In the UK, there is currently no direct legal requirement for companies to adopt a dedicated Artificial Intelligence (AI) policy. Yet, with AI now being rapidly integrated into business operations - particularly within payments - the question arises: should organisations start embedding AI governance into established compliance and security frameworks such as PCI DSS?
The PCI Security Standards Council has already recognised this shift. In a recent publication, the Council highlighted that AI is increasingly being used in the design, management, and operation of payment systems. It also acknowledged the unique challenges AI poses: its ability to adapt and “learn” makes it difficult to fully understand the risks or anticipate how such systems may behave over time. To respond, the Council has introduced a set of guiding principles for the responsible use of AI in payment environments.
This is significant. PCI DSS has always been the cornerstone for securing payment data, but AI introduces new layers of complexity that extend beyond traditional risks. Should it therefore now be considered best practice for companies not only to implement AI policies but to align them directly with PCI DSS frameworks?
An AI-specific policy framework could provide organisations with several advantages:
Risk awareness: Educating employees on the risks AI presents, from bias to misuse, helps reduce the chance of legal, financial, or reputational harm.
Access control: Clear rules on how much access AI systems receive (least privilege principle) minimise unnecessary exposure.
System approval: Defining which AI tools are permitted, particularly on company-owned devices, helps prevent shadow AI usage.
Security vigilance: Acknowledging that AI systems themselves may become targets for malicious attacks, including data theft or manipulation, ensures these risks are considered upfront.
These considerations feel particularly relevant as PCI DSS already mandates Incident Response Plans and Security Awareness Programmes. But are these measures sufficient in the age of AI? Perhaps not. As we see training methods evolve - such as the growing popularity of “AI Escape Rooms” that simulate AI-related cyber incidents - it seems the industry is beginning to recognise the need for AI-specific awareness and preparedness.
There is also a wider regulatory backdrop. GDPR already covers aspects of AI through provisions on automated decision-making and data handling. While not AI-exclusive, these clauses remind organisations that processing personal data with AI requires special care, transparency, and strong safeguards. A company-wide AI policy could bridge this gap by ensuring responsible data use, reinforcing human oversight, and embedding governance across the entire lifecycle of AI systems.
Looking ahead, the EU AI Act - formally adopted on 21 May 2024 and due to enter into force on 1 August 2024 - marks a landmark step in regulating AI. It sets obligations based on the risk category of AI systems, ranging from transparency to outright restrictions on high-risk use cases. Organisations that begin integrating AI governance into their PCI DSS and wider compliance frameworks now will be far better positioned to adapt to this evolving landscape.
So, is it time to embed AI policies into PCI DSS frameworks?
The evidence suggests yes. By proactively creating structured AI governance policies, aligned with both PCI DSS and emerging regulations, organisations can increase resilience, protect customer trust, and remain agile in a rapidly changing environment. Crucially, employee education must be at the centre of this effort - because while AI is powerful, it is not accountable. Responsibility remains firmly with humans.
Three Things Companies Should Do Now:
1.) Develop an AI governance policy aligned with PCI DSS and covering risk, access, and permitted use.
2.) Update security awareness training to include AI-related risks and scenarios, ensuring staff are prepared.
3.) Monitor regulatory developments (such as the EU AI Act) and proactively adjust compliance practices.
To see how the PCI Security Standards Council is approaching this challenge, read their AI Principles for Securing the Use of AI in Payment Environments.
If you would like to get in touch with us to discuss how we can support your cybersecurity needs - please reach out to us: hello@onecybervalley.com
By 1 Cyber Valley | October 1st, 2025 | Sara Higgins