Agenda

08.30 - 09.30

Breakfast & Networking Break

09.30 - 09.40

Chairman's Welcome

09.40 - 10.00

►What’s New in PCI Security: Updates and Insights from the Council

Úna Dillon, Regional Director Europe, PCI Security Standards Council

  • The PCI Council’s latest initiatives and effective ways to engage with the Council
  • Recent updates to the PCI Security Standards and how they impact your compliance strategy

10.00 - 10.20

►Beyond Compliance: Protecting the Payment Journey in a Machine-Driven World

Daniel Bond, Account Executive, Payments & Fraud — EMEA, HUMAN Security
Mohamed Inshaff, Principal Sales Engineer, EMEA, HUMAN Security

  • The rise of agentic AI and its implications for payment security
  • Why protecting payments now requires a zero-trust approach built on continuous visibility and verified intent
  • What recent third-party platform abuse reveals about modern payment-journey risk

10.20 - 11.00

►Education Seminar 1

Delegates will be able to choose from a range of topics:

  • IPI presentation to be announced
  • The Next Wave: How AI Will Reshape Retail Security Threats, Simon Arazi, VP of Product, Reflectiz
  • The Uncomfortable Truth About Ecommerce Payment Security & PCI 4.0 Compliance, John Bartholomew, Senior VP, Strategic Relationships, SecurityMetrics

11.00 - 11.30

Networking Break

11.30 - 11.50

►The Great De-scope: Using Tokenization to Slash Your PCI DSS Burden (A GRC Perspective on Strategic Scope Reduction and Multi-Framework Benefits)

Adaora Ezennia, GRC Lead, THG PLC

  • Strategic Scope Reduction – How tokenisation slashes PCI requirements from 300+ to dozens by eliminating cardholder data from your environment
  • Multi-Framework ROI – Delivering simultaneous compliance benefits across PCI DSS, GDPR data minimisation, and ISO 27001/27701 controls
  • Audit Advantage & Implementation – Why demonstrating compliance becomes 40-50% faster, plus actionable evaluation framework and next steps

11.50 - 12.10

►Using an AI Assistant to Simplify Third-Party Script Authorisation for PCI DSS Requirement 6.4.3

Gareth Bowker, PCI Technical Advisor, Jscrambler

  • The Problem: PCI DSS 6.4.3 requires managing undecipherable third-party scripts that vendors can update without notice; manual review doesn't scale
  • The Risk: A single malicious script change could compromise payment data, yet security teams must vouch for code they can't read
  • The Solution: AI-assisted authorisation combines LLM analysis with deterministic checks and behavioural baselines, proving AI can be used safely for security-critical decisions
  • The Result: Auditable decision trails that satisfy assessors and transform "which wire do I cut?" moments into documented, defensible authorisations

12.10 - 12.30

►Beyond the Playbook: The Human Side of Managing Major Incidents

Michelle Griffey, GRC Director, Paragon

  • From Procedure to Performance – How to turn documented PCI DSS response plans into confident, real-world action under pressure
  • Collaboration as a Control – How cross-functional coordination between IT, compliance, forensics, and business leaders strengthens response effectiveness
  • Preparedness through Culture – How regular training and simulations build an instinctive, empowered “response culture” across the organisation

12.30 - 13.10

►Education Seminar 2

Delegates will be able to choose from a range of topics:

  • Choosing a QSA: Life Is Like a Box of Assessors—You Need to Know What You’re Going to Get, Parminder Lall, CEO and Founder, 1 Cyber Valley
  • ComplyB4 presentation to be announced
  • From Annual Panic to Continuous Control: 5 Practical Steps to Build a Continuous PCI DSS Compliance Model, Kris Olejniczak, CEO, Patronusec
  • Fighting Against The AI Bot Threat, Tim Ayling, VP EMEA Cyber Security Specialists, Thales

13.10 - 14.10

Lunch Networking Break

14.10 - 14.30

►Getting Through the PCI Audit: Building Confidence and Compliance

Carol Lloyd, PCI Compliance Consultant, Stonegate Group

  • Demystifying the PCI Audit – what auditors expect, key requirements, and how PCI DSS fits into the broader compliance landscape
  • Preparation and Readiness – documentation, system evidence, and process reviews to avoid last-minute surprises
  • Working with Your Auditor – effective communication, handling requests, and demonstrating control ownership
  • Beyond Compliance – turning audit outcomes into opportunities to strengthen security posture and reduce risk

14.30 - 14.50

►Third-Party Management at Scale: From Compliance Burden to Business Enabler

Simon Turner, Head of Security Governance and Compliance, BT Group

  • Evolving Landscape: Understand how changing service delivery models, cloud adoption, and outsourced payment solutions reshape third-party PCI obligations
  • Risk-Based Approach: Learn how to categorise suppliers ethically and apply assurance proportional to risk, ensuring PCI DSS controls remain practical and scalable
  • Strengthening Governance: Explore how structured governance frameworks, standardised assurance processes, and right-to-audit provisions can drive supplier accountability and consistency
  • Compliance as a Consequence: Discover how embedding PCI DSS into business-as-usual activities transforms compliance from a costly requirement into a driver of trust, resilience, and business value

14.50 - 15.10

►From Checkbox to Continuous: How PCI DSS 4.0 Transforms Compliance into Living Governance

Ronak Topiwala, Global Information Security GRC Lead, Checkout.com

  • Applying the Customised Approach to align PCI controls with real engineering and business outcomes
  • Using Targeted Risk Analysis to drive smarter, evidence-based security decisions
  • Implementing Continuous Control Monitoring with real-time data and automation
  • Reducing audit fatigue, accelerating delivery, and strengthening organisational trust through outcome-based governance

15.10 - 15.40

Networking Break

15.40 - 16.20

►20 Years of PCI: Powering the Next Generation of Secure Payments

Simon Turner, Head of Security Governance and Compliance, BT Group (Moderator)
James Richardson, Information Security Officer, Specsavers
Jo Vane, Director, Information Security, Checkout.com
Katie Cowman, Senior PCI Assurance Manager, Barclaycard
Muhammad Emal Khan, Senior Information Security Consultant, Lidl
Úna Dillon, Regional Director Europe, PCI Security Standards Council

  • How can PCI requirements stay relevant as payments move into API-driven, serverless, and decentralised systems?
  • Should PCI evolve toward a more outcomes-based or risk-based framework?
  • What role will automation and real-time monitoring play in compliance?
  • The next generation of standards and what the ecosystem needs to thrive
  • What industry collaboration looks like in the next 20 years

16.20 - 16.30

Chairman's Closing Remarks

16.30 - 17.30

Drinks Reception

Education Seminars

The Uncomfortable Truth About Ecommerce Payment Security & PCI 4.0 Compliance

John Bartholomew, Senior VP, Strategic Relationships, SecurityMetrics

In 2020, a new kind of cyberattack was discovered that targets ecommerce secure payment iframes in a way that hadn’t been seen before. There are now multiple successful tactics for circumventing iframes, and their use is growing. Protecting ecommerce data needed an improved security approach, and the industry response is PCI DSS 4.0, with new security controls specifically for ecommerce. While the transition to improved ecommerce security has begun, it is far from over, and whether the current approach will ultimately succeed is questionable. Join SecurityMetrics Senior VP John Bartholomew as he guides you through the evolving landscape of ecommerce website attacks, what attackers are focusing on in 2026, and how acquirers can help their merchants stay safe. He will also explore some challenging realities of our industry's current approach to protecting ecommerce payment data and how to improve it.

Attendees will learn:

  • Key attributes of current hacker methodologies
  • Challenges for merchants, acquirers and forensics experts
  • Key criteria for simplified & effective solutions for PCI DSS Requirements 6.4.3 and 11.6.1
  • Risk-based practical & realistic options for reducing ecommerce merchant risk

The Next Wave: How AI Will Reshape Retail Security Threats

Simon Arazi, VP of Product, Reflectiz

Our presentation, The Next Wave: How AI Will Reshape Retail Security Threats, will examine the 2026 retail threat landscape, focusing on AI's impact—from personalised shopping to autonomous checkout. We'll highlight how these innovations are creating new security risks and forecast the emerging threats that are currently flying under the radar.

Attendees will learn:

  • 2026 Web Exposure Reality Check: A data-driven look at today's retail threat landscape
  • AI-Powered Retail - The Double-Edged Sword: How AI is transforming online shopping experiences, from personalised recommendations to autonomous checkout
  • Threat Forecast - What's Coming Next: Why these same capabilities are creating a new set of threats that are currently under the radar

Choosing a QSA: Life Is Like a Box of Assessors—You Need to Know What You’re Going to Get

Parminder Lall, CEO and Founder, 1 Cyber Valley

In this presentation, Parminder will explain to the audience what their thought process should be when selecting and working with a QSA. He will outline what a QSA is, what a QSA’s job asks of them to deliver, and who in the audience needs a QSA. We believe this is important for the audience to learn more about, as PCI may still be seen as a niche in the cyber security world. Having given two previous presentations at the AKJ event in past years, we have seen that the audience’s level of experience varies, and we also want to accommodate those who have been in the industry for many years, like Parminder. To accommodate these individuals, our presentation will be highly interactive, and we will ask them to provide their own input and experience on the matter.

We will also explore ‘Cost Considerations’ and how pricing scales vary for all companies looking into PCI DSS QSAs. We feel this is important, as it is a barrier we are consistently confronted with in our work, and we feel the need to justify and clarify what it is we do that requires such costs. This will be highly educational, as it is something we deem very important for all involved parties. Parminder will also discuss the differences between ‘Value Added QSAs’ and ‘Cost Leader QSAs’, and why it is important for CISOs to actively consider which is the better option for them when selecting a QSA.

Attendees will learn:

  • What is a QSA?
  • Who needs a QSA?
  • Value-Added QSAs vs Cost Leader QSAs
  • Cost Considerations
  • Tips for when choosing a QSA

Fighting Against The AI Bot Threat

Tim Ayling, VP EMEA Cyber Security Specialists, Thales

In this session, Thales’ expert Tim will guide attendees through the dynamic and increasingly complex world of bots and automated threats, focusing on the latest transformations in the cybersecurity landscape. As digital environments grow more sophisticated, so do the tactics deployed by malicious actors seeking to exploit vulnerabilities. Tim will illuminate the ways in which these bad actors are now harnessing artificial intelligence to supercharge their bot attacks, shifting the focus from rudimentary automated scripts to highly adaptive, intelligent threats capable of bypassing traditional defences.

Drawing upon Thales’ extensive expertise in advanced security solutions, Tim will dissect recent bot-based threats and showcase the innovative methods attackers now deploy—covering everything from account takeover to fraud and data exfiltration. Through detailed, real-world examples, participants will gain a clear picture of these evolving threats and the practical challenges they pose to organisations of all sizes. Importantly, the session will not only depict the risks but will also equip attendees with actionable strategies and cutting-edge approaches to bolster their defences. Tim will also highlight collaboration opportunities with industry leaders like Thales, illustrating how multilayered security frameworks and threat intelligence sharing are essential for staying resilient.

Attendees will learn:

  • In-depth understanding of how AI is revolutionising both bot attacks and defences in today’s cyber landscape
  • Practical, real-world strategies for identifying and mitigating advanced, automated threats targeting organisations
  • Insights into leveraging Thales solutions to deploy multilayered security frameworks and harness threat intelligence for ongoing protection
  • Knowledge of emerging collaboration techniques that strengthen organisational resilience against evolving bot-driven risks

From Annual Panic to Continuous Control: 5 Practical Steps to Build a Continuous PCI DSS Compliance Model

Kris Olejniczak, CEO, Patronusec

Continuous compliance is often described as the holy grail of the security and compliance world — widely discussed, frequently promised, but in reality achieved by very few organisations. For many companies, PCI DSS still remains an annual exercise driven by audit pressure rather than a sustainable security operating model. This session demystifies continuous PCI DSS compliance by breaking it down into five practical and achievable steps. Instead of abstract frameworks or theoretical maturity models, the presentation focuses on real-world practices that security and compliance teams can apply immediately within their existing environments.

Attendees will learn:

  • Why treating PCI DSS as an annual event creates unnecessary risk, cost, and operational friction
  • What “continuous compliance” really means in the context of PCI DSS 4.x — beyond marketing buzzwords
  • What step 1 of the continuous compliance journey is
  • The other 4 actionable steps you can implement in your organisation to stop the annual panic