JOIN US AT THE NORTH AMERICA COMMUNITY MEETING

Join your industry colleagues for three days of networking and one-of-a-kind partnership opportunities. Whether you want to learn more about updates in the payment card industry or showcase a new product, you’ll find it all at the 2015 Community Meetings.

SPEAKERS

The following speakers will present at the meeting

AGENDA

Tuesday, 29 September

7:30 - 20:30

Registration Open

13:00 - 13:15

Welcome Remarks

Presented by: Stephen W. Orfei, General Manager, PCI Security Standards Council and Jeremy King, International Director, PCI Security Standards Council

13:15 - 15:00

Understanding the Threat Landscape: Securing the Payment Ecosystem

Presented by: PCI Security Standards Council Standards and Operations Team including Gareth Bowker, Director of Training Programs; Tim Cormier, Manager for Device Standards; Brandy Cumberland, Director of Assessor Quality Management Programs; Leon Fell, Director of Device Standards; Troy Leach, Chief Technology Officer; Jake Marcinko, Standards Manager; Ralph Spencer Poore, Director of Emerging Standards; Emma Sutcliffe, Director, Data Security Standards and Gill Woodcock, Director of Certification Programs


It’s been a busy year for the Council and for securing payments. Attend this two-part session to hear the latest updates and initiatives on the following:

  • Risk-based decision making
  • Card production
  • Mobile payments
  • AppSec
  • POS/ATM (Social engineering, skimming and malware)
  • E-Commerce and CNP fraud
  • Installation/Poor configuration
  • Networks (MiTM, DNS, SSL weaknesses)
  • Storage and scoping
  • Third party management
  • How to prepare/address evolving threats

15:00 - 15:30

Networking Break

15:30 - 17:30

Understanding the Threat Landscape: Securing the Payment Ecosystem (Part Two)

Presented by: PCI Security Standards Council Standards and Operations Team including Gareth Bowker, Director of Training Programs; Tim Cormier, Manager for Device Standards; Brandy Cumberland, Director of Assessor Quality Management Programs; Leon Fell, CPA, CIA, CMA, CISA, CITP, Director of Device Standards; Troy Leach, Chief Technology Officer; Jake Marcinko, Standards Manager; Ralph Spencer Poore, PCIP, CFE, CISA, CISSP, CHS-III, Director of Emerging Standards; Emma Sutcliffe, Director, Data Security Standards and Gill Woodcock, Director of Certification Programs


Continuation of the two-part session on the latest Council updates and initiatives; the topic list is given under Part One above.

18:00 - 19:30

Welcome Reception

Wednesday, 30 September


7:30 - 18:30

Registration Open

7:30 - 9:00

Networking Breakfast and Vendor Showcase

Payment Brand and Council Office Hours

9:00 - 10:30

Insights from the Council: Why More Collaboration is Key for Stronger Payment Security

Presented by: Stephen W. Orfei, General Manager, PCI Security Standards Council; Bruce Rutherford, Group Head, Fraud Management Solutions, MasterCard; 2015 Chairman of the PCI Security Standards Council; Kelly Funk, President and CEO, Retail Solutions Providers Association; Tim Horton, Vice President Security and Fraud Solutions, First Data Corporation

10:30 - 11:00

Networking Break and Vendor Showcase

Payment Brand and Council Office Hours

11:00 - 12:00

The Flight Plan to Navigating Risk: What the Payments Industry Can Learn from Health Care and Aviation

Presented by: John Nance, Aviation and Health Care Expert, Analyst, Author & Consultant

What are three industries with higher risk than normal? Airlines, health care and payments. In this session, John Nance will address each in relation to the others, drawing on his diverse background in health care and aviation, and show how the lessons he has learned from these industries can be applied to managing risk in the payments space.

12:00 - 13:00

Networking Lunch and Vendor Showcase

12:00 - 18:30

Payment Brand and Council Office Hours

13:00 - 17:00

Breakout Sessions

Breakout sessions run in two parallel tracks. In each time slot below, the Track One session is listed first, followed by the Track Two session.

13:00 - 13:50

Track One: Discover the Critical Link Between PCI DSS Compliance and Real-World Security

Presented by: Ciske van Oosten, Global Intelligence Manager, Verizon PCI Security Practice

Mr. van Oosten, the Global Intelligence Manager for PCI Security Practice at Verizon Enterprise Solutions and lead author of the Verizon PCI Compliance Report, will explain why less than a third (28.6%) of companies were found to be still fully compliant less than a year after successful validation, and why breached companies are less likely to be found compliant. Verizon’s annual PCI Compliance Report provides an in-depth assessment of the global state of payment security. It explores the approaches that organizations take to securing the cardholder data that they hold, the use of compensating controls across the industry, and the sustainability of security controls.

Track Two: Overview of Point-to-Point Encryption Version 2: What You Need to Know

Presented by: Dan Fritsche, Managing Director, Application Security, Coalfire; Ruston Miles, Chief Innovation Officer, SVP, Bluefin; Michael Thompson, Standards Manager, PCI Security Standards Council; Gill Woodcock, Director of Certification Programs, PCI Security Standards Council


This session will outline the latest on Point-to-Point Encryption (P2PE) Version 2, focusing on the feedback from the industry, the major changes and the benefits. It will also include an overview of the assessor perspective and what your organization needs to know when implementing.

14:00 - 14:50

Track One: Fifty Shades of “In Scope” -- Dealing with “Near Scope” Assets. Mr. Grey Will See You Now

Presented by: Shawn Lukaschuk, Security & Compliance Specialist, IPS

How are the scope and reach of controls commonly misinterpreted? The root cause of common scoping mistakes will be explored, and tips for moving an organization beyond “store, process or transmit” will be addressed.

This presentation will also introduce a risk-based approach to identify scope issues and define the different “shades of scope.”

This approach considers the following:

  • The scope’s relation to network architecture and controls
  • Vertical, horizontal and “effective” segmentation
  • The role of risk assessment and documentation

Track Two: Mitigating the Data Breach Threat While Enforcing PCI DSS Compliance

Presented by: Christopher Strand, Senior Director of Compliance and Governance, Bit9 + Carbon Black

To address the increasingly sophisticated types of attacks on cardholder data environments, security teams must shift from merely checking the appropriate boxes to taking a “business-as-usual” approach to security. This session will address how to take such a continuous approach and will focus on three key aspects that security professionals should ensure are part of their overall framework: application control, change control and policy enforcement.

14:50 - 15:10

Networking Break and Vendor Showcase


15:10 - 16:00

Track One: No More Credit Card Breach Risk -- How Caesars Implemented Point-to-Point Encryption (P2PE)

Presented by: Jeffrey Sanchez, Managing Director, Protiviti, and William Worthington, VP-IT Security, Caesars Corporation

Discover how Caesars Entertainment implemented an extremely large and complex P2PE environment, encompassing dozens of different payment applications, e-commerce channels and call centers.

Track Two: Requirements -1, 0, 13 and 14: The Big Picture of PCI DSS Compliance

Presented by: Lynda Daniluk, PCI Coordinator, City of Calgary; Robert MacKinnon, PCI Compliance Manager, TD Merchant Services and Thomas Siry, Security & Compliance Specialist, IPS

Becoming PCI DSS-compliant is a journey. Maintaining compliance and deriving value from it creates a legacy. The spiritual PCI DSS requirements (-1, 0, 13 and 14) complement the existing 12 requirements to create the big picture of PCI DSS compliance. Attend this session to hear practical experience from more than 10 Canadian organizations on how the additional four requirements will assist organizations of any size to meet, maintain and mature PCI DSS compliance.

16:10 - 17:00

Track One: The Evolution of Transaction Security - EMV Chip, Mobile and Beyond

Presented by: Brian Byrne, Director of Operations, EMVCo; Troy Leach, CTO, PCI Security Standards Council and John Thomson, Director, Compliance and Regulations, Interac Association

Moderated by: Laura Johnson, Director of Communications, PCI Security Standards Council

Join experts from EMVCo, Interac and the PCI Security Standards Council as they discuss the adoption of EMV in Canada and lessons learned for the rest of North America, as well as what is ahead for next generation technology such as EMV Payment Tokens, 3-D Secure v2.0 and more.

Track Two: Managing PCI Compliance in an Outsourced World: Challenges, Opportunities and Risks

Presented by: Adriana Gliga-Belavic, Director, Cybersecurity and Privacy, PCI Practice Lead, PricewaterhouseCoopers and Penelope Santana, Cybersecurity Consulting Manager, STIGroup, Ltd.

This presentation will focus on the evolving challenges and risks that merchants experience while outsourcing payment-related services or IT environments. All merchants remain accountable for protecting credit card information in order to maintain PCI compliance. Reaching out to vendors to initiate the process may seem overwhelming, but establishing a methodology and framework to work from will help you keep track of your risk exposure and establish a formidable risk management program.

17:00 - 18:30

Networking Reception and Vendor Showcase

Thursday, 1 October


7:30 - 13:00

Registration Open

7:30 - 13:00

Payment Brand and Council Office Hours

7:30 - 9:00

Networking Breakfast and Vendor Showcase

9:00 - 9:05

Day Three Welcome Remarks

Presented by: Stephen W. Orfei, General Manager, PCI Security Standards Council

9:05 - 10:00

Krebs on Security - An Examination of the Current Headlines

Presented by: Brian Krebs, Author, KrebsonSecurity.com


Up to date on the latest blog post? Attend this session to hear from the infamous blogger on the latest headlines and what this means to you when securing data.

10:00 - 10:15

Networking Break and Vendor Showcase

10:15 - 12:00

Community Update

Moderated by: Troy Leach, CTO, PCI Security Standards Council

Special Interest Group Update: Daily Log Monitoring

Moderated by: Elizabeth Terry, Advanced Research Manager, PCI Security Standards Council

Presented by: John N. Harmon, Director of PCI and EI3PA, Sword & Shield Enterprises Security and Jake Marcinko, Standards Manager, PCI Security Standards Council

Attend to hear an update from the Daily Log Monitoring Special Interest Group.

“Hide and Seek” - Where is the Card Holder Data (CHD)?

Presented by: Howard Glavin, Senior Vice President, K3DES LLC

This session will outline how approaching PCI from a purely technical position leaves cardholder data undiscovered.

Myths and Realities of PCI Compliance in the Cloud

Presented by: Eric Naiburg, Director of Marketing, INetU

PCI compliance takes on many facets when applications are hosted in the cloud. Responsibilities grow beyond the “four walls,” as does the complexity of ensuring compliance. With control spread across different parties, risk increases, as does the ability to manage it. In this session we will use real company examples to discuss how moving to the cloud can actually reduce your risk instead of adding to it. The examples will provide details on the precautions to take in the cloud.

The Future of Securing Virtual Payments

Presented by: Dan Fritsche, Managing Director, Application Security, Coalfire

The economics of the cloud are compelling and can't be denied. However, organizations need to make sure they get the security right. Many organizations are looking to virtualize their IT environment but are concerned about how virtualization will impact their security and compliance. PCI DSS is one of the most challenging and specific sets of standards established to date. IT leaders need clear guidance on how to achieve and maintain PCI compliance in virtual environments. This session will address how to improve the efficiency of compliance efforts in virtual environments, what the PCI guidance is for data-at-rest security controls in the areas of encryption, key management, logging and access controls, and the unique challenges of managing all security requirements in virtual environments.

Canadian Media Giant De-scopes for Long-term Compliance and Security

Presented by: Tim Critchley, CEO, Semafone

This session will present a project case study on how long-term security and PCI compliance were achieved for a very large system-rich organization. Attendees will hear how a business can address the myriad security challenges that come from accepting payments from a multitude of channels including online, by telephone and in stores.

12:00 - 13:00

Networking Lunch and Vendor Showcase

13:00 - 15:30

Community Update (continued)

Moderated by: Troy Leach, CTO, PCI Security Standards Council

Special Interest Group Update: Shared Responsibilities

Moderated by: Elizabeth Terry, Advanced Research Manager, PCI Security Standards Council

Presented by: Issa Bazsa-Ecker, PCI Compliance Manager, Philips International B.V. and Michael Thompson, Standards Manager, PCI Security Standards Council

Attend to hear an update from the Shared Responsibility Special Interest Group.

Improve Your Security Posture Through Ongoing PCI Compliance

Presented by: Richard Daw, CEO, Clone Systems

The FBI classifies companies into two types: those who know they’ve been hacked and those who don’t know. Companies may be in compliance, but can still get hacked. So how can companies ensure that they’re in compliance and also that their data is secure? This session will discuss using managed security services and will detail how security and compliance need to be part of a holistic security strategy. By treating PCI as part of the security strategy, companies can improve their security postures overall.

Passwords and Equivalent Strength -- The Loophole in the PCI DSS

Presented by: Hoyt L Kesterson II, Senior Security Architect, Terra Verde

Can we make passwords stronger yet easier to remember than those typically created to comply with the DSS requirements? If we do so, how do we convince the QSA that our alternative method complies? Attend to hear how to answer these questions.

Do My Security Controls Achieve the Spirit of Wireless PCI DSS Compliance?

Presented by: Kevin McCauley, Director of Retail Market Development, AirTight Networks

This session will look at what it takes to arrive at true wireless security, focusing on three key elements that affect achieving the spirit of wireless PCI DSS compliance: technology, human behavior and regulation. Wi-Fi technology is changing fast, with the latest hacks, the Internet of Things and the new 802.11ac standard. Combine this with human factors and you get a perfect storm of uncertainty. In this session, you'll hear reports from the trenches, translated into best practices to prevent wireless vulnerabilities.

Comprehensive Dataflow Diagrams: Engaging the Business

Presented by: Stacy Hughes, VP, IT Governance, Risk and Compliance, Global Payments, and Kevin Simmonds, Director, PricewaterhouseCoopers


Global Payments and PwC will present successful practices for designing and implementing an initial and ongoing process to meet the PCI DSS requirement 1.1.3 – Cardholder data flow diagram. The topics for this presentation will include discussions on 1) Methodology, 2) Bottoms-Up/Top-Down/Outside-In Approach, 3) Data Flow/Application Identification, 4) Infrastructure Identification, 5) Required People, Process, Technology, and 6) Governance and Sustainability.

Building Returns from PCI DSS Effort: Gaining Both Security and Compliance

Presented by: Tom Evans, CSO, Cognia Cloud

In this session, you will learn how Cognia Cloud’s investment in PCI DSS compliance leveraged itself to build a strong InfoSec culture and served as a springboard to developing operational cyber security across the whole enterprise.

How Blockchain Technology Offers Improvements to Payment Security

Presented by: Ashok Misra, Founder, Alina Consultants

In this session, hear an introduction to cryptocurrencies along with an overview of Bitcoin's technical building blocks. This session will also address the precise security advantages of cryptocurrency and how pain points with traditional payments can be addressed, as well as an explanation of a prototype for a credit card payment system built on blockchain technology.

Closing Remarks

Presented by: Stephen W. Orfei, General Manager, PCI Security Standards Council

Community Meeting concludes.

Register today to secure your spot at the 2015 North America Community Meeting

TRAINING

Employee Education is the Best Defense for Protecting your Organization’s Data Assets.

In conjunction with the North America Community Meeting, four training courses are available, allowing attendees to make the most of their travel time and budgets. The trainings will take place at the Pan Pacific Hotel.

PCI-ISA

Internal Security Assessor Training | 27-28 September

The Internal Security Assessor (ISA) Program provides large merchants, acquiring banks, and processors the opportunity to build their internal payment data security expertise, as well as increase their efficiency in complying with PCI Standards.


Qualified Security Assessor Training | 27-28 September and 2-3 October

PA-QSA training provides you the tools to become an expert on the requirements for PA-DSS compliance and have an impact on the consistent and proper application of security measures and controls for your client’s payment applications. Enrollment is restricted to existing QSAs only.

PCI-QSA

PA-QSA Training | 2-3 October

PA-QSA training provides you the tools to become an expert on the requirements for PA-DSS compliance and have an impact on the consistent and proper application of security measures and controls for your client’s payment applications. Enrollment is restricted to existing QSAs only.

P2PE

Point-to-Point Encryption (P2PE) Training | 4-5 October

P2PE training provides you the tools to become an expert on the requirements for P2PE compliance and have an impact on the consistent and proper application of security measures and controls for your client’s P2PE solutions and components. Enrollment is restricted to existing QSAs only.

TESTIMONIALS

SPONSORS

Silver Sponsors

NCC Group
SecurityMetrics

Platinum Sponsor

Verizon

Gold Sponsors

Armor
Protiviti

Bronze Sponsors

K3DES
Bluefin

General Sponsors

Bit9 + Carbon Black
Optiv
VigiTrust
Coalfire
SSH
Control Gap
Tenable

An exclusive opportunity to position your company as a leader in the global payment security industry.

Get maximum visibility for your brand – view the available sponsorship opportunities.


VENDOR SHOWCASE

Get the latest updates on the North America Community Meeting by joining our mailing list.