Getting real about 100% compliance

23rd PCI London
26 January 2022, Online

Full compliance with PCI DSS is plunging. But does it matter?
Is partial compliance enough? Or does falling compliance reveal a darker truth about cybersecurity in general?


According to Verizon’s latest PSR,
 

“Fewer and fewer organizations are demonstrating the ability to keep a minimum baseline of security controls in place. In 2019, from the total population of organizations assessed on PCI DSS compliance, only 27.9% of organizations achieved 100% compliance during their interim compliance validation.

This is a further 8.8 percentage-point (pp) drop from the year before, when only 36.7% of organizations demonstrated full compliance…The compliance downturn in 2019 isn’t the result of changes to the PCI DSS requirements.

A marked decrease in sustainability has been noted by the PSR for several years… As before, security testing—Requirement 11—continues to be the requirement that organizations experience the most difficulty with keeping in place.”


PCI DSS version 3.2.1 consists of 12 PCI DSS Key Requirements, 79 base requirements, 252 control requirements, and 440 test procedures. It’s no great surprise then that full compliance proves challenging. So what about less?

The measure of good security is not total compliance with a standard or set of regulations. And there are plenty of critical areas, MiFID 2 for example, where key institutions are very far from complete compliance.

The question then becomes, which parts of the PCI DSS standard are the most important? Where should compliance officers focus their limited resources? Where are the weak points in people’s compliance regimes? Has remote working caused any of the drop in compliance reported? And what kinds of technologies can help plug the gaps?

The Verizon report also goes big picture. It notes that cybersecurity overall continues to be plagued by underinvestment on the one hand and an overly complex solutions ecosystem on the other. Companies cannot be expected to keep up with the pace of digital transformation, the continuous development of new security tools, the vast increase in their attack surfaces and in the sophistication of attackers. They have their own businesses to run and that is hard enough in today’s environment.

Blaming management, as Verizon seems to do, is not the answer. The answer is that the current model of security and compliance is broken.

The security ecosystem, creating as it does security stacks of up to 70 tools, is not fit for purpose. And standards / regulations, by creating more and more complex rules to cope with markets they lag and do not understand, become less and less relevant to the risks they are trying to mitigate.
 

So is the right answer for PCI DSS simply to look at your own risks and then comply with the parts of the standard that pertain to them?

PCI London will look at how we all need a new kind of compliance and a new kind of security. Join our real-life case studies and in-depth technical sessions from the security and privacy teams at some of the world’s most admired brands.

View details of the previous in-person edition here

  • Sustaining selective, risk-based compliance

    • Firms need to know where the greatest risks to their data lie and how best to mitigate them.
    • To do this they need network and process visibility, third-party visibility and good technology to cover new payments channels and platforms.
    • What are the solutions and tools that can help?

  • Ensuring new technologies are compliant and secure

    • The world of payments is in flux.
    • From Klarna to Stripe, from Wise to wallets, the tools we use to make payments and the channels through which card data flows are changing.
    • How much do these innovations change the nature of PCI DSS compliance?

  • Reducing the cost of PCI DSS compliance

    • Most companies have limited resources to devote to one small dataset (card data).
    • They need solutions that can be applied more widely, they need automation, and they need pro-business solutions.
    • So which products make the grade?

  • Building continuous, cost-effective testing

    • “Security testing retains its traditional place at the bottom of the PCI DSS compliance list in terms of full compliance” in the Verizon report.
    • But testing - and regular testing - is clearly a critical component of ensuring effectiveness and maintaining compliance.
    • Why is security testing so challenging for organisations and how can the process be made more achievable?

  • Aligning PCI DSS, GDPR and other efforts

    • Companies have spent significantly on PCI DSS, then poured more resources into GDPR and other compliance initiatives.
    • What commonalities tie their different compliance goals together and which technologies can save them money while keeping them secure?
    • How can companies streamline their compliance efforts to optimise their use of resources?

  • What’s happening with PCI DSS 4.0

    • All compliance regimes evolve as the wider marketplace does. Keeping up is a constant struggle.
    • But with PCI DSS 4.0 promising a new risk-based approach, will yet another round of investment be needed?
    • Join us to gain insights into how your peers are preparing for the new version and the changes it will bring.

Who attends

Job titles

PCI Security Manager
Group PCI Compliance Manager
Compliance Manager & Deputy CISO
Programme Manager PCI DDS EMEA
Head of Information Security & Business Continuity
Global PCI Lead
Group Information Security Manager
Group Risk & Compliance Manager
PCI Compliance Manager
Data Compliance Manager
Head of Third Party Assurance and PCI Compliance
Chief Security Officer (CSO)
IT Group Compliance Manager
Chief Information Security Officer (CISO)
Senior Security Architect
CISO
Senior Director of Compliance
Head of Risk and Compliance
I.T. Compliance Manager
Head of Information Security Compliance
Head of PCI
Head of Payments, Information Risk & Security
Payments Security Manager
PCI Programme Manager
Compliance manager
PCI Compliance Officer
GDPR Manager
Head of PCI
Senior PCI Compliance Manager
Head of Payment Security
Head of Payment Security & Governance
Senior PCI Compliance Manager
PCI Service Delivery Manager
ICT Audit & Compliance Officer
CISO
PCI DSS Project Manager
Senior Security Governance & Compliance Manager
Head of Payments
CSO
PCI Programme Manager
PCI Manager
PCI Project Manager
PCI DSS Compliance Manager
PCI DSS Compliance Manager
PCI DSS Programme Manager
Head of IT Security
CISO
PCI Lead/Architect
Head of Cyber Security
Senior Data Governance Manager
Payments PCI Programme Manager
Senior Manager, Payments Compliance, Risk & Regulatory
DPO
Senior Director, International Privacy & IT Security
Group Manager Security & Fraud - Information Risk
Group Data Protection Officer
Senior Manager, Card Payment Security Program
IT Compliance Manager
Data Governance Manager and DPO
Manager, Information Security Compliance - PCI
AR Manager - PCI Officer
Global Compliance Officer
Senior Payments Risk Manager
IT Security & Compliance Manager
Director, Global Information Security and Incident Response
Fraud and Payments Manager
Business Information Security Officer
Global PCI Compliance
Program Manager - Information Security and Payment Compliance
PCI Compliance & Risk Manager
Head of Compliance & MLRO
CISO
CISO
PCI - Business Lead & Technical Architect
Global Information Security Officer
Group Information Security Policy, Risk & Vendor Manager
Head of Payment Compliance
Head of Cyber & Information Security
Head of IT Security and Data Protection
Global PCI Compliance
Director Information Security and IT Compliance
Global PCI Lead
PCI Compliance Manager
Head of Privacy & Data Protection
PCI Compliance Manager
BISO
Senior Special Agent - Global Security
Head of Information Security
Head of Information Security
Global Information Security & PCI Compliance Manager
Head of IT Infrastructure
Director, Head of I.T. Security & Risk Management Systems
Chief Data Protection Officer
CTO
PCI Project Manager
GDPR Programme Manager
UK&IE Information Security and Data Privacy Manager
Senior Manager IT Security, Risk & Governance
PCI Assurance Manager
Group Data Protection Officer
Director of Cyber Security

Companies

Clarks
JD Sports
John Lewis Partnership
Saint-Gobain UK & Ireland
Stagecoach Rail
HM Revenue & Customs
Maersk
Nationwide Building Society
NEXT
Superdrug Stores
Transport for London
Ladbrokes Coral Group
Boden
PhotoBox
The Shaw Trust
AXA
Odeon Cinemas
ticketmaster
Lloyds Banking Group
BBC
Close Brothers Premium Finance
Just Eat
Dixons Carphone
Cancer Research UK
The Co-operative Group
Royal Bank of Scotland
The Go-Ahead Group
Bank of America Merrill Lynch
HMV
Santander
Vodafone
Capital One
Direct Line Group
Ikea Group
The Economist
Simplyhealth Group
Rugby Football Union
Sky Betting & Gaming
Lastminute .com
William Hill
Argos
LUSH
Comic Relief
Waterstones
Specsavers
Paddy Power Betfair
easyJet
Thames Water
BP
TalkTalk
British Airways
The Works Stores
Marks & Spencer
Hiscox
Sony
Allianz
Travis Perkins
Asda
Greggs
Marriott Hotels
Millennium Hotels & Resorts
Sainsbury's
ASOS.com
Admiral Group
DVLA
Waitrose
Camelot Group
TUI Group
Bupa Global
Burberry
Virgin Media
American International Group
Selfridges
Which?
Lycamobile
Royal Mail
National Trust
EE
Pearson
Carnival
Barclays
RSPB
JP Morgan Chase
Halfords
Travelodge
Cineworld
giffgaff
LV= Liverpool Victoria
British Heart Foundation
InterFlora
Metro Bank
The Caravan and Motorhome Club
Enterprise Holdings
Dermalogica
Ocado
Ann Summers
River Island
Barnardo's
Sky
Unilever
Addison Lee
Whitbread
Tesco
Addleshaw Goddard LLP
Arriva
RAC
Bet365
WH Smith
Debenhams

Industries

Casinos/Gaming
Travel/Leisure/Hospitality
Other Industry
Retail
Charity
Telecommunications
Construction
Food/Beverage/Tobacco
Media
Hardware
Water/Sewage
Food/Beverage/Tobacco
Electricity
Healthcare Services
Telecommunications
Telecommunications
Real Estate
Manufacturer
Regional Government
Telecommunications
Other Industry
Water/Sewage
Casinos/Gaming
Institute
Retail
Banking
Education
Construction
Electronic/Electrical Equipment
Automobiles/Parts
Real Estate
Education
Electricity
Retail
Retail
Healthcare Services
Media
Pharmaceuticals
Casinos/Gaming
Electricity
Automobiles/Parts
Regional Law Enforcement
Charity
Healthcare Services
Construction
Retail
Household/Personal Products
Charity
Oil/Gas
Education
Insurance
Water/Sewage
Transportation/Shipping
Real Estate
Electricity
Household/Personal Products
Transportation/Shipping
Automobiles/Parts
Central Government
Retail
Insurance
Legal
Food/Beverage/Tobacco
Household/Personal Products
Legal
Manufacturer
Banking
Construction
Banking
Retail
Banking
Institute
Regional Government
Charity
Casinos/Gaming
Oil/Gas
Insurance
Travel/Leisure/Hospitality
Electronic/Electrical Equipment
Retail
Travel/Leisure/Hospitality
Insurance
Retail
Construction
Construction
Accounting/Auditing
Oil/Gas
Association
Transportation/Shipping
Oil/Gas
Retail
Casinos/Gaming
Media
Association
Regional Law Enforcement
Media
Central Government
Real Estate
Construction
Travel/Leisure/Hospitality
Education
Media
Household/Personal Products
Legal
Charity
Retail
Pharmaceuticals
Food/Beverage/Tobacco
Other Industry