Join us for four days of learning, discovery, updates from the Council, regional community speakers, merchants, industry experts, and more.

The PCI SSC 2020 Europe Community Meeting Call for Speakers has closed.

All session times are in Central Europe Summer Time.

Agenda times are subject to change.

All presentations will be available in the General Session. On-Demand content will be released immediately following the Community Experience each day. Attendees can access sessions by navigating to the “Filter By” drop down menu and searching by content type.

  • Tuesday, 20 October
  • Wednesday, 21 October
  • Thursday, 22 October
  • Friday, 23 October

Tuesday, 20 October

Morning Main Sessions

11:00 - 11:05

Opening Remarks and Overview

Presented by: Katty Kay, Lead Anchor, BBC World News America

11:05 - 11:30

Community Meeting Kick-off

Presented by: Lance J. Johnson, Executive Director, PCI Security Standards Council

11:30 - 12:00

PCI DSS v4.0 – Part 1: Evolving Through the Power of Feedback

Presented by: Lauren Holloway, Director, Data Security Standards, PCI Security Standards Council and Emma Sutcliffe, SVP, Standards Officer, PCI Security Standards Council

Join PCI Council leaders to hear the latest on PCI DSS v4.0, including key insights into how feedback from the last RFC has helped shape and evolve the draft for the upcoming RFC.

12:00 - 13:00

Brand and PCI SSC Offices

Representatives will be available to meet with you and answer questions.*
*Brand and PCI SSC Office hours may vary. Please check individual Offices for schedules.

Vendor Showcase

Visit and chat with our vendors, sponsors, and exhibitors.

12:00 - 12:10

Wellness Break - Take a moment to get up from your computer, refill your water, stretch your legs, do what you need to do to recharge.

13:00 - 13:30

Community Experience - Located in the Community Café

Cooking, Cocktails, or Yoga

Get your ingredients ready and attend a cooking demonstration where you will make Ratatouille; follow along to create three delicious cocktails including a French 75, Aperol Spritz and Negroni.

Or simply stretch both the mind and body with some relaxing and mindful yoga. Sessions are pre-recorded.

On-Demand Sessions - Will be released on the platform immediately following the Vendor Showcase.

Content Disclaimer: The views and opinions expressed in external presentations are those of the external presenters and do not necessarily reflect the official standards or position of the PCI Security Standards Council.

Challenges of Implementing a New Standard – A Panel Discussion

Moderated by: Tom White, Training Content Manager, PCI Security Standards Council

Panelists: Tanya Deen, Director, External Compliance, Global Payments and Nick Trenc, SSLCA, SSA, SSF, P2PE, PIN, Director, Coalfire

Join us for a panel discussion where we talk about the challenges of implementing a new standard in a large, complex environment where Payment & Software Security is core to everything, at a time when the world is in lockdown.

Better Risk Assessments: Reframe Your Focus to Prioritize Efforts and Prevent Data Breaches

Presented by: Jen Stone, Principal Security Analyst, SecurityMetrics

With a few tweaks to mindset and approach, your risk assessment can go from what often seems like necessary “red tape” to the driving and organizing force behind your security and compliance programs. Jen Stone, Principal Security Analyst at SecurityMetrics, will give background of the purpose of risk assessments, outline the basic roadmap of activities, and highlight areas where risk assessments can go off course. Case study stories will bring real-life setbacks and successes to the forefront.

Cloud Initiatives and Efforts

Presented by: Zeal Somani, ISA, Security and Compliance Specialist, Google and Mike Thompson, Senior Manager, Emerging Standards, PCI Security Standards Council

Join this session to walk through cloud-based initiatives and efforts currently in progress at the PCI Council.

How Modern Cyber Threat Intelligence Can Be Used to Accelerate PCI DSS Compliance

Presented by: Christopher Strand, Chief Compliance Officer, IntSights Cyber Intelligence

Threat Intelligence is normally used to enrich the process of PCI assessment, providing proof on the enforcement of security controls required to be secure and compliant. As threat intelligence platforms evolve, they have become more instrumental to security audit, providing valuable context to the process. During this session we will explore examples based on real world data where contextual threat intelligence can be applied directly to PCI requirements to prioritize the assessment process.

LIVE DEMO: E-Commerce Exploits Merchants and PSPs Need to Watch For

Presented by: Jake Marcinko, Senior Manager, Emerging Standards, PCI Security Standards Council and Sam Pfanstiel, QSA(P2PE), QPA, PA-QSA, SSA, SSLCA, Director, Security Consulting Services, ControlScan

Software security experts provide a live demonstration of four attacks that occur when merchants and providers don’t adequately test their e-commerce implementations. Use of hosted pages, JavaScript widgets, AJAX, and direct post all demand clear communication of responsibilities between the merchant and the payment service provider (PSP). Attend this session to see how attackers exploit common vulnerabilities such as XSS, CSRF, and broken authentication to intercept CHD while avoiding detection.

Maintaining Secure Cryptographic Architecture in a Cloud Environment

Presented by: Paolo Basilio, CISA, QSA(P2PE), PA-QSA(P2PE), Global Head of Practice, Foregenix Limited

This session will explore ways in which cryptographic architecture can be maintained in a secure manner that aligns to PCI SSC standards when operating in decentralised and cloud environments. In a time of COVID-19, travel restrictions, and social distancing, how do organisations managing distributed cryptographic architecture and key management teams scattered around the globe effectively manage cryptographic processes where dual control and split knowledge are strictly required?

PA-DSS/SSF Transition

Presented by: Tracey Harrington, CSCIP/P, Certification Programs Manager, PCI Security Standards Council and Jake Marcinko, Senior Manager, Emerging Standards, PCI Security Standards Council

In this session Jake Marcinko, PCI SSC Sr. Manager, Emerging Standards will share how PA-DSS compares to its successor, the Secure Software Framework and Tracey Harrington, Manager, Certification Programs will provide information on timelines and suggestions on how to prepare your organization to make the transition.

PCI Compliance 4.0 and Contemporary Cloud Native IT: A Modern Retail Payments Case Study

Presented by: Mark Bower, SVP Product and Market Development, Comforte, Inc. and Marty Edelman, CEO, Creative Systems Software

Cloud IT is not new, but new “cloud-native” ecosystems drastically change modern retailer and payment processor operation. Such ecosystems emerged rapidly with COVID-19, enabling online API engagement. New cloud-native foundations, like Kubernetes, complicate compliance and bring completely new risks. Traditional PCI DSS compliance is harder to apply, complicating risk reduction, inhibiting agility, and aggravating growth and recovery. PCI DSS 4.0 brings a natural fit to measure and reduce risk.

Top 6 Application Security Must Dos with Limited Resources

Presented by: Jared Albon, CEO, HackEDU, Inc.

The vast majority of application security teams are under-resourced. Application security teams should scale with development teams, but this rarely happens. So, given this disadvantage, how can you make your applications safe and be effective with application security? The only way application security scales with limited resources is by shifting responsibility back to developers. Even given infinite resources, developers should ultimately own this security responsibility.

You’ve Gone Dark: How Inconsistent Configurations Are Blinding Your Security Team

Presented by: Boyd Clewis, QSA, CISSP, PCIP, CCSK, CISA, Sr. Consultant - Risk, Security, and Privacy, Online Business Systems

One of the easiest ways to fail a PCI assessment is to have an overcomplicated environment with a patchwork of systems, networks, servers, and applications using completely different configuration standards. In this presentation, Boyd Clewis uses his experience working with companies of all sizes to break down how creating consistency in configurations can enhance compliance and security while also saving time, energy, and money.

Wednesday, 21 October

Morning Main Sessions

11:00 - 11:05

Opening Remarks and Overview

Presented by: Katty Kay, Lead Anchor, BBC World News America

11:05 - 11:30

Global Learning and Local Leading - Why your Participation is Critical to Payment Security Everywhere

Presented by: Troy Leach, Senior Vice President, Engagement Officer, PCI Security Standards Council

11:30 - 11:40

Wellness Break - Take a moment to get up from your computer, refill your water, stretch your legs, do what you need to do to recharge.

11:40 - 12:05

PCI DSS v4.0 – Part 2: New Customized Approach and Risk Analysis

Presented by: Marc Bayerkohler, Standards Trainer, PCI Security Standards Council

This second PCI DSS v4.0 session delves into the new customized approach and the essential role of risk analysis.

12:05 - 12:45

Keynote: Cybersecurity – During the Pandemic and Well into the Future

Presented by: Dr Jessica Barker, Co-Founder, Co-CEO, Cygenta and FC, Co-CEO and Head of Ethical Hacking, Cygenta

12:45 - 13:00

Wellness Break - Take a moment to get up from your computer, refill your water, stretch your legs, do what you need to do to recharge.

13:00 - 14:00

Vendor Showcase

Visit and chat with our vendors, sponsors, and exhibitors.

Brand and PCI SSC Offices

Representatives will be available to meet with you and answer questions.*
*Brand and PCI SSC Office hours may vary. Please check individual Offices for schedules.

14:00 - 14:30

Community Experience - Located in the Community Café

Casual Conversations

Hosted by some very special guests, join fellow attendees for interactive conversations about sports, movies, and television. Be sure to arrive early, as space is limited and allocated on a first-come, first-served basis. Topics subject to change.

Sports – Hosted by: Jim Campbell, host of Football Ramble podcast and co-author of The Football Ramble

Movies & TV – Hosted by: Clint Worthington, host of More of A Comment, Really… podcast

On-Demand Sessions - Will be released on the platform immediately following the Café Experience.

Content Disclaimer: The views and opinions expressed in external presentations are those of the external presenters and do not necessarily reflect the official standards or position of the PCI Security Standards Council.

Engagement in the PCI Community – What’s In It For Me?

Presented by: James Hamilton, Department Manager – Governance, Risk & Compliance, Enterprise Holdings, Inc. and Elizabeth Terry, PMP, CISSP, CBSA, PCIP, Senior Manager, Community Engagement, PCI Security Standards Council

Whether you have been in this industry for years or this is your first Community Meeting, I would like to share the value and benefits I've gained from increasing engagement in the PCI Community. As I've gone from a background participant in my organization's PCI compliance program, to my company becoming a participating organization, to now serving as a member of the PCI Council's Technical Advisory Board, I'll share key benefits that have resulted from increased engagement along the way.

ATM Cash-Outs (Unlimited Operations)

Presented by: Alicia Malone, Senior Manager, Public Relations, PCI Security Standards Council and Douglas Russell, Director, DFR Risk Management Ltd

Unlimited operations, also known as ATM cash-out fraud, involves compromising a card issuer’s authorization system to eliminate or inflate ATM withdrawal limits. This session defines the primary attack methods and looks at the key mitigators that should be considered by both card issuers and ATM deployers.

How the Leading European Retailer Innovates Payments and Security

Presented by: Tomás Perlines, Head of Payment Security, Schwarz IT GmbH & Co KG

Schwarz Group is the leading European retailer providing card payments via multiple payment channels throughout its subsidiaries, among them being the retail brands Lidl and Kaufland with more than 12.000 locations. The enforcement of Compliance Programmes such as PCI DSS comes along with specific market demands and any solution should always be accepted by the customers. We will outline how we set the course to substantial innovation in payments and its security in order to meet all expectations.

Learning from PFI Investigations – 2020

Presented by: Gill Woodcock, Vice President, Global Head of Programs, PCI Security Standards Council

We will be sharing an update on what we’ve learned from investigations completed by PCI Forensic Investigators (PFIs) and look at what has changed in the last 12 months. We’ll look at what trends are showing, give an insight into what PFIs are reporting on factors which cause and contribute to cardholder data breaches and how companies can benefit from this knowledge.

Online Digital Skimming

Presented by: John Bloomfield, Standards Development Manager, Data Security Standards, PCI Security Standards Council and Carlos P. Kizzee, EVP Intelligence Operations and Legal Affairs, Retail and Hospitality ISAC

Review of Current Threats in the Hospitality Industry & Beyond

Presented by: Mathieu Gorge, CEO, Vigitrust and Marie-Christine Vittet, VP of Compliance, ACCOR

Review of the current threats in the hospitality industry & beyond.

Update on POI v6

Presented by: Leon Fell, CPA, CIA, CMA, CISA, CITP, Director of Solutions Standards, PCI Security Standards Council and Lars Hanke, Senior Consultant, Deutsche Telekom Security GmbH

Overview of the updates for the newly published POI v6 Security Requirements, including details on the new Domain-Based Asset Flow Analysis.

Trends and Evolution of Mobile Payments

Presented by: Berny Goodheart, Device Standards Manager, PCI Security Standards Council

Updates on PCI SSC Mobile Security Standards

Presented by: John Markh, Senior Manager, Emerging Standards, PCI Security Standards Council

Join this session to hear about timelines, key principles, and high-level architecture of the security standards for mobile payment acceptance channels (SPoC and CPoC). Learn what to expect in future Contactless on COTS with PIN and the security advancement in the COTS devices.

Thursday, 22 October

Morning Main Sessions

11:00 - 11:05

Opening Remarks and Overview

Presented by: Katty Kay, Lead Anchor, BBC World News America

11:05 - 11:25

PCI DSS v4.0 – Part 3: Evolving Nature of Authentication Practices

Presented by: Joel Weisz, Emerging Standards Manager, PCI Security Standards Council

Part three of the PCI DSS series explores how evolving authentication practices have influenced the next draft of PCI DSS v4.0.

11:25 - 12:10

Keynote: Preparedness, Crisis Management, and Communications

Presented by: John Volanthen, World Record-Holding British Cave Diver

12:10 - 12:30

Wellness Break - Take a moment to get up from your computer, refill your water, stretch your legs, do what you need to do to recharge.

12:30 - 13:30

Vendor Showcase

Visit and chat with our vendors, sponsors, and exhibitors.

Brand and PCI SSC Offices

Representatives will be available to meet with you and answer questions.*
*Brand and PCI SSC Office hours may vary. Please check individual Offices for schedules.

13:30 - 14:00

Community Experience - Located in the Community Café

Magic and Mindreading

Prepare to be entertained by a digital illusionist with a highly interactive virtual magic and mentalist show like no other. Be sure to arrive early, as space is limited and allocated on a first-come, first-served basis.

Alan Hudson has been seen on Britain’s Got Talent, The Next Great Magician, and Penn and Teller’s Fool Us. With 20+ years of professional magical experience, Alan Hudson is highly regarded as one of the UK’s most amazing close up and funniest stage magicians.

Keelan Leyser is a world renowned Digital Illusionist and has been on over 100 television shows, performed in over 60 countries, and was voted the British Magic Champion by his peers in the UK. His performance will offer a one of a kind close up interactive experience you won't forget.

On-Demand Sessions - Will be released on the platform immediately following the Café Experience.

Content Disclaimer: The views and opinions expressed in external presentations are those of the external presenters and do not necessarily reflect the official standards or position of the PCI Security Standards Council.

Better Living Through Better Passwords

Presented by: Hoyt Kesterson, QSA, CISSP, CISA, Senior Security & Risk Architect, Avertium

Salting and large iteration counts are no longer enough to protect stored hashed passwords. Using techniques and specialized processors developed for cryptocurrency mining, attackers have the cost/performance advantage to compute large numbers of hash values. Memory-hard hashing, recommended by the 2017 NIST guidance on passwords, lets traditional servers recover that advantage. Using hash methods like balloon and enlisting users in detecting credential attacks will protect your business for the future.

Airlines Rethinking Payment Solutions to Meet the Challenge of PCI Compliance

Presented by: Leonardo Polvora, PCI QSA, ISO/IEC, ISACA CRISC, Principal Security Consultant, SecureTrust, a Trustwave division

Airlines have long been associated with flight safety and operational security but, like others, must now look to address customers' payment security as well. This session talks us through the common challenges traditional and outdated payment solutions pose to airlines and tells the story of how addressing the challenge of PCI compliance enables airlines to update to secure payment solutions and rethink the payment process, enabling new business opportunities that bring home a return on investment.

Browser Origin Security: Attacks on Iframe- and Redirect-Based Payment Flows

Presented by: Kevin Bong, GSE, PMP, QSA, GCIH, GCFA, CISA, QSA, PFI, PA-QSA, 3DS, Director, Cybersecurity, Sikich LLP

Iframe- and redirect-based payments allow merchants to reduce PCI requirements on ecommerce servers. However, Sikich is seeing more PFI cases where attackers exploit browser origin security weaknesses to hide card-skimming malware on such sites. Sikich will present an overview of browser origin security controls, demonstrate common cross-site and cross-origin attacks against these payment processes, and provide guidance for developers and assessors to prevent and detect these weaknesses.

Cryptography Evolves

Presented by: Ralph Poore, Director, Emerging Standards, PCI Security Standards Council

How is the evolution of cryptography forcing our standards to evolve? Session addresses the why and how that support the sunrise dates (the what) with a focus on changes in PIN standards. Provides an overview of the project steps involved in meeting these dates.

Getting the Most From Your Membership

Presented by: Jeremy King, Vice President, Regional Head for Europe, PCI Security Standards Council

As a Participating Organization you have access to a wide range of benefits that come with your membership. This presentation will run through what those benefits are and how as a PO you can make the most from them to maximize your membership and involvement with the PCI SSC to help reduce card payment fraud.

Leveraging ISAs: A Faster Approach to PCI Compliance and Remote Assessments

Presented by: Walid Barakat, Vice President - Governance, Risk and Compliance, Global Payments Inc.; Stacy Hughes, CPA, CITP, CRISC, CISM, Chief Information Security Officer, Global Payments Inc. and Gill Woodcock, Vice President, Global Head of Programs, PCI Security Standards Council

Global Payments present a real-world case study on the benefits and approach for integrating PCI Internal Security Assessors into a worldwide compliance program and the impact on demonstrating compliance with remote assessments for multiple standards.

Merchants' Journey Through a Global Pandemic – A Panel Discussion

Moderated by: Lindsay Goodspeed, Senior Manager, Corporate Communications, PCI Security Standards Council

Panelists: Jacob Ansari, CISSP, QSA/PA-QSA (P2PE), Senior Manager, Schellman & Company, LLC; Andy Kirkland, CISO, Starbucks Coffee Company and Marie-Christine Vittet, VP of Compliance, ACCOR

P2PE - So Much More than an Acronym

Presented by: Matt O’Connor, AQM Manager, PCI Security Standards Council and Mike Thompson, Senior Manager, Emerging Standards, PCI Security Standards Council

Mike Thompson and Matt O'Connor delve into the PCI SSC's Point-to-Point Encryption (P2PE) Standard and accompanying Program, providing insight as well as highlights to the payments industry. Please join us while we peer into the many facets and peel back the layers of P2PE.

Track One

PIN Points—Cryptographic Standards

Presented by: Ralph Poore, Director, Emerging Standards, PCI Security Standards Council and Jeff Stapleton, X9F4 Chair, ASC X9 Financial Services

How is the evolution of cryptography forcing our standards to evolve? Session addresses the why and how that support the sunrise dates (the what) with a focus on changes in PIN standards. Provides an overview of the project steps involved in meeting these dates.

Track Two

This is the World…Today: Consumer Trust and Spending Habits in a Post-Pandemic World

Presented by: Geoff Forsyth, CISO, PCI Pal

The world we find ourselves in today is a very different one to 2019. To get an accurate temperature check on sentiment and behaviour changes when it comes to data security from a global perspective, PCI Pal conducted market research in the US, UK, Australia and Canada. In each region at least 2,000 consumers were surveyed to glean insights into the sentiment around the onslaught of data security breaches and hacks. Our findings were interesting and informative, often confirming our hypothesis and experiences. As the world of 2020 is a very different one to the one we originally surveyed, we decided to revisit our research to see if the post-pandemic consumer still held the same views. We also expanded the countries to include France, Germany, Italy and Spain, while employing the same methodologies across all regions. Join us to hear sentiment and behavioural insights of consumers when it comes to data security and payments.

Friday, 23 October

Morning Main Sessions

11:00 - 11:05

Opening Remarks and Overview

Presented by: Katty Kay, Lead Anchor, BBC World News America

11:05 - 11:25

PCI DSS v4.0 – Part 4: Third-Party Relationships and Cloud Services

Presented by: John Bloomfield, Standards Development Manager, Data Security Standards, PCI Security Standards Council and Lauren Holloway, Director, Data Security Standards, PCI Security Standards Council

Our final PCI DSS v4.0 presentation centres on third-party service providers and customer relationships, including a focus on cloud and multi-tenant providers.

11:25 - 11:45

Keynote: The Perils of IoT When Working From Home

Presented by: Ken Munro, Partner and Founder, Pen Test Partners

11:45 - 11:50

Looking Towards The Future

Presented by: Lance J. Johnson, Executive Director, PCI Security Standards Council

11:50 - 12:00

Wellness Break - Take a moment to get up from your computer, refill your water, stretch your legs, do what you need to do to recharge.

12:00 - 13:00

Vendor Showcase

Visit and chat with our vendors, sponsors, and exhibitors.

Brand and PCI SSC Offices

Representatives will be available to meet with you and answer questions.*
*Brand and PCI SSC Office hours may vary. Please check individual Offices for schedules.

13:00 - 13:30

Community Experience - Located in the Community Café

Conversations with the Council

These “Birds of a Feather" live conversations will be led by PCI SSC staff and focus on the themes listed below. Be sure to arrive early, as space is limited and allocated on a first-come, first-served basis.

Security When Working from Home: Led by Jeremy King

Challenges for PCI DSS remote assessments: Led by Gill Woodcock

Vendor/Labs: Led by Tim Cormier, John Markh and Mark Mrotek

On-Demand Sessions - Will be released on the platform immediately following the Vendor Showcase.

Content Disclaimer: The views and opinions expressed in external presentations are those of the external presenters and do not necessarily reflect the official standards or position of the PCI Security Standards Council.

Tech Demos

How Security Orchestration, Automation and Response tools can be leveraged to better defend your PCI infrastructure: Dominick Vitolo, VP of Security Services, MegaplanIT Holdings LLC

HackEDU Secure Coding Training: Tyler Pratte, Global Strategic Account Manager, HackEDU

Verizon Payment Security Report: Sean Sweeney, Global PCI Lead, Verizon

Mapping the MITRE ATT&CK® Framework to the PCI DSS

Presented by: Jeff Man, Information Security Evangelist, Online Business Systems

MITRE ATT&CK® is a framework for evaluating the security of organizations and cybersecurity products/services based on real-world observations of 266 techniques (attacks) tied to 12 tactics (goals). The framework also provides mitigations - and this is where I wanted to see how well PCI DSS protects an entity from ATT&CK. My hypothesis is that every mitigation is found in the PCI DSS. I will present the results of my analysis and discuss key findings.

Global Executive Assessor Roundtable Update

Presented by: Jacob Ansari, CISSP, QSA/PA-QSA (P2PE), Senior Manager, Schellman & Company, LLC; Gary Glover, Vice President of Security Assessments, SecurityMetrics and Lance J. Johnson, Executive Director, PCI Security Standards Council

Join this session to hear about the program’s successful inaugural run and what we can expect from the GEAR in the future.

PTS POI Device Testing Version 6

Presented by: Tim Cormier, Senior Manager, Device Standards, PCI Security Standards Council

Watch this session for a quick look at how terminals are tested to receive PCI PTS approval.

Petrol Taskforce Update

Presented by: Kara Gunderson, PCIP, Manager Payment Card Operations, CITGO Petroleum Corporation and Elizabeth Terry, PMP, CISSP, CBSA, PCIP, Senior Manager, Community Engagement, PCI Security Standards Council

Join PCI SSC’s Elizabeth Terry and CITGO Petroleum’s Kara Gunderson for an update on the Petroleum Task Force and learn how this group of industry participants is helping PCI SSC address some of the unique and often complex challenges for petroleum retailers.

Small Merchant Task Force – 2020 Efforts

Presented by: Natasja Bolton, Strategic Partner Support Engagement Manager, Cyber Risk Services, Sysnet Global Solutions and Lauren Holloway, Director, Data Security Standards, PCI Security Standards Council

Join this session to get the latest updates from the Task Force, including their current PCI DSS v4.0 efforts to develop an approach for merchants to better understand their payment environments and correctly navigate to the appropriate self-assessment questionnaires.

QA @ PCI: How the Council Ensures Integrity in its Programs

Presented by: Nikki Billman, AQM Manager, Operations, PCI Security Standards Council and Brandy Cumberland, Director of Assessor Quality Management (AQM) Programs, PCI Security Standards Council

With an ever-expanding portfolio of programs, how does PCI SSC maintain the integrity of its Programs? Members of the Assessor Quality Management (AQM) Programs team will provide an overview of PCI SSC Programs and discuss the different approaches to PCI Program integrity.