Agenda
Presentations already confirmed include:
►What’s New in PCI Security: Updates and Insights from the Council
Úna Dillon, Regional Director Europe, PCI Security Standards Council
- The PCI Council’s latest initiatives and effective ways to engage with the Council
- Recent updates to the PCI Security Standards and how they impact your compliance strategy
►Third-Party Management at Scale: From Compliance Burden to Business Enabler
Simon Turner, Head of Security Governance and Compliance, BT Group
- Evolving Landscape: Understand how changing service delivery models, cloud adoption, and outsourced payment solutions reshape third-party PCI obligations
- Risk-Based Approach: Learn how to categorise suppliers ethically and apply assurance proportional to risk, ensuring PCI DSS controls remain practical and scalable
- Strengthening Governance: Explore how structured governance frameworks, standardised assurance processes, and right-to-audit provisions can drive supplier accountability and consistency
- Compliance as a Consequence: Discover how embedding PCI DSS into business-as-usual activities transforms compliance from a costly requirement into a driver of trust, resilience, and business value
►Beyond the Playbook: The Human Side of Managing Major Incidents
Michelle Griffey, GRC Director, Paragon
- From Procedure to Performance – How to turn documented PCI DSS response plans into confident, real-world action under pressure
- Collaboration as a Control – How cross-functional coordination between IT, compliance, forensics, and business leaders strengthens response effectiveness
- Preparedness through Culture – How regular training and simulations build an instinctive, empowered “response culture” across the organisation
►The Great De-scope: Using Tokenization to Slash Your PCI DSS Burden (A GRC Perspective on Strategic Scope Reduction and Multi-Framework Benefits)
Adaora Ezennia, GRC Lead, THG PLC
- Strategic Scope Reduction – How tokenisation slashes PCI requirements from 300+ to dozens by eliminating cardholder data from your environment
- Multi-Framework ROI – Delivering simultaneous compliance benefits across PCI DSS, GDPR data minimisation, and ISO 27001/27701 controls
- Audit Advantage & Implementation – Why demonstrating compliance becomes 40-50% faster, plus actionable evaluation framework and next steps
►Getting Through the PCI Audit: Building Confidence and Compliance
Carol Lloyd, PCI Compliance Consultant, Stonegate Group
- Demystifying the PCI Audit – what auditors expect, key requirements, and how PCI DSS fits into the broader compliance landscape
- Preparation and Readiness – documentation, system evidence, and process reviews to avoid last-minute surprises
- Working with Your Auditor – effective communication, handling requests, and demonstrating control ownership
- Beyond Compliance – turning audit outcomes into opportunities to strengthen security posture and reduce risk
►From Checkbox to Continuous: How PCI DSS 4.0 Transforms Compliance into Living Governance
Ronak Topiwala, Global Information Security GRC Lead, Checkout.com
- Applying the Customised Approach to align PCI controls with real engineering and business outcomes
- Using Targeted Risk Analysis to drive smarter, evidence-based security decisions
- Implementing Continuous Control Monitoring with real-time data and automation
- Reducing audit fatigue, accelerating delivery, and strengthening organisational trust through outcome-based governance
►20 Years of PCI: Powering the Next Generation of Secure Payments
Jo Vane, InfoSec Compliance Director, Checkout.com
Katie Cowman, Senior PCI Assurance Manager, Barclaycard
Muhammad Emal Khan, Senior Information Security Consultant, Lidl
- How can PCI requirements stay relevant as payments move into API-driven, serverless, and decentralised systems?
- Should PCI evolve toward a more outcomes-based or risk-based framework?
- What role will automation and real-time monitoring play in compliance?
- The next generation of standards and what the ecosystem needs to thrive
- What industry collaboration looks like in the next 20 years
Education seminars
The Uncomfortable Truth About Ecommerce Payment Security & PCI 4.0 Compliance
John Bartholomew, Senior VP, Strategic Relationships, SecurityMetrics
In 2020, a new kind of cyberattack was discovered that targets ecommerce secure payment iframes in a way that hadn’t been seen before. There are now multiple successful tactics to circumvent iframes, and their use is growing. Protecting ecommerce data needed an improved security approach. The industry response is PCI DSS 4.0, with new security controls specifically for ecommerce. While the transition to improved ecommerce security has begun, it’s far from over, and whether the approach as it currently functions will ultimately succeed is questionable. Join SecurityMetrics Sr. VP John Bartholomew as he guides you through the evolving landscape of ecommerce website attacks, what attackers are focusing on in 2026, and how acquirers can help their merchants stay safe. He will also explore some challenging realities of our industry's current approach to protecting ecommerce payment data and how to improve it.
Attendees will learn:
- Key attributes of current hacker methodologies
- Challenges for merchants, acquirers and forensics experts
- Key criteria for simplified & effective solutions for 6.4.3 and 11.6.1
- Risk-based practical & realistic options for reducing ecommerce merchant risk
The Next Wave: How AI Will Reshape Retail Security Threats
Simon Arazi, VP of Product, Reflectiz
Our presentation, The Next Wave: How AI Will Reshape Retail Security Threats, will examine the 2026 retail threat landscape, focusing on AI's impact—from personalised shopping to autonomous checkout. We'll highlight how these innovations are creating new security risks and forecast the emerging threats that are currently flying under the radar.
Attendees will learn:
- 2026 Web Exposure Reality Check: A data-driven look at today's retail threat landscape
- AI-Powered Retail - The Double-Edged Sword: How AI is transforming online shopping experiences, from personalized recommendations to autonomous checkout
- Threat Forecast - What's Coming Next: Why these same capabilities are creating a new set of threats that are currently flying under the radar
Choosing a QSA: Life Is Like a Box of Assessors—You Need to Know What You’re Going to Get
Parminder Lall, CEO and Founder, 1 Cyber Valley
In this presentation, Parminder will explain and describe to the audience what their thought processes should be like when selecting and working with a QSA. When presenting, Parminder will outline what a QSA’s job asks of them to deliver, what a QSA is, and who in the audience needs a QSA. We believe this is important for the audience to learn further on, as PCI may still be seen as a niche in the cyber security world. Having done two previous presentations at the AKJ event in past years, we have seen that the audience’s experience scale varies at the event, and we also want to accommodate those who have been in the industry for many years, like Parminder. To accommodate these individuals, our presentation will be highly interactive, where we will ask them to also provide their input and experience of the matter.
We will also explore ‘Cost Considerations’ and how pricing scales vary for all companies looking into PCI DSS QSAs. We feel this is important as it is a barrier we are consistently confronted with in our work, and we feel the need to justify/clarify what it is we do that requires such costs. This will be highly educational, as it is something we deem very important for all involved parties. Parminder will also discuss the differences between ‘Value Added QSAs’ and ‘Cost Leader QSAs’, and how it is important for CISOs to actively discuss which is the better option for themselves when selecting a QSA.
Attendees will learn:
- What is a QSA?
- Who needs a QSA?
- Value-Added QSAs vs Cost Leader QSAs
- Cost Considerations
- Tips for when choosing a QSA