|7:30 - 9:00||Networking Breakfast and Vendor Showcase||
|9:00 - 9:30||Welcome Remarks
Presented by: Jeremy King, International Director, PCI Security Standards
|9:30 - 10:30||Keynote: Lessons from the Miracle on the Hudson
Presented by: Jeff Skiles, Co-Pilot of U.S. Airways Flight 1549
When you’re a pilot and both your engines fail over the largest city in America, you must act quickly and independently, but you must also trust in the system that has trained you and prepared you to handle such crisis moments. Jeff Skiles’ story of the “Miracle on the Hudson” would not have the perfect ending if not for years of training and preparation that allowed the two pilots to understand exactly what the other was doing – thus maximizing their time, communication, and effectiveness. Having only met each other three days earlier, Skiles and Sullenberger were able to work together as a team because they trusted in their system and training and the professionalism of everyone involved, from the air-traffic controllers to their crew. As he takes audiences through the nearly catastrophic events leading up to US Airways Flight 1549’s emergency landing on the Hudson River, Skiles delivers the key lessons and principles that made the flight crew prepared, calm, and confident so they could successfully land the plane. If such lessons can save 155 lives when time is tight and every move must be perfect, imagine what these lessons can do for your organization.
|10:30 - 11:00||Networking Break and Vendor Showcase||
Sessions will examine technical aspects of payments security standards and implementation. Best suited for those interested in looking at processes and technologies used to protect payment data and supporting systems.
Sessions will examine business challenges within payment security and include case studies and best practices. Best suited for those interested in strategic planning and implementation of governance programs for making payments safer.
|11:00 - 11:30||Stealing a March: Get Ahead of Changes to Compliance and the Threat Landscape |
Presented by: Jacob Ansari, QSA (P2PE), PA-QSA (P2PE), CISSP, Director Schellman & Company, LLC
We will examine requirements that take effect in January 2018 and the impact on your compliance, particularly multi-factor authentication, but also managing control failures, and segmentation testing. Also, we review existing situations that commonly cause trouble, such as protecting SSL/TLS transmissions, disk encryption, and daily log review.
|Navigating the PTS-Approved Device Listings
Presented by: Tim Cormier, Manager for Device Standards, PCI Security Standards Council
Do you know how to determine whether a payment device is PCI approved? What is it approved to do? Or is that device already expired? Come to this session for a walkthrough and to learn how to read and navigate the PTS listing. This session is intended for merchants, vendors, and QSAs to who want to better understand PTS approvals.
|11:40 - 12:10||PCI DSS... Beyond Compliance and Actually Improving Cyber Defense |
Presented by: Adetokunbo Omotosho, Managing Consultant, Infoprive
It has been observed that most organizations focus on the compliance objective of PCI DSS rather than the real intent of the standard which is to improve payment security as whole. However there are real benefits the standards offer for those really interested in the security of the payment environment . The session will focus on how to improve payment security and gaining the security benefits of the standards outside of the cardholder environment.
|Waking Up in an Unaware Industry
Presented by: Lina Muriel Beltran, Sales, Marketing & Product Development Director, Sipay Plus and Albert Morell, QSA, Director and Co-founder, A2SECURE
This session will describe the struggle between Spanish payment providers and the PCI industry at the beginning of this decade, the Payment Provider’s initial perception of PCI DSS and how PCI helped to evolve its perception towards cybersecurity. Session will also include insight into:
• Wake-up call from A2secure.
• Why did Sipay start with PCI DSS?
• Initial battles to start embracing PCI DSS.
• PCI DSS is creating added value.
• First and next certifications.
• Now: PCI DSS is part of our DNA.
• Evangelizing the industry (still there are many SPs/merchants without a PCI/security strategy)
• From PCI to secure.
|12:20 - 12:50||Cryptography – Issues and Directions |
Presented by: Ralph Spencer Poore, Director, Emerging Standards, PCI Security Standards Council
This session presents cryptography in the context of payments, advances in cryptanalysis, and the need for transition planning. It builds on basic concepts of effective key strength, symmetric and asymmetric algorithms, secure hashes, digital certificates, and good key management. Includes issues of algorithm sunsetting and impact of quantum computing.
|Developing a PCI Security Management System
Presented by: Luis Alonso Albir, 27001 Lead Auditor, Grupo SIA
SIA will show how PCI DSS may become a trigger for security being business-as-usual while balancing compliance and control efforts with achievements and how PCI DSS can be added to the company's security portfolio and dashboard.
|12:50 - 13:50||Networking Lunch and Vendor Showcase||
|13:50 - 14:20||Journey to PCI DSS Compliant Private Cloud|
Presented by: Adam Heczko, Security Engineer, Mirantis Inc.
Securing complex computer systems such as OpenStack or Kubernetes clouds is difficult at the very first glance. To make it even worse, attackers can make many mistakes without consequences whereas a defender's single mistake could lead to a security breach. OpenStack and Kubernetes cloud operators need a simple and scalable method for securing their clouds. That starts with grouping components into compartments by its role, placement, intended use case and then looking at how those compartments interact with each other. Those interactions form the backbone of security policies and technical controls.
|2017 Cloud SIG Update
Moderated by: John Markh, Standards Manager, PCI Security Standards Council
Presented by: Alan Gutierrez-Arana, Director, Risk Advisory Services, National Leader Payment Card Industry (PCI) Services, RSM US LLP, Yusuf Musaji, CEO, Yusufali & Associates (Y&A) and Sam Pfanstiel, Solution Principal, Coalfire
Members of the Cloud SIG provide an overview of current SIG efforts to update and enhance the cloud guidance.
|14:30 - 15:00||Fixing Online Fraud - 3DSecure & In-Browser Payments|
Presented by: Andrew Jamieson, Technical Manager, Underwriters Laboratories and Emma Sutcliffe, Senior Director, Data Security Standards, PCI Security Standards Council
This talk will outline how these new technologies work, how they may work together and indeed how they may compete in the changing landscape of online payments. Detail will be provided on how regulation such as PSD2 in Europe may impact the deployment of these technologies around the world, and what these changes may mean for the world of card present acceptance: When a customer can interface to a merchant webstore with a mobile phone that is also their payment mechanism, what is the purpose of the traditional POS? How do solutions such as QR codes interact and impact such technologies? What is 'advanced authentication', and how secure are technologies such as biometrics when applied to payments?
|A Customers Journey of Implementing a Validated P2PE Solution, the Problems, Dilemmas and Benefits – A Merchant Experience Case Study
Presented by: Tracey L. Long, Senior Payment Security PCI DSS Compliance Manager, WorldPay, Peter Gore, Intel Systems Manager, McColl’s Retails Group and Jo Smith, PCI Business Analyst, WorldPay
A case study with one of the UK's largest retailers discussing and highlighting the bumps in the road along implementing a validated and listed P2Pe solution. Their experience of PIM management, the integration process and how their Acquirer assisted along this journey. Discussion will also take place on the benefits of implementing technology to reduce the scope of PCI compliance.
|15:10 - 15:40||Technologies for Application Security and Compliance in the Era of DevOps and Cloud|
Co- Presenters: John Markh, Standards Manager, PCI Security Standards Council and Joseph Feiman, Chief Innovation Officer, Veracode
This “AppSec Survival Guide" evaluates application threats and outlines decision frameworks and technology solutions for building secure applications and application security defenses against attacks by outsiders and insiders. Special attention is paid to the methods of securing applications when organizations adopt innovative Cloud and DevOps paradigms. This research helps organizations to align their application security strategy with evolving PCI security standards for applications.
|Extending Your PCI DSS Compliance to Cover General Data Protection Regulation
Presented by: Nigel Tranter, Vice President, Payment Software Company (PSC)
There's a lot of pressure to ensure that organizations are compliant with the new General Data Protection Regulation (GDPR) regulations by 2018. It's important to understand the intricacies of the relationship between PCI DSS and GDPR.
|15:40 - 16:10||Networking Break and Vendor Showcase||
|16:10 - 16:40||Cybercriminals Love Your Remote Access: A Hacking Demonstration |
Presented by: Gary Glover, Vice President of Strategic Partnerships, SecurityMetrics
Is your remote access application secure? If not, you could be losing valuable data and not even know it. Unsecured remote access is still the biggest pathway for hackers to find and steal sensitive information. Organizations should understand how easily unprotected card data can be stolen through remote access if they don't secure it.
|Simplifying Payment Security for Small Merchants
Moderated by: Lauren Holloway, Director of Standards Coordination, PCI Security Standards Council
Panelists: Claire Allen, Projects Coordinator, Suresite Group Ltd., Natasja Bolton, Senior Acquirer Support QSA, Sysnet Global Solutions and Michael Christodoulides, Vice President Security and Fraud Product Team, Barclaycard
A panel of Small Merchant Business Task Force members: What we’ve created, how it’s being used, where we are.
SMB Task Force members including an acquirer, a small merchant representative, and a QSA/ASV provide an update on the Task Force's initiatives, how it is helping small merchants, and how the PCI community can help.
|16:50 - 17:20||What Happens When the Attackers go POStal?|
Presented by: Andrew Barratt, Managing Principal, Coalfire Systems, Inc
Discuss the importance of point of sale security (ecom/mobile/face 2 face) and the risks associated with a weak or untrusted point of sale and how past threats could manipulate these scenarios in the future to cause havoc for merchants.
|PCI Service Providers - Gaining Further Assurance of Their PCI Compliance
Presented by: Sarah Nicholson, Security Policy, Risk and Compliance Manager, BT PLC
The session will cover the methodology and approach taken for BT's Service Provider Assurance Programme. It will cover the initial introduction of the programme, the key stakeholders involved and the importance of communication. It will include the key learning points and the value gained from this inaugural programme.
|17:30 - 18:00||Mobile Security Update|
Presented by: Elizabeth Terry, Advanced Research Manager, PCI Security Standards Council and Michael Thompson, Standards Manager, PCI Security Standards Council
PCI SSC will provide updates on the latest mobile security initiatives including Software-based Authentication on mobile POS and the latest updates to the Mobile Guidelines for Developers and Merchants.
|Small Merchant Franchised Strategy
Presented by: Mathieu Gorge, CEO and Founder, Vigitrust and Marie-Christine Vittet, Data Risk Manager, AccorHotels
Through “a success story” you will discover how AccorHotels enables its franchisees to comply with PCI Standards:
• PCI education: demystifying PCI Standards compliance for small merchants
• PCI program structure: simplifying the process to provide incentive for merchants to go through with certification the first time - tips to simplify the process and pre populate as many answers as possible
• PCI support platform: automated/consultants (internal/external)/QSA-based
• PCI business as usual: get continuous buy-in from franchisees to improve and continually augment the program (e.g., extend it to GDPR)
• Working with the franchise structure: understanding the key role of master franchisees for the success of the program and franchisee on-boarding best practices
• Key performance indicator for PCI programs for franchisees: focus on reporting
|18:00 - 19:30||Networking Reception and Vendor Showcase||