PCI 2012 Agenda

2012 PCI DSS Workshop Agenda
Downtown Marriott, Indianapolis
April 23-25, 2012

Monday April 23

10:00 – 1:00

Conference Registration (Outside Indiana E)

Optional Session
9:30 – 11:00

Optional Session – PCI 101 for Higher Education (Indiana E)
This optional 90-minute session is for any attendee who is new to PCI or who wants a refresher on PCI together with a cup of coffee. We will cover the PCI ecosystem, cardholder data, merchant levels, SAQs, scanning, and other topics to ensure attendees get the most from the workshop.
Walt Conway, QSA, 403 Labs LLC, NACUBO’s PCI Council Representative

1:00 – 1:30

Welcome, Introductions, Workshop Overview (Indiana E)
Dennis Reedy, Co-Executive Director, The Treasury Institute for Higher Education and Managing Director Treasury Operations, Indiana University
Walt Conway, QSA, 403 Labs LLC, NACUBO’s PCI Council Representative, and workshop moderator

1:30 – 3:15

PCI Update, Tokenization, Point-to-Point Encryption (P2PE), and More
There is a lot new in PCI. We will review changes in version 2.0 and explore tokenization and P2PE, reviewing current guidelines for each technology and examining use cases where they may make sense for your campus. 
Walt Conway, QSA

3:15 – 3:30

Break

3:30 – 4:30

Briefing: e-Commerce Special Interest Group (SIG)
e-Commerce is one of only three SIGs for 2012. That SIG’s recommendations could impact every campus that outsources Web transactions.  Bring your ideas and suggestions to this briefing. 
Walt Conway, QSA (representing NACUBO on the e-Commerce SIG)

4:30 – 5:00

PCI in Higher Education: Survey Results
How does your school compare with your peers in terms of staffing, budgeting, and PCI compliance?  We will share the results of the online survey of all attendees.  You did complete your online survey, right!?!
Walt Conway, QSA

5:00 – 6:30

The 90-Minute Networking Hour (Indiana F-G)
Our discussions of PCI and your compliance journey will continue informally. We created a special 90-minute hour so you can join colleagues and our sponsors in a relaxed atmosphere to share experiences, renew old friendships, and make a few new ones. Refreshments will be provided.
Attendees are on their own to enjoy the many restaurants, attractions, and entertainment opportunities nearby in downtown Indianapolis. 


Tuesday April 24

8:00 – 9:00

Continental Breakfast (Indiana E) 

9:00 – 10:00

Managing Your Slice of the PCI Pie
PCI compliance is more manageable with centralized control and implementation of best-practice recommendations.  This session will discuss how UCLA changed legacy campus-wide credit card practices into more standardized processes with documented requirements to minimize PCI risk and ensure compliance.  Additionally, much of the PCI validation for the 200+ MIDs has gone “green,” making it easier to manage and document. 
Marsha Lovell, Director Student Financial Services, UCLA

10:00 – 10:15

Networking Break

10:15 – 11:00

The Evolution of Notre Dame’s PCI Environment
Notre Dame began its PCI efforts in 2006 with five major payment applications hosted on campus and running on our general campus network. Over the last several years we focused on reducing risk and increasing security. We outsourced most applications, utilized tokenization and P2P encryption, isolated our cardholder data network, implemented secure payment workstations, and implemented management tools. The overall result is improved compliance and increased security with lower overhead.
Robert Winding, Lead Architecture Professional
Ryan Palmer, IT Compliance Program Manager, University of Notre Dame

11:00 – 12:00

(Security Topic TBD)
Mike Dahn is an internationally recognized security expert who has been involved in PCI DSS since its first days.  Bring your questions! 
Michael Dahn, PriceWaterhouseCoopers  

12:00 – 1:30

Lunch (Provided for all Attendees, Indiana F-G)

1:30 – 2:15

Going Beyond PCI
Harvard first validated PCI compliance in 2005. We validated over a hundred merchants individually. In 2006 we undertook an effort to create a robust compliance program that standardized the approach across the University. The program goes beyond just meeting the requirements of the PCI Data Security Standard. Learn what we did, why we did it and how that affected merchant behavior.
Gene Madden, eCommerce Analyst, Harvard University

2:15 – 3:15

iPads and iPhones and Squares, Oh My! 
Smart Mobile Devices: PCI Compliant or Not?

Smart phones, tablets and iPads are mainstream, and campus merchants want to use these technologies for financial transactions.   This interactive session will examine how various smart phone and tablet technologies, together with third-party software, process card transactions, and how well they measure up to PCI.  This is an interactive session, so please come prepared to discuss:

  • What is your institution’s policy? 
  • What technologies have you approved and/or implemented?
  • If you do not permit mobile devices, are you researching them?

Theresa Semmons, Chief Information Technology Security Officer, North Dakota State University

3:15 – 3:30

Networking Break

3:30 – 4:15

PCI Compliance, Dedicated Payment Workstations, and Creative Funding
Bolting down NIU’s network infrastructure to become PCI compliant was a daunting task. Using thin clients, we defined, designed and implemented dedicated, single-purpose workstations. Another key to our PCI compliance program is merchant services oversight and funding.
Tammie Farley, Director of Treasury Operations
Fred Williams, Infrastructure Architect, Northern Illinois University

4:15 – 5:00

Food for Thought:  Dining Services, Micros, and PCI
Does your institution operate its own Dining Services department?  If so, do they likely use a POS system such as Micros? This session will cover the PCI challenges and frustrations UK faced with its Dining Services operation – with locations across campus – and Micros.
Kevin Sisler, Merchant Card Services Director, University of Kentucky

5:00 – 6:30

The 90-Minute Networking Hour II (Indiana F-G)
Join your colleagues and our sponsors in a relaxed atmosphere to share information, renew old friendships, and make a few new ones.  Refreshments will be provided.


Wednesday April 25

8:00 – 9:00

Continental Breakfast – (Indiana E)
Avoid the rush, and check out of the hotel early.  Bring your bags with you to our meeting room. 

9:00 – 10:00

Special Keynote: PCI Council Developments and Directions
Learn first-hand about the PCI Council developments, training programs, Special Interest Groups, and other PCI-related initiatives.  Be sure and bring your questions for Bob.  
Bob Russo, Executive Director, PCI Security Standards Council

10:00 – 10:15

Networking Break and a second chance to run to the front desk and checkout!

10:15 – 12:00

Expert Panel Q&A
Bring your questions for the PCI compliance experts from leading acquirers working with Higher Ed institutions nationwide.  This session has been a highlight of each of our past workshops. 
TBD

12:00 – 1:30

Lunch (Provided for all Attendees, Indiana F-G)
Our sponsors and all non-school attendees are free to depart after lunch. 

1:30 – 3:30

Information Sharing (Higher Ed Institutions only)
This is your time.  We will launch into our usual, freewheeling and extremely interactive information-sharing session with only one rule: nothing confidential leaves the room.  Topics will include your experiences with campus merchants, consultants, QSAs, acquirers and processors, and security breaches.  This is the opportunity to ask questions of your peers.  It is also the time to learn from and share experiences, lessons learned, frustrations, and victories with your peers at other institutions.  No PCI question or topic is off-limits in this spirited and informative exchange. 

3:30

Workshop Concludes