North America Community Meeting

Location: Orlando, FL USA
Date: 12 – 14 September 2017

Register Now

Join us at the 2017 North America Community Meeting

Join your industry colleagues for three days of networking and one-of-a-kind partnership opportunities. Whether you want to learn more about updates in the payment industry or showcase a new product, you’ll find it all at the 2017 Community Meetings.


Join us for three days of discovery, updates and insights from regional community figures and merchants and members of the Council.



Tuesday, 12 September
10:00 - 6:30Registration Open
1:00 - 1:20Welcome Remarks
Presented by: Jeremy King, International Director, PCI Security Standards
1:20 - 2:30PCI SSC's Strategic Initiatives
Presented by: PCI Security Standards Senior Team
2:30 - 3:00Networking Break and Vendor Showcase
3:00 - 3:45Insights from PCI SSC Board of Advisors, a Panel Discussion
Moderated by: Mike Matan, Vice President, Network Industry Engagement, Product and Marketing, American Express and PCI SSC Executive Committee Chairperson
3:45 - 4:30Session TBD
4:30 - 5:15ROI of PCI
Presented by: Troy Leach, CTO, PCI Security Standards Council
Wondering how to measure the ROI of your PCI efforts? Attend this session to hear first-hand from the Council’s, Troy Leach, on how to evaluate metrics around your security efforts.
5:15 - 6:45Welcome Reception and Vendor Showcase
Wednesday, 13 September
7:30 - 9:00Networking Breakfast and Vendor Showcase
9:00 - 9:15Welcome Remarks
Presented by: Jeremy King, International Director, PCI Security Standards
9:15 - 10:15Keynote: Lessons from the Miracle on the Hudson
Presented by: Jeff Skiles, Co-Pilot of U.S. Airways Flight 1549

When you’re a pilot and both your engines fail over the largest city in America, you must act quickly and independently, but you must also trust in the system that has trained you and prepared you to handle such crisis moments. Jeff Skiles’ story of the “Miracle on the Hudson” would not have the perfect ending if not for years of training and preparation that allowed the two pilots to understand exactly what the other was doing – thus maximizing their time, communication, and effectiveness. Having only met each other three days earlier, Skiles and Sullenberger were able to work together as a team because they trusted in their system and training and the professionalism of everyone involved, from the air-traffic controllers to their crew. As he takes audiences through the nearly catastrophic events leading up to US Airways Flight 1549’s emergency landing on the Hudson River, Skiles delivers the key lessons and principles that made the flight crew prepared, calm, and confident so they could successfully land the plane. If such lessons can save 155 lives when time is tight and every move must be perfect, imagine what these lessons can do for your organization.
10:15 - 10:45Networking Break and Vendor Showcase
Track One
Technology Track
Sessions will examine technical aspects of payments security standards and implementation. Best suited for those interested in looking at processes and technologies used to protect payment data and supporting systems.
Track Two
Business Track
Sessions will examine business challenges within payment security and include case studies and best practices. Best suited for those interested in strategic planning and implementation of governance programs for making payments safer.
10:45 - 11:15Stealing a March: Get Ahead of Changes to Compliance and the Threat Landscape
Presented by: Jacob Ansari, QSA (P2PE), PA-QSA (P2PE), CISSP, Director Schellman & Company, LLC

We will examine requirements that take effect in January 2018 and the impact on your compliance, particularly multi-factor authentication, but also managing control failures, and segmentation testing. Also, we review existing situations that commonly cause trouble, such as protecting SSL/TLS transmissions, disk encryption, and daily log review.
Navigating the PTS-approved device listings
Presented by: Tim Cormier, Manager for Device Standards, PCI Security Standards Council

Do you know how to determine whether a payment device is PCI approved? What is it approved to do? Or is that device already expired? Come to this session for a walkthrough and to learn how to read and navigate the PTS listing. This session is intended for merchants, vendors, and QSAs to who want to better understand PTS approvals.
11:25 - 11:55No Card? No Problem. Orvis and the NCCoE Present a Use Case on Multifactor Authentication for e-Commerce
Presented by: Tyson A. Martin, ISA, PCI-P, CISSP, CRISC, CISM, ECSA, CEH, CCISO, Head of IT Security, Compliance and Risk Management, Orvis and Brian Abe, Deputy Program Manager, National Cybersecurity FFRDC

In this session, Orvis and the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) will jointly demonstrate ways for retailers to implement stronger authentication mechanisms to ensure a customer is authorized to use the card for e-commerce transactions in CNP scenarios. Orvis and the NCCoE have worked closely together to develop a solution to introduce multifactor authentication that ties to existing web analytics and contextual risk calculation to reduce the risk of false online identification and authentication fraud.
One-to-Many Compliance: Franchise Environment Case Study
Presented by: Carlos Villalba, QSA, CISSP, Vice President, Terra Verde LLC

A case study highlighting the successes and failures of establishing a security program that would lead the franchisee environment into compliance.
Many franchisor/franchisee environments do not clearly delineate compliance ownership. In many instances the delineation is either blurry, non-existing or suffocated by the legal language. Ultimately, the franchise brand will be the most impacted in the event of a breach. In terms of financial liability and reputational loss. We collaborated with a franchisor/franchise ecosystems of 150+ members to pragmatically and operationally implement security controls and best practices that would collaterally facilitate PCI DSS compliance.
12:05 - 12:35Cryptography – Issues and Directions
Presented by: Ralph Poore, Director, Emerging Standards, PCI Security Standards Council

This session presents cryptography in the context of payments, advances in cryptanalysis, and the need for transition planning. It builds on basic concepts of effective key strength, symmetric and asymmetric algorithms, secure hashes, digital certificates, and good key management. Includes issues of algorithm sunsetting and impact of quantum computing.
Leveraging ISA’s: A Faster Approach to PCI Compliance
Presented by: Stacy Hughes CITP, CRISC, CGMA, PCI ISA, PCIP, CISM
SVP of Risk and Compliance, Global Payments and Tom Arnold CISSP, ISSMP, CFS, PCI/PA QSA, PCI ASV, PCI PFI, Visa SA, GIAC-GCFE Gold, Vice President, Head of Digital Forensics, PSC

Global Payments and PSC will present a real-world case study on the benefits and approach for integrating PCI ISAs into a worldwide compliance program. The presentation includes: core issues and problems with worldwide compliance demonstration; strategic placement of PCI ISAs; ongoing training and communication; working on assessment requirements with the QSAs; benefits leveraged from assessments and ongoing maintenance of security and compliance; and overall governance of the program.
12:35 - 1:35Networking Lunch and Vendor Showcase
1:35 - 2:05Session TBD2017 Cloud SIG update
Presented by: John Markh, Security Standards Manager

Members of the Cloud SIG provide an overview of current SIG efforts to update and enhance the cloud guidance.
2:15 - 2:45Fixing Online Fraud - 3DSecure & In-Browser Payments
Presented by: Andrew Jamieson, Technical Manager, Underwriters Laboratories and Emma Sutcliffe, Senior Director, Data Security Standards, PCI Security Standards Council

This talk will outline how these new technologies work, how they may work together and indeed how they may compete in the changing landscape of online payments. Detail will be provided on how regulation such as PSD2 in Europe may impact the deployment of these technologies around the world, and what these changes may mean for the world of card present acceptance: When a customer can interface to a merchant webstore with a mobile phone that is also their payment mechanism, what is the purpose of the traditional POS? How do solutions such as QR codes interact and impact such technologies? What is 'advanced authentication', and how secure are technologies such as biometrics when applied to payments?
QIR Panel Discussion: Generating Traction Unlocking the QIR Program’s Potential
Presented by: Chris Bucolo, MBA, PCIP, Director, Market Strategy, ControlScan, Inc., Acquirerer TBD and Moderated by Gill Woodwock, Senior Director of Certification Programs, PCI Security Standards Council

The PCI Council’s QIR program is designed to prevent the insecure installation, integration and/or support of validated payment applications. Yet the program’s potential to better secure small merchants is not being realized due to lack of awareness and general apathy among payments industry stakeholders.
Why is this happening and what does it mean to you and your business?

In this session, we’ll take a look under the hood of the QIR program to examine its potential. Attendees will learn:
- Why the program’s success is a big deal;
- Where lack of awareness or understanding of the real risk is impeding the program’s progress;
- How your business can turn these challenges into opportunities; and
- What a coordinated effort to accelerate the pace of QIR certifications looks like.
- We will provide takeaways that all of us can leverage moving forward
2:55 - 3:25Technologies for Application Security and Compliance in the Era of DevOps and Cloud
Co- Presenters: Jake Marcinko, Standards Manager, PCI Security Standards Council and Joseph Feiman, Chief Innovation Officer, Veracode

This “AppSec Survival Guide" evaluates application threats and outlines decision frameworks and technology solutions for building secure applications and application security defenses against attacks by outsiders and insiders. Special attention is paid to the methods of securing applications when organizations adopt innovative Cloud and DevOps paradigms. This research helps organizations to align their application security strategy with evolving PCI security standards for applications.
Establishing a Secure Development Training Program
Presented by: Josh Holmes, Senior Consultant, West Monroe Partners and Paul Cotter, Senior Architect, West Monroe Partners

A secure development training program is a requirement under the PCI DSS, yet organizations often do not maximize the value that it can provide. We’ll discuss how a well-established program can increase development efficiency, provide direct business value, and incite executive sponsorship for continuing and/or expanding investment in the organization’s security program.
3:25 - 3:55Networking Break and Vendor Showcase
3:55 - 4:25Cybercriminals Love Your Remote Access: A Hacking Remote Access Demonstration
Presented by: Gary Glover, CISSP, QSA, PA-QSA, CISA, Vice President of Assessments, SecurityMetrics

Is your remote access application secure? If not, you could be losing valuable data and not even know it. Unsecured remote access is still the biggest pathway for hackers to find and steal sensitive information. Organizations should understand how easily unprotected card data can be stolen through remote access if they don’t secure it.

This presentation covers past remote access compromises, hacking methodology, live hacking examples, and tips to implement security practices to protect business data.
Small Merchant Task Force Update and Current PCI SSC efforts
Presented by: PCI Security Standards Council

Panel discussion: Where we are, What we’ve created, How it’s being used.

A panel of SMB Task Force members including an acquirer, a small merchant, and a QSA/ASV to provide an update on the Task Force's initiatives, how it is helping small merchants, and how the PCI community can help.
4:35 - 5:05'You Shall Not Pass!' Segmentation done right
Presented by: Joseph Pierini, CISSP, GCIH, PCI: QSA, PA-QSA, PFI, ASV
Vice President, PSC and Phyllis Woodruff, Vice President of Security Programs and Standards, Fiserv

Segmentation isn't easy. There are many processes and systems that need access to the CDE and isolating the card data from the rest of the business can break critical business needs. Segmentation, when done right, can allow the business to continue without interruption while securing PAN data against unauthorized access.
PSC has pen tested hundreds of segmentation designs and has seen some that work, some that might work and some that were a waste of money and resources. In this talk, we'll cover the common points of compromise to your network and review the most common segmentation design schemes to identify which ones are smoke and mirrors and which ones can stand up against direct assault.
Warning: These Common PCI Myths, Misconceptions and Mistakes Could Be Standing Between You And A Successful Report On Compliance
Presented by: Peggy Nolan, PCI ISA, PCIP, CISA, PCI ISA, Principal IT Compliance Analyst, Liberty Mutual

People with just enough knowledge about PCI are making assumptive decisions that may adversely impact your next Report on Compliance. Attend and learn how to educate decision makers without making enemies.
During this presentation, Peggy will discuss the following common misconceptions about PCI DSS Compliance: 1.“But I know what my cardholder data environment really is…” 2.The uncanny ability to underestimate the people, processes, technologies, and assets in scope for the annual assessment. 3.Rules lawyers and their ability to extract one requirement out of 400 plus requirements, sub requirements, and test procedures and declare its independence from the rest of the requirements 4.“…requirement area 2 has nothing to do with requirement area 6…” 5.Not all QSA’s are the same. (This is not a QSA bashing statement, but rather the acknowledgement that those who are QSA’s bring their wealth of experience to the their role and you won’t always get the same answer depending on who you ask) 6.Moving to the cloud will make PCI Compliance magically disappear…. 7.If you’re a Level 1 merchant and you’re not looking at the PCI DSS Reporting Details, this could cost you. 8.“That’s not how we did things last year…” 9.“This was good 5 years ago, why are we failing this requirement this year?” 10.“This evidence was assessed compliant by another assessor for a different compliance activity, why won’t the QSA just accept it?”
5:05 - 5:35Mobile Security Update
Presented by: Elizabeth Terry, Advanced Research Manager, PCI Security Standards Council and Michael Thompson, Standards Manager, PCI Security Standards Council

PCI SSC will provide updates on the latest mobile security initiatives including Software-based Authentication on mobile POS and the latest updates to the Mobile Guidelines for Developers and Merchants.
Aligning Your Digital Transformation with the PCI Program
Presented by: Adriana Gliga-Belavic, CISSP, PCI QSA, Director Cyber Security and Privacy, PCI Practice Lead, PwC

More Merchants are looking to take advantage of digital transformations to enable channel expansion and customers reach. What solution they choose and how they implement it will determine the impact on their PCI program. In this session we will explore how digital transformation could impact a Merchant PCI compliance program and their ability to manage risk. Moving operations to the cloud, mixing environments or just implementing a new e-commerce solution can bring their PCI program to a halt. How they approach the identification of the impact of each of those initiatives on their PCI program and the steps they take to address it could define their success in building the business and maintaining compliance.
5:35 - 7:00Networking Reception and Vendor Showcase
Thursday, 14 September 
7:30 - 9:00Networking Breakfast and Vendor Showcase
9:00 - 9:15Welcome Remarks
Presented by: Jeremy King, International Director, PCI Security Standards
9:15 - 10:15Rebuilding Security: Lessons Learned from Tragedy
Presented by: Anthony Amore

The biggest terrorist attack in the history was launched from Boston’s Logan International Airport, and the biggest property theft in the history of the world took place at the Isabella Stewart Gardner Museum, also in Boston. Anthony Amore has worked to rebuild the security at both facilities, and will talk about how an honest examination of both incidents was the key to correcting past failures and protecting them both from future attacks.
10:15 - 10:45Networking Break and Vendor Showcase
10:45 - 11:15From Payment to Ransomware, via the Internet of Things
Presented by: Ken Munro, Partner and Founder, Pen Test Partners LLP
11:15 - 12:00Behind the Magic. The Inner Workings of PCI Council.
Presented by: Mauro Lance, Chief Operating Officer, PCI Security Standards
12:00 – 12:30Q&A with PCI Security Standards Council and Closing Remarks
12:30 - 3:30Assessor Lunch and Session

Register today to secure your spot at the 2017 North America Community Meeting


Please continue to check back for updates on our Sponsors




















Sponsorship Opportunities


An exclusive opportunity to position your company as a leader in the global payment security industry



Employee Education is the Best Defense for Protecting your Organization’s Data Assets.

In conjunction with the North America Community Meeting four training courses are available. The trainings will take place at the Walt Disney Dolphin Hotel.


Qualified Security Assessor Training | 7-8 September

The two-day Internal Security Assessor (ISA) class provides merchants, acquiring banks, and processors the opportunity to build their internal payment data security expertise, as well as increase their efficiency in complying with PCI Standards.


Internal Security Assessor | 9-10 September

The two-day Internal Security Assessor (ISA) class provides merchants, acquiring banks, and processors the opportunity to build their internal payment data security expertise, as well as increase their efficiency in complying with PCI Standards.


Point-to-Point Encryption Assessor | 9-10 September

The two-day Point-to-Point Encryption Assessor (P2PE) training programs prepare candidates to perform validation of Point-to-Point Encryption solutions and applications against the latest standard in order for those solutions and applications to be listed on the PCI Council website.


PCI Professional | 11 September

The Payment Card Industry Professional is an individual, entry-level qualification in payment security information and provides you with the tools to build a secure payment environment and help your organization achieve PCI compliance.


Current Exhibitors:

Get the latest updates on the 2017 North America Community Meeting by joining our mailing list