2018 PCI DSS Workshop Agenda
Hilton Austin | Austin, TX
May 6 - May 9, 2018

The Agenda is subject to change.

Sunday May 6, 2018                                             

2:00 pm - 5:00 pm         Exhibitor Setup

4:00 pm - 6:00 pm         Registration

6:00 pm - 7:30 pm         Welcome Reception

Those who arrive early can mingle, meet friends old and new, share challenges and triumphs, plan questions, and generally get ready for the workshop.

Monday May 7, 2018

9:00 am – 5:00 pm         Registration

10:00 am – 10:10 am      Welcome and Opening Remarks

10:15 am – 10:45 am      PCI Workshop Orientation

PCI Workshop Planning Committee Members: Robby Lennon, University of Arizona; Kevin Sisler, MBA, CTP; University of Kentucky; Gene Willacker, PCI ISA, PCIP, Michigan State University; and Linda Wilson, University of Gonzaga
If you are new to the PCI Workshop, have not been in a few years, or just want to start your networking as early as possible then this session may be for you. Learn some helpful tips and tricks from this year’s Workshop planners for making the most out of your 2018 PCI Workshop experience. Open to all.

10:15 am – 10:45 am      What the HECVAT?

PCI Workshop Planning Committee Member: Jon Allen, CISSP, EnCE, Assistant Vice President & Chief Information Security Officer, Baylor University
What is the Higher Education Cloud Vendor Assessment Tool (HECVAT)? This session will explain how it got started, how the HECVAT is used, and what opportunities it offers now and may present for the future.

10:50 am – 12:00 pm      PCI DSS Refresh

Ron King, PCI Workshop Co-Chair, Treasury Institute, and Jon Allen, CISSP, EnCE, Assistant Vice President & Chief Information Security Officer, Baylor University
Need a PCI Data Security Standards pick-me-up? Then plan to attend this session. The speakers will provide a refresh of the current Payment Card Industry Data Security Standards, an update on current hot topics, and a discussion of recent or expected guidance documents.

12:00 pm – 1:00 pm      Lunch & Exhibits

1:00 pm – 2:30 pm         Payment Card Industry Payment Security Standards Council

Marc Bayerkohler, PCI SSC Standards Trainer, PCI Security Standards Council
The payment landscape is changing rapidly. Advances in inter-connectivity, encryption attacks, and Agile development create challenges to protecting payments in traditional ways. PCI SSC recognizes these opportunities, and addresses them through a number of initiatives covering topics such as better authentication, better software design, and third party accountability. Recent PCI updates address this, as well as education and using technology to simplify compliance.

2:30 pm – 3:00 pm      Networking Break & Exhibits

3:00 pm – 4:00 pm      Should an ISA Accreditation Be in Your Future

Jefferson Hopkins, CISA, CISSP, PCI ISA, IT Security Risk Analyst, Purdue University; Gene Willacker, ISA, Information Security Analyst, Michigan State University; and Kurt Osburn, PCI QSA, CISA, CRISC, ISO 27001 LI, HITRUST, Control Scan
Increasingly, educational institutions have been considering training and using in-house staff as an Internal Security Assessor. ISAs can provide valuable guidance for PCI compliance but come at a cost to the organization. The moderator will question the panel about relevant issues that should be addressed when an institution is considering an ISA.

3:00 pm – 4:00 pm     Table Top Exercises: Things to Know

Tom Horton, ISA, Assistant Director for Identity Management and Security Engineering, Cornell University, and Ed Ko, CISSP, QSA, Manager Information Security Services, Campus Guard
A discussion on tabletop exercises and the benefits they can share. Cornell recently went through a table top exercise with their QSA. Attend this sessions to hear their experiences.

4:00 pm – 4:15 pm     Meeting Room Transition

4:15 pm – 5:15 pm     Why You Don't Need to be PCI Compliant

Eric DeLaet, PCIP, Payment Card Assistant, University of Florida
A provocative look on the role of PCI compliance from the viewpoint that you don’t need to be compliant.  Between the costs, effort and probability of a breach occurring, the argument can be made that you don’t need to be compliant. This presentation has been prepared to address each of those rationalizations.

4:15 pm – 5:15 pm     VoIP Phone Systems and the PCI DSS

Pat Buckley, Credit Card Coordinator, University of California Berkeley and Joe Tinucci, CISSP, QSA, Senior Director Payments Team, Coalfire
Telephone systems are conduits through which businesses and consumers conduct their commerce; obviously required for all telephone-related payments. Did you know that Voice over IP (VoIP) telephony systems are in scope for PCI DSS? This session will review the concepts and vocabulary that you will need to speak intelligently with your Telecom department about VoIP and security, as well as point you toward solutions for securing your merchants’ VoIP systems. UC Berkeley will discuss their experience creating a secure design for their VoIP system that not only secured their system but met the needs for PCI DSS compliance. We will cover the thinking and processes that led to the campus seeking assistance in creating a secure VoIP architecture. Join us for a discussion of this hot compliance topic.

5:30 pm – 7:00 pm     Networking Reception with Supporters
 

Tuesday May 8, 2018

7:30 am – 5:00 pm         Registration

7:30 am – 8:30 am          Breakfast & Exhibits

8:30 am – 8:45 am          Welcome Day 2 and Announcements

8:45 am – 10:00 am       Data Breaches and E-commerce Fraud:  What Went Wrong and What Are Some Ways to Avoid Them in the Future From an Acquirer’s Perspective?

Andy Goh, CISSP, CISM, Vice President, Information Risk Manager, Merchant PCI Compliance, and Matt Leman, MBA, Executive Director, Senior Business Development Director
Managing a secure card payment processing environment is no small challenge for higher education institutions.  Protecting both the processing infrastructure from a data breach and the payment transaction processes in order to avoid fraudulent e-commerce transactions are both critically important for business and technology leaders on campus.  Understanding specific areas of vulnerabilities that contribute to PCI breaches and on-line fraud can help institutions minimize and hopefully avoid them in the future.  This session will focus on sharing specifics around root cause analysis of a few recent PCI breach events as well as share best practices to help higher education institutions better protect their e-commerce payment acceptance environments from fraud in the future. 

10:00 am – 10:45 am        Networking Break & Exhibits

10:45 am – 12:00 pm        It's An Education

Jeff Hall, CISSP, CISM, PCI QSA, Principal Security Consultant, Optiv Security
The PCI Guru takes you on a tour of his experiences with higher education and PCI compliance.

12:00 pm – 1:00 pm        Lunch & Exhibits

1:00 pm – 2:00 pm        Solving the PCI Puzzle with New Rules and Strategies

Kristy Pritchett, CIA, CFSA, CBA, Director of Student Accounts, University of Alabama, and John McElroy, Product Strategy, TouchNet
PCI compliance often falls on the shoulders of the Business Office to manage, including those of us from Treasury and the Bursar's office. With hundreds of potential payment points, both in-line and online, this creates major challenges for us. Using new tools, like validated point-to-point encryption and Smart SAQ's, in conjunction with new card brand rules, this session will explore how Drexel University and the University of Alabama are working with their QSA, Acquirer, and ecommerce solutions provider to solve their PCI puzzle. Learn the strategy these two schools have used to drastically reduce their PCI scope and reduced their overall risk, with an enterprise commerce platform.

1:00 pm – 2:00 pm        Going Beyond Compliance: Why Let Service Providers Have All the Fun?

Robbyn Lennon, Program Coordinator Sr., University of Arizona, and Michael Simpson, CISSP, CISA, QSA, Security Analyst, SecurityMetrics
Organizations that deal with cardholder data must follow certain requirements to comply with The Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council released the latest version of the PCI DSS—version 3.2—in 2016. The latest version of the standard includes new requirements that only apply to service providers. While merchant organizations are not required to follow these extra requirements, doing so could be good practice, depending on their organization. Attendees will learn which specific “service provider only” requirements would make sense for their organization’s security and how to fulfill them.

2:00 pm – 2:30 pm      Networking Break & Exhibits

2:30 pm – 3:30 pm      Training Campus Partners

Kevin Mooney, Cash Management Representative, Cornell University; Kevin Sisler, MBA, CTP, Director of Treasury Services, University of Kentucky; and Ruth A. Harpool, AAP, CTP, Managing Director Treasury Operations, Indiana University
PCIDSS requires formal awareness programs and training for personnel that are directly involved in the processing of credit card payments. But, for a successful compliance program, it is extremely important to train other key partners on campus that are major contributors to the success of your overall program. This session will identify those partners and explain what they need to know, why they need to know it, and how the partnership will benefit your PCIDSS compliance program.

2:30 pm – 3:30 pm      Dressing Up Your PCI Risk Assessment; Going from Casual to Formal

Gene Willacker, ISA, Information Security Analyst, Michigan State University
This is an introductory session for those unfamiliar with standard risk assessment processes, not necessarily for those who may already be well-versed in the subject. It will cover the required elements of a PCI DSS risk assessment, the differences between qualitative and quantitative assessment methodologies, risk treatment approaches, and will provide guidance for making productive use of standard reference materials from the National Institute of Standards and Technology (NIST), mainly NIST SP 800-30, SP 800-39, and FIPS 199.

3:30 pm – 3:45 pm      Meeting Room Transition

3:45 pm – 4:15 pm      PCI DSS Lightning Round
2018 PCI Workshop Planning Committee
This session will address multiple (quick) PCI topics submitted by attendees that can be discussed by the speakers in a few minutes or less.

4:15 pm – 5:15 pm      Open Forum (no supporters please)
2018 PCI Workshop Planning Committee
We will continue to discuss pressing issues and possible solutions with our peers.

Wednesday May 9, 2018

7:30 am – 2:00 pm         Registration

7:30 am – 8:30 am          Breakfast & Exhibits

8:30 am – 8:45 am          The Secrets of Successfully Reviving a PCI Compliance Program

Carolann Lazarus, IT Audit Manager, University at Buffalo, State University of New York
Attend this session to hear how a large, public research university recognized that their PCI compliance efforts had seen better days. Learn about the steps taken to reconstitute an effective, ongoing program. This presentation will walk you through what the University of Buffalo did and how they did it.

8:30 am – 8:45 am          Let’s Start from the Very Beginning! Getting in Front of the Process - Vendor Management and PCI

Linda Wilson, Director of Finance Systems and Services, Gonzaga University, and Jon Bonham, CISA, QSA, Director, SAQ Technology: ERC, CoalFire Systems, Inc.
Do you follow a formal process for hiring a service provider? Do you have a written agreement to the services they will be providing? Equally important: Are your third party vendors meeting your goals for today and in the future? Who is signing third party agreements on campus? Who is responsible for maintaining vendor compliance after the contract has been signed? This session will provide guidance and best practices for hiring a QSA firm, how to be a good partner and specifically address PCI Requirement 12.8 Managing Service Providers.

9:30 am – 10:15 am          Networking Break & Exhibits

10:15 am – 11:15 am          Session information pending

10:15 am – 11:15 am         System Hardening Beyond Just Policy

Jon Bowman, CISSP, QSA, Senior QSA Consultant, A-LIGN
Jon will review the different industry hardening standards, how to tune benchmarks/standards for a given system, provide examples of how to properly apply hardening benchmarks, and provide examples on how to verify that a system has been properly hardened.

11:15 am – 12:30 pm          Lunch & Exhibits

12:30 pm – 1:30 pm          Strategies to Secure Payments and Achieve PCI Compliance with Minimal Resources

Rich Emrich, CTP, Northwestern University; Bryan Jurewicz, Arrow Payments; and Ed Ko, CISSP, QSA, Campus Guard
Universities and colleges have the challenge of maintaining flexibility of payment solutions in a decentralized campus environment. Each department tends to want unique solutions that fit their specific needs which can involve the Treasury, Compliance and IT offices at the tail end of the decision-making process. This can leave Treasury/Compliance/IT playing catch up and at odds with the departments' desires. Discover the PCI approved technology advancements that can address security concerns with departmental solution flexibility, fiscal responsibility and minimized PCI compliance scope. The discussion will focus on leveraging external resources to address the business needs, security requirements and accounting best practices of higher educational institutions. The speakers will avoid using technical jargon making the discussion accessible to all attendees. University bench-marking will be shared from a host of schools who have addressed these challenges. The speakers will discuss QSA requirements, security reviews, solution discovery, and implementation across various technology vendors and the benefits of each to different institutions. This presentation will also include cost savings, resource efficiency and how the campuses are secured against data breaches and PCI compliance headaches.

12:30 pm – 1:30 pm          Mobile Payments: Challenges and Solutions for Secure Payments on the Go

Preston DuBose, PCI ISA, Ecommerce and Payment Security Manager, Texas A&M University
Implemented properly, mobile payment acceptance can be a lifesaver for merchants on the move. This presentation reviews the range of options for untethered payments—from handheld, purpose-built card readers to smart-devices using P2PE. Attendees will learn about the technology behind mobile payment devices, PCI validation pitfalls, and considerations when shopping for mobile solutions.

1:30 pm – 2:30 pm          Survey Results and Wrap Up
2018 PCI Workshop Co-Chairs: Ruth Harpool and Ron King