Agenda

08:00 - 08:50

Breakfast Networking Break 
08:50 - 09:00

Chair's Welcome 
09:00 - 09:20

►Update from the PCI Security Standards Council: Preparing for 31st March 2025 

Jeremy King, VP, Regional Head for Europe, PCI Security Standards Council

  • What does this mean?
  • What are the new requirements?
  • How this will affect your organization?
  • What other standards are changing in 2025? And how can you be involved?
09:20 - 09:40

►Overcoming Operational Challenges Implementing PCI DSS Requirements 6.4.3 and 11.6.1

John Elliott, Security Advisor, Jscrambler

  • Taking a risk-based approach to maximize operation efficiency and stay secure.
  • Understanding what the requirements say and importantly, do not say.
  • Identifying the key stakeholders, how does JavaScript get added to your website?
  • How to avoid drowning in authorizations and make sure you manage the risk associated with script changes.
  • Some common myths and misinterpretations shattered.
09:40 - 10:00

►PCI Compliance-as-a-Service: Simplifying the Path to Compliance

Martin Petrov, CTO, Integrity360

  • Navigating PCI compliance can be overwhelming with its numerous moving parts and complexities. Our session will demystify the concept of PCI Compliance-as-a-Service (PCIaaS) and demonstrate how organisations can simplify compliance efforts while improving security outcomes.
  • What is PCIaaS? A managed approach to simplifying and outsourcing non-core compliance activities.
  • Focus on Growth: Free your internal teams by offloading compliance burdens to trusted experts.
  • Simplify Vendor Management: Reduce vendor sprawl, consolidate contracts, and simplify oversight.
  • Enhanced Security Posture: Improve audit outcomes and mitigate compliance gaps through expert-led strategies.
10:00 - 10:20

►PCI DSS & Internal Security Standards - Managing the Alignments & Conflict

Katie Cowman, Senior PCI Assurance Manager, Barclaycard

  • Tailoring organizational policies to meet unique security needs.
  • Bridging PCI DSS compliance with internal security objectives.
  • Mitigating overlaps and contradictions between external mandates and internal protocols.
10:20 - 11:00

► Education Seminar 1

Delegates will be able to choose from the following education seminars:

  • PCI DSS 4.0 Compliance Made Easy with Thales, Ketan Pyne, Pre Sales team for UK&I & Matthew Santos, Thales Group 
  • This session has a bit of scope creep - much like your last PCI audit! You’re getting two topics for the price of one today: how to align PCI compliance with other frameworks and tackle PCI in serverless and cloud-native environments, Sam Greaves, Senior Consultant, CSA Cyber
  • Contact Centre 101: Back to Basics, Geoff Forsyth, CISO, PCI Pal
     
11:00 - 11:30

Networking Break
11:30 - 11:50

►Mastering PCI Evidence Collection: Simplify, Automate, Succeed 

Natasha Harries Roebuck, PCI Compliance Specialist, Sky UK

  • Practical strategies to make PCI evidence gathering less burdensome and more efficient
  • Automation for year-round readiness
  • Tips to transform the annual assessment from a scramble to a seamless process
11:50 - 12:10

►Countdown to Compliance: Misconceptions and Action Plans for 6.4.3 and 11.6.1 - Human Security

Mark Phillips - VP, Sales and Solutions Engineering EMEA, Human Security

Richard Fridge - Director, Enterprise Sales EMEA, Human Security

  • With the March 31st PCI DSS v4.0 deadline approaching, organisations face increasing pressure to meet requirements 6.4.3 and 11.6.1. 
  • This session addresses common misconceptions, clarifies what's required, and outlines practical steps to prepare effectively with just weeks remaining.
12:10 - 12:30

►Fireside chat: Demystifying PCI Audits: Insights for Seamless Compliance

Kevin Burns, PCI Compliance Lead, NMI

  • What are the key steps organizations should take to ensure they’re audit-ready throughout the year, not just at audit time?
  • How can companies turn PCI compliance from a checkbox exercise into an integral part of their security strategy?
  • What are some effective ways to handle unexpected challenges or findings during a PCI audit?
  • How can organizations future-proof their compliance programs to adapt to changes in PCI DSS and the broader threat landscape?
12:30 - 13:10

► Education Seminar 2

Delegates will be able to choose from the following education seminars:

  • Navigating SSL and Email PCI-DSS Compliance with Red Sift, Billy McDiarmid, Director of Solutions Engineering, Red Sift
  • Don’t Let Your Security Fall Apart: PCI DSS, Third-Party Software, and the Tetris Effect , Nadav Shatz, Customer Solutions and Advisory Director, Orange Cyberdefense
  • Scope Smarter, Not Harder, by Debunking Common PCI Myths That Derail Merchants, Peter Lane, Managing Cyber Security Consultant, Cyro Cyber
     
13:10 - 14:10

Lunch & Networking Break 
14:10 - 14:30

►The Legal and Contractual Side of PCI DSS: What Every Business Needs to Know

Dr Sam De Silva, Partner & Global Co-Head of Commercial Practice Group, CMS

  • Overview of the legal framework of PCI DSS
  • Understanding the "PCI DSS Contract Chain"
  • Identifying problems with PCI DSS in the legal context
  • Outline of actions that merchants should explore to reduce legal risk arising out of PCI DSS  
  • Considering issues in PCI DSS clauses in contracts
14:30 - 14:50

►Mastering PCI DSS compliance in a world of unstructured data 

Stephen Cavey, Co-Founder and Chief Evangelist, Ground Labs

  • In today's data-driven world, businesses are generating and ingesting more data than ever before, with up to 90% being unstructured. Ensuring PCI DSS compliance within these vast stores of unstructured data is a critical challenge, as organizations often lack the capability to identify and manage cardholder data (CHD) outside their defined cardholder data environment (CDE).
  • Learn what unstructured data is and the risks it presents for security and compliance.
  • Understand the complexities of ensuring PCI DSS compliance when dealing with unstructured data.
  • Discover how data discovery tools and techniques can help identify and manage unknown, unexpected and unstructured data.
  • Explore how evidence-based data discovery can help effectively manage unstructured data and its importance as we look to the future of AI/ML and ever-increasing data growth
     
14:50 - 15:10

►From Stress to Success: How Continuous Compliance Simplifies PCI DSS

Peter O’Sullivan, Principal Information Security Consultant, Blackfoot Cybersecurity

  • Understand the challenges of maintaining PCI DSS compliance between assessments.
  • Discover how shifting to a continuous compliance approach reduces stress and workload spikes.
  • Explore practical strategies for integrating compliance into daily operations.
  • Learn how to avoid non-compliance by anticipating lapses and overcoming them proactively.
     

 
15:10 - 15:50

► Education Seminar 3

Delegates will be able to choose from the following education seminars:

  • Future of PCI ComplAInce, Kris Olejniczak, CEO, Patronusec
  • MythBusters, Parminder Lall, CEO and Founder, 1CyberValley
15:50 - 16:10

Networking Break 
16:10 - 16:30

►Securing Payment Pages: Navigating PCI DSS v4 Requirements for Browser-Loaded Scripts

Graham Dawson, Cyber Security Architect, Naked Wines

  • Understanding the Invisible Risk: How scripts and tags on your payment pages impact security and compliance.
  • Building Robust Controls: Implementing practical controls to mitigate risks and meet PCI DSS v4 standards effectively.
  • Managing Scripts with Reflectiz: Exploring a cutting-edge tool to monitor, control, and secure browser-loaded scripts in real time.
  • The Road Ahead: What does the future holds for compliance and innovation.
16:30 - 17:00

►PCI Compliance: Breaking Barriers and Shaping the Future 

Simon Brady, Event Chairman, AKJ Associates (Moderator)
Kevin Burns, PCI Compliance Lead, NMI 
Laura Morgans, Security Risk and Compliance Manager, Dr Martens, Airwair International Ltd
Rashmi Nadig, Data Protection and Compliance Officer, Crisis 
Mike Somers, PCI DSS Consultant & Specialist 
Mark Osborne, BISO & Regional CISO UK, EU & ANZ, Corpay

  • How can organizations balance evolving PCI standards with effective vendor management?
  • Is AI an enabler or a risk for PCI compliance, and how can it be used responsibly?
  • What are the biggest challenges in standardizing PCI contractual obligations?
  • Is scope reduction still effective, or are there better strategies for managing PCI compliance?
  • How can we better communicate the business value of PCI compliance?
17:00 - 18:00

Drinks Reception & Networking 

Education seminars


This session has a bit of scope creep - much like your last PCI audit! You’re getting two topics for the price of one today: how to align PCI compliance with other frameworks and tackle PCI in serverless and cloud-native environments.


Sam Greaves, Senior Consultant, CSA Cyber

Most large organisations requiring PCI compliance also adhere to other standards, such as ISO 27001 or SOC 2. Traditionally, audits for each framework are conducted separately, making them time-consuming and resource intensive. By mapping controls across standards and conducting combined audits, organisations can streamline evidence collection and reduce effort. At the same time, modern serverless and cloud-native environments introduce unique challenges, such as shared responsibility models and the inability to apply traditional security controls – all whilst offering significant benefits like scalability and efficiency.

Join Sam as he explores the future of PCI compliance in a serverless world and how to navigate these emerging opportunities.

Attendees will learn:

  • Framework Alignment: Map controls across PCI DSS, ISO 27001, and SOC 2 etc., to minimise duplication and streamline compliance.
  • Unified Audits: Consolidate audits across multiple frameworks to save time, effort, and costs.
  • Cloud Native Challenges: Address complexities in serverless and containerised environments.
  • Compensating Controls: Replace traditional methods like FIM with modern approaches such as logging, runtime security, and immutable infrastructure.

MythBusters.


Parminder Lall, CEO and Founder, 1 Cyber Valley    

Following on to last year’s success of “Back To The Future” presentation at PCI London, this year we bring you “MythBusters: Who You’re Gonna Call?”. In an ever-evolving security landscape and with numerous interpretations and opinions about the PCI DSS framework, organisations can often misunderstand their responsibilities or fail to comply fully. We need to identify  ‘Misconception v Reality’.

Attendees will learn:

  • Will all QSAs maintain the same perspective?
  • Does reliance on outsourcing to a third-party providers eliminates you compliance responsibilities.
  • Are you protected by treating PCI DSS as a One-Time effort?
  • If you don’t store cardholder data you do not need to comply

Navigating SSL and Email PCI-DSS Compliance with Red Sift


Billy McDiarmid, Director of Solutions Engineering, Red Sift

  • Understanding PCI DSS Compliance: Explore the latest updates to PCI DSS requirements and their implications for organizations.
  • Certificates: Learn how compliance standards have evolved and the role of certificates in meeting these mandates.
  • Email Security as a Key Compliance Driver: Learn how securing your email domain with solutions like DMARC, SPF, and DKIM contributes to PCI DSS compliance by protecting cardholder data from phishing and spoofing attacks.
  • Data Protection: Discover how Red Sift solution monitors and secures sensitive information across your digital footprint, supporting critical compliance mandates.
  • Streamlining Compliance Efforts: See how automation and actionable insights from Red Sift simplify achieving and maintaining PCI DSS compliance.

 


Contact Centre 101: Back to Basics


Geoff Forsyth, CISO, PCI Pal
A look at how PCI impacts MOTO payments as we dive deeper into issues with SAD storage, and explore scope reduction techniques such as IVR, DTMF masking, speech recognition, digital payments


Don’t Let Your Security Fall Apart: PCI DSS, Third-Party Software, and the Tetris Effect!


Nadav Shatz, Customer Solutions and Advisory Director, Orange Cyberdefense

  • Third-party security risks are one of the top threats to organisations. Within this, the risk posed by third-party software is constantly on the rise as a major emerging threat especially for organisations that develop and offer payment solutions.
  • Now more than ever, the PCI DSS places an unprecedented focus on securing both custom and third-party software, including new, future-dated requirements set to come into effect early next year as part of PCI DSS v4.0.1. We will show:
  • A real-life demonstration of a customer case, exploiting a third-party software vulnerability to not only gain control of Account Data but also to turn a POS terminal into a music player!
  • Explore and suggest solutions for properly addressing this threat, to secure payment environments and ensure compliance with the relevant requirements of PCI DSS v4.0.1.

PCI DSS 4.0 Compliance Made Easy with Thales


Ketan Pyne, Pre Sales team for UK&I, Thales Group 
Matthew Santos, Thales Group 

  • Drawing on decades of experience helping banks and financial institutions comply with industry mandates, Thales offers integrated products and services that enable your organisation to protect stored cardholder data, encrypt it for transfer, restrict access on a need-to-know basis and protect applications managing payment transactions. 
  • Working with Thales can reduce the scope of your PCI DSS compliance burden. 

Scope Smarter, Not Harder, by Debunking Common PCI Myths That Derail Merchants


Peter Lane, Managing Cyber Security Consultant, Cyro Cyber

You know the drill. PCI requirements are notoriously complex, scoping gets messy, and the plethora of guidance out there often raises more questions than answers!

With tight deadlines and limited resources, most merchants don’t have the bandwidth to master the intricacies that QSAs live and breathe. The result? The same scoping mistakes and misconceptions continue to derail compliance efforts and stunt business growth. But with the right strategies, you can avoid these pitfalls.

Join Peter Lane, PCI DSS QSA and seasoned security expert, for a solution-focused session that tackles common PCI problems head-on. With 17+ years’ experience helping businesses from SMBs to enterprises, Peter will demystify the PCI essentials that impact your ability to meet the various demands. He will cover everything from why scoping matters more than you think, to the real-world implications of which technology or service providers you use and how to avoid unnecessary reporting challenges to ensure simpler compliance, and stronger security.

By the end of the session, you’ll be able to:

•    Understand the most common PCI scoping mistakes that derail compliance and growth.
•    Identify the impact of technology and service providers on your scope and audit requirements.
•    Develop your ability to understand the requirements intent and know where to find the best advice.
•    Refine your PCI strategy and strengthen your security posture.
 

 


Future of PCI ComplAInce


Kris Olejniczak, CEO, Patronusec

Artificial Intelligence is transforming the landscape of payments security. This includes the growing use of AI-driven tools that simplify compliance management, reduce operational complexity, and lower costs. However, the same advancements empower fraudsters and hackers, reshaping attack vectors and the overall threat landscape in payments security. AI is also redefining the role of QSA companies, enabling them to deliver assessments with greater focus on broader and more complex elements of compliance. Furthermore, as organisations increasingly explore processing cardholder data within AI and LLM-powered systems, the boundaries of PCI DSS scope are evolving, presenting new challenges and considerations.

Attendees will learn: 

  • The shifting threat landscape as fraudsters leverage AI tools to enhance their capabilities.
  • How organisations are utilising AI to streamline and enhance internal compliance processes.
  • The evolving role of QSA companies in delivering more impactful and focused assessments.
  • Key considerations for building AI-powered systems and specialised LLM models that process cardholder data while remaining PCI DSS compliant.
  • Discussing the above through real-world experience and case studies