Join us for three days of discovery, updates and insights from regional community figures and merchants and members of the Council.

Tuesday, 24 October
10:00 - 18:30 Registration Open
13:00 - 13:20Welcome Remarks
Presented by: Jeremy King, International Director, PCI Security Standards
13:20 - 14:00KEYNOTE: PCI SSC's Strategic Initiatives
Presented by: PCI Security Standards Senior Team
This session opens the Community Meeting with an extensive look into some of the PCI SSC’s current and
global affairs and how, collaboratively, we help secure payment data.
14:00 - 14:30Insights from PCI SSC Board of Advisors, a Panel Discussion
Moderated by: Karen Czack, Vice President of Industry Engagement and Regulation within the Global Network Business, American Express and PCI SSC Executive Committee Chairperson
Joined by panelists: Pierre Chassigneux, EVP Project & Risk Management Division, Groupement des Cartes Bancaires, Stacy Hughes, SVP of Risk and Compliance, Global Payments and Tracey L. Long, Senior Payment Security PCI DSS Compliance Manager, WorldPay
Join this session for a panel discussion of PCI Security Standards Council’s Executive Committee. Members
of the PCI SSC Board of Advisors will discuss areas of focus for this year’s Board.
14:30 - 15:15Networking Break and Vendor Showcase
15:15 - 16:00INDUSTRY KEYNOTE: Where Data Breaches Intersect Compliance
Presented by: Christopher Novak, Director, Investigative Response Verizon RISK Team

This session will take the audience on a journey through the Verizon Data Breach Investigations Report
and Payment Security Report in order to learn how data breaches occur, whom they happen to and how
the audience members can avoid being the next victim in the headlines. The audience will learn about the
trends that are being seen around the world as well as how they can build a solid compliance and security
foundation of their own to create a resilient and evolving security posture.

16:00 - 17:00Security Roadmap for Next Generation of Payments
Presented by: Troy Leach, CTO, PCI Security Standards Council

Digital payments are evolving rapidly which requires anticipating how cybersecurity attacks will change and how we should expect to protect against them. This session will discuss emerging security trends for 2018 and how new initiatives by the PCI Council plan to address these threats.

17:00 - 18:45Welcome Reception
Wednesday, 25 October
7:30 - 9:00Networking Breakfast and Vendor Showcase
9:00 - 9:30Welcome Remarks
Presented by: Jeremy King, International Director, PCI Security Standards
9:30 - 10:30Keynote: Lessons from the Miracle on the Hudson
Presented by: Jeff Skiles, Co-Pilot of U.S. Airways Flight 1549

When you’re a pilot and both your engines fail over the largest city in America, you must act quickly and independently, but you must also trust in the system that has trained you and prepared you to handle such crisis moments. Jeff Skiles’ story of the “Miracle on the Hudson” would not have the perfect ending if not for years of training and preparation that allowed the two pilots to understand exactly what the other was doing – thus maximizing their time, communication, and effectiveness. Having only met each other three days earlier, Skiles and Sullenberger were able to work together as a team because they trusted in their system and training and the professionalism of everyone involved, from the air-traffic controllers to their crew. As he takes audiences through the nearly catastrophic events leading up to US Airways Flight 1549’s emergency landing on the Hudson River, Skiles delivers the key lessons and principles that made the flight crew prepared, calm, and confident so they could successfully land the plane. If such lessons can save 155 lives when time is tight and every move must be perfect, imagine what these lessons can do for your organization.
10:30 - 11:00Networking Break and Vendor Showcase
Track One

Sponsored by:

 Technology Track
Sessions will examine technical aspects of payments security standards and implementation. Best suited for those interested in looking at processes and technologies used to protect payment data and supporting systems.

Track Two
Business Track
Sessions will examine business challenges within payment security and include case studies and best practices. Best suited for those interested in strategic planning and implementation of governance programs for making payments safer.

11:00 - 11:30Stealing a March: Get Ahead of Changes to Compliance and the Threat Landscape
Presented by: Jacob Ansari, QSA (P2PE), PA-QSA (P2PE), CISSP, Director Schellman & Company, LLC

We will examine requirements that take effect in January 2018 and the impact on your compliance, particularly multi-factor authentication, but also managing control failures, and segmentation testing. Also, we review existing situations that commonly cause trouble, such as protecting SSL/TLS transmissions, disk encryption, and daily log review.

Navigating the PTS-Approved Device Listings
Presented by: Tim Cormier, Manager for Device Standards, PCI Security Standards Council

Do you know how to determine whether a payment device is PCI approved? What is it approved to do? Or is that device already expired? Come to this session for a walkthrough and to learn how to read and navigate the PTS listing. This session is intended for merchants, vendors, and QSAs to who want to better understand PTS approvals.
11:40 - 12:10PCI DSS... Beyond Compliance and Actually Improving Cyber Defense
Presented by: Adetokunbo Omotosho, Managing Consultant, Infoprive

It has been observed that most organizations focus on the compliance objective of PCI DSS rather than the real intent of the standard which is to improve payment security as whole. However there are real benefits the standards offer for those really interested in the security of the payment environment . The session will focus on how to improve payment security and gaining the security benefits of the standards outside of the cardholder environment.

Waking Up in an Unaware Industry
Presented by: Lina Muriel Beltran, Sales, Marketing & Product Development Director, Sipay Plus and Albert Morell, QSA, Director and Co-founder, A2SECURE

This session will describe the struggle between Spanish payment providers and the PCI industry at the beginning of this decade, the Payment Provider’s initial perception of PCI DSS and how PCI helped to evolve its perception towards cybersecurity. Session will also include insight into:

• Wake-up call from A2secure.
• Why did Sipay start with PCI DSS?
• Initial battles to start embracing PCI DSS.
• PCI DSS is creating added value.
• First and next certifications.
• Now: PCI DSS is part of our DNA.
• Evangelizing the industry (still there are many SPs/merchants without a PCI/security strategy)
• From PCI to secure.
12:20 - 12:50Cryptography – Issues and Directions
Presented by: Ralph Spencer Poore, Director, Emerging Standards, PCI Security Standards Council

This session presents cryptography in the context of payments, advances in cryptanalysis, and the need for transition planning. It builds on basic concepts of effective key strength, symmetric and asymmetric algorithms, secure hashes, digital certificates, and good key management. Includes issues of algorithm sunsetting and impact of quantum computing.
Developing a PCI Security Management System
Presented by: Luis Alonso Albir, 27001 Lead Auditor, Grupo SIA

SIA will show how PCI DSS may become a trigger for security being business-as-usual while balancing compliance and control efforts with achievements and how PCI DSS can be added to the company's security portfolio and dashboard.

12:50 - 13:50Networking Lunch and Vendor Showcase
13:50 - 14:20Journey to PCI DSS Compliant Private Cloud
Presented by: Adam Heczko, Security Engineer, Mirantis Inc.

Securing complex computer systems such as OpenStack or Kubernetes clouds is difficult at the very first glance. To make it even worse, attackers can make many mistakes without consequences whereas a defender's single mistake could lead to a security breach. OpenStack and Kubernetes cloud operators need a simple and scalable method for securing their clouds. That starts with grouping components into compartments by its role, placement, intended use case and then looking at how those compartments interact with each other. Those interactions form the backbone of security policies and technical controls.

2017 Cloud SIG Update
Moderated by: John Markh, Standards Manager, PCI Security Standards Council
Presented by: Alan Gutierrez-Arana, Director, Risk Advisory Services, National Leader Payment Card Industry (PCI) Services, RSM US LLP, Yusuf Musaji, CEO, Yusufali & Associates (Y&A) and Sam Pfanstiel, Solution Principal, Coalfire

Members of the Cloud SIG provide an overview of current SIG efforts to update and enhance the cloud guidance.

14:30 - 15:00Fixing Online Fraud - 3DSecure & In-Browser Payments
Presented by: Andrew Jamieson, Technical Manager, Underwriters Laboratories and Emma Sutcliffe, Senior Director, Data Security Standards, PCI Security Standards Council

This talk will outline how these new technologies work, how they may work together and indeed how they may compete in the changing landscape of online payments. Detail will be provided on how regulation such as PSD2 in Europe may impact the deployment of these technologies around the world, and what these changes may mean for the world of card present acceptance: When a customer can interface to a merchant webstore with a mobile phone that is also their payment mechanism, what is the purpose of the traditional POS? How do solutions such as QR codes interact and impact such technologies? What is 'advanced authentication', and how secure are technologies such as biometrics when applied to payments?
A Customers Journey of Implementing a Validated P2PE Solution, the Problems, Dilemmas and Benefits – A Merchant Experience Case Study
Presented by: Tracey L. Long, Senior Payment Security PCI DSS Compliance Manager, WorldPay, Peter Gore, Intel Systems Manager, McColl’s Retails Group and Jo Smith, PCI Business Analyst, WorldPay

A case study with one of the UK's largest retailers discussing and highlighting the bumps in the road along implementing a validated and listed P2Pe solution. Their experience of PIM management, the integration process and how their Acquirer assisted along this journey. Discussion will also take place on the benefits of implementing technology to reduce the scope of PCI compliance.

15:10 - 15:40Technologies for Application Security and Compliance in the Era of DevOps and Cloud
Co- Presenters: John Markh, Standards Manager, PCI Security Standards Council and Joseph Feiman, Chief Innovation Officer, Veracode

This “AppSec Survival Guide" evaluates application threats and outlines decision frameworks and technology solutions for building secure applications and application security defenses against attacks by outsiders and insiders. Special attention is paid to the methods of securing applications when organizations adopt innovative Cloud and DevOps paradigms. This research helps organizations to align their application security strategy with evolving PCI security standards for applications.
Extending Your PCI DSS Compliance to Cover General Data Protection Regulation
Presented by: Nigel Tranter, Vice President, Payment Software Company (PSC)

There's a lot of pressure to ensure that organizations are compliant with the new General Data Protection Regulation (GDPR) regulations by 2018. It's important to understand the intricacies of the relationship between PCI DSS and GDPR.

15:40 - 16:10Networking Break and Vendor Showcase
16:10 - 16:40Cybercriminals Love Your Remote Access: A Hacking Demonstration
Presented by: Gary Glover, Vice President of Strategic Partnerships, SecurityMetrics

Is your remote access application secure? If not, you could be losing valuable data and not even know it. Unsecured remote access is still the biggest pathway for hackers to find and steal sensitive information. Organizations should understand how easily unprotected card data can be stolen through remote access if they don't secure it.

Simplifying Payment Security for Small Merchants
Moderated by: Lauren Holloway, Director of Standards Coordination, PCI Security Standards Council
Panelists: Claire Allen, Projects Coordinator, Suresite Group Ltd., Natasja Bolton, Senior Acquirer Support QSA, Sysnet Global Solutions and Michael Christodoulides, Vice President Security and Fraud Product Team, Barclaycard

A panel of Small Merchant Business Task Force members: What we’ve created, how it’s being used, where we are.

SMB Task Force members including an acquirer, a small merchant representative, and a QSA/ASV provide an update on the Task Force's initiatives, how it is helping small merchants, and how the PCI community can help.
16:50 - 17:20What Happens When the Attackers go POStal?
Presented by: Andrew Barratt, Managing Principal, Coalfire Systems, Inc

Discuss the importance of point of sale security (ecom/mobile/face 2 face) and the risks associated with a weak or untrusted point of sale and how past threats could manipulate these scenarios in the future to cause havoc for merchants.

PCI Service Providers - Gaining Further Assurance of Their PCI Compliance
Presented by: Sarah Nicholson, Security Policy, Risk and Compliance Manager, BT PLC

The session will cover the methodology and approach taken for BT's Service Provider Assurance Programme. It will cover the initial introduction of the programme, the key stakeholders involved and the importance of communication. It will include the key learning points and the value gained from this inaugural programme.

17:30 - 18:00Mobile Security Update
Presented by: Elizabeth Terry, Advanced Research Manager, PCI Security Standards Council and Michael Thompson, Standards Manager, PCI Security Standards Council

PCI SSC will provide updates on the latest mobile security initiatives including Software-based Authentication on mobile POS and the latest updates to the Mobile Guidelines for Developers and Merchants.
Small Merchant Franchised Strategy
Presented by: Mathieu Gorge, CEO and Founder, Vigitrust and Marie-Christine Vittet, Data Risk Manager, AccorHotels

Through “a success story” you will discover how AccorHotels enables its franchisees to comply with PCI Standards:
• PCI education: demystifying PCI Standards compliance for small merchants
• PCI program structure: simplifying the process to provide incentive for merchants to go through with certification the first time - tips to simplify the process and pre populate as many answers as possible
• PCI support platform: automated/consultants (internal/external)/QSA-based
• PCI business as usual: get continuous buy-in from franchisees to improve and continually augment the program (e.g., extend it to GDPR)
• Working with the franchise structure: understanding the key role of master franchisees for the success of the program and franchisee on-boarding best practices
• Key performance indicator for PCI programs for franchisees: focus on reporting

18:00 - 19:30Networking Reception and Vendor Showcase
Thursday, 26 October
7:30 - 9:00Networking Breakfast and Vendor Showcase
9:00 - 9:15Welcome Remarks
Presented by: Jeremy King, International Director, PCI Security Standards
9:15 - 10:15Keynote: Rebuilding Security – Lessons Learned from Tragedy
Presented by: Anthony Amore, Director of Security and Chief Investigator, Isabella Stewart Gardner Museum

The biggest terrorist attack in the history was launched from Boston’s Logan International Airport, and the biggest property theft in the history of the world took place at the Isabella Stewart Gardner Museum, also in Boston. Anthony Amore has worked to rebuild the security at both facilities, and will talk about how an honest examination of both incidents was the key to correcting past failures and protecting them both from future attacks.
10:15 - 10:45Networking Break and Vendor Showcase
10:45 - 11:15IoT: Can I Really Trust My Coffee Machine Not to Hack My HVAC?
Presented by: Tony Gee, Security Consultant, Pen Test Partners LLP

This session will look at weaknesses in IoT, show how your building management system may not be as secure as you think, how your connected car can compromise you and how we can geolocate Bluetooth devices, then control them to cause maximum impact.
11:15 - 12:00Barcelona and PCI Security Standards Council es mucho más!
Presented by: Mauro Lance, Chief Operating Officer, PCI Security Standards Council

Don’t miss this special look into PCI SSC’s inner workings that make it possible to help secure payment data. From programs to partnerships, discover what happens behind the scenes.
12:00 - 12:30Q&A with PCI Security Standards Council and Closing Remarks
12:30 - 15:30Assessor Lunch and Session