2018 PCI DSS Workshop Agenda
Hilton Austin | Austin, TX
May 6 - May 9, 2018

The Agenda is subject to change.

Sunday May 6, 2018                                             

2:00 pm - 5:00 pm         Exhibitor Setup

4:00 pm - 6:00 pm         Registration

6:00 pm - 7:30 pm         Welcome Reception

Those who arrive early can mingle, meet friends old and new, share challenges and triumphs, plan questions, and generally get ready for the workshop.

Monday May 7, 2018

9:00 am – 5:00 pm         Registration

10:00 am – 10:10 am      Welcome and Opening Remarks

10:15 am – 10:45 am      PCI Workshop Orientation

PCI Workshop Planning Committee Members: Robby Lennon, University of Arizona; Kevin Sisler, University of Kentucky; Gene Willacker, Michigan State University; Linda Wilson, University of Gonzaga
If you are new to the PCI Workshop, have not been in a few years, or just want to start your networking as early as possible then this session may be for you. Learn some helpful tips and tricks from this year’s Workshop planners for making the most out of your 2018 PCI Workshop experience. Open to all.

10:15 am – 10:45 am      What the HECVAT?

PCI Workshop Planning Committee Member: Jon Allen, CISSP, EnCE, Assistant Vice President & Chief Information Security Officer, Baylor University
What is the Higher Education Cloud Vendor Assessment Tool (HECVAT)? This session will explain how it got started, how the HECVAT is used, and what opportunities it offers now and may present for the future.

10:50 am – 12:00 pm      PCI DSS Refresh

Ron King, PCI Workshop Co-Chair, Treasury Institute; Jon Allen, CISSP, EnCE, Assistant Vice President & Chief Information Security Officer, Baylor University
Need a PCI Data Security Standards pick-me-up? Then plan to attend this session. The speakers will provide a refresh of the current Payment Card Industry Data Security Standards, an update on current hot topics, and a discussion of recent or expected guidance documents.

12:00 pm – 1:00 pm      Lunch & Exhibits

1:00 pm – 2:30 pm         Payment Card Industry Payment Security Standards Council

Marc Bayerkohler, PCI SSC Standards Trainer, PCI Security Standards Council
The payment landscape is changing rapidly. Advances in inter-connectivity, encryption attacks, and Agile development create challenges to protecting payments in traditional ways. PCI SSC recognizes these opportunities, and addresses them through a number of initiatives covering topics such as better authentication, better software design, and third party accountability. Recent PCI updates address this, as well as education and using technology to simplify compliance.

2:30 pm – 3:00 pm      Networking Break & Exhibits

3:00 pm – 4:00 pm      Should an ISA Accreditation Be in Your Future

Jefferson Hopkins, CISA, CISSP, PCI ISA, IT Security Risk Analyst, Purdue University; Gene Willacker, ISA, Information Security Analyst, Michigan State University; Kurt Osborn, Control Scan
Increasingly, educational institutions have been considering training and using in-house staff as an Internal Security Assessor. ISAs can provide valuable guidance for PCI compliance but come at a cost to the organization. The moderator will question the panel about relevant issues that should be addressed when an institution is considering an ISA.

3:00 pm – 4:00 pm     Table Top Exercises: Things to Know

Tom Horton, Assistant Director for Identity Management and Security Engineering, Cornell University; Ed Ko, Manager Information Security Services, Campus Guard
A discussion on tabletop exercises and the benefits they can share. Cornell recently went through a table top exercise with their QSA. Attend this sessions to hear their experiences.

4:00 pm – 4:15 pm     Meeting Room Transition

4:15 pm – 5:15 pm     Session information pending

4:15 pm – 5:15 pm     VoIP Phone Systems and the PCI DSS

Pat Buckley, Credit Card Coordinator, University of California Berkeley; Joe Tinucci, Senior Director Payments Team, Coalfire
Telephone systems are conduits through which businesses and consumers conduct their commerce; obviously required for all telephone-related payments. Did you know that Voice over IP (VoIP) telephony systems are in scope for PCI DSS? This session will review the concepts and vocabulary that you will need to speak intelligently with your Telecom department about VoIP and security, as well as point you toward solutions for securing your merchants’ VoIP systems. UC Berkeley will discuss their experience creating a secure design for their VoIP system that not only secured their system but met the needs for PCI DSS compliance. We will cover the thinking and processes that led to the campus seeking assistance in creating a secure VoIP architecture. Join us for a discussion of this hot compliance topic.

5:30 pm – 7:00 pm     Networking Reception with Supporters

Tuesday May 8, 2018

7:30 am – 5:00 pm         Registration

7:30 am – 8:30 am          Breakfast & Exhibits

8:30 am – 8:45 am          Welcome Day 2 and Announcements

8:45 am – 10:00 am        Session information pending

10:00 am – 10:45 am        Networking Break & Exhibits

10:45 am – 12:00 pm        Session information pending

12:00 pm – 1:00 pm        Lunch & Exhibits

1:00 pm – 2:00 pm        Solving the PCI Puzzle with New Rules and Strategies

Kristy Pritchett, Director of Student Accounts, University of Alabama; Peter Keyes, Associate Treasurer, Drexel University; John McElroy, Product Strategy, TouchNet
PCI compliance often falls on the shoulders of the Business Office to manage, including those of us from Treasury and the Bursar's office. With hundreds of potential payment points, both in-line and online, this creates major challenges for us. Using new tools, like validated point-to-point encryption and Smart SAQ's, in conjunction with new card brand rules, this session will explore how Drexel University and the University of Alabama are working with their QSA, Acquirer, and ecommerce solutions provider to solve their PCI puzzle. Learn the strategy these two schools have used to drastically reduce their PCI scope and reduced their overall risk, with an enterprise commerce platform.

1:00 pm – 2:00 pm        Going Beyond Compliance: Why Let Service Providers Have All the Fun?
Robbyn Lennon, Program Coordinator, Sr., University of Arizona; Michael Simpson, CISSP, CISA, QSA, Security Analyst, Security Metrics
Organizations that deal with cardholder data must follow certain requirements to comply with The Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council released the latest version of the PCI DSS—version 3.2—in 2016. The latest version of the standard includes new requirements that only apply to service providers. While merchant organizations are not required to follow these extra requirements, doing so could be good practice, depending on their organization. Attendees will learn which specific “service provider only” requirements would make sense for their organization’s security and how to fulfill them.

2:00 pm – 2:30 pm      Networking Break & Exhibits

2:30 pm – 3:30 pm      Training Campus Partners

Kevin Mooney, Cash Management Representative, Cornell University; Kevin Sisler, Director of Treasury Services, University of Kentucky, Ruth A. Harpool, Managing Director, Treasury Operations, Indiana University
PCIDSS requires formal awareness programs and training for personnel that are directly involved in the processing of credit card payments. But, for a successful compliance program, it is extremely important to train other key partners on campus that are major contributors to the success of your overall program. This session will identify those partners and explain what they need to know, why they need to know it, and how the partnership will benefit your PCIDSS compliance program.

2:30 pm – 3:30 pm      Dressing Up Your PCI Risk Assessment; Going from Casual to Formal
Gene Willacker, ISA, Information Security Analyst, Michigan State University
This is an introductory session for those unfamiliar with standard risk assessment processes, not necessarily for those who may already be well-versed in the subject. It will cover the required elements of a PCI DSS risk assessment, the differences between qualitative and quantitative assessment methodologies, risk treatment approaches, and will provide guidance for making productive use of standard reference materials from the National Institute of Standards and Technology (NIST), mainly NIST SP 800-30, SP 800-39, and FIPS 199.

3:30 pm – 3:45 pm      Meeting Room Transition

3:45 pm – 4:15 pm      PCI DSS Lightening Round
2018 PCI Workshop Planning Committee
This session will address multiple (quick) PCI topics submitted by attendees that can be discussed by the speakers in a few minutes or less.

4:15 pm – 5:15 pm      Open Forum (no supporters please)
2018 PCI Workshop Planning Committee
We will continue to discuss pressing issues and possible solutions with our peers.

Wednesday May 9, 2018

7:30 am – 2:00 pm         Registration

7:30 am – 8:30 am          Breakfast & Exhibits

8:30 am – 8:45 am          The Secrets of Successfully Reviving a PCI Compliance Program

Carolann Lazarus, Senior IT Auditor, University of Buffalo
Attend this session to hear how a large, public research university recognized that their PCI compliance efforts had seen better days. Learn about the steps taken to reconstitute an effective, ongoing program. This presentation will walk you through what the University of Buffalo did and how they did it.

8:30 am – 8:45 am          Let’s Start from the Very Beginning! Getting in Front of the Process - Vendor Management and PCI

Linda Wilson, Director of Finance Systems and Services, Gonzaga University and Jon Bonaham, Director, SAQ Technology: ERC, CoalFire
Do you follow a formal process for hiring a service provider? Do you have a written agreement to the services they will be providing? Equally important: Are your third party vendors meeting your goals for today and in the future? Who is signing third party agreements on campus? Who is responsible for maintaining vendor compliance after the contract has been signed? This session will provide guidance and best practices for hiring a QSA firm, how to be a good partner and specifically address PCI Requirement 12.8 Managing Service Providers.

9:30 am – 10:15 am          Networking Break & Exhibits

10:15 am – 11:15 am          Intelligently Hedging Cyber Risk – Understanding What You Need vs. What You Get
Rebecca Freitag, FCAS, MAA, Consulting Actuary, Merlinos & Associates, Inc; Justin Orcutt, Manage, NCC Group
Cyber incidents have affected valuations (Yahoo/Verizon), impacted stock prices (Equifax) and led to class action lawsuits (see CareFirst, Equifax, Yahoo and more). Not all cybersecurity policies will cover all security incidents that can create a financial loss or reputational loss to your company. Additionally, if companies are not aware of key conditions in their insurance contracts, they may be denied coverage when incidents occur. During this interactive presentation, cyber risk and insurance will be dissected from an actuarial and cybersecurity perspective. We will focus on available coverages, where gaps in coverage may lie, how the insured can unintentionally create gaps in coverage, and how to make proper investments to close these gaps.

10:15 am – 11:15 am          Session information pending

11:15 am – 12:30 pm          Lunch & Exhibits

12:30 pm – 1:30 pm          Strategies to Secure Payments and Achieve PCI Compliance with Minimal Resources
Rich Emrich, Northwestern University, Bryan Jurewicz, Arrow Payments, Ed Ko, Campus Guard
Universities and colleges have the challenge of maintaining flexibility of payment solutions in a decentralized campus environment. Each department tends to want unique solutions that fit their specific needs which can involve the Treasury, Compliance and IT offices at the tail end of the decision-making process. This can leave Treasury/Compliance/IT playing catch up and at odds with the departments' desires. Discover the PCI approved technology advancements that can address security concerns with departmental solution flexibility, fiscal responsibility and minimized PCI compliance scope. The discussion will focus on leveraging external resources to address the business needs, security requirements and accounting best practices of higher educational institutions. The speakers will avoid using technical jargon making the discussion accessible to all attendees. University bench-marking will be shared from a host of schools who have addressed these challenges. The speakers will discuss QSA requirements, security reviews, solution discovery, and implementation across various technology vendors and the benefits of each to different institutions. This presentation will also include cost savings, resource efficiency and how the campuses are secured against data breaches and PCI compliance headaches.

12:30 pm – 1:30 pm          Mobile Payments: Challenges and Solutions for Secure Payments on the Go
Preston DuBose, PCI ISA, Ecommerce and Payment Security Manager, Texas A&M University
Implemented properly, mobile payment acceptance can be a lifesaver for merchants on the move. This presentation reviews the range of options for untethered payments—from handheld, purpose-built card readers to smart-devices using P2PE. Attendees will learn about the technology behind mobile payment devices, PCI validation pitfalls, and considerations when shopping for mobile solutions.

1:30 pm – 2:30 pm          Survey Results and Wrap Up
2018 PCI Workshop Co-Chairs: Ruth Harpool and Ron King