| Tuesday, 29 September | ||
|---|---|---|
7:30 - 20:30 | Registration Open | |
13:00 - 13:15 | Welcome Remarks | |
13:15 - 15:00 | Understanding the Threat Landscape: Securing the Payment Ecosystem It’s been a busy year for the Council and for securing payments. Attend this two part session to hear the latest updates and initiatives on the following:
| |
15:00 - 15:30 | Networking Break | Sponsored by: |
15:30 - 17:30 | Understanding the Threat Landscape: Securing the Payment Ecosystem It’s been a busy year for the Council and for securing payments. Attend this two part session to hear the latest updates and initiatives on the following:
| |
18:00 - 19:30 | Welcome Reception | Sponsored by: |
Agenda
Wednesday, 30 September | ||
|---|---|---|
7:30 – 18:30 | Registration Open | |
7:30 - 9:00 | Networking Breakfast and Vendor Showcase | Sponsored by: |
Payment Brand and Council Office Hours | ||
9:00 - 10:30 | Insights from the Council: Why More Collaboration is Key for Stronger Payment Security | |
10:30 - 11:00 | Networking Break and Vendor Showcase | Sponsored by: |
Payment Brand and Council Office Hours | ||
11:00 - 12:00 | The Flight Plan to Navigating Risk: What the Payments Industry Can Learn from Health Care and Aviation | |
12:00 - 13:00 | Networking Lunch and Vendor Showcase | Sponsored by: |
12:00 - 18:30 | Payment Brand and Council Office Hours | |
13:00 - 17:00 | Breakout Sessions | |
Track One | Track Two |
|
13:00 - 13:50 | Discover the Critical Link Between PCI DSS Compliance and Real-World Security | Overview Point-to-Point Encryption Version 2: What You Need to Know |
14:00 - 14:50 | Fifty Shades of “In Scope” -- Dealing with “Near Scope” Assets. Mr. Grey Will See You Now Presented by: Shawn Lukaschuk, Security & Compliance Specialist, IPS How are the scope and reach of controls commonly misinterpreted? The root cause of common scoping mistakes will be explored, and tips for moving an organization beyond “store, process or transmit” will be addressed. This presentation will also introduce a risk-based approach to identify scope issues and define the different “shades of scope.” This approach considers the following: • The scope’s relation to network architecture and controls • Vertical, horizontal and “effective” segmentation • The role of risk assessment and documentation | Mitigating the Data Breach Threat While Enforcing PCI DSS Compliance Presented by: Christopher Strand, Senior Director of Compliance and Governance, Bit9 + Carbon Black To address the increasingly sophisticated types of attacks on cardholder data environments, security teams must shift from merely checking the appropriate boxes to taking a “business-as-usual” approach to security. This session will address how to take such a continuous approach and will focus on three key aspects that security professionals should ensure are part of their overall framework: Application Control; Change Control and Policy Enforcement. |
14:50 - 15:10 | Networking Break and Vendor Showcase | Sponsored by: |
Track One | Track Two |
|
15:10 - 16:00 | No More Credit Card Breach Risk -- How Caesars Implemented Point-to-Point Encryption (P2PE) Presented by: Jeffrey Sanchez, Managing Director, Protiviti, and William Worthington, VP-IT Security, Caesars Corporation Discover how Caesars Entertainment implemented a extremely large and complex P2PE environments, encompassing dozens of different payment applications, e-commerce channels and call centers. | Requirements -1, 0, 13 and 14: The Big Picture of PCI DSS Compliance Presented by: Lynda Daniluk, PCI Coordinator, City of Calgary , Robert MacKinnon, PCI Compliance Manager, TD Merchant Services and Thomas Siry, Security & Compliance Specialist, IPS Becoming PCI DSS-compliant is a journey. Maintaining compliance and deriving value from it creates a legacy. The spiritual PCI DSS requirements --1, 0, 13 and 14 -- complement the existing 12 requirements to create the big picture of PCI DSS compliance. Attend this session to hear practical experience from more than 10 Canadian organizations on how the additional four requirements will assist organizations of any size to meet, maintain and mature PCI DSS compliance. |
16:10 - 17:00 | The Evolution of Transaction Security - EMV Chip, Mobile and Beyond Presented by: Brian Byrne, Director of Operations, EMVCo; Troy Leach, CTO, PCI Security Standards Council and John Thomson, Director, Compliance and Regulations, Interac Association Moderated by: Laura Johnson , Director of Communications, PCI Security Standards Council Join experts from EMVCo, Interac and the PCI Security Standards Council as they discuss the adoption of EMV in Canada and lessons learned for the rest of North America, as well as what is ahead for next generation technology such as EMV Payment Tokens, 3-D Secure v2.0 and more. | Managing PCI Compliance in an Outsourced World: Challenges, Opportunities and Risks Presented by: Adriana Gliga-Belavic, Director, Cybersecurity and Privacy, PCI Practice Lead, PricewaterhouseCoopers and Penelope Santana, Cybersecurity Consulting Manager, STIGroup, Ltd. This presentation will focus on the evolving challenges and risks that merchants experience while outsourcing payment related services or IT environments. All merchants must remain accountable for protecting credit card information to maintain PCI Compliance. Reaching out to vendors to initiate the process may seem overwhelming, but establishing a methodology and framework to work from will help keep track of your risk exposure and establish a formidable risk management program. |
17:00 - 18:30 | Networking Reception and Vendor Showcase | Sponsored by: |
Thursday, 1 October | ||
|---|---|---|
7:30 - 13:00 | Registration Open | |
7:30 - 13:00 | Payment Brand and Council Office Hours | |
7:30 - 9:00 | Networking Breakfast and Vendor Showcase | Sponsored by: |
9:00 - 9:05 | Day Three Welcome Remarks | |
9:05 - 10:00 | Krebs on Security - An Examination of the Current Headlines Up to date on the latest blog post? Attend this session to hear from the infamous blogger on the latest headlines and what this means to you when securing data. | |
10:00 - 10:15 | Networking Break and Vendor Showcase | Sponsored by: |
10:15 - 12:00 | Community Update Moderated by: Troy Leach, CTO, PCI Security Standards Council Special Interest Group Update: Daily Log Monitoring Moderated by: Elizabeth Terry, Advanced Research Manager, PCI Security Standards Council Presented by: John N. Harmon, Director of PCI and EI3PA, Sword & Shield Enterprises Security and Jake Marcinko, Standards Manager, PCI Security Standards Council Attend to hear an update from the Daily Log Monitoring Special Interest Group. “Hide and Seek” - Where is the Card Holder Data (CHD)? Presented by: Howard Glavin, Senior Vice President, K3DES LLC This session will outline how approaching PCI from a pure technical position will lead to unfound data. Myths and Realities of PCI Compliance in the Cloud Presented by: Eric Naiburg, Director of Marketing, INetU PCI compliance takes on many facets when applications are hosted in the cloud. Responsibilities grow beyond a “four walls” as does the complexity of ensuring compliance. With control spread across different parties, risk increases, as does the ability to manage it. In this session we will leverage real company examples to discuss how moving to the cloud can actually reduce your risk, instead of adding to it. The examples will provide details on the precautions to take in the cloud. The Future of Securing Virtual Payments Presented by: Dan Fritsche, Managing Director, Application Security, Coalfire The economics of the cloud are compelling and can't be denied. However, organizations need to make sure they get the security right. Many organizations are looking to virtualize their IT environment but are concerned about how virtualization will impact their security and compliance. PCI DSS is one of the most challenging and specific set of standards established to date. IT leaders need clear guidance for how to achieve and maintain PCI compliance in virtual environments. This session will address how to improve efficiency of compliance efforts in virtual environments, what the PCI guidance is for data-at-rest security controls in the areas of encryption, key management, logging and access controls and the unique challenges with managing all security requirements in virtual environments. Canadian Media Giant De-scopes for Long-term Compliance and Security Presented by: Tim Critchley, CEO, Semafone This session will present a project case study on how long-term security and PCI compliance were achieved for a very large system-rich organization. Attendees will hear how a business can address the myriad security challenges that come from accepting payments from a multitude of channels including online, by telephone and in stores. |
|
12:00 - 13:00 | Networking Lunch and Vendor Showcase | Sponsored by: |
13:00 - 15:30 | Community Update (continued) Moderated by: Troy Leach, CTO, PCI Security Standards Council Special Interest Group Update: Shared Responsibilities Moderated by: Elizabeth Terry, Advanced Research Manager, PCI Security Standards Council Presented by: Issa Bazsa-Ecker, PCI Compliance Manager, Philips International B.V. and Michael Thompson, Standards Manager, PCI Security Standards Council Attend to hear an update from the Shared Responsibility Special Interest Group. Improve Your Security Posture Through Ongoing PCI Compliance Presented by: Richard Daw, CEO, Clone Systems The FBI classifies companies into two types: those who know they’ve been hacked and those who don’t know. Companies may be in compliance, but can still get hacked. So how can companies ensure that they’re in compliance and also that their data is secure? This session will discuss using managed security services and will detail how security and compliance need to be part of a holistic security strategy. By treating PCI as part of the security strategy, companies can improve their security postures overall. Passwords and Equivalent Strength -- The Loophole in the PCI DSS Presented by: Hoyt L Kesterson II, Senior Security Architect, Terra Verde Can we make passwords stronger yet easier to remember than those typically created to comply with the DSS requirements? If we do so, how do we convince the QSA that our alternative method complies? Attend to hear how to answer these questions. Do My Security Controls Achieve the Spirit of Wireless PCI DSS Compliance? Presented by: Kevin McCauley, Director of Retail Market Development, AirTight Networks This session will look at what it takes to arrive at true wireless security, focusing on three key elements that affect achieving the spirit of wireless PCI DSS compliance: technology, human behavior and regulation. Wi-Fi technology is changing fast, with the latest hacks, the Internet of Things and the new 802.11ac standard. Combine this with human factors and you get a perfect storm of uncertainty. In this session, you'll hear reports from the trenches, translated into best practices to prevent wireless vulnerabilities. Comprehensive Dataflow Diagrams: Engaging the Business Presented by: Stacy Hughes, VP, IT Governance, Risk and Compliance, Global Payments, and Kevin Simmonds, Director, PricewaterhouseCoopers Global Payments and PwC will present successful practices for designing and implementing an initial and ongoing process to meet the PCI DSS requirement 1.1.3 – Cardholder data flow diagram. The topics for this presentation will include discussions on 1) Methodology, 2) Bottoms-Up/Top-Down/Outside-In Approach, 3) Data Flow/Application Identification, 4) Infrastructure Identification, 5) Required People, Process, Technology, and 6) Governance and Sustainability. Building Returns from PCI DSS Effort: Gaining Both Security and Compliance Presented by: Tom Evans, CSO, Cognia Cloud In this session, you will learn how Cognia Cloud’s investment in PCI DSS compliance leveraged itself to build a strong InfoSec culture and served as a springboard to developing operational cyber security across the whole enterprise. How Blockchain Technology Offers Improvements to Payment Security Presented by: Ashok Misra, Founder, Alina Consultants In this session, hear an introduction to cryptocurrencies along with an overview about Bitcoin's technical building blocks. This session will also address the precise security advantages with crypto currency and how pain points with traditional payments can be addressed as well as an explanation of a prototype for a credit card payment system built on blockchain technology. |
|
Closing Remarks | ||
Community Meeting concludes. | ||
