Highlights from the 2023 Europe Community Meeting Hosted by the PCI SSC

The Payment Card Industry Security Standards Council (PCI SSC) hosted its annual Europe Community Meeting in London from October 24 to 26, 2023. The event brought together more than 700 delegates from across the payments industry. The event focused on the latest updates to the payment security standards and programs and explored the latest trends and risks in payment security.

Ground Labs Takes to the Stage

We were delighted to present our tech talk, Harness Data Discovery for Sustainable Compliance, at the event, sharing our insights and experience on how to identify and manage cardholder data effectively, reducing complexity and mitigating data risks for a more sustainable approach to PCI DSS compliance.

It’s important organizations use evidence-based approaches that deliver deep discovery scanning across all file types, data formats and storage locations. As data volumes and the channels used to transmit and process it continue to grow, organizations face an increasing challenge to manage and contain their compliance scope. 

Comprehensive discovery tools, like Enterprise Recon and Card Recon, provide benefits to organizations beyond scoping, supporting compliance across four requirements of PCI DSS v4.0:

• Requirement 1: Install and maintain network security controls — Data discovery validates the network boundaries of scope and demonstrates data flows are up to date.
• Requirement 3: Protect stored account data — Discovery scans identify account data, including SAD, wherever it is stored. Periodic scans can confirm that data has been deleted when it has passed its retention period.
• Requirement 6: Develop and maintain secure systems and software — Discovery scans verify that account data is not present in non-production environments.
• Requirement 12: Support information security with organizational policies and programs — As part of periodic scope revalidation, data discovery verifies in-scope systems and data repositories. Advanced discovery solutions offer remediation-in-place for data found in unexpected locations.

The Continuous Journey of PCI DSS v4.0 Compliance

During their standards update presentation, the SSC highlighted that PCI DSS v4.0 compliance requires continuous effort to maintain. A check-box approach to compliance will no longer satisfy the strict requirements of the new standard, which requires organizations to implement ongoing monitoring and improvement of controls over time. 

The event featured several panel discussions with highly experienced experts across multiple topics related to PCI DSS compliance. These emphasized the value of the Internal Security Assessor (ISA) to both their sponsoring organization and their assessors in the compliance process, as well as the community involvement in shaping standards as threats and risks continue to evolve.

The Latest Trends and Risks in Payment Security

The Vendor Showcase offered delegates and solution providers the chance to share their insights, not least the current trends and risks affecting the payments industry. 

• Acquirer oversight remains an ongoing challenge — Many merchants don’t know about their PCI DSS compliance obligations and lack the resources to achieve them. Acquirers need to provide more guidance and support, and improved oversight, to help them comply to lower the risk of payments related cybercrime.
• Call centers remain high-risk — Call centers handle high card volumes, processing transactions over the phone or via online chat services. Call center agents remain a target however many organizations have not implemented solutions that protect this card data from agent view, reducing both their own corporate risk and the safety of their staff.
• Outsourcing eCommerce doesn’t mitigate all risk — Client-side risks such as malicious code injection and form tampering remain an issue in outsourced and hosted eCommerce services. As a result, vendors such as JScrambler offer solutions that can detect and prevent these risks using script activity monitoring and unauthorized activity blocking.
• Phishing remains an effective attack vector — Organizations are still not following best practices for email security, with many failing to implement a secure DMARC configuration to limit the number of unauthenticated emails successfully entering the organization. In their Tech Talk, Sendmarc emphasized the importance of this basic control, explaining how this could have mitigated an attack in which cyber-criminals spoofed the email address of the CEO of a large organization and sent a phishing email that resulted in an individual transferring significant funds to the criminals.

After an informative and exciting few days in Dublin with our industry peers and colleagues, we’re looking forward to joining our Asia-Pacific friends in Malaysia for the 2023 Asia-Pacific Community Meeting taking place on November 15–16. 

Find out how Ground Labs can help your PCI DSS compliance journey with our award-winning data discovery solutions