18th PCI London, 24 January 2019, London, UK
From compliance to business risk management
"PCI compliance standards are slipping across global businesses and this simply can’t continue. Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs. We urge businesses to reassess their measurement methodologies for PCI control effectiveness, and to concentrate on managing the sustainability of their data protection ... There is a clear link between PCI DSS compliance and an organization's ability to defend itself against cyberattacks," Rodolphe Simonetti, Global Managing Director for Security Consulting, Verizon
When the Panama Papers finally proved that law firms were a cybersecurity issue, it simply confirmed a truth the key participants had known for many years. The effect though was finally to bring the issue to the attention of enough senior stakeholders at firms, their clients and the regulators that things began to change. Firms accepted that stakeholder demands were here to stay, that their own narrow view was out of step with business realities and that security could be turned into a competitive advantage.
This is where we are with PCI DSS. We all know that, almost 15 years after the PCI DSS standard was introduced, around half of the relevant companies are still non-compliant.
Indeed, after documenting improvements in the overall level of PCI DSS compliance for several years in a row, Verizon's 2018 Payment Security Report has revealed a decline in organizations' level of full PCI DSS compliance for the first time. In the 2018 report, 52.5 percent of organizations were compliant with PCI DSS, declining from the 55.4 percent reported the previous year.
Things can look even worse at a sector level: according to a recent SecurityScorecard report of more than 1,500 domains, "over 90 percent of the retail domains analysed indicated non-compliance with PCI DSS standards."
And recent events in the UK have shown us that, for a variety of reasons, even large, highly regulated companies fail annual compliance and many have never complied at all.
Those events are a serious challenge to the old ways of doing things in PCI DSS, but a huge opportunity for those willing to adapt to the new environment.
Our PCI London events have always tried to highlight tipping points in security and compliance and to help practitioners adapt to them not just by looking at the narrow PCI DSS marketplace, but by bringing in speakers and solution providers who represent the future.
So this January we will look at the inconvenient truths of PCI DSS in a new light and explore ways to leverage them - and recent hacks - to improve security, privacy and the career paths of PCI DSS professionals. Including:
PCI DSS compliance status has emerged as a significant contributor to wider business risk involving press, stakeholders and statutory regulators, rather than just a technical compliance issue. How can you move from compliance to true risk management?
Scrutiny is unfamiliar and the knee-jerk reaction is to reject criticism as the uninformed carping of non-experts. That won't cut it. We will help you understand the new environment. What happens when compliance hits the press? How do class action suits work and why are they more important than PCI or GDPR fines?
The end of "PCI DSS is a journey, compliance is just an ideal". Stakeholders and regulators do not accept that operational risk management works like this. What must change?
Identifying the critical compliance problems; providing realistic suggestions for solutions.
The truth about combining GDPR/PCI: for the PCI DSS non-compliant, is the answer from GDPR to PCI and not the other way round?
So far, organisations have been prepared to risk a breach and cross that bridge when they come to it. But now, investors and fund managers are actively paying attention to your security and compliance, whether you've been breached or not. If they don't like what they see, your share price will take a hit.
The problem of third parties: recent hacks involved out-of-date third-party technology. How can firms avoid that problem, and where can technology best be applied to the compliance process?
Prioritising (and getting) compliance investment. It's clear that compliance is hard, and equally that companies have been unable to devote sufficient resources to improving compliance levels.
The PCI DSS standard has been around since 2004. Compliance has always been a moving target as technology rushes ahead. Digital transformation, new payment, banking and e-Commerce platforms complicate things further, as do acquisitions and other core business issues.
This 18th edition of PCI London will help you chart a path through a new and unfamiliar environment fraught with risk, but also loaded with opportunity. See you on January 24.