Proving the value of PCI 4.0 in the business

22nd PCI London
30 June 2021, Online

Proving the value of PCI 4.0 in the business

Secure payments are the bedrock of digital business. So how can PCI DSS be incorporated into a broader payment security programme?


The deluge of digital payments precipitated by the pandemic, both B2C and B2B, has been enabled by a complex ecosystem of new and traditional payment providers and platforms.  Whether push or pull, these payments represent a series of opportunities for cybercriminals.

They can hack the authentication and authorisation processes at various points in the  transaction, targeting POS devices, e-Commerce shops, mobile payment devices, credit cards  and the data transfers between parties at the initiation of the payment; they can target refund  and money reversal processes; and they can target the clearing and settlement process and  the underlying bank infrastructure.

Building a secure payment lifecycle was always complicated. But the introduction of new less-regulated fintech intermediaries, new payment methods, and the supposed plug-and-play  convenience of PSD2 and APIs has made security harder. And companies’ desire for data  enrichment via cookies and browser plugins (or yet more APIs), to give them better market and  customer insight introduces more access and authorisation headaches.

Today’s payment processes cannot be made cybersecure by following a single framework,  regulation or industry standard.

Instead, companies must accept the complexity of the  payments ecosystem, identify the key points in their own specific e-Commerce and digital  payments lifecycles, and secure each of these to ensure both the security and privacy of all  client data and payments, but also their own integrity and fraud resilience.

To do this, firms need to adopt continuous monitoring of their whole payment ecosystem to  detect attacks immediately and stop further damage quickly.

They need to ensure that their  standards for authentication and access are up to the task both of preventing external hacks  and imposing security discipline on internal application developers.

And the days of annual or semi-annual control environment testing and regulatory audits are long gone.

No cybersecurity or compliance professional should be relying on the mandatory minima.

And they also need to understand where their responsibilities mesh with those of the  providers of ‘back-end’ security solutions such as point-to-point encryption (P2PE), and tokenization. Indeed, a key decision is how to transfer as much of their payment security risk as  they can from their company to their payments provider partners.

At PCI London June we will be looking at how companies must secure the entire payment  lifecycle from first click to last cash movement.

  • Who should be responsible for this process?
  • How do cybersecurity and compliance create a joined-up framework to keep their  companies and their customers safe?
  • And how do PCI DSS professionals leverage their existing knowledge to build the  foundations of a comprehensive payments lifecycle security and privacy process?

Mission Statement:

Following the response to January’s 21st PCI London Summit, we are hosting this Special Edition to discuss the new challenges in the world of cards and payment data. As we continue to deal with the public health crisis and plan for post-pandemic working environments, Brexit has changed our relationship with the key regional privacy laws, WFH has created new challenges around security  and fraud, and digitalization – including crypto and digital currencies – are changing the fundamentals of the way money is used and moved. Furthermore, as PCI 4.0 comes into effect we will be  asking the market what are they looking for, what are their priorities, what are the challenges they are facing, what should PCI 4.0 and future PCI directives address, and how can the PCI DSS model be  used to drive broader privacy and security goals in your payments processes?

View details of the previous edition here

  • Foiling card-based fraud

    • To detect card-based fraud, you need identity proofing and address verification and authentication, to cover everything from account creation, to login, to payment.
    • You also need case management tools to deal with frauds once they've occurred.
    • COVID-19 has upped the stakes further.
    • So how do you build and manage these capabilities?

  • Test, test and test again

    • A once-a-year audit no longer cuts it in a world in which Google struggles with zero-day exploits, Microsoft falls behind with Exchange Server security and SolarWinds is a vector for the wider hacking of security vendors.
    • Attackers want card and other payment data, and their methods evolve daily.
    • So what does an appropriate testing regime look like today?

  • Securing the store

    • Website, webstore and mobile app security and compliance are now mission-critical parts of businesses that until very recently were resolutely physical and analogue.
    • The immediate need to move to online business channels creates a host of security and monitoring problems.
    • What are the key challenges and what are the best turnkey solutions?

  • Post-Brexit privacy problems

    • Data privacy regulation, and in particular the rigorous demands of the EU GDPR, have driven resourcing into compliance functions.
    • Where firms understand the benefits of the PCI DSS model in helping with broader compliance, PCI professionals have benefitted from this process.
    • But with the UK's exit from the EU, what happens to the focus on privacy?

  • Getting Cloud right

    • Payments infrastructure is migrating to third-party cloud providers. Payments-as-a-service is even being adopted by the world's largest global banks.
    • So, if the core security and regulatory arguments have been won, is there any reason not to adopt a Cloud payments solution?
    • How do you choose one and how do you maintain security and compliance?

  • Keeping up with the criminals

    • Requirement 6 is a problem. It's the leading cause of analyzed PFI cases and contributes to 32.7% of Verizon's reviewed data breaches.
    • In particular, ensuring all system components and software are protected from known vulnerabilities seems to present the greatest challenge.
    • So how can you solve the vulnerability management issue?

  • Picking the right payments partners

    • No company can avoid having to engage with a multitude of different providers of payments services.
    • Understanding your own security and privacy responsibilities is hard enough; ensuring that the suppliers upon whom you rely are also fully secure and compliant is harder still.
    • What are the best ways to de-risk the payments process using third parties?

  • Accidents with apps and APIs

    • As business go digital, they often find themselves locked into rapid app-development cycles.
    • It's hard to say no to the CIO and CFO especially when times are tough. But insecure and non-compliant apps linked to payments or any element of an in-scope environment are an accident waiting to happen.
    • How do you make sure it doesn't?

  • Managing the security stack

    • The use of multiple, disparate systems to implement PCI DSS compliance is common and often the result of the evolution of the compliance programme and of the business over long periods.
    • But complex stacks are hard to manage and cause control breakdowns.
    • What are the holistic solutions out there?

  • Authentication and access

    • Digitalisation has pushed access and authentication to the top of security chiefs' priorities.
    • From enterprise-wide worries right down to payment and banking, effective identity verification continues to be a key challenge facing business owners, payment providers, and card issuers.
    • What are the best solutions?

  • Why PCI DSS 4.0 matters

    • PCI DSS 4.0 promises us a new and risk-based approach to card data security.
    • This is contrasted with the previous framework which could be treated as a tick-box exercise.
    • But what does 'risk-based' mean in practice? And what makes sure that organisations (a) commit more fully to compliance and (b) themselves change their tick-box mentality?

  • Contact centre compliance

    • Accessing a secure payments mechanism via a contact centre should be a straightforward outsourcing decision for companies large and small.
    • But your contact centre is potentially your biggest PCI DSS and card data loss risk.
    • So what should you be looking for in a contact centre? And what solutions should they have in place to ensure card data integrity?

Who attends

Job titles

PCI Security Manager
Group PCI Compliance Manager
Compliance Manager & Deputy CISO
Programme Manager PCI DDS EMEA
Head of Information Security & Business Continuity
Global PCI Lead
Group Information Security Manager
Group Risk & Compliance Manager
PCI Compliance Manager
Data Compliance Manager
Head of Third Party Assurance and PCI Compliance
Chief Security Officer (CSO)
IT Group Compliance Manager
Chief Information Security Officer (CISO)
Senior Security Architect
CISO
Senior Director of Compliance
Head of Risk and Compliance
I.T. Compliance Manager
Head of Information Security Compliance
Head of PCI
Head of Payments, Information Risk & Security
Payments Security Manager
PCI Programme Manager
Compliance manager
PCI Compliance Officer
GDPR Manager
Head of PCI
Senior PCI Compliance Manager
Head of Payment Security
Head of Payment Security & Governance
Senior PCI Compliance Manager
PCI Service Delivery Manager
ICT Audit & Compliance Officer
CISO
PCI DSS Project Manager
Senior Security Governance & Compliance Manager
Head of Payments
CSO
PCI Programme Manager
PCI Manager
PCI Project Manager
PCI DSS Compliance Manager
PCI DSS Compliance Manager
PCI DSS Programme Manager
Head of IT Security
CISO
PCI Lead/Architect
Head of Cyber Security
Senior Data Governance Manager
Payments PCI Programme Manager
Senior Manager, Payments Compliance, Risk & Regulatory
DPO
Senior Director, International Privacy & IT Security
Group Manager Security & Fraud - Information Risk
Group Data Protection Officer
Senior Manager, Card Payment Security Program
IT Compliance Manager
Data Governance Manager and DPO
Manager, Information Security Compliance - PCI
AR Manager - PCI Officer
Global Compliance Officer
Senior Payments Risk Manager
IT Security & Compliance Manager
Director, Global Information Security and Incident Response
Fraud and Payments Manager
Business Information Security Officer
Global PCI Compliance
Program Manager - Information Security and Payment Compliance
PCI Compliance & Risk Manager
Head of Compliance & MLRO
CISO
CISO
PCI - Business Lead & Technical Architect
Global Information Security Officer
Group Information Security Policy, Risk & Vendor Manager
Head of Payment Compliance
Head of Cyber & Information Security
Head of IT Security and Data Protection
Global PCI Compliance
Director Information Security and IT Compliance
Global PCI Lead
PCI Compliance Manager
Head of Privacy & Data Protection
PCI Compliance Manager
BISO
Senior Special Agent - Global Security
Head of Information Security
Head of Information Security
Global Information Security & PCI Compliance Manager
Head of IT Infrastructure
Director, Head of I.T. Security & Risk Management Systems
Chief Data Protection Officer
CTO
PCI Project Manager
GDPR Programme Manager
UK&IE Information Security and Data Privacy Manager
Senior Manager IT Security, Risk & Governance
PCI Assurance Manager
Group Data Protection Officer
Director of Cyber Security

Companies

Clarks
JD Sports
John Lewis Partnership
Saint-Gobain UK & Ireland
Stagecoach Rail
HM Revenue & Customs
Maersk
Nationwide Building Society
NEXT
Superdrug Stores
Transport for London
Ladbrokes Coral Group
Boden
PhotoBox
The Shaw Trust
AXA
Odeon Cinemas
ticketmaster
Lloyds Banking Group
BBC
Close Brothers Premium Finance
Just Eat
Dixons Carphone
Cancer Research UK
The Co-operative Group
Royal Bank of Scotland
The Go-Ahead Group
Bank of America Merrill Lynch
HMV
Santander
Vodafone
Capital One
Direct Line Group
Ikea Group
The Economist
Simplyhealth Group
Rugby Football Union
Sky Betting & Gaming
Lastminute .com
William Hill
Argos
LUSH
Comic Relief
Waterstones
Specsavers
Paddy Power Betfair
easyJet
Thames Water
BP
TalkTalk
British Airways
The Works Stores
Marks & Spencer
Hiscox
Sony
Allianz
Travis Perkins
Asda
Greggs
Marriott Hotels
Millennium Hotels & Resorts
Sainsbury's
ASOS.com
Admiral Group
DVLA
Waitrose
Camelot Group
TUI Group
Bupa Global
Burberry
Virgin Media
American International Group
Selfridges
Which?
Lycamobile
Royal Mail
National Trust
EE
Pearson
Carnival
Barclays
RSPB
JP Morgan Chase
Halfords
Travelodge
Cineworld
giffgaff
LV= Liverpool Victoria
British Heart Foundation
InterFlora
Metro Bank
The Caravan and Motorhome Club
Enterprise Holdings
Dermalogica
Ocado
Ann Summers
River Island
Barnardo's
Sky
Unilever
Addison Lee
Whitbread
Tesco
Addleshaw Goddard LLP
Arriva
RAC
Bet365
WH Smith
Debenhams

Industries

Retail
Travel/Leisure/Hospitality
Other Industry
Casinos/Gaming
Charity
Telecommunications
Construction
Food/Beverage/Tobacco
Media
Hardware
Water/Sewage
Food/Beverage/Tobacco
Electricity
Healthcare Services
Telecommunications
Telecommunications
Real Estate
Manufacturer
Regional Government
Telecommunications
Other Industry
Water/Sewage
Casinos/Gaming
Institute
Retail
Banking
Education
Construction
Electronic/Electrical Equipment
Automobiles/Parts
Real Estate
Education
Electricity
Retail
Retail
Healthcare Services
Media
Pharmaceuticals
Casinos/Gaming
Electricity
Automobiles/Parts
Regional Law Enforcement
Charity
Healthcare Services
Construction
Retail
Household/Personal Products
Charity
Oil/Gas
Education
Insurance
Water/Sewage
Transportation/Shipping
Real Estate
Electricity
Household/Personal Products
Transportation/Shipping
Automobiles/Parts
Central Government
Retail
Insurance
Legal
Food/Beverage/Tobacco
Household/Personal Products
Legal
Manufacturer
Banking
Construction
Banking
Retail
Banking
Institute
Regional Government
Charity
Casinos/Gaming
Oil/Gas
Insurance
Travel/Leisure/Hospitality
Electronic/Electrical Equipment
Retail
Travel/Leisure/Hospitality
Insurance
Retail
Construction
Construction
Accounting/Auditing
Oil/Gas
Association
Transportation/Shipping
Oil/Gas
Retail
Casinos/Gaming
Media
Association
Regional Law Enforcement
Media
Central Government
Real Estate
Construction
Travel/Leisure/Hospitality
Education
Media
Household/Personal Products
Legal
Charity
Retail
Pharmaceuticals
Food/Beverage/Tobacco
Other Industry