No payment security, no digital business

21st PCI London
21 January 2021, Online

Can PCI DSS 4.0 solve the compliance conundrum?

Securing online business and the online payments ecosystem has never been more important - so why are standards slipping?

It’s a cliché of our pandemic era that businesses must digitalise or die. It’s less often explained what this means in practice. But attacks like the one on Garmin, the recent hack of Germany's state-owned vehicle fleet (which provides chauffeurs for parliamentarians and is run by the Bundeswehr military), and February’s DDoS attack on AWS (the largest in history) illustrate that ‘going digital’ has very concrete consequences.

It’s taking orders or bookings for your product or service online or via mobile; it’s accepting payments and providing refunds over the same channels; it’s collecting data that sits in digital shops; it’s developing digital services around even physical products and charging for them online via recurring subscriptions. Even the humble pizza merchant now takes all their orders via app, so a DDoS attack shuts down a physical food company and a breach of payment data pushes customers made disloyal by hunger to more reliable offerings.

Into this environment, accelerated dramatically by COVID, comes the latest Verizon Payment Security report. It concluded that "fewer and fewer organizations are demonstrating the ability to keep a minimum baseline of security controls in place". In 2018, it noted that the percentage of organisations demonstrating full PCI DSS compliance had dropped dramatically to the lowest level since 2013 - and in 2019, that percentage fell yet again by 8.8 percentage points.

These merchants are not alone in their complacency: in the US only a third of major fuel merchants have fully implemented basic EMV and a fifth are still in the planning stage – and the deadline has had to be extended to April 2021.

All the while, the Magecart group is coming up with new skimming techniques to steal payment card data from the e-commerce sites of small and midsized businesses; other fraudsters have figured out how to use the Telegram app as a fast and easy way to steal payment card data from e-commerce sites; and larger companies are putting data at risk with flawed public Cloud migrations, as demonstrated by the $80 million fine recently imposed on Capital One by the US OCC for last year’s card data breach.

Into this mêlée comes PCI DSS 4.0 at some point in 2021. What exactly will it look like? Are people waiting for what they hope will be a major revamp that takes the practical realities of the digital revolution into account? Is that why compliance with the current standard is dropping so fast? Or has the need to digitalise created a mass of new firms who should be compliant but who have just not had time yet? Survive first, comply later?


For seasoned PCIers, PCI London 2021 will examine the reasons for current non-compliance, suggest cost-effective solutions and lift the lid on PCI DSS 4.0; for newly digitalised businesses it will provide critical insights and information on combatting fraud, and ensuring payment security and card data privacy.

  • Card-based fraud is evolving

    • Detecting card-based fraud, including card not present fraud, requires identity proofing and address verification/authentication to cover everything from account creation to login to payment
    • Case management tools are also needed to deal with frauds once they've occurred
    • COVID-19 has led to a rise in fraud, both friendly and otherwise - so how do you build, manage and scale these capabilities?
  • Taking a risk-based approach

    • PCI DSS 4.0 promises a new and risk-based approach to card data security
    • This is in contrast to the previous framework, which could be treated as a tick-box exercise
    • But what does 'risk-based' mean in practice?
    • How do we ensure that organisations (a) commit more fully to compliance and (b) genuinely progress from their tick-box mentality?
  • The problem of privacy

    • PCI DSS is one take on the issue of keeping specific payment-related data safe
    • But the GDPR and CCPA approach the issue from different perspectives - GDPR focuses on people's personal privacy, and the CCPA is concerned with unauthorised monetisation of personal data
    • A comprehensive data privacy and security process must take each of them into account - so what's the most effective way to ensure all your bases are covered?
  • Vulnerability management

    • Failure to meet Requirement 6 is the leading cause in analysed PFI cases and contributes to 32.7% of Verizon's reviewed data breaches.
    • Ensuring all system components and software are protected from known vulnerabilities seems to be the biggest challenge.
    • Why is vulnerability management so hard to stay on top of, and what are the potential solutions?
  • Getting e-Commerce right

    • Website, webstore and mobile app security and compliance are now mission-critical parts of businesses that were recently resolutely physical and analogue. This creates a host of security and monitoring challenges.
    • As businesses go digital, they can find themselves locked into rapid app-development cycles - how do you make sure security and compliance don't get left behind in the rush to stay ahead?
    • Relying on third parties doesn't get you off the hook either, as we've seen with platforms like Magento - vulnerabilities must still be patched and required migrations must be completed in good time.
    • What are the key challenges for securing these platforms, and the most effective tools and strategies?
  • Innovations in detection and security

    • In addition to familiar technologies like 3D Secure and tokenisation, a new generation of real-time tools is now available.
    • AI and neural net technology are being used to detect anomalous transactions, device telemetry and broader behavioural analysis are being used to detect bots and confirm identity, and advances are being made in biometrics.
    • As these developments become more widely available, what do professionals at organisations of all sizes need to know?
  • PCI DSS in the Cloud

    • The core controls of PCI DSS 3.2.1 around cloud and serverless computing were not designed for the IT environments of 2021.
    • Cloud configuration errors have been a key component in many of the high-profile breaches of the last few years. With the shift to Cloud-based storage and workloads having sped up to deal with WFH, how can we avoid repeating these mistakes?
    • PCI DSS 4.0 will introduce an updated set of requirements and approaches to securing these environments - what do you need to know?
  • Fixing the authentication control gap

    • Organisations continue to struggle with remote access requirements, and with managing the requirements for unique user IDs.
    • Although multi-factor authentication has long been a favoured solution, PCI DSS 4.0 is likely to see it become a key requirement.
    • What are the issues with implementation, and what are the least painful (and costly) solutions?
  • The view from the contact centre

    • Accessing a secure payments mechanism via a contact centre should be a straightforward outsourcing decision for organisations large and small.
    • But your contact centre is potentially your biggest PCI DSS and card data loss risk.
    • What do you need to know about keeping your contact centre secure and compliant? What solutions and strategies should they have in place to ensure card data integrity?

Who attends

Job titles

PCI Security Manager
Group PCI Compliance Manager
Compliance Manager & Deputy CISO
Programme Manager PCI DSS EMEA
Head of Information Security & Business Continuity
Global PCI Lead
Group Information Security Manager
Group Risk & Compliance Manager
PCI Compliance Manager
Data Compliance Manager
Head of Third Party Assurance and PCI Compliance
Chief Security Officer (CSO)
IT Group Compliance Manager
Chief Information Security Officer (CISO)
Senior Security Architect
CISO
Senior Director of Compliance
Head of Risk and Compliance
I.T. Compliance Manager
Head of Information Security Compliance
Head of PCI
Head of Payments, Information Risk & Security
Payments Security Manager
PCI Programme Manager
Compliance manager
PCI Compliance Officer
GDPR Manager
Head of PCI
Senior PCI Compliance Manager
Head of Payment Security
Head of Payment Security & Governance
Senior PCI Compliance Manager
PCI Service Delivery Manager
ICT Audit & Compliance Officer
CISO
PCI DSS Project Manager
Senior Security Governance & Compliance Manager
Head of Payments
CSO
PCI Programme Manager
PCI Manager
PCI Project Manager
PCI DSS Compliance Manager
PCI DSS Compliance Manager
PCI DSS Programme Manager
Head of IT Security
CISO
PCI Lead/Architect
Head of Cyber Security
Senior Data Governance Manager
Payments PCI Programme Manager
Senior Manager, Payments Compliance, Risk & Regulatory
DPO
Senior Director, International Privacy & IT Security
Group Manager Security & Fraud - Information Risk
Group Data Protection Officer
Senior Manager, Card Payment Security Program
IT Compliance Manager
Data Governance Manager and DPO
Manager, Information Security Compliance - PCI
AR Manager - PCI Officer
Global Compliance Officer
Senior Payments Risk Manager
IT Security & Compliance Manager
Director, Global Information Security and Incident Response
Fraud and Payments Manager
Business Information Security Officer
Global PCI Compliance
Program Manager - Information Security and Payment Compliance
PCI Compliance & Risk Manager
Head of Compliance & MLRO
CISO
CISO
PCI - Business Lead & Technical Architect
Global Information Security Officer
Group Information Security Policy, Risk & Vendor Manager
Head of Payment Compliance
Head of Cyber & Information Security
Head of IT Security and Data Protection
Global PCI Compliance
Director Information Security and IT Compliance
Global PCI Lead
PCI Compliance Manager
Head of Privacy & Data Protection
PCI Compliance Manager
BISO
Senior Special Agent - Global Security
Head of Information Security
Head of Information Security
Global Information Security & PCI Compliance Manager
Head of IT Infrastructure
Director, Head of I.T. Security & Risk Management Systems
Chief Data Protection Officer
CTO
PCI Project Manager
GDPR Programme Manager
UK&IE Information Security and Data Privacy Manager
Senior Manager IT Security, Risk & Governance
PCI Assurance Manager
Group Data Protection Officer
Director of Cyber Security

Companies

Clarks
JD Sports
John Lewis Partnership
Saint-Gobain UK & Ireland
Stagecoach Rail
HM Revenue & Customs
Maersk
Nationwide Building Society
NEXT
Superdrug Stores
Transport for London
Ladbrokes Coral Group
Boden
PhotoBox
The Shaw Trust
AXA
Odeon Cinemas
ticketmaster
Lloyds Banking Group
BBC
Close Brothers Premium Finance
Just Eat
Dixons Carphone
Cancer Research UK
The Co-operative Group
Royal Bank of Scotland
The Go-Ahead Group
Bank of America Merrill Lynch
HMV
Santander
Vodafone
Capital One
Direct Line Group
Ikea Group
The Economist
Simplyhealth Group
Rugby Football Union
Sky Betting & Gaming
Lastminute .com
William Hill
Argos
LUSH
Comic Relief
Waterstones
Specsavers
Paddy Power Betfair
easyJet
Thames Water
BP
TalkTalk
British Airways
The Works Stores
Marks & Spencer
Hiscox
Sony
Allianz
Travis Perkins
Asda
Greggs
Marriott Hotels
Millennium Hotels & Resorts
Sainsbury's
ASOS.com
Admiral Group
DVLA
Waitrose
Camelot Group
TUI Group
Bupa Global
Burberry
Virgin Media
American International Group
Selfridges
Which?
Lycamobile
Royal Mail
National Trust
EE
Pearson
Carnival
Barclays
RSPB
JP Morgan Chase
Halfords
Travelodge
Cineworld
giffgaff
LV= Liverpool Victoria
British Heart Foundation
InterFlora
Metro Bank
The Caravan and Motorhome Club
Enterprise Holdings
Dermalogica
Ocado
Ann Summers
River Island
Barnardo's
Sky
Unilever
Addison Lee
Whitbread
Tesco
Addleshaw Goddard LLP
Arriva
RAC
Bet365
WH Smith
Debenhams

Industries

Retail
Travel/Leisure/Hospitality
Other Industry
Casinos/Gaming
Charity
Telecommunications
Construction
Food/Beverage/Tobacco
Media
Hardware
Water/Sewage
Food/Beverage/Tobacco
Electricity
Healthcare Services
Telecommunications
Telecommunications
Real Estate
Manufacturer
Regional Government
Telecommunications
Other Industry
Water/Sewage
Casinos/Gaming
Institute
Retail
Banking
Education
Construction
Electronic/Electrical Equipment
Automobiles/Parts
Real Estate
Education
Electricity
Retail
Retail
Healthcare Services
Media
Pharmaceuticals
Casinos/Gaming
Electricity
Automobiles/Parts
Regional Law Enforcement
Charity
Healthcare Services
Construction
Retail
Household/Personal Products
Charity
Oil/Gas
Education
Insurance
Water/Sewage
Transportation/Shipping
Real Estate
Electricity
Household/Personal Products
Transportation/Shipping
Automobiles/Parts
Central Government
Retail
Insurance
Legal
Food/Beverage/Tobacco
Household/Personal Products
Legal
Manufacturer
Banking
Construction
Banking
Retail
Banking
Institute
Regional Government
Charity
Casinos/Gaming
Oil/Gas
Insurance
Travel/Leisure/Hospitality
Electronic/Electrical Equipment
Retail
Travel/Leisure/Hospitality
Insurance
Retail
Construction
Construction
Accounting/Auditing
Oil/Gas
Association
Transportation/Shipping
Oil/Gas
Retail
Casinos/Gaming
Media
Association
Regional Law Enforcement
Media
Central Government
Real Estate
Construction
Travel/Leisure/Hospitality
Education
Media
Household/Personal Products
Legal
Charity
Retail
Pharmaceuticals
Food/Beverage/Tobacco
Other Industry