North America Community Meeting

Location: Orlando, FL USA
Date: September 12 – 14, 2017

Join us at the 2017 North America Community Meeting

Join your industry colleagues for three days of networking and one-of-a-kind partnership opportunities. Whether you want to learn more about updates in the payment industry or showcase a new product, you’ll find it all at the 2017 Community Meetings.


Join us for three days of discovery, updates and insights from regional community figures and merchants and members of the Council.



Tuesday, September 12
5:00 PM - 6:45 PMWelcome Reception
Wednesday, September 13
7:30 AM - 8:30 AMNetworking Breakfast and Vendor Showcase
8:30 AM - 8:45 AMWelcome Remarks
Presented by: Jeremy King, International Director, PCI Security Standards
8:45 AM - 9:15 AMPCI SSC's Strategic Initiatives
Presented by: PCI Security Standards Senior Team
9:15 AM - 10:15 AMKeynote: Lessons from the Miracle on the Hudson
Presented by: Jeff Skiles, Co-Pilot of U.S. Airways Flight 1549

When you’re a pilot and both your engines fail over the largest city in America, you must act quickly and independently, but you must also trust in the system that has trained you and prepared you to handle such crisis moments. Jeff Skiles’ story of the “Miracle on the Hudson” would not have the perfect ending if not for years of training and preparation that allowed the two pilots to understand exactly what the other was doing – thus maximizing their time, communication, and effectiveness. Having only met each other three days earlier, Skiles and Sullenberger were able to work together as a team because they trusted in their system and training and the professionalism of everyone involved, from the air-traffic controllers to their crew. As he takes audiences through the nearly catastrophic events leading up to US Airways Flight 1549’s emergency landing on the Hudson River, Skiles delivers the key lessons and principles that made the flight crew prepared, calm, and confident so they could successfully land the plane. If such lessons can save 155 lives when time is tight and every move must be perfect, imagine what these lessons can do for your organization.
10:15 AM - 10:45 AMNetworking Break and Vendor Showcase
10:45 AM - 11:30 AMSecurity Roadmap for Next Generation of Payments
Presented by: Troy Leach, CTO, PCI Security Standards Council

Digital payments are evolving rapidly which requires anticipating how cybersecurity attacks will change and how we should expect to protect against them. This session will discuss emerging security trends for 2018 and how new initiatives by the PCI Council plan to address these threats.
11:30 AM - 12:15 PMIndustry Keynote: Where Data Breaches Intersect Compliance
Presented by: Christopher Novak, Director, Investigative Response Verizon RISK Team

This session will take the audience on a journey through the Verizon Data Breach Investigations Report and Payment Security Report in order to learn how data breaches occur, who they happen to and how the audience members can avoid being the next victim in the headlines. The audience will learn about the trends that are being seen around the world as well as how they can build a solid compliance and security foundation of their own to create a resilient and evolving security posture.
12:15 PM - 1:15 PMNetworking Lunch and Vendor Showcase
Track One
Technology Track
Sessions will examine technical aspects of payments security standards and implementation. Best suited for those interested in looking at processes and technologies used to protect payment data and supporting systems.
Track Two
Business Track
Sessions will examine business challenges within payment security and include case studies and best practices. Best suited for those interested in strategic planning and implementation of governance programs for making payments safer.
1:15 PM - 1:45 PMNo Card? No Problem. Orvis and the NCCoE Present a Use Case on Multifactor Authentication for e-Commerce
Presented by: Tyson A. Martin, ISA, PCI-P, CISSP, CRISC, CISM, ECSA, CEH, CCISO, Head of IT Security, Compliance and Risk Management, Orvis and Brian Abe, Deputy Program Manager, National Cybersecurity FFRDC

In this session, Orvis and the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) will jointly demonstrate ways for retailers to implement stronger authentication mechanisms to ensure a customer is authorized to use the card for e-commerce transactions in CNP scenarios. Orvis and the NCCoE have worked closely together to develop a solution to introduce multifactor authentication that ties to existing web analytics and contextual risk calculation to reduce the risk of false online identification and authentication fraud.
Navigating the PTS-approved device listings
Presented by: Tim Cormier, Manager for Device Standards, PCI Security Standards Council

Do you know how to determine whether a payment device is PCI approved? What is it approved to do? Or is that device already expired? Come to this session for a walkthrough and to learn how to read and navigate the PTS listing. This session is intended for merchants, vendors, and QSAs to who want to better understand PTS approvals.
1:55 PM - 2:25 PMStealing a March: Get Ahead of Changes to Compliance and the Threat Landscape
Presented by: Jacob Ansari, QSA (P2PE), PA-QSA (P2PE), CISSP, Director Schellman & Company, LLC

In this session we will examine requirements that take effect in January 2018 and the impact on your compliance, particularly multi-factor authentication, but also managing control failures, and segmentation testing. Also, we review existing situations that commonly cause trouble, such as protecting SSL/TLS transmissions, disk encryption, and daily log review.
One-to-Many Compliance: Franchise Environment Case Study
Presented by: Carlos Villalba, QSA, CISSP, Vice President, Terra Verde LLC

A case study highlighting the successes and failures of establishing a security program that would lead the franchisee environment into compliance.
Many franchisor/franchisee environments do not clearly delineate compliance ownership. In many instances the delineation is either blurry, non-existing or suffocated by the legal language. Ultimately, the franchise brand will be the most impacted in the event of a breach. In terms of financial liability and reputational loss. We collaborated with a franchisor/franchise ecosystems of 150+ members to pragmatically and operationally implement security controls and best practices that would collaterally facilitate PCI DSS compliance.
2:35PM - 3:05 PMCryptography – Issues and Directions
Presented by: Ralph Poore, Director, Emerging Standards, PCI Security Standards Council

This session presents cryptography in the context of payments, advances in cryptanalysis, and the need for transition planning. It builds on basic concepts of effective key strength, symmetric and asymmetric algorithms, secure hashes, digital certificates, and good key management. Includes issues of algorithm sunsetting and impact of quantum computing.
Leveraging ISA’s: A Faster Approach to PCI Compliance
Presented by: Tom Arnold, CISSP, ISSMP, CFS, PCI/PA QSA, PCI ASV, PCI PFI, Visa SA, GIAC-GCFE Gold, Vice President, Head of Digital Forensics, PSC and Stacy Hughes, CITP, CRISC, CGMA, PCI ISA, PCIP, CISM SVP of Risk and Compliance, Global Payments

Global Payments and PSC will present a real-world case study on the benefits and approach for integrating PCI ISAs into a worldwide compliance program. The presentation includes: core issues and problems with worldwide compliance demonstration; strategic placement of PCI ISAs; ongoing training and communication; working on assessment requirements with the QSAs; benefits leveraged from assessments and ongoing maintenance of security and compliance; and overall governance of the program.
3:15 PM - 3:45 PMProliferation of Point-to-Point Encryption - Panel
Moderated by: Dan Fritsche, Vice President, Solution Architecture, Coalfire
Joined by panelists: Bill Bolton, Vice-President of Information Technology, The HoneyBaked Ham Company and Ruston Miles , PCIP, CPP, Chief Strategy & Innovation Officer BlueFin

An all industry panel regarding proliferation of point-to-point encryption. The purpose of the session is to share real life experience for validating and implementing P2PE solution with merchants, gateway and solutions providers. This will be all industry panel. The session will cover following:

• Use Case of a listed P2PE partnership
• Best Practices for P2PE
• What is fueling the growth of listed solutions and why should merchants adopt them?
• How does P2PE help a merchant to protect their environment?
• What is the fine balance between operations, security, and compliance?
• How can we leverage third party solution providers to protect merchant’s environment?

Simplifying Payment Security for Small Merchants
Presented by: Jack Ady, PCI Product Manager, SecurityMetrics, Michael Christodoulides, Vice President Security and Fraud Product Team, Barclaycard, Jenna Hutt, Retail Technology Specialist, Rocky Mountain Chocolate Factory, and moderated by Lauren Holloway, Director of Standards Coordination, PCI Security Standards Council

A panel of Small Merchant Business Task Force members: What we’ve created, how it’s being used, where we are.

SMB Task Force members including an acquirer, a small merchant, and a QSA/ASV provide an update on the Task Force's initiatives, how it is helping small merchants, and how the PCI community can help.
3:45 PM - 4:15 PMNetworking Break and Vendor Showcase
4:15 PM- 4:45 PMCybercriminals Love Your Remote Access: A Hacking Remote Access Demonstration
Presented by: Gary Glover, CISSP, QSA, PA-QSA, CISA, Vice President of Assessments, SecurityMetrics, Matt Halbleib, Principle Security Analyst at SecurityMetrics

Is your remote access application secure? If not, you could be losing valuable data and not even know it. Unsecured remote access is still the biggest pathway for hackers to find and steal sensitive information. Organizations should understand how easily unprotected card data can be stolen through remote access if they don’t secure it.

This presentation covers past remote access compromises, hacking methodology, live hacking examples, and tips to implement security practices to protect business data.
Session TBD

4:55 PM - 5:25 PMTechnologies for Application Security and Compliance in the Era of DevOps and Cloud
Co- Presenters: Joseph Feiman, Chief Innovation Officer, Veracode and Jake Marcinko, Standards Manager, PCI Security Standards Council

This “AppSec Survival Guide" evaluates application threats and outlines decision frameworks and technology solutions for building secure applications and application security defenses against attacks by outsiders and insiders. Special attention is paid to the methods of securing applications when organizations adopt innovative Cloud and DevOps paradigms. This research helps organizations to align their application security strategy with evolving PCI security standards for applications.
Establishing a Secure Development Training Program
Presented by: Paul Cotter, Senior Architect, West Monroe Partners

A secure development training program is a requirement under the PCI DSS, yet organizations often do not maximize the value that it can provide. We’ll discuss how a well-established program can increase development efficiency, provide direct business value, and incite executive sponsorship for continuing and/or expanding investment in the organization’s security program.
5:35 PM - 6:05 PMFixing Online Fraud - 3DSecure & In-Browser Payments
Presented by: Andrew Jamieson, Technical Manager, Underwriters Laboratories and Emma Sutcliffe, Senior Director, Data Security Standards, PCI Security Standards Council

This talk will outline how these new technologies work, how they may work together and indeed how they may compete in the changing landscape of online payments. Detail will be provided on how regulation such as PSD2 in Europe may impact the deployment of these technologies around the world, and what these changes may mean for the world of card present acceptance: When a customer can interface to a merchant webstore with a mobile phone that is also their payment mechanism, what is the purpose of the traditional POS? How do solutions such as QR codes interact and impact such technologies? What is 'advanced authentication', and how secure are technologies such as biometrics when applied to payments?
'You Shall Not Pass!' Segmentation Done Right
Presented by: Joseph Pierini, CISSP, GCIH, PCI: QSA, PA-QSA, PFI, ASV Vice President, PSC and Phyllis Woodruff, Vice President of Security Programs and Standards, Fiserv

Segmentation isn't easy. There are many processes and systems that need access to the CDE and isolating the card data from the rest of the business can break critical business needs. Segmentation, when done right, can allow the business to continue without interruption while securing PAN data against unauthorized access.
PSC has pen tested hundreds of segmentation designs and has seen some that work, some that might work and some that were a waste of money and resources. In this talk, we'll cover the common points of compromise to your network and review the most common segmentation design schemes to identify which ones are smoke and mirrors and which ones can stand up against direct assault.
6:05 PM - 7:45 PMNetworking Reception and Vendor Showcase
Thursday, September 14 
7:30 AM - 8:30 AMNetworking Breakfast and Vendor Showcase
8:30 AM - 8:45 AMWelcome Remarks
Presented by: Jeremy King, International Director, PCI Security Standards
8:45 AM - 9:15 AM Insights from PCI SSC Board of Advisors, a Panel Discussion
Moderated by: Mike Matan, Vice President, Network Industry Engagement, Product and Marketing, American Express and PCI SSC Executive Committee Chairperson
Joined by panelists: Todd Aument, Head of Data Security Governance, Square Inc., Dave Faoro, VP, Payment Security Officer, Verifone Inc and Stacy Hughes, SVP of Risk and Compliance, Global Payments
9:15 AM - 10:15 AMKeynote: Rebuilding Security - Lessons Learned from Tragedy
Presented by: Anthony Amore, Director of Security and Chief Investigator, Isabella Stewart Gardner Museum

The biggest terrorist attack in the history was launched from Boston’s Logan International Airport, and the biggest property theft in the history of the world took place at the Isabella Stewart Gardner Museum, also in Boston. Anthony Amore has worked to rebuild the security at both facilities, and will talk about how an honest examination of both incidents was the key to correcting past failures and protecting them both from future attacks.
10:15 AM - 10:45 AMNetworking Break and Vendor Showcase
10:45 AM- 11:15 AMFrom Payment to Ransomware, via the Internet of Things
Presented by: Ken Munro, Partner and Founder, Pen Test Partners LLP
11:15 AM - 11:45 AMMobile Security Update
Presented by: Elizabeth Terry, Advanced Research Manager, PCI Security Standards Council and Michael Thompson, Standards Manager, PCI Security Standards Council

PCI SSC will provide updates on the latest mobile security initiatives including Software-based Authentication on mobile POS and the latest updates to the Mobile Guidelines for Developers and Merchants.
11:45 AM - 12:15 PM2017 Cloud SIG update
Presented by: John Markh, Security Standards Manager, Alan Gutierrez-Arana, Director, Risk Advisory Services, National Leader Payment Card Industry (PCI) Services, RSM US LLP, Christine Luong, Senior IT Risk Analyst, Risk Advisory & Assurance Services, Adobe and Balaji Rengamannar, B.E., MBA, PCIP, CISM, PCI QSA, PCI QIR, EMV Program Consultant, President/CEO of A1PlusSoft,Inc.

Members of the Cloud SIG provide an overview of current SIG efforts to update and enhance the cloud guidance.
12:15 AM - 12:45 PMBehind the Magic: The Inner Workings of the PCI Security Standards Council
Presented by: Mauro Lance, Chief Operating Officer, PCI Security Standards
12:45 PM – 1:15 PMQ&A with PCI Security Standards Council and Closing Remarks
1:15 PM - 4:15 PMAssessor Lunch and Session

Register today to secure your spot at the 2017 North America Community Meeting


Please continue to check back for updates on our Sponsors

















Security Scorecard


Sponsorship Opportunities


An exclusive opportunity to position your company as a leader in the global payment security industry



Employee Education is the Best Defense for Protecting your Organization’s Data Assets.

In conjunction with the North America Community Meeting four training courses are available. The trainings will take place at the Walt Disney Dolphin Hotel.

Qualified Security Assessor Training September 7-8

The two-day Internal Security Assessor (ISA) class provides merchants, acquiring banks, and processors the opportunity to build their internal payment data security expertise, as well as increase their efficiency in complying with PCI Standards.

Internal Security Assessor | September 9-10

The two-day Internal Security Assessor (ISA) class provides merchants, acquiring banks, and processors the opportunity to build their internal payment data security expertise, as well as increase their efficiency in complying with PCI Standards.

Point-to-Point Encryption Assessor | September 9-10

The two-day Point-to-Point Encryption Assessor (P2PE) training programs prepare candidates to perform validation of Point-to-Point Encryption solutions and applications against the latest standard in order for those solutions and applications to be listed on the PCI Council website.

PCI Professional | September 11

The Payment Card Industry Professional is an individual, entry-level qualification in payment security information and provides you with the tools to build a secure payment environment and help your organization achieve PCI compliance.


Current Exhibitors:

Get the latest updates on the 2017 North America Community Meeting by joining our mailing list