4 takeaways from the Flywire Payment Security and Compliance Conference 2024

With a recent Flywire survey of 46 U.K. institutions revealing that 70% are now reporting full PCI DSS compliance, the sector has made significant strides in guarding against a complex payment security environment. But as standards get tougher, the goal is no longer just reactive annual compliance; it's a resilient, 'business-as-usual' architecture that supports institutional growth. A proactive approach such as this will distinguish leaders in the space including the 100+ senior finance, IT, and compliance professionals who gathered in Manchester for the 15th annual Payment Security & Compliance Conference.

1. Simplification is the ultimate payment security strategy

The most successful organisations aren't just adding more technology; they are radically reducing their compliance burden by descoping. The consensus from the day’s case studies—from the University of Kent to BT Group—is that you cannot fix what you have not mapped. In the face of potentially rapid regulatory shifts, 'unknown' payment environments are no longer just an audit failure—they are an institutional liability.

Attendees recognised the similarities between the experience of Simon Turner, Head of Security Governance and Compliance at BT Group, who struggled with "fragmented, high-risk payment environments," prone to scope creep and inconsistent practices, and their own institutions. But, by breaking down fragmented payment environments into manageable "islands", as Turner did for BT Group, and outsourcing to trusted third parties, institutions can successfully remove entire departments and devices from their PCI DSS scope. 

2. Ring fence time to make compliance "business as usual"

Compliance should not cause a frantic, pre-audit panic. The defining trait of high-performing institutions is their ability to treat compliance as a continuous, consistent "business-as-usual" workstream. As Steve Lawton, Head of Financial & Control Management at the University of Kent noted, shifting PCI to a continuous process doesn't just reduce risk—it makes the job significantly easier. BT Group’s Turner took this a step further. By focusing on smart design rather than policing individual controls, compliance was transformed from a blocker into a driver of operational efficiency and even innovation.

Utilising frameworks like Flywire’s Payment Security Management System (PSMS) or the AML toolkit will help higher education  teams maintain a steady state of readiness year-round rather than relying on massive bursts of activity. 

3. Compliance is about also people, not just systems

Robust system controls are rendered useless if your culture doesn't support transparency. Keith Read, former BT CECO, and author of ‘The Unconventional Compliance Officer’, issued a stark reminder: 42% of corporate fraud is uncovered by whistleblowing but fear of retaliation prevents over a third of people from speaking up. A true "compliance shield" requires not only policies and processes but also a culture where staff feel safe to report risks.

Sam Allen, Head of Accounts Receivable at The University of Sheffield, provided a blueprint for this cultural shift. By moving away from siloed fraud-monitoring operations and refining their investigation processes—embedding multi-disciplinary collaboration and cross-functional governance—responsibility is now shared amongst the teams, promoting transparency. 
 

The overarching message attendees left with was that the path to 100% compliance isn't about working harder, it’s about mapping the 'islands', thinking critically about your risk exposure, and empowering the people, not just the systems. As the sector faces a future of tighter oversight, those who act now to embed these pillars will not just survive the new regulatory era—they will lead it.

Updated juin 30, 2026