Las Vegas, Nevada, USA September 25 – 27, 2018

North America Community Meeting

Join Us at the 2018 North America Community Meeting

Don’t miss THE data security event of the year for the payment card industry. Join us for networking opportunities, updates on industry trends, insights and strategies on best practices, and engaging keynotes from industry expert speakers.

The PCI Security Standards Council’s 2018 North America Community Meeting is THE place to be. We provide you the information and tools to help secure payment data. We lead a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent criminal attacks and breaches. Don’t miss out!

AGENDA

Join us for three days of discovery, updates and insights from members of the Council and regional community figures and merchants.

TUESDAY, SEPTEMBER 25
1:00 PM - 1:15 PM Welcome Remarks
Presented by: Jeremy King, International Director – Europe, PCI Security Standards Council
1:15 PM - 2:00 PM Keynote: State of the Council
Presented by: Lance J. Johnson, Executive Director, PCI Security Standards Council
2:00 PM - 2:45 PM Industry Standards, a Panel Discussion
Moderated by: Lance J. Johnson, Executive Director, PCI Security Standards Council
Panelists: Brian Byrne, Director of Operations, EMVCo and Steve Stevens, Executive Director, Accredited Standards Committee X9 Inc

Discussing challenges facing today's standards organizations.
2:45 PM - 3:15 PM Networking Break and Vendor Showcase
3:15 PM - 4:00 PM Industry Keynote: Forensics
4:00 PM - 5:00 PM Shifting Paradigms: How Innovation is Changing Payment Security (and Standards)
Presented by: Troy Leach, Chief Technology Officer, PCI Security Standards Council
6:00 PM - 7:45 PM Welcome Reception and Vendor Showcase
WEDNESDAY, SEPTEMBER 26
7:30 AM - 9:00 AM Networking Breakfast and Vendor Showcase
9:00 AM - 9:15 AM Welcome Remarks and Regional Update
Presented by: Jeremy King, International Director – Europe, PCI Security Standards Council
9:15 AM - 10:15 AM Keynote: Cyber Security in the Age of Espionage
Presented by: Eric O'Neill, Former FBI Counterintelligence Operative, Founder, The Georgetown Group and National Security Strategist, Carbon Black

The Internet is not a safe environment. It is a frontier. Recent years have seen a massive increase in cyber theft of private and confidential information from government agencies, businesses and private individuals. The modern spy is responsible for these attacks. Today's spies are sophisticated, brilliant, devious and technologically advanced, and they are targeting your data. Robert Hanssen was the first of these new cyber spies, charged with selling American secrets to Russia for more than US$1.4 million in cash and diamonds. His ability to exploit computer systems allowed him to protect his identity during a 22-year spy career. Join Eric as he uses real-life spy stories to show how careful diligence, counter-espionage techniques, and restraint in social media can help identify the numerous spies, hackers, hacktivists and trusted insiders that threaten every stroke of the keyboard.
10:15 AM - 10:45 AM Networking Break and Vendor Showcase
Track One
Technology Track
Sessions will examine technical aspects of payments security standards and implementation. Best suited for those interested in looking at processes and technologies used to protect payment data and supporting systems.
Track Two
Business Track
Sessions will examine business challenges within payment security and include case studies and best practices. Best suited for those interested in strategic planning and implementation of governance programs for making payments safer.
10:45 AM - 11:15 AM
Technology Track: Mobile Payment Initiatives
Presented by: Elizabeth Terry, Advanced Research Manager, PCI Security Standards Council and Michael Thompson, Senior Manager, Emerging Standards, PCI Security Standards Council

The PCI Council will provide an overview of recent mobile payment initiatives, including the recently released Software-based PIN Entry on COTS (SPoC) Standard and the ongoing effort on contactless payment acceptance on merchant COTS devices.
Business Track: PCI DSS: The Future is Now
Presented by: Emma Sutcliffe, Senior Director, Data Security Standards, PCI Security Standards Council

For a long time organizations have been looking “forward” to implementation dates and deadlines that would arrive sometime in the future. With the release of PCI DSS v3.2.1, that future is now the past. Join this session to learn what PCI DSS means today and how the standard is shaping up for the future.
11:25 AM - 11:55 AM
Technology Track: EMVCo Initiative Overview
Presented by: Brian Byrne, Director of Operations, EMVCo
Business Track: PCI DSS and Cloud - Navigating in Reduced Visibility
Presented by: John Markh, Standards Manager, PCI Security Standards Council and 2017 Cloud SIG participants Jonathan Lewis, Infrastructure and Operations, Cloud and Compute, Target and Tabitha Gallo, Senior Security Consultant, Herjavec Group

As more and more businesses adopt cloud infrastructure and services, there is a need to better understand the business, technical and operational issues that may affect the security of payment data. In this session, the presenters will share their experience managing PCI DSS compliance in cloud deployments.
12:05 PM - 12:35 PM
Technology Track: Broken Foundations - The Deep Malaise of Inadequate Patch Management
Presented by: Jacob Ansari, Director, Schellman & Company, LLC

Advances in information security tools and practices have not removed the fundamental need to apply security patches and fixes aggressively. Studies of security incidents consistently show the need for prompt and thorough updates, yet many organizations fail to prioritize patching or struggle to execute it. This session will explore some of the reasons for this and consider some solutions.
Business Track: Women in PCI and Cybersecurity Panel
Moderated by: Emma Sutcliffe, Senior Director, Data Security Standards, PCI Security Standards Council
Panelists: Gina Gobeyn, Chief Risk Management Officer, Payment Services, Discover, Stacy Hughes, SVP of Risk and Compliance, Global Payments, Nancy Rodriguez, Senior Vice President & Head of PCI Governance & Compliance, Wells Fargo and Phyllis Woodruff, Vice President of Security Programs and Standards, Fiserv

Women comprise only 11 percent of the global information security workforce. This panel will discuss how everyone got involved in PCI, lessons learned, key challenges facing us now, mentoring the next generation, how to overcome obstacles, advice for women and men getting into the field, and what the future brings.
12:35 PM - 1:35 PM Networking Lunch and Vendor Showcase
1:35 PM - 2:05 PM
Technology Track: Passwords are NOT What They are CRACKED Up to Be (Live Demo)
Presented by: Rob Harvey, Risk, Security and Privacy, Online Business Systems and Adam Kehler, Senior Consultant - Risk, Security and Privacy, Online Business Systems

In this session, Online Business Systems will demonstrate ways for retailers to implement stronger password composition and storage mechanisms so that account credentials are not put at risk. Through audience participation, we will generate a policy-compliant password and then use password cracking tools to break it. We will provide practical recommendations on how to strengthen your cybersecurity program in accordance with the new NIST Special Publication 800-63B Digital Identity Guidelines.
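The demo above pairs a composition-compliant password with a cracking run against it. The Python below is an added illustration written for this page, not the presenters' material: it generates guesses from a small rule set, recovers a policy-compliant password from an unsalted SHA-1 hash, then applies the SP 800-63B-style checks (minimum length, breached-password screening, no composition rules) and stores the password with salted scrypt. The wordlist, rules and "breach corpus" are constructed stand-ins for the real cracking wordlists and breach lists a tester would use.

```python
"""Added example (not the presenters' material): crack a composition-compliant
password stored as an unsalted fast hash, then apply SP 800-63B-style checks and
salted, memory-hard storage. Wordlist, rules and breach corpus are constructed."""
import hashlib
import hmac
import itertools
import os

# Constructed stand-ins for a cracking wordlist and a rule file.
WORDLIST = ["password", "summer", "welcome", "letmein", "vegas", "company"]
YEARS = ["", "17", "18", "2017", "2018"]
SUFFIXES = ["", "!", "1", "123"]
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)   # roughly 16 MiB per hash


def meets_composition_policy(pw: str) -> bool:
    """Classic composition rule: at least 7 characters, with letters and digits."""
    return (len(pw) >= 7
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def candidates():
    """Rule-based guess generator: case variants + year + symbol suffix."""
    for word, year, suffix in itertools.product(WORDLIST, YEARS, SUFFIXES):
        for variant in (word, word.capitalize(), word.upper()):
            yield f"{variant}{year}{suffix}"


def fast_unsalted_hash(pw: str) -> str:
    """Unsalted SHA-1: the storage scheme being cracked, never one to deploy."""
    return hashlib.sha1(pw.encode()).hexdigest()


def crack(target_hex: str):
    """Offline attack: hash each guess and compare. Returns (guess, attempts) or (None, attempts)."""
    attempts = 0
    for guess in candidates():
        attempts += 1
        if fast_unsalted_hash(guess) == target_hex:
            return guess, attempts
    return None, attempts


# Constructed breach corpus: SP 800-63B section 5.1.1.2 has verifiers reject
# passwords that appear in lists of previously breached values.
BREACHED_HASHES = {fast_unsalted_hash(g) for g in candidates()}


def screen(pw: str):
    """SP 800-63B-style acceptance: 8+ characters, not known-breached, no composition rules."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if fast_unsalted_hash(pw) in BREACHED_HASHES:
        return False, "appears in breach corpus"
    return True, "accepted"


def store(pw: str, salt: bytes = b""):
    """Salted, memory-hard hash for storage; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT)


def verify(pw: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time."""
    return hmac.compare_digest(hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT), digest)


if __name__ == "__main__":
    pw = "Summer2018!"
    print("meets composition policy:", meets_composition_policy(pw))
    print("cracked:", crack(fast_unsalted_hash(pw)))
    print("screened:", screen(pw), screen("correct horse battery staple"))
```

"Summer2018!" satisfies the letters-plus-digits rule and falls within a few hundred guesses because the rule set encodes how people actually satisfy such rules; the breach-list check rejects it before it is ever stored, and the long passphrase passes. The salted scrypt hash does not stop a dictionary attack, it only makes each guess cost milliseconds and memory instead of nanoseconds, which is why screening and storage are presented together.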
Business Track: How are New Privacy Regulations Affecting Your PCI Program?
Presented by: Alexis Gargurevich, Manager, PricewaterhouseCoopers LLP (PwC)

Newly introduced privacy regulations in Europe and North America are in the news almost every day. In this changing environment, where credit card information is also considered personal information, most privacy standards and regulations dictate how this data must be collected, used and disposed of. PCI DSS and privacy regulations share the same objective, protecting customer data, but which aspects do they have in common, and can we leverage our compliance efforts to meet both effectively? Find out in this session.
2:15 PM - 2:45 PM
Technology Track: Proliferation of Point-to-Point Encryption (P2PE)
Panel Moderated by: Dan Fritsche, Vice President, Solution Architecture, Coalfire
Panelists: Bill Bolton, Vice-President of Information Technology, The HoneyBaked Ham Company and Ruston Miles, Chief Strategy & Innovation Officer, BlueFin

This will be an all-industry panel discussing the proliferation of point-to-point encryption (P2PE). The purpose of the session is to share real-life experience in validating and implementing P2PE solutions with merchants, gateways and solution providers, and will cover:
• Use case of a listed P2PE partnership
• Best practices for P2PE
• What is fueling the growth of listed solutions and why should merchants adopt them?
• How does P2PE help a merchant protect their environment?
• What is the fine balance between operations, security and compliance?
• How can we leverage third-party solution providers to protect the merchant’s environment?
Business Track: Compliance Cycles and Close Calls
Presented by: John Markh, Standards Manager, PCI Security Standards Council and 2018 Special Interest Group participants Ben Rafferty, Global Solutions Director, Semafone and Brian Dean, Principal Security Consulting Lead, Dell Secureworks

It’s been a busy year for Special Interest Groups (SIGs). In this session, the Chairs and participants of the 2018 SIGs “Maintaining PCI DSS Compliance” and “Securing Telephone-Based Payments” will share their insights on these topics and what to look forward to in the upcoming guidance documents.
2:55 PM - 3:25 PM
Technology Track: Cryptography Prepares for Schrödinger's Cat
Presented by: Ralph Spencer Poore, Director, Emerging Standards, PCI Security Standards Council and Steve Stevens, JD, Executive Director, X9 Financial Services, Inc.

This session covers preparing for the inevitable changes in cryptography, from the latest moves by PCI SSC through to quantum-resistant algorithms. It discusses the need for crypto-agility, that is, isolating cryptographic functions behind a stable interface so that an algorithm can be replaced without re-engineering the applications that depend on it, since cryptographic algorithms of necessity change as technology and cryptanalysis improve.
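One concrete shape for the isolation the session calls for, given here as an added example and not as material from the Council or X9: the application names a suite identifier, never an algorithm; the identifier travels with the protected data and is bound into the MAC input so a tag cannot be replayed under a different suite; each suite gets its own derived key; and retiring a suite is a one-line change in the registry. HMAC is used so the example runs with the Python standard library alone; the same registry pattern applies to signatures and ciphers. The master key and payloads are constructed.

```python
"""Added example of a crypto-agile envelope: algorithms live in one registry,
tokens carry a suite id, keys are derived per suite, suites can be retired.
Not the Council's or X9's code; master key and payloads are constructed."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class MacSuite:
    name: str
    mac: Callable[[bytes, bytes], bytes]   # (key, message) -> tag


# The registry is the only place an algorithm is named.
SUITES: Dict[str, MacSuite] = {
    "1": MacSuite("HMAC-SHA256", lambda k, m: hmac.new(k, m, hashlib.sha256).digest()),
    "2": MacSuite("HMAC-SHA3-256", lambda k, m: hmac.new(k, m, hashlib.sha3_256).digest()),
}
CURRENT_SUITE = "2"          # used for newly protected data
RETIRED: Set[str] = set()    # still recognised, no longer trusted


def suite_key(master: bytes, suite_id: str) -> bytes:
    """Derive a distinct key per suite so one key is never reused across algorithms."""
    return hmac.new(master, b"suite:" + suite_id.encode(), hashlib.sha256).digest()


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def protect(master: bytes, payload: bytes, suite_id: str = "") -> str:
    """Produce '<suite>.<payload>.<tag>'; the suite id is part of the MACed message."""
    suite_id = suite_id or CURRENT_SUITE
    if suite_id in RETIRED:
        raise ValueError(f"suite {suite_id} is retired")
    tag = SUITES[suite_id].mac(suite_key(master, suite_id), suite_id.encode() + b"." + payload)
    return f"{suite_id}.{_b64(payload)}.{_b64(tag)}"


def verify(master: bytes, token: str) -> Tuple[bytes, bool]:
    """Return (payload, needs_reissue); raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    suite_id, p, t = parts
    if suite_id not in SUITES or suite_id in RETIRED:
        raise ValueError("unknown or retired suite")
    payload, tag = _unb64(p), _unb64(t)
    expected = SUITES[suite_id].mac(suite_key(master, suite_id), suite_id.encode() + b"." + payload)
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch")
    return payload, suite_id != CURRENT_SUITE   # old-but-valid tokens get re-issued


def is_valid(master: bytes, token: str) -> bool:
    try:
        verify(master, token)
        return True
    except ValueError:
        return False


def retire(suite_id: str) -> None:
    """Last migration step: once outstanding data is re-issued, stop trusting the old suite."""
    RETIRED.add(suite_id)


if __name__ == "__main__":
    master = b"\x01" * 32   # constructed; a real master key comes from an HSM or KMS
    old = protect(master, b"order=42", "1")
    print(old, verify(master, old))
    retire("1")
    print("old token after retirement still valid?", is_valid(master, old))
```

The migration order this supports is: add the new suite to the registry, switch CURRENT_SUITE, re-issue anything that verifies with needs_reissue set, then retire the old suite. None of those steps touches the code that calls protect or verify, which is the property the session is asking you to build in now.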
Business Track: Warning: These Common PCI Myths, Misconceptions and Mistakes Could be Standing Between You and a Successful Report on Compliance
Presented by: Peggy Nolan, Principal IT Compliance Analyst, Liberty Mutual Group Inc.

In this session, hear about the myths and misconceptions about PCI and the pitfalls merchants may encounter if they don't have an in-depth understanding of the PCI DSS requirements and how they apply to the merchant's environment. Ms. Nolan will not only address common misunderstandings but also speak to the types of personalities you'll encounter during a PCI DSS Report on Compliance.
3:25 PM - 3:55 PM Networking Break and Vendor Showcase
3:55 PM - 4:25 PM
Technology Track: 'You Shall Not Pass!' Segmentation Done Right
Presented by: Joseph Pierini, Vice President, PSC and Phyllis Woodruff, Vice President of Security Programs and Standards, Fiserv

Segmentation isn't easy. Many processes and systems need access to the CDE, and isolating card data from the rest of the business can break critical business needs. Segmentation, when done right, allows the business to continue without interruption while securing PAN data against unauthorized access. PSC has pen tested hundreds of segmentation designs and has seen some that work, some that might work and some that were a waste of money and resources. In this session, we'll cover the common points of compromise in your network and review the most common segmentation design schemes to identify which ones are smoke and mirrors and which ones can stand up against a direct assault.
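Whether a design is smoke and mirrors is settled empirically: scan from a host in each zone and compare what is actually reachable with what the design says may be reachable. The Python below is an added example, not PSC's tooling, covering the comparison step only: it parses nmap grepable output (the lines here are constructed), maps each scanned host to a zone, and reports every open port into the CDE that the documented policy does not permit. The zone map and policy are hypothetical; the scanning itself is left to nmap run from the real vantage points.

```python
"""Added example (not PSC's tooling): compare segmentation-test scan results with
the documented policy. Zones, policy and nmap -oG lines are constructed."""
import ipaddress
import re
from typing import Dict, Iterator, List, Set, Tuple

# Constructed zone map: CDE, connected-to/shared services, and the claimed out-of-scope LAN.
ZONES: Dict[str, str] = {
    "10.10.20.0/24": "cde",
    "10.10.30.0/24": "shared",         # directory, patching, logging
    "10.10.40.0/24": "out_of_scope",   # corporate user LAN
}

# Constructed policy: (source zone, destination zone) -> ports that may be open.
# A pair that is absent means nothing may be reachable.
POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("shared", "cde"): {636, 514},     # LDAPS and syslog, as the merchant documents them
}

_HOST = re.compile(r"Host:\s+(\S+)")
_PORTS = re.compile(r"Ports:\s+(.*?)(?:\t|$)")
_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/")   # port/state/protocol/...


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "unknown"


def parse_grepable(text: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (host, port, proto) for every open port in nmap -oG output."""
    for line in text.splitlines():
        h, p = _HOST.search(line), _PORTS.search(line)
        if not (h and p):
            continue
        for entry in p.group(1).split(","):
            m = _ENTRY.match(entry.strip())
            if m and m.group(2) == "open":
                yield h.group(1), int(m.group(1)), m.group(3)


def findings(vantage_zone: str, scan_text: str) -> List[str]:
    """Every open port into the CDE not explicitly allowed by POLICY is a finding."""
    out = []
    for host, port, proto in parse_grepable(scan_text):
        dst = zone_of(host)
        if dst == "cde" and port not in POLICY.get((vantage_zone, dst), set()):
            out.append(f"{vantage_zone} -> {host}:{port}/{proto} reachable but not permitted")
    return out


# Constructed results of `nmap -oG -` run from a host in each zone.
SCAN_FROM_OUT_OF_SCOPE = """\
# Nmap 7.70 scan initiated (constructed)
Host: 10.10.20.5 (db1.cde)\tPorts: 3306/open/tcp//mysql///, 22/filtered/tcp//ssh///\tIgnored State: filtered (998)
Host: 10.10.20.6 (pos-gw.cde)\tStatus: Down
Host: 10.10.40.9 (print.corp)\tPorts: 9100/open/tcp//jetdirect///
"""
SCAN_FROM_SHARED = """\
Host: 10.10.20.5 (db1.cde)\tPorts: 636/open/tcp//ldapssl///, 3389/open/tcp//ms-wbt-server///
Host: 10.10.20.6 (pos-gw.cde)\tPorts: 514/open/udp//syslog///
"""

if __name__ == "__main__":
    for zone, scan in (("out_of_scope", SCAN_FROM_OUT_OF_SCOPE), ("shared", SCAN_FROM_SHARED)):
        print(zone, findings(zone, scan) or "no findings")
```

In the constructed data the corporate LAN reaches the CDE database directly, which is the classic VLAN-only design that was never segmentation, and the shared-services zone has RDP into the same host that the documented LDAPS/syslog flows do not explain. Both are exactly the conversations a "done right" review starts with.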
Business Track: PCI DSS Control Framework at Royal Dutch Shell
Presented by: Erik Pols, Retail Information Risk Manager, Royal Dutch Shell Ltd. and Rodolphe Simonetti, Managing Director, Security Consulting, Verizon

For PCI DSS compliance, Royal Dutch Shell developed a Control Framework to embed and sustain PCI compliance activities and to be better prepared for future changes to the standard, technology or business processes. Shell manages the PCI DSS requirements by operating 55 controls. The approach required the support of the QSA (Verizon), who had to align their ways of working. In this case study, Shell and Verizon will show the challenges faced when creating and implementing the PCI DSS Control Framework and the benefits when assessing Shell's retail markets.
4:35 PM - 5:05 PM
Technology Track: Multifactor Authentication Requirements for Administrative Access: Designs for Small and Complex Environments
Presented by: Ohen Afriyie, Manager, IT Consulting – Cybersecurity, Protiviti and David Gianna, Senior Manager, IT Consulting – Cybersecurity, Protiviti

Organizations have been exploring ways to implement multi-factor authentication for each applicable in-scope system component. Join this session to explore different methods of satisfying the PCI DSS sub-requirements that became effective on 31 January 2018, which require multi-factor authentication for all non-console access into the CDE by personnel with administrative access.
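As an added illustration of one way to provide the second factor in a small environment, and not material from the session: an RFC 4226/6238 one-time-password verifier in Python with the clock-skew window and the replay guard an assessor will ask about. It uses the RFC 6238 test secret so the published vectors can be checked; a real deployment provisions a per-user secret out of band, and the password and OTP should be evaluated together so that a failed login does not reveal which factor was wrong.

```python
"""Added example (not from the session): HOTP/TOTP per RFC 4226/6238 with a
skew window and replay guard. The secret is the RFC 6238 SHA-1 test key so
the vectors can be verified; it is not a production secret."""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B, SHA-1 vectors
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Per-user verifier state: tolerates +/- `skew` steps, never accepts a step twice."""

    def __init__(self, secret: bytes, digits: int = 6, skew: int = 1):
        self.secret, self.digits, self.skew = secret, digits, skew
        self.last_step: Optional[int] = None   # highest step already consumed

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for step in range(current - self.skew, current + self.skew + 1):
            if self.last_step is not None and step <= self.last_step:
                continue                        # replay, or a code older than the last accepted
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))          # RFC 4226 vector
    print("TOTP at T=59, 8 digits:", totp(RFC_TEST_SECRET, 59, 8))  # RFC 6238 vector
    v = TotpVerifier(RFC_TEST_SECRET, digits=8)
    code = totp(RFC_TEST_SECRET, 1234567890, 8)
    print("first use:", v.verify(code, 1234567890), "replay:", v.verify(code, 1234567895))
```

The two state-handling details are what distinguish a compliant design from a demo: the window is small and bounded (one step of skew here), and the highest accepted step is stored per user so a captured code cannot be reused, even within the same 30-second step. The per-user state and the shared secret live on the verifier; if that verifier sits inside the CDE, it is itself a system component whose administrative access needs the same protection.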
Business Track: Cracking the PCI Compliance Whip in a Hospitality and Timeshare Industry Setting
Presented by: Ralph Villanueva, IT Security and Compliance Analyst, Diamond Resorts International

This session will discuss the challenges facing PCI compliance professionals in the hospitality and timeshare industry, and the way forward for implementing PCI DSS requirements. The industry resembles others in that it has a retail component, a banking aspect and, of course, hotel and restaurant operations, but it is subject to a myriad of other regulations due to its international nature.
5:15 PM - 5:45 PM
Technology Track: What’s Your User [Security] Story!?!: Engaging Developers in the Battle for Software Security Supremacy - Panel
Moderated by: Jake Marcinko, Standards Manager, PCI Security Standards Council
Panelists: Oleg Gryb, Chief Security Architect, Visa Inc. and Rohit Sethi, Chief Operating Officer, Security Compass

As cyber-attacks increasingly target applications, software vendors and software developers are becoming more engaged in efforts to combat and prevent them. However, software development personnel have different priorities than security experts, and security experts need to be able to articulate security needs in development terms in order to bridge the gap. Join us for a panel discussion on modern trends in software development and the methods by which developers measure quality and success, and discover what the PCI SSC is doing to engage the software development community and improve the quality and security of payment software.
Business Track: Choose Wisely: Tips on Selecting the Right Payment Terminal for your Business
Presented by: Tim Cormier, Manager for Device Standards, PCI Security Standards Council

A terminal can be a business-critical piece of equipment carrying a multi-year commitment, yet many people do not understand what this means for their business. This presentation will cover:

1. The different terminal types and the alphabet soup of acronyms (POS, PTS, POI, HSM, EPP, PED, SCR, SCRP, UTP)
2. The normal use case or cases for each terminal type
3. How to validate that a device is indeed a PCI PTS approved device
5:45 PM - 7:15 PM Networking Reception and Vendor Showcase
THURSDAY, SEPTEMBER 27
7:30 AM - 9:00 AM Networking Breakfast and Vendor Showcase
9:00 AM - 9:15 AM Welcome Remarks
Presented by: Jeremy King, International Director – Europe, PCI Security Standards Council
9:15 AM - 10:15 AM Keynote: Lessons from the Miracle on the Hudson
Presented by: Jeff Skiles, Co-Pilot of US Airways Flight 1549

When you’re a pilot and both your engines fail over the largest city in America, you must act quickly and independently, but you must also trust in the system that has trained you and prepared you to handle such crisis moments. Jeff Skiles’ story of the “Miracle on the Hudson” would not have had its perfect ending without the years of training and preparation that allowed the two pilots to understand exactly what the other was doing, maximizing their time, communication and effectiveness. Having met each other only three days earlier, Skiles and Sullenberger were able to work together as a team because they trusted their system, their training and the professionalism of everyone involved, from the air-traffic controllers to their crew. As he takes audiences through the nearly catastrophic events leading up to US Airways Flight 1549’s emergency landing on the Hudson River, Skiles delivers the key lessons and principles that made the flight crew prepared, calm and confident enough to land the plane safely. If such lessons can save 155 lives when time is tight and every move must be perfect, imagine what they can do for your organization.
10:15 AM - 10:45 AM Networking Break and Vendor Showcase
10:45 AM - 11:15 AM Security with My Fries, Please: How to Help Small Merchants Protect Their Business
Moderated by: TBD
Panelists: Lauren Holloway, Director of Standards Coordination, PCI Security Standards Council, Jenna Hutt, Retail Technology Specialist, Rocky Mountain Chocolate Factory, and Laura Knapp Chadwick, Director of Commerce & Entrepreneurship, National Restaurant Association

Small merchants are suffering devastating security breaches at an alarming rate. Join us for this panel discussion to understand the situation and how you can help small merchants, and to hear about new resources available from the Council.
11:15 AM - 11:45 AM How the H@ck R U? Insider Look into the Cybercrime Dark Web
Presented by: Angela Grant, Director, Identity, Fraud and Risk Intelligence, RSA

Digital channels are ground zero in the fight against fraud. With 3B+ consumer credentials stolen annually, cybercriminals have the advantage and are looking to exploit them. In this session, take a tour of the Dark Web, learn how cybercriminals hunt for potential points of compromise in our payments ecosystems, explore popular credential stuffing toolkits, and examine the use of social media as a rising cybercrime communication channel.
11:45 AM - 12:30 PM How Industry Collaboration and Feedback Shapes PCI Programs
Presented by: Mauro Lance, Chief Operations Officer, PCI Security Standards Council

Join this session for a walkthrough of how industry collaboration and feedback has shaped current and upcoming PCI programs.
12:30 PM - 12:35 PM Closing Remarks
Presented by: Mauro Lance, Chief Operations Officer, PCI Security Standards Council

12:35 PM - 3:35 PM Assessor Lunch and Session

Secure Your Spot at the 2018
North America Community Meeting

Sponsorship Opportunities

An exclusive opportunity to position your company as a leader in the global payment security industry.

DIAMOND SPONSOR

Verizon

PLATINUM SPONSOR

TECH SPONSOR

GOLD SPONSOR

Trustwave

SILVER SPONSOR

SecurityMetrics

BRONZE SPONSORS

SUPPORTING SPONSORS

intersec
Optiv
Weaver

Please continue to check back for updates on our Sponsors.

TRAINING

Employee Education is the Best Defense for Protecting your Organization’s Data Assets.

In conjunction with the North America Community Meeting, five (5) training courses are available, allowing attendees to make the most of their travel time and budgets. The trainings will take place at The Mirage.

3DS Assessor Training | 19 Sep

The one-day 3DS Assessor class provides instruction on how to perform assessments of 3DS environments in accordance with the PCI 3DS Core Security Standard.

Point-to-Point Encryption Training | 20-21 Sep

The two-day Point-to-Point Encryption (P2PE) class provides a solid foundation in each of the requirements included in the Point-to-Point Encryption Standard. Depending on prerequisites, candidates may earn the Point-to-Point Encryption Qualified Security Assessor (P2PE QSA) or Point-to-Point Encryption Payment Application Qualified Security Assessor (P2PE PA-QSA) qualification.

Qualified Security Assessor Training | 20-21 Sep

The two-day Qualified Security Assessor (QSA) class provides instruction on how to conduct assessments of merchants, institutions and service providers who must be compliant with the PCI DSS.

Internal Security Assessor Training | 23-24 Sep

The two-day Internal Security Assessor (ISA) class provides large merchants, acquiring banks, and processors the opportunity to build their internal payment data security expertise, as well as increase their efficiency in complying with PCI Standards.

Payment Card Industry Professional Training | 24 Sep

The one-day Payment Card Industry Professional (PCIP) course outlines the PCI Standards and provides you with the tools to build a secure payments environment and help your organization achieve PCI compliance.
