliance.
They'll be the ones that make compliance easier for merchants while building more value around it.
Because in today's environment, PCI isn't the finish line.
It's the starting point.