Join us for three days of discovery, updates and insights from regional community figures and merchants and members of the Council.
Agenda
*Agenda subject to change
| Tuesday, September 12 | ||
|---|---|---|
| 5:00 PM - 6:45 PM | Welcome Reception | Sponsored by: |
| Wednesday, September 13 | ||
|---|---|---|
| 7:30 AM - 8:30 AM | Networking Breakfast and Vendor Showcase | Sponsored by: |
| 8:30 AM - 8:45 AM | Welcome Remarks Presented by: Jeremy King, International Director, PCI Security Standards |
|
| 8:45 AM - 9:15 AM | PCI SSC's Strategic Initiatives Presented by: PCI Security Standards Senior Team |
|
| 9:15 AM - 10:15 AM | Keynote: Lessons from the Miracle on the Hudson Presented by: Jeff Skiles, Co-Pilot of U.S. Airways Flight 1549 When you’re a pilot and both your engines fail over the largest city in America, you must act quickly and independently, but you must also trust in the system that has trained you and prepared you to handle such crisis moments. Jeff Skiles’ story of the “Miracle on the Hudson” would not have the perfect ending if not for years of training and preparation that allowed the two pilots to understand exactly what the other was doing – thus maximizing their time, communication, and effectiveness. Having only met each other three days earlier, Skiles and Sullenberger were able to work together as a team because they trusted in their system and training and the professionalism of everyone involved, from the air-traffic controllers to their crew. As he takes audiences through the nearly catastrophic events leading up to US Airways Flight 1549’s emergency landing on the Hudson River, Skiles delivers the key lessons and principles that made the flight crew prepared, calm, and confident so they could successfully land the plane. If such lessons can save 155 lives when time is tight and every move must be perfect, imagine what these lessons can do for your organization. |
|
| 10:15 AM - 10:45 AM | Networking Break and Vendor Showcase | Sponsored by: |
| 10:45 AM - 11:30 AM | Security Roadmap for Next Generation of Payments Presented by: Troy Leach, CTO, PCI Security Standards Council Digital payments are evolving rapidly which requires anticipating how cybersecurity attacks will change and how we should expect to protect against them. This session will discuss emerging security trends for 2018 and how new initiatives by the PCI Council plan to address these threats. |
|
| 11:30 AM - 12:15 PM | Industry Keynote: Where Data Breaches Intersect Compliance Presented by: Christopher Novak, Director, Investigative Response Verizon RISK Team This session will take the audience on a journey through the Verizon Data Breach Investigations Report and Payment Security Report in order to learn how data breaches occur, who they happen to and how the audience members can avoid being the next victim in the headlines. The audience will learn about the trends that are being seen around the world as well as how they can build a solid compliance and security foundation of their own to create a resilient and evolving security posture. |
|
| 12:15 PM - 1:15 PM | Networking Lunch and Vendor Showcase | Sponsored by: |
| Track One Technology Track Sessions will examine technical aspects of payments security standards and implementation. Best suited for those interested in looking at processes and technologies used to protect payment data and supporting systems. | Track Two Business Track Sessions will examine business challenges within payment security and include case studies and best practices. Best suited for those interested in strategic planning and implementation of governance programs for making payments safer. |
|
| 1:15 PM - 1:45 PM | No Card? No Problem. Orvis and the NCCoE Present a Use Case on Multifactor Authentication for e-Commerce Presented by: Tyson A. Martin, ISA, PCI-P, CISSP, CRISC, CISM, ECSA, CEH, CCISO, Head of IT Security, Compliance and Risk Management, Orvis and Brian Abe, Deputy Program Manager, National Cybersecurity FFRDC In this session, Orvis and the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) will jointly demonstrate ways for retailers to implement stronger authentication mechanisms to ensure a customer is authorized to use the card for e-commerce transactions in CNP scenarios. Orvis and the NCCoE have worked closely together to develop a solution to introduce multifactor authentication that ties to existing web analytics and contextual risk calculation to reduce the risk of false online identification and authentication fraud. | Navigating the PTS-approved device listings Presented by: Tim Cormier, Manager for Device Standards, PCI Security Standards Council Do you know how to determine whether a payment device is PCI approved? What is it approved to do? Or is that device already expired? Come to this session for a walkthrough and to learn how to read and navigate the PTS listing. This session is intended for merchants, vendors, and QSAs to who want to better understand PTS approvals. |
| 1:55 PM - 2:25 PM | Stealing a March: Get Ahead of Changes to Compliance and the Threat Landscape Presented by: Jacob Ansari, QSA (P2PE), PA-QSA (P2PE), CISSP, Director Schellman & Company, LLC In this session we will examine requirements that take effect in January 2018 and the impact on your compliance, particularly multi-factor authentication, but also managing control failures, and segmentation testing. Also, we review existing situations that commonly cause trouble, such as protecting SSL/TLS transmissions, disk encryption, and daily log review. | One-to-Many Compliance: Franchise Environment Case Study Presented by: Carlos Villalba, QSA, CISSP, Vice President, Terra Verde LLC A case study highlighting the successes and failures of establishing a security program that would lead the franchisee environment into compliance. Many franchisor/franchisee environments do not clearly delineate compliance ownership. In many instances the delineation is either blurry, non-existing or suffocated by the legal language. Ultimately, the franchise brand will be the most impacted in the event of a breach. In terms of financial liability and reputational loss. We collaborated with a franchisor/franchise ecosystems of 150+ members to pragmatically and operationally implement security controls and best practices that would collaterally facilitate PCI DSS compliance. |
| 2:35PM - 3:05 PM | Cryptography – Issues and Directions Presented by: Ralph Poore, Director, Emerging Standards, PCI Security Standards Council This session presents cryptography in the context of payments, advances in cryptanalysis, and the need for transition planning. It builds on basic concepts of effective key strength, symmetric and asymmetric algorithms, secure hashes, digital certificates, and good key management. Includes issues of algorithm sunsetting and impact of quantum computing. | Leveraging ISA’s: A Faster Approach to PCI Compliance Presented by: Tom Arnold, CISSP, ISSMP, CFS, PCI/PA QSA, PCI ASV, PCI PFI, Visa SA, GIAC-GCFE Gold, Vice President, Head of Digital Forensics, PSC and Stacy Hughes, CITP, CRISC, CGMA, PCI ISA, PCIP, CISM SVP of Risk and Compliance, Global Payments Global Payments and PSC will present a real-world case study on the benefits and approach for integrating PCI ISAs into a worldwide compliance program. The presentation includes: core issues and problems with worldwide compliance demonstration; strategic placement of PCI ISAs; ongoing training and communication; working on assessment requirements with the QSAs; benefits leveraged from assessments and ongoing maintenance of security and compliance; and overall governance of the program. |
| 3:15 PM - 3:45 PM | Proliferation of Point-to-Point Encryption - Panel Moderated by: Dan Fritsche, Vice President, Solution Architecture, Coalfire Joined by panelists: Bill Bolton, Vice-President of Information Technology, The HoneyBaked Ham Company and Ruston Miles , PCIP, CPP, Chief Strategy & Innovation Officer BlueFin An all industry panel regarding proliferation of point-to-point encryption. The purpose of the session is to share real life experience for validating and implementing P2PE solution with merchants, gateway and solutions providers. This will be all industry panel. The session will cover following: • Use Case of a listed P2PE partnership • Best Practices for P2PE • What is fueling the growth of listed solutions and why should merchants adopt them? • How does P2PE help a merchant to protect their environment? • What is the fine balance between operations, security, and compliance? • How can we leverage third party solution providers to protect merchant’s environment? | Simplifying Payment Security for Small Merchants Presented by: Jack Ady, PCI Product Manager, SecurityMetrics, Michael Christodoulides, Vice President Security and Fraud Product Team, Barclaycard, Jenna Hutt, Retail Technology Specialist, Rocky Mountain Chocolate Factory, and moderated by Lauren Holloway, Director of Standards Coordination, PCI Security Standards Council A panel of Small Merchant Business Task Force members: What we’ve created, how it’s being used, where we are. SMB Task Force members including an acquirer, a small merchant, and a QSA/ASV provide an update on the Task Force's initiatives, how it is helping small merchants, and how the PCI community can help. |
| 3:45 PM - 4:15 PM | Networking Break and Vendor Showcase | Sponsored by: |
| 4:15 PM- 4:45 PM | Cybercriminals Love Your Remote Access: A Hacking Remote Access Demonstration Presented by: Gary Glover, CISSP, QSA, PA-QSA, CISA, Vice President of Assessments, SecurityMetrics, Matt Halbleib, Principle Security Analyst at SecurityMetrics Is your remote access application secure? If not, you could be losing valuable data and not even know it. Unsecured remote access is still the biggest pathway for hackers to find and steal sensitive information. Organizations should understand how easily unprotected card data can be stolen through remote access if they don’t secure it. This presentation covers past remote access compromises, hacking methodology, live hacking examples, and tips to implement security practices to protect business data. | Session TBD |
| 4:55 PM - 5:25 PM | Technologies for Application Security and Compliance in the Era of DevOps and Cloud Co- Presenters: Joseph Feiman, Chief Innovation Officer, Veracode and Jake Marcinko, Standards Manager, PCI Security Standards Council This “AppSec Survival Guide" evaluates application threats and outlines decision frameworks and technology solutions for building secure applications and application security defenses against attacks by outsiders and insiders. Special attention is paid to the methods of securing applications when organizations adopt innovative Cloud and DevOps paradigms. This research helps organizations to align their application security strategy with evolving PCI security standards for applications. | Establishing a Secure Development Training Program Presented by: Paul Cotter, Senior Architect, West Monroe Partners A secure development training program is a requirement under the PCI DSS, yet organizations often do not maximize the value that it can provide. We’ll discuss how a well-established program can increase development efficiency, provide direct business value, and incite executive sponsorship for continuing and/or expanding investment in the organization’s security program. |
| 5:35 PM - 6:05 PM | Fixing Online Fraud - 3DSecure & In-Browser Payments Presented by: Andrew Jamieson, Technical Manager, Underwriters Laboratories and Emma Sutcliffe, Senior Director, Data Security Standards, PCI Security Standards Council This talk will outline how these new technologies work, how they may work together and indeed how they may compete in the changing landscape of online payments. Detail will be provided on how regulation such as PSD2 in Europe may impact the deployment of these technologies around the world, and what these changes may mean for the world of card present acceptance: When a customer can interface to a merchant webstore with a mobile phone that is also their payment mechanism, what is the purpose of the traditional POS? How do solutions such as QR codes interact and impact such technologies? What is 'advanced authentication', and how secure are technologies such as biometrics when applied to payments? | 'You Shall Not Pass!' Segmentation Done Right Presented by: Joseph Pierini, CISSP, GCIH, PCI: QSA, PA-QSA, PFI, ASV Vice President, PSC and Phyllis Woodruff, Vice President of Security Programs and Standards, Fiserv Segmentation isn't easy. There are many processes and systems that need access to the CDE and isolating the card data from the rest of the business can break critical business needs. Segmentation, when done right, can allow the business to continue without interruption while securing PAN data against unauthorized access. PSC has pen tested hundreds of segmentation designs and has seen some that work, some that might work and some that were a waste of money and resources. In this talk, we'll cover the common points of compromise to your network and review the most common segmentation design schemes to identify which ones are smoke and mirrors and which ones can stand up against direct assault. |
| 6:05 PM - 7:45 PM | Networking Reception and Vendor Showcase | Sponsored by: |
| Thursday, September 14 | ||
|---|---|---|
| 7:30 AM - 8:30 AM | Networking Breakfast and Vendor Showcase | Sponsored by: |
| 8:30 AM - 8:45 AM | Welcome Remarks Presented by: Jeremy King, International Director, PCI Security Standards | |
| 8:45 AM - 9:15 AM | Insights from PCI SSC Board of Advisors, a Panel Discussion Moderated by: Mike Matan, Vice President, Network Industry Engagement, Product and Marketing, American Express and PCI SSC Executive Committee Chairperson Joined by panelists: Todd Aument, Head of Data Security Governance, Square Inc., Dave Faoro, VP, Payment Security Officer, Verifone Inc and Stacy Hughes, SVP of Risk and Compliance, Global Payments | |
| 9:15 AM - 10:15 AM | Keynote: Rebuilding Security - Lessons Learned from Tragedy Presented by: Anthony Amore, Director of Security and Chief Investigator, Isabella Stewart Gardner Museum The biggest terrorist attack in the history was launched from Boston’s Logan International Airport, and the biggest property theft in the history of the world took place at the Isabella Stewart Gardner Museum, also in Boston. Anthony Amore has worked to rebuild the security at both facilities, and will talk about how an honest examination of both incidents was the key to correcting past failures and protecting them both from future attacks. | |
| 10:15 AM - 10:45 AM | Networking Break and Vendor Showcase | Sponsored by: |
| 10:45 AM- 11:15 AM | From Payment to Ransomware, via the Internet of Things Presented by: Ken Munro, Partner and Founder, Pen Test Partners LLP | |
| 11:15 AM - 11:45 AM | Mobile Security Update Presented by: Elizabeth Terry, Advanced Research Manager, PCI Security Standards Council and Michael Thompson, Standards Manager, PCI Security Standards Council PCI SSC will provide updates on the latest mobile security initiatives including Software-based Authentication on mobile POS and the latest updates to the Mobile Guidelines for Developers and Merchants. | |
| 11:45 AM - 12:15 PM | 2017 Cloud SIG update Presented by: John Markh, Security Standards Manager, Alan Gutierrez-Arana, Director, Risk Advisory Services, National Leader Payment Card Industry (PCI) Services, RSM US LLP, Christine Luong, Senior IT Risk Analyst, Risk Advisory & Assurance Services, Adobe and Balaji Rengamannar, B.E., MBA, PCIP, CISM, PCI QSA, PCI QIR, EMV Program Consultant, President/CEO of A1PlusSoft,Inc. Members of the Cloud SIG provide an overview of current SIG efforts to update and enhance the cloud guidance. | |
| 12:15 AM - 12:45 PM | Behind the Magic: The Inner Workings of the PCI Security Standards Council Presented by: Mauro Lance, Chief Operating Officer, PCI Security Standards | |
| 12:45 PM – 1:15 PM | Q&A with PCI Security Standards Council and Closing Remarks | |
| 1:15 PM - 4:15 PM | Assessor Lunch and Session | |
