“The Journey to Harmonisation of Global PCI Assessments”: Joint Contribution of Worldline and usd to the PCI SSC Community Meeting Europe

19 October 2023

PCI DSS applies to all companies that store, process or transmit payment card data. However, large and global organizations in particular face PCI DSS challenges related to their size, structure, geographic distribution, and business operations. The resulting network architectures, together with a variety of payment channels and scopes, require extensive preparation before appropriate security measures and assessments can even be considered. Because of this complexity, large organizations typically need to evolve their approaches to managing PCI DSS responsibilities and scopes in order to ensure PCI DSS compliance across the organization.

Worldline, a leading global provider of secure payment services with entities in over 40 countries, knows this challenge all too well: "Mergers, acquisitions and different local jurisdictions complicate any certification project. At Worldline, we are no exception," explains Isil Ugurlu, Head of Worldline Group PCI Program. "Pursuing PCI DSS certification at a global group level is no easy feat, and the upcoming changes brought about by PCI DSS v4.0 require further formal and technical development and implementation in parallel. For us, it was clear we needed to take a new approach: In cooperation with the PCI team at usd, the concept of harmonization was developed: An alignment of all assessments throughout the group with central specifications and guidelines from the Worldline Group PCI Program. For us, this approach works very well and I am confident that it will lead us successfully through the upcoming transition to PCI DSS v4.0. So I'm pleased that usd's Christopher Kristes and I, on behalf of everyone involved in this project, will be sharing the concept, the approach, and of course the tripping points with the community at the PCI SSC Community Meeting - most certainly other payment service providers of this size will encounter similar situations."

On October 25, 2023, the second day of the 2023 Europe Community Meeting in Dublin, Isil Ugurlu from Worldline and Christopher Kristes from usd will jointly present in their talk "The Journey to Harmonisation: Successful Alignment of PCI Assessments in a Global Enterprise Environment" how PCI processes, policies and assessments can be aligned across all entities to overcome said challenges. The presentation will look at the certification project from both sides, that of the customer and that of the QSA: Isil Ugurlu will begin by providing insights into the PCI program she manages at Worldline, including the decision to align the organization with key business areas. Christopher Kristes will present the PCI assessment concept developed by usd especially for Worldline.

Christopher Kristes, Head of Security Audits & PCI and Member of the Executive Board at usd AG, on the content of the presentation: "Worldline, especially Isil's team, has really achieved a lot already through their efficient and targeted pursuit of harmonization since the start of the project. We are proud to be able to support this extensive certification project as a partner. From our years of experience we know that there is no one-size-fits-all solution regarding assessments, but this project was particularly exciting. An individual assessment concept had to be developed, which needed to be tailored as precisely as possible to the entities of the Worldline Group and which took into account their respective degree of harmonization in the assessment sessions as efficiently as possible. As a result, we were able to take away important best practices for future PCI assessments and customer environments and now have the opportunity to pass on and discuss this knowledge with other QSAs - at the central meeting place of the most important players in the payment card industry."

Due to the importance of the Community Meeting as an essential platform for the international exchange within the payment security community, usd AG once again supports the Europe Community Meeting as a sponsor.

"For almost 20 years we have been operating as an assessor accredited in all relevant PCI standards," explains Torsten Schlotmann, Head of PCI Security Services at usd AG. "We are one of the leading QSAs in Central Europe, and since 2018 we have also been involved in the Global Executive Assessor Roundtable (GEAR) and in some of the Council's Special Interest Groups. Events like the Community Meeting are essential to stay up to date on the topic of payment security and to learn from each other. Therefore, it was clear to us quite quickly that we would not only participate in the Community Meeting in Dublin, but also support the event again as a sponsor."

About Worldline

Worldline is a leading global provider of secure payment services and reliable transactions. Worldline is at the forefront of the digital revolution that is shaping new ways of paying, living, doing business and socializing. These create trust along the entire payments value chain. The innovative solutions, based on a solid technological foundation, are environmentally friendly, widely accessible and support social change.

About the PCI SSC Community Meeting

Under the banner "Help Secure Payment Data Globally", the Payment Card Industry Security Standards Council invites organizations to participate in the PCI SSC Community Meetings each year. With multi-day conferences in the U.S., Europe and Asia, the Council creates a forum each year for the global payment security community to share and learn from each other. In 2023, the PCI SSC Community Meetings will take place in Portland, Dublin and Kuala Lumpur. Attendees can expect an exhibitor area, a variety of networking opportunities, and a packed agenda of keynotes and presentations: Updates from the Council, insights into current trends and best practices from industry experts.
