2019 PCI DSS Workshop Agenda
Tampa Marriott Waterside Hotel | Tampa, FL
May 5 - May 8, 2019


Sunday May 5, 2019

2:00 – 5:00 pm Exhibitor Setup

4:00 – 6:00 pm Early Registration

5:00 − 6:30 pm Welcome Reception and Exhibits

Those who arrive early can mingle, meet friends old and new, share challenges and triumphs, plan questions, explore the exhibit tables and generally get ready for the workshop.

Monday May 6, 2019

7:00 am − 5:00 pm Registration

7:00 − 8:00 am Breakfast

General Sessions

8:00 − 8:30 am Opening Remarks and Pre-conference Survey Results

PCI DSS Workshop Co-Chairs: Ruth Harpool, AAP, APRP, CTP and Ron King

8:30 − 9:00 am PCI Workshop Orientation

PCI DSS Workshop Planning Committee Members: Robbyn Lennon, M.Ed., Senior Program Coordinator, University of Arizona; Kevin Sisler, CTP, Director of Treasury Services, University of Kentucky; and Linda Wilson, Director, Finance Systems & Services, Gonzaga University

This session is for everyone, regardless of whether you are new to PCI, new to the PCI Workshop, a seasoned professional, a longtime attendee, or somewhere in the middle. Learn some helpful workshop tricks, make connections, and build a network of PCI colleagues you can rely on. Open to all!

Concurrent Sessions

9:00 – 10:00 am PCI DSS Refresh

Jon Allen, CISSP, Chief Information Security Officer & Interim CIO, Baylor University and Ron King, PCI DSS Workshop Co-Chair, Treasury Institute

Need a PCI Data Security Standards pick-me-up? Then plan to attend this session. The speakers will provide a refresh of the current Payment Card Industry Data Security Standards, an update on current hot topics, and a discussion of recent or expected guidance documents.

9:00 – 10:00 am QSA/ISA/PCIP: Which is Right for You?

Robbyn Lennon, M.Ed., Senior Program Coordinator, University of Arizona; Kevin Sisler, CTP, Director of Treasury Services, University of Kentucky; and Peter Campbell, CISA, CISSP, QSA, Security Advisor, CampusGuard

Enterprise compliance can be a burden to manage, which is where a PCI ISA and PCIP can be helpful. Mastercard provides an option for Level 2 merchant organizations to have their own ISA perform their assessment and complete the SAQ function. But is that the only occasion for having an ISA? When is a QSA called for? And what about having your staff PCIP qualified? And how about a hybrid ISA/PCIP/QSA model to facilitate your compliance with the PCI DSS? This presentation will explore the issues and benefits for each model.

10:00 − 10:30 am Morning Refreshment Break, Exhibits, and Networking

General Sessions

10:30 am − 12:00 pm PCI’s Evolving Approach to Address NextGen Threats

Troy Leach, CISSP, CISA, Chief Technology Officer, PCI Security Standards Council

Advancements in technology have provided both new opportunities and new challenges for securing payment data. In this talk, we will discuss recent threats and how the tactics for payment security are shifting as a result, as well as how these changes provide insight for future PCI standards and programs, such as the next version of the PCI Data Security Standard (DSS). Additionally, this talk will share examples of PCI metrics to demonstrate that effective security has been adopted and is likely making the organization more efficient in the process.

12:00 − 1:00 pm Networking Lunch

Concurrent Sessions

1:00 − 2:00 pm Point to Point Encryption in Higher Ed: What It Can Mean for Your PCI Scope

Linda Wilson, Director, Finance Systems & Services, Gonzaga University and Mike Sullivan, Vice President, Cashnet Sales, Cashnet

This presentation will describe how PCI-validated P2PE encryption differs from end-to-end solutions that instantaneously convert confidential credit card data and information into indecipherable code at the time the card is swiped, dipped or keyed to prevent fraud. We will also discuss the fact that the PCI SSC does not approve scope reduction for non-validated and E2EE solutions and that these solutions do not qualify for the SAQ P2PE. Attend this session to learn how a validated P2PE solution can impact mobile applications, reduce PCI scope, and provide cost savings.

1:00 − 2:00 pm Mobile Payments Revisited

Preston DuBose, ISA, E-Commerce & Payment Security Manager, Texas A&M University

Implemented properly, mobile payment acceptance can be a lifesaver for merchants on the move. This presentation reviews the range of options for untethered payments—from handheld, purpose-built card readers to smart-devices using P2PE. Attendees will learn about the technology behind mobile payment devices, PCI validation pitfalls, and considerations when shopping for mobile solutions. This session revisits the same topic presented in 2018 but updated with market changes from the past 12 months.

2:00 − 2:30 pm Afternoon Refreshment Break, Exhibits, and Networking

Concurrent Sessions

2:30 − 3:30 pm How the University of Florida Became PCI Compliant in 1 year.... The 4 Year Story

David Huelsman, Information Security Architect, University of Florida and Eric DeLaet, PCIP, Payment Card Assistant, University of Florida

In 2015, the University of Florida had our new QSA conduct an onsite gap assessment against the new PCI standard (PCI 3.0). Over the next couple of years, UF evaluated several remediation plans. In early 2018 there was a renewed initiative at the high levels to achieve PCI compliance by the end of the calendar year. Throughout the year major strides were made, including replacing all our terminals with P2PE-validated devices and migrating all ecommerce web services to a cloud services provider. These presenters will highlight some of UF's remediation plans, outline successes and failures, and share how they migrated their ecommerce to a cloud platform.

2:30 − 3:30 pm Sustaining a PCI Environment

Kim Stringham, Systems Analyst, Texas State University

Once you achieve PCI compliance on your campus, how do you make sure you remain in compliance? While policies, procedures, and continual education can ensure your campus remains compliant, sometimes it is necessary to evolve your PCI program to tackle all the new (and sometimes horrible) payment technology that departments and vendors want to bring on to your campus. Hear real-life stories of risk assessment and teamwork that help to vet the surprises that will inevitably come your way as you try to sustain your PCI environment.

3:30 − 3:45 pm Transition to General Session

General Sessions

3:45 − 5:00 pm PCI DSS Lightning Round

PCI DSS Workshop Planning Committee

This session will cover multiple PCI topics submitted by attendees via the event app, which will be addressed by a volunteer collection of session speakers and the PCI Workshop planning committee.

5:30 – 7:00 pm Networking Reception and Exhibits

Tuesday May 7, 2019

7:00 am − 5:00 pm Registration

7:00 − 8:00 am Breakfast

General Sessions

8:00 − 8:15 am Opening Remarks

PCI DSS Workshop Co-Chairs: Ruth Harpool, AAP, APRP, CTP, and Ron King

8:15 − 9:30 am Verizon Payment Security Report: What Breached and Non-Breached Companies Are Doing Differently

Rodolphe Simonetti, CISSP, CISM, PCI QSA, Managing Director, Verizon Enterprise Solutions

Have you heard of the Verizon Data Breach report? Then you don't want to miss this session. Topic: Recent Trends in the PCI world as well as what breached and non-breached companies are doing differently.

9:30 − 10:00 am Morning Refreshment Break, Exhibits, and Networking

Concurrent Sessions

10:00 − 11:00 am Building a Vendor Risk Management Program

Thierry Lechler, PCIP, Information Security Professional III, University of Central Florida; Ross Cooper, ITILF, Information Security Professional III, University of Central Florida; and Kevin Doar, CIA, CISA, ISA, PCIP, Director, Office of Merchant Services, University of Washington

Do you have a vendor risk management program? How do you classify risk? When do you need to do a follow-up review on an already approved vendor? What internal resources should be engaged? How do you build a program? Attend this session to hear from two schools as to how they approach vendor risk management and the steps they take to ensure the vendors and the university remain both compliant and secure.

10:00 − 11:00 am Your Website is Compliant, but is It Secure?

Corey Graves, Compliance Analyst, University of Minnesota and Jefferson Hopkins, CISA, CISSP, Security Advisor, CampusGuard

Most universities recognize the value of reducing their scope by using third-parties, but can they rest easy just knowing they're compliant? This session will examine the security of web transactions when using a third-party to accept payment card data. It will explore the relationship between meeting the requirements of being compliant versus the need for security.

11:00 − 11:15 am Transition to Concurrent Sessions

11:15 am − 12:15 pm Lessons Learned from our PCI Incident Response Tabletop Exercise

Tim Bradish, CISSP, ISA, Assistant Director, Security Operations & Incident Response, Cornell University and Kevin Mooney, CTP, Assistant Director of Cash Management, Cornell University

Don't reinvent the wheel... learn from Cornell. Attend this session to hear the lessons that Cornell learned following their last PCI incident response tabletop exercise. The tabletop was developed and executed with the help of CampusGuard. Hear the value of having your QSA facilitate the exercise, learn about the logistics and the execution of the exercise, know what players to have at the table, hear some of the scenarios tested, and leave with an understanding of lessons learned.

11:15 am − 12:15 pm Follow the Money

Jon Bonham, QSA, CISA, Principal, Coalfire Systems Inc.

In the world of universities and colleges it is easy to focus on the big picture, the large transaction areas, high profile areas. Most major universities have over a hundred merchant IDs and some of those fringe areas have little exposure to the people that oversee Compliance or information security. This talk will take a stroll around a campus and look at how to evaluate the risks beyond the technology and beyond the everyday transactions that have been locked down and secured for years. Fixing the problems is easy. Finding the problems is hard.

General Sessions

12:15 − 1:15 pm Networking Lunch

1:15 − 2:15 pm Think Passwords are Enough? Live Hack and Password Crack Shows Why Multi-Factor Authentication is Crucial

Jennifer Stone, MSCIS, CISSP, QSA, CISA, SecurityMetrics, Inc.

Attendees will watch a step-by-step ethical hack to see passwords cracked in 3 minutes or less. To drive home the importance of 2-factor authentication in payment security, the speakers will demonstrate how they can quickly run a remote attack to 'own' a desktop. The takeaways include the fact that passwords alone are not enough to protect data. Attend this session to see firsthand the attacks that threaten the security around the use of passwords and how to mitigate those threats.

2:15 − 2:45 pm Afternoon Refreshment Break, Exhibits, and Networking

Concurrent Sessions

2:45 − 3:45 pm The Evolution of PCI-Validated P2PE and Payment Security across the Higher Ed Campus

Eldred F. Garcia, PCIP, VP Security Solutions, Bluefin

This session will explore what has changed with PCI P2PE in 5 years. Hear how the evolution of the technology changed from a stand-alone solution to a network of providers, learn of the vendors that offer validated solutions and the types of solutions available, and the costs and benefits of PCI P2PE. The speaker will share specific examples from universities that have deployed P2PE.

2:45 − 3:45 pm Unified Campus Commerce

Ethan Solomon, Vice President, Sales and Business Development, Adyen and Rhys Coles, Merchant Data Security Engineer, Adyen

This session will illustrate the possibilities of blurring the lines between various channels on a college campus by implementing a unified payments technology across the campus estate. Unifying your payments stack across channels allows you to gain a single view of your student, gaining a better understanding of their purchasing behavior across campus. This equips universities with agility and the ability to focus in more deeply on the campus life experience for students leading to strategies related to creating a more convenient and seamless one. The byproduct of reducing your payment systems campus wide with a unified platform can help to reduce the burden of PCI. We will explore what this means in terms of what your PCI obligations are with fewer systems in place. We will provide examples of how large, complex, multichannel retailers have overcome similar PCI challenges by consolidating systems and the benefits it has brought in gaining additional insight into the behavior of their shoppers.

3:45 − 4:00 pm Transition to Concurrent Sessions

4:00 − 5:00 pm HECVAT Update

Jon Allen, CISSP, Chief Information Security Officer & Interim CIO, Baylor University

What is the Higher Education Cloud Vendor Assessment Tool (HECVAT) and how can it help your school vet third-parties? What changes have happened with the HECVAT over the past year and what are the future plans? Never heard of HECVAT, don't know how to access the free tool? Don't miss this session!

4:00 − 5:00 pm Cyber Criminals, Compliance and Payment Security in Higher Education

Ruth Harpool, AAP, APRP, CTP, Managing Director, Treasury Operations, Indiana University and Ben Focht, Manager, Cyber Security Team, Nelnet Campus Commerce

Merchant data is continually under attack. But how? What makes them vulnerable? This session discusses how easily unprotected payment card data can be stolen. We will explore compromises, hacking methodology, and actionable ideas to help you get buy-in from your campus to prioritize your security and compliance efforts.

Wednesday, May 8, 2019

7:00 − 11:30 am Registration

7:00 − 8:00 am Breakfast

General Sessions

8:00 − 9:00 am Compliance vs Security: Is It Possible to Have One Without the Other?

Jason Gray, CISSP, Chief Information Officer, U.S. Department of Education; Michael Johnson, CISSP, ISA, Executive Director, J.P. Morgan Chase Cybersecurity; Matt Leman, Executive Director, J.P. Morgan; and Dana Hwu, Associate, J.P. Morgan

This session will focus on the unique struggles of setting security standards and maintaining compliance from the perspective of the federal government and banking industries.  Panelists will discuss these challenges and offer perspectives that are transferrable to the higher education space, specifically regarding PCI compliance. Attendees will hear thoughts on governance and important points to consider from the U.S. Department of Education as well as from J.P. Morgan’s PCI lead about how universities can collaborate with processing partners to enhance these critical focus areas.

9:00 − 10:15 am Protecting Your Organization from Business Email Compromise

Andrew Sekela, Supervisory Special Agent, FBI

According to the FBI's Internet Crime Complaint Center, Business Email Compromise (BEC) is the #1 internet crime in terms of victim losses. In 2017 alone, victims reported actual losses of over $676 million related to BEC schemes. It is anticipated the losses in 2018 will be even higher. SSA Sekela will define BEC, give a brief explanation of how the scheme works, offer suggestions on how to protect yourself from becoming a victim of this scam, and provide instructions on what to do if you or your organization loses money due to a BEC scheme.

10:15 – 11:15 am Alternative Payments

Kevin Mooney, CTP, Assistant Director of Cash Management, Cornell University and Glenn Morgan, CISSP, CISA, ITIL, PCI-ISA, CCSP, CRISC, Information Security Analyst, University of North Carolina, Chapel Hill

This session will provide an overview of the alternative payments landscape, with an emphasis on virtual wallet and eCommerce solutions such as ApplePay, GooglePay, PayPal and Venmo. Representatives from the University of North Carolina and Cornell University will discuss case studies at their respective campuses, including UNC’s implementation of NFC P2PE devices and Cornell’s PayPal parent/child program.

11:15 − 11:30 am Wrap up, Last Chance Questions, and Forward Looking to 2020

PCI DSS Workshop Co-Chairs: Ruth Harpool, AAP, APRP, CTP, and Ron King

11:30 am Symposium 2019 Concludes

Recertification Credits:

If you plan to claim CTP, CCM, FP&A or CPE credits, you are responsible for reporting your professional credits. Qualifying sessions of the PCI DSS Workshop 2019 are pre-approved for CTP, CCM & FP&A recertification credits by the Association of Financial Professionals (AFP). The PCI DSS Workshop 2019 is approved for up to 18.3 CTP recertification credits and 17.1 FP&A recertification credits at the rate of one credit for each 50 minutes of attendance of a qualifying session.

Treasury Institute conferences and workshops are not pre-approved for CPE credits. Attendees are emailed a certificate of attendance they can use if they choose to apply for CPE Credits. Approval for CPE credits is at the discretion of the provider.