22nd PCI London
30 June 2021, Online
Proving the value of PCI 4.0 in the business
Secure payments are the bedrock of digital business. So how can PCI DSS be incorporated into a broader payment security programme?
The deluge of digital payments precipitated by the pandemic, both B2C and B2B, has been enabled by a complex ecosystem of new and traditional payment providers and platforms. Whether push or pull, these payments represent a series of opportunities for cybercriminals.
They can hack the authentication and authorisation processes at various points in the transaction, targeting POS devices, e-Commerce shops, mobile payment devices, credit cards and the data transfers between parties at the initiation of the payment; they can target refund and money reversal processes; and they can target the clearing and settlement process and the underlying bank infrastructure.
Building a secure payment lifecycle was always complicated. But the introduction of new, less-regulated fintech intermediaries, new payment methods, and the supposed plug-and-play convenience of PSD2 and APIs has made security harder. And companies’ desire for data enrichment via cookies and browser plugins (or yet more APIs) to gain better market and customer insight introduces more access and authorisation headaches.
Today’s payment processes cannot be made cybersecure by following a single framework, regulation or industry standard.
Instead, companies must accept the complexity of the payments ecosystem, identify the key points in their own specific e-Commerce and digital payments lifecycles, and secure each of these to ensure not only the security and privacy of all client data and payments but also their own integrity and fraud resilience.
To do this, firms need to adopt continuous monitoring of their whole payment ecosystem to detect attacks immediately and stop further damage quickly.
They need to ensure that their standards for authentication and access are up to the task both of preventing external hacks and of imposing security discipline on internal application developers.
And the days of annual or semi-annual control environment testing and regulatory audits are long gone.
No cybersecurity or compliance professional should be relying on the mandatory minima.
And they also need to understand where their responsibilities mesh with those of the providers of ‘back-end’ security solutions such as point-to-point encryption (P2PE) and tokenization. Indeed, a key decision is how to transfer as much of their payment security risk as they can from their company to their payments provider partners.
At PCI London June we will be looking at how companies must secure the entire payment lifecycle from first click to last cash movement.
- Who should be responsible for this process?
- How do cybersecurity and compliance create a joined-up framework to keep their companies and their customers safe?
- And how do PCI DSS professionals leverage their existing knowledge to build the foundations of a comprehensive payments lifecycle security and privacy process?
Following the response to January’s 21st PCI London Summit, we are hosting this Special Edition to discuss the new challenges in the world of cards and payment data. As we continue to deal with the public health crisis and plan for post-pandemic working environments, Brexit has changed our relationship with the key regional privacy laws, WFH has created new challenges around security and fraud, and digitalization – including crypto and digital currencies – is changing the fundamentals of the way money is used and moved. Furthermore, as PCI 4.0 comes into effect we will be asking the market what they are looking for, what their priorities are, what challenges they are facing, what PCI 4.0 and future PCI directives should address, and how the PCI DSS model can be used to drive broader privacy and security goals in your payments processes.