27th PCI London: Meeting the challenge of 4.0.1

PCI DSS v4.0.1, the challenge of continuous assurance and the rise of AI

21st January 2026 •  Park Plaza Victoria, London, UK

Meeting the demands of 4.0.1 is hard and non-stop technology innovation isn’t helping. What are the best organisations doing?

 

Tougher than you thought? How organisations have responded to PCI DSS v4.0.1

Early adopters of PCI DSS v4.0.1 have reported that the journey has been harder and more resource-intensive than expected. Many organisations underestimated how broad their cardholder data environments (CDEs) are, and how many connected systems — from backup servers to monitoring tools — fall within scope. Discovering these dependencies late in the process has led to costly remediation.

Technical complexity is high. Stronger authentication requirements, stricter cryptography, more comprehensive logging, and expanded monitoring have required major upgrades.

The “Customized Approach” has caused some confusion. PCI DSS v4.0.1 allows organisations to propose alternative controls that meet the intent of requirements, rather than follow the exact “Directed Approach.” While flexible, this option has been difficult to operationalise.

Future-dated requirements are a double-edged sword. Those who delayed action are now facing resource bottlenecks.

Third-party and vendor risk is a critical weak spot. Payment data often passes through vendors, processors, or cloud providers. Many contracts do not yet bind these third parties to PCI DSS v4.0.1-level obligations. Service providers with older systems often cannot support the required controls without significant investment.

Documentation and evidence demands have grown. Under v4.0.1, compliance chiefs must maintain logs, configuration records, change histories, and detailed evidence of testing.
Organisations that treated compliance as an annual “checkbox” exercise have had to rethink their entire documentation approach.

E-commerce merchants have faced new requirements to control third-party scripts. Without monitoring for script tampering, merchants risk data skimming attacks. Those who implemented script inventories, integrity checks, and content security policies have both met the new standard and improved customer security.

Across sectors, compliance chiefs have reported similar pain points: vendor contract weaknesses, underestimation of scope, confusion over customized controls, and the heavy lift of continuous monitoring.

In parallel with PCI DSS v4.0.1, the PCI SSC has begun addressing the impact of artificial intelligence on compliance and payment security. The core message is simple: AI can help, but it cannot replace human accountability. In assessments and in payment environments, the Council makes clear that human accountability, traceability, and resilience planning are non-negotiable.

For solution providers, the opportunity is clear. Compliance chiefs are actively searching for tools and partners who can:

  • Automate compliance evidence collection and reporting.
  • Deliver robust access control, encryption, and monitoring aligned with v4.0.
  • Provide script monitoring and integrity solutions for e-commerce.
  • Integrate AI safely into assessments and payment ecosystems.
  • Help manage vendor and third-party risks.

 

PCI London will continue our look at PCI DSS 4.01 and the progress compliance teams are making.
Join our real-life case studies and in-depth technical sessions from the PCI compliance leaders at a broad cross-section of organisations and sectors.

 

View details of the previous event

  • Tackling PCI DSS v4.0’s new requirements

    • From targeted risk analyses to stronger authentication, encryption updates, and enhanced testing, v4.0.1 introduces significant new technical and procedural demands.
    • Organisations must understand not just what has changed, but how to implement it effectively.
    • What tools should they look at?

  • Aligning PCI with broader security frameworks

    • Compliance chiefs are under pressure to show that PCI DSS maps into broader obligations — NIST, ISO, operational resilience, regulatory expectations.
    • Integrating PCI into the enterprise risk stack turns compliance from burden into advantage.
    • But is PCI DSS really the right standard for this?

  • From point-in-time to continuous compliance

    • PCI DSS v4.0.1 moves away from annual audits towards ongoing monitoring and evidence.
    • Compliance chiefs must adapt to continuous assurance, with tools and processes that prove security every day, not once a year.
    • This has implications across the security and compliance estate, from basic workflows to complex risk management. Can you help?

  • Reducing the cost of PCI DSS compliance

    • Most companies have limited resources to devote to one small dataset (card data).
    • They need solutions that can be applied more widely, they need automation, and they need pro-business solutions.
    • So, how do you derive PCI DSS compliance from your existing security processes?

  • New challenges in managing third-party risks

    • Processors, merchants, and cloud providers all bring PCI DSS obligations. Weak contracts, unclear SLAs, and limited audit rights create blind spots.
    • Third-party management is one of the toughest and most critical challenges under v4.0. But then it’s probably the hardest challenge in cybersecurity and operational risk too.
    • Any success stories?

  • Technology challenges in hybrid environments

    • Payment systems now span legacy POS, APIs, mobile, and cloud providers.
    • Extending PCI DSS controls across such diverse and interconnected environments is complex — especially when vendors or legacy systems can’t easily comply.
    • How can organisations comply in this situation?

  • New technologies – a challenge to compliance?

    • The world of payments is in flux.
    • From Klarna to Stripe, from Wise to wallets, the tools we use to make payments and the channels through which card data flows are changing.
    • How much do these innovations change the nature of PCI DSS compliance and can you help??

  • Automation, AI & continuous assurance

    • Manual evidence gathering and fragmented monitoring won’t scale.
    • AI and automation offer opportunities to streamline assessments, monitor scope, detect anomalies, and embed PCI DSS into day-to-day security operations — but only if used responsibly.
    • So, what is best practice here?

  • Aligning PCI DSS, GDPR and broader GRC efforts

    • Companies have spent significantly on PCI DSS, then poured more resources into GDPR and other compliance initiatives.
    • What commonalities tie their different compliance goals together and which technologies can save them money while keeping them secure?
    • How can companies streamline their compliance efforts to optimise their use of resources?

  • Securing Cloud and other critical third-party dependencies

    • PCI DSS 4.0 allows firms to choose their path to delivering the security and privacy objectives set by the standard.
    • It then specifies how organisations can demonstrate that their chosen solutions do indeed deliver those outcomes.
    • How can you help?

  • Vulnerability Management and remediation

    • Firms need to know where the greatest risks to their data lie and how best to mitigate them.
    • To do this, they need network and process visibility, third-party visibility and good technology to cover new payments channels and platforms.
    • Can your solutions help them?

  • Technology investment decisions are getting harder

    • All compliance regimes evolve as the wider marketplace does. Keeping up is a constant struggle.
    • But with PCI DSS 4.0.1 promising a new risk-based approach, will yet another round of investment be needed?
    • What solutions can ease the transition?

Who attends

Job titles

Head of Digital Security
Head of Infrastructure Service Delivery
Information Security Officer
Senior GDPR & PCI Specialist
Senior Infosec Specialist
Principal Security Analyst
Lead Equity Research Analyst
Data Protection GDPR Manager
Compliance Officer
Security Architect, Senior Vice President
CISO
Programme Manager
Director of Financial Operations
Data Compliance Manager
Financial crime Executive
Assistant Director of IT
PCI DSS Support Function Manager
Digital Criminal Justice Lead
Senior Customer Success Manager
Global PCI Analyst
Director of Security
Card Scheme Compliance Manager
Data Protection Officer
PCI ISA - Compliance Consultant
Head of Compliance / MLRO (SMF16/17)
Senior InfoSec Compliance Analyst - Payment, Governance, Risk & Compliance
Senior Information Security Analyst
Senior Project Manager
Senior Information Technology Security Analyst
PCI Assurance Manager
Director of Security & Trust
Information Security Governance, Risk and Compliance Lead
CISO
Information Security Officer
Senior Information Compliance & Control Manager
Director of Technology & Information Security
HoD Information Security, Governance and Compliance
Manager - International, Payment Security & Governance
Operational Audit Manager
Information Security Officer
Group Information Security Manager
Head of IT Risk Governance
Principal Enterprise Architect
Information Technology Compliance Manager
Information Security Analyst
Security & Compliance Manager
Senior Security GRC Analyst
IT Security
Cyber Security Project Manager
Infosec Lead
Senior Tech Manager, Info Sec, Risk & Compliance
IT Security Administrator
Scheme Compliance Analyst
Head of Payments, Consumer Finance and Fraud
Chief Information Security Officer
Cyber Security Manager
Senior Systems Support Specialist
Senior Solution Engineering Manager
Director - Fraud Risk, Payments & Digital
Compliance and Security Analyst
Cyber Defence Manager
Security and Compliance Officer
Director of Information Security
Compliance Manager
Information Security Policy and Standards Manager
Payment Security Manager
Head of Solution Engineer Zoom Phone
Compliance and Audit Manager
IT Security Assurance & Compliance Senior Lead
Card Systems Specialist
Security Operations
Senior Network and Security Specialist
Global head of Security Compliance
Information Security Manager
Cyber Security Risk and Compliance
Payment Operations and Assurance Manager
International Director
Cyber Security Specialist | PCI ISA
Data Protection Officer
Digital Safety Compliance Analyst
Head of IT Security, Risk and Compliance
Principal Product Manager
Cyber Security and Compliance Manager
PCI Assurance Professional
Network Engineer
Cyber Security Analyst
Head of Data Protection and Privacy
Data Protection Compliance Manager
Security Design and Assurance Specialist
Schemes Compliance Manager
PCI Compliance Manager
PCI DSS Compliance Support Coordinator
Data Security Compliance Officer
IT Risk and Compliance Analyst
Compliance and Security Officer
PCI Compliance & Risk Manager
Senior Security Architect
Governance and Compliance Manager
Head of Product Compliance
Information Security, Risk and Compliance Manager
Team Lead, Card Systems UK and Ireland
Senior IT Risk Manager
PCI DSS Compliance Lead
Senior Cyber Security Analyst
Data Compliance Assistant
Head Of Billing
Information Security Auditor
Senior Security Architect
ICT Audit manager & Data Protection Officer
Head of IT Programme Management & Information Security
Senior Security GRC Expert
Group Data Protection Officer
Information Security Specialist
Cyber Security Assurance Specialist
Information Security Manager
Head of Information and Cyber Security
Information Security Analyst
Senior Information Security Analyst
Senior Risk Manager
Risk & Compliance Director
Director of Customer Data Security
Head of Compliance
Systems Consultant
CISO, Compliance Manager
CISO, Compliance Manager
Payments Compliance Product Owner
Global PCI Compliance lead
Solutions Architect
Program Specialist
Banking & Income Systems Manager
Vice President, EMEA & UK/I for Cyber Hygiene
Information Security Officer
Detective Superintendent Head of Economic Crime
Information Security Analyst
Information Security Officer and Infosec Lead
Director of Finance
Director of Compliance
Senior Compliance Officer - Finance
Head of Compliance, Director and MLRO
Senior Information Security Analyst
GRC Analyst
Data Protection Manager
Fraud & Payments Manager
Senior Special Agent - Global Security
Director of Cyber Security & Compliance
CISO
Head of Audit
Global PCI Lead
Head of Technology
Lead Security Architect
Security Compliance Manager
PCI Compliance Analyst
Senior Security Consultant
Cyber Security Architect
Project Manager
Information Security Risk and Assurance Specialist
IT Manager
PCI Manager
Senior Manager Security Governance & Compliance
Accounting Manager
Global Cybersecurity Lead
Head of IT Audit (Tech & Cyber Security) - UK HUB
Security, Risk and Compliance Director
Group Information Security Officer
Project Manager - Cyber Security
Head of Risk and Compliance
Information Security Analyst
Communications and Product Manager
IT Manager
Senior Analyst Developer

Companies

Royal Society for the Protection of Birds (RSPB)
Sky
Boden
Soho House Group
Just Eat
First Rate Exchange Services
Arete Research
HM Courts & Tribunals Service (HMCTS)
Village Hotel Club
Citigroup
Domino's Pizza
Sky
BBC
Taylor Wimpey
CIMB
Millennium Hotels & Resorts
NatWest Group
Metropolitan Police Service
CashFlows
BP
Feeld
CashFlows
Caravan and Motorhome Club
The Access Group
Persia International Bank plc
Live Nation International
Travis Perkins
Sky
MarkerStudy
Barclaycard
Reed & Mackay
pladis Global
Footasylum
Formula 1
Driver and Vehicle Licensing Agency (DVLA)
Atcore Technology
Currys plc
Live Nation International
Sky
Collinson Group
Ocado
Bupa Global
BT
SSP
WHSmith
SilverRail Technologies
Sky
Anderson Zaks
Greene King
CashFlows
Just Eat
The Appointment Group
Paysafe Group
OVO Group
WHSmith
Tesco Mobile
Atcore Technology
EVO Payments
Standard Chartered Bank
Transport for Greater Manchester (TfGM)
Travelex Holdings
HSS Hire Service Holdings Limited
Reward Gateway
FIS Global
Hutchison 3G UK Ltd t/as Three UK
Vodafone
Zoom Technologies
South Western Railway
Mars
Valero Energy Corporation
Cancer Research UK (CRUK)
Public Health England
Reed Exhibitions
National Trust
Manchester Airports Group (MAG)
Transport for London (TfL)
PCI Security Standards Council
Santander
Imperial Brands Plc
easyJet
Homebase
Paysafe Group
Tate
BT
CertSure
First Rate Exchange Services
Manchester Airports Group (MAG)
Driver and Vehicle Licensing Agency (DVLA)
Cancer Research UK (CRUK)
Paysafe Group
Direct Line Group
Imperial College London
Caravan and Motorhome Club
The Walt Disney Company
Kent County Council
Transport for London (TfL)
John Lewis Partnership
Whitbread PLC
Kindred Group
Airwair International Ltd - Dr Martens
Valero Energy Corporation
Diligenta
Virgin Media
Sky
Taylor Wimpey
Glow Financial Services
Paragon Customer Communications
Amazon Web Services
Publica Group
Azzurri Group
Wise
Quintessentially
Vanquis Bank
Howdens Joinery
London North Eastern Railway
Diligenta
Ocado Technology
Dunelm Group plc
Transaction Network Services
ERGO Travel Insurance Services Ltd
Elavon
Moneyboat
Atcore Technology
Direct Line Group
Direct Line Group
British Airways
The TJX Companies
Parliament UK
PCI Security Standards Council
Oxfordshire County Council
Deutsche Bank Group
Anderson Zaks
Metropolitan Police Service
JD Sports Fashion plc
Specsavers
WSH Group
Starling Bank
King's College
Payabl.
Marie Curie Cancer Care
NEXT
Phoenix Group
FitFlop
American Express
Lumanity
Ted Baker
Waterstones
BP
ClearCourse LLP
BP
Pennon Group
Anglian Water Services
Co-operative Bank plc
The University of Manchester
The Travel Corporation
Hutchison 3G UK Ltd t/as Three UK
Mayflower Theatre Trust LTD
RSA Insurance Group
BT
CertSure
HSBC
BNP Paribas Group
ZEAL Network
Harvey Nichols Group Limited
Sky
Thredd
National Trust
Barclaycard
DorisIT
Royal Holloway University of London

Industries

Charity
Media
Retail
Travel/Leisure/Hospitality
Retail
Banking
Other Industry
Central Government
Travel/Leisure/Hospitality
Banking
Retail
Media
Media
Real Estate
Banking
Travel/Leisure/Hospitality
Banking
Regional Law Enforcement
Security Product Vendor
Oil/Gas
Other Industry
Security Product Vendor
Travel/Leisure/Hospitality
Software
Banking
Travel/Leisure/Hospitality
Construction
Media
Insurance
Banking
Travel/Leisure/Hospitality
Manufacturer
Retail
Automobiles/Parts
Central Government
Travel/Leisure/Hospitality
Retail
Travel/Leisure/Hospitality
Media
Insurance
Transportation/Shipping
Healthcare Services
Telecommunications
Food/Beverage/Tobacco
Retail
Software/Hardware
Media
Banking
Food/Beverage/Tobacco
Security Product Vendor
Retail
Travel/Leisure/Hospitality
Software/Hardware
Electricity
Retail
Telecommunications
Travel/Leisure/Hospitality
Banking
Banking
Transportation/Shipping
Banking
Household/Personal Products
Media
Banking
Telecommunications
Telecommunications
Security Product Reseller
Transportation/Shipping
Food/Beverage/Tobacco
Oil/Gas
Charity
Central Government
Other Industry
Charity
Transportation/Shipping
Transportation/Shipping
Regulator
Banking
Manufacturer
Transportation/Shipping
Household/Personal Products
Software/Hardware
Education
Telecommunications
Construction
Banking
Transportation/Shipping
Central Government
Charity
Software/Hardware
Insurance
Education
Travel/Leisure/Hospitality
Media
Regional Government
Transportation/Shipping
Retail
Travel/Leisure/Hospitality
Casinos/Gaming
Retail
Oil/Gas
Consultancy
Media
Media
Real Estate
Banking
Software
Security Product Vendor
Central Government
Retail
Banking
Travel/Leisure/Hospitality
Banking
Retail
Travel/Leisure/Hospitality
Consultancy
Software
Retail
Software
Insurance
Software
Banking
Travel/Leisure/Hospitality
Insurance
Insurance
Transportation/Shipping
Retail
Central Government
Regulator
Regional Government
Banking
Banking
Regional Law Enforcement
Retail
Retail
Real Estate
Banking
Education
Banking
Charity
Retail
Banking
Retail
Banking
Research
Retail
Retail
Oil/Gas
Software/Hardware
Oil/Gas
Water/Sewage
Water/Sewage
Banking
Education
Travel/Leisure/Hospitality
Telecommunications
Other Industry
Insurance
Telecommunications
Construction
Banking
Banking
Casinos/Gaming
Retail
Media
Banking
Charity
Banking
Education
Education


Venue

Park Plaza Victoria, London

vpp

Location:
Park Plaza Victoria
239 Vauxhall Bridge Road, London, UK, SW1V 1EQ
Telephone: 0333 400 6140

Directions:
Please click here