2017 PCI DSS Workshop Agenda
April 23- April 26, 2017
Sunday April 23, 2017
4:00 pm - 6:00 pm Early Registration
6:00 pm - 7:30 pm Welcome Reception
Those who arrive early can mingle, meet friends old and new, share challenges and triumphs, plan questions, and generally get ready for the workshop.
Monday April 24, 2017
10:00 am - 1:00 pm Registration
10:00 am - 10:30 am Pre-Conference Optional Session: PCI DSS Workshop Orientation
Linda Wilson, Finance Systems and Services Manager, Gonzaga University; Robbyn Lennon, PCI Program Coordinator Senior, University of Arizona; Gene Willacker, ISA, PCIP, MSU IT Security, Michigan State University
Whether you are new to the PCI Workshop or new to PCI in general, this session will give you some insight, tricks of the trade, provide you with resources, and start your PCI workshop out on the right foot.
10:30 am - 12:00 pm Pre-Conference Optional Session: PCI DSS Refresh
Ron King, Co-Chair, PCI DSS Workshop, Treasury Institute and Jon Allen, CISSP, EnCE, Assistant Vice President & Chief Information Security Officer, Baylor University
An optional and interactive session for attendees who want to refresh their knowledge of the PCI to ensure they get the most out of the workshop.
12:00 pm - 1:00 pm LUNCH ON YOUR OWN
1:00 pm - 1:15 pm Welcome and Opening Remarks
Ruth Harpool, Co-Chair, PCI DSS Workshop, Treasury Institute and Ron King, Co-Chair, PCI DSS Workshop, Treasury Institute
1:15 pm - 2:30 pm GENERAL SESSION: The Song Remains the Same: A Decade of Unchanged Security Vulnerabilities
Greg Johnson, PCIP, Vice President of Business Development, A-LIGN
A decade of security innovation and awareness, combined with maturing compliance standards such as PCI DSS, ISO 27001 and SOC 2 have improved our security culture. However, the same vulnerabilities found in 2006 continue to appear today in standard penetration testing. Industry veteran and Vice President of Business Development at A-LIGN, Greg Johnson, will address the data breach landscape, the top vulnerabilities still present, and review how your organization can avoid them.
2:30 pm - 3:00 pm Networking Break
3:00 pm - 4:00 pm BUSINESS TRACK: PCI 3rd Party Management and Compliance
John Layman, Treasury Specialist, University of Missouri System and Nick O’Neil, Security Analyst, University of Missouri System
Third party service providers can be an essential part reducing PCI scope and maintaining PCI compliance. However, not all service providers are created equal. Attend this session as we examine some lessons learned at the University of Missouri during our conquest to reduce our scope and hold third parties accountable for their own compliance. We will detail the steps we have made to strengthen our procurement, security review processes, and how it relates to our third party service provider management. We will offer documents and techniques for you to take home to your campus and begin your own conquest to secure your data and reduce your scope.
3:00 pm - 4:00 pm IT TRACK: Preparing for the Worst: Table Top Testing of Your IRP
S. Dirk Anderson, CRISC, CISA, QSA, ASV, Vice President, Enterprise Risk & Compliance, Coalfire
The one time you don't want to test your Incident Response plan is in the midst of an actual incident. Discovering gaps and having to try to address them on the fly significantly reduces the likelihood of success. This is why PCI requires every merchant to test their Incident Response Plan at least annually, and yet it remains one of the most glossed over compliance requirements in the entire Data Security Standard.
This session will prepare you to plan for and execute a successful table top exercise of your incident response plan to both meet your compliance needs, as well as help you ensure your plan will bring value to responding to an actual event. Specific topics will include designing scenarios, guiding the exercise, and how to document it all to keep your bank or QSA happy.
4:00 pm - 5:00 pm BUSINESS TRACK: Reality of Implementing P2PE and E2EE
Jefferson Hopkins, CISA, CISSP, PCI ISA, IT Security Risk Analyst, IT Policy and Compliance, Purdue University and Kim Stringham, Systems Analyst II, Texas State University; Joseph Tinucci, Senior Director, SAQ, Technology: ERC, Coalfire; Dustin Rich, Managing Consultant, A-Lign
Scope reduction by P2PE is a worthy goal and one that most universities and colleges covet. In this panel discussion, we will address the pros, the cons, and the realities of implementing an encrypted solution and what you can expect if you are headed that way. Join a panel of QSAs and practitioners to discuss the realities of pursuing the encrypted solution.
4:00 pm - 5:00 pm IT TRACK: Leveraging Shared IT and Business Resources to Sustain PCI Compliance
Shiva Hullavarad, Manager of Compliance Information and Records, University of Alaska and Raaj Kurapati, Vice President for Finance and CFO, Texas A&M, Kingsville
Given the serious security risks to information technology (IT) assets, managing those risks effectively is an essential task for the University and its departments. The process will benefit both the individual departments and the University as a whole. It is important that management understand what risks exist in their IT environment, and how those risks can be reduced or eliminated. In an increasingly competitive business environment organizations must develop capabilities that will provide them with a sustainable competitive advantage. The universities and colleges big and small – face continued threat of data theft ranging from finance, heath, intellectual property and other sensitive information.
In such a high risk environment, it’s imperative for universities and colleges to share and collaborate ideas, methods and technologies to learn how the risks can be addressed. This talk will provide some insights on how to identify the areas for cross – collaboration to stay compliant and reduce risk. The talk also outlines University of Alaska and Texas A&M synergistic efforts.
5:00 pm - 6:30pm The 90 Minute Networking Hour
Our discussions of PCI and your compliance journey will continue informally. We created a special 90-minute hour so you can join colleagues and our sponsors in a relaxed atmosphere to share experiences, renew old friendships, and make a few new ones. Refreshments will be provided. Afterward, attendees are on their own to enjoy the many restaurants, attractions, and entertainment opportunities nearby.
Tuesday April 25, 2017
7:30 am - 8:30 am Breakfast
8:30 am - 9:45 am GENERAL SESSION: Sustaining PCI on Campus
Robbyn Lennon, PCI Program Coordinator Senior, University of Arizona and Gil Salazar, Senior Information Security Analyst- Information Security, University of Arizona
Engaging, Managing and Encouraging- Where IT and Business Meet.
The key to sustaining any program is engaging and encouraging the stakeholders and providing the tools to make the job easier. Individuals/projects must be kept on track throughout the year via effective organization, communication processes and use of security tools to maintain momentum in long term projects.
9:45 am - 10:15 am Networking Break
10:15 am - 11:30 am GENERAL SESSION: The Politics of PCI in Higher Education
Susan Albonetti, CPA, CTP, Assistant Treasurer, University of Cincinnati and Carole Fallon, JD, CTP, Senior Manager Treasury Operations, The Ohio State University
This presentation discusses the many nuances of working toward PCI Compliance in higher education. It reviews the politics involved and the challenges confronted in getting the support, funding, recognition, and resources for PCI projects. In addition, it discusses the interaction with and the politics of working with various internal departments as well as outside parties to obtain and maintain PCI Compliance.
Many schools are still struggling to obtain support and recognition from senior management on the critical aspects of compliance. What are some alternatives to achieving that? Even further, the costs for attaining and maintaining compliance are competing for other budget items. Do we push down the costs to the merchants? How is the cost allocated? Mandated PCI training is another burden on schools, and how to provide written guidelines for Third Party Vendors.
11:30 am -- 12:45 pm LUNCH
12:45 pm – 1:45 pm BUSINESS TRACK: PCI Compliance from an Office of One
Andrea Hendricks, ISA, PCIP, Coordinator eCommerce/PCI, Oklahoma State University
Are you feeling overwhelmed with the daunting task of becoming PCI Compliant with limited resources on your campus? As an office of one, it can be very challenging to address each of the requirements, collaborate with multiple stakeholders and departments on solutions and ultimately implement solutions in a compliant manner. At Oklahoma State University, we utilize a hybrid system for compliance and chose to transfer many of our compliance requirements by moving to fully outsourced payments and/or standalone analog connected terminals for all our merchants except our 3 largest. This session will highlight some of the challenges we have faced along the way, areas that are being readdressed for department’s needs, and identify solutions where tasks were mitigated in order to streamline the compliance process. It is important to remember you are not alone in this journey…even if you have few advocates at your school, there are always people willing to help.
12:45 pm – 1:45 pm IT TRACK: Guidance for PCI DSS Scoping and Network Segmentation
Kerry Digou, CISSP, ISA, Internal Security Assessor, North Carolina State University and Craig Henninger, CISSP, QSA, Manager Security Advisor Services, Campus Guard
This session will examine the new supplement and along with relevant examples show how that works in a university setting. We will discuss the pitfalls of "scope creep" and how to accurately determine what to apply the PCI DSS requirements to in the infrastructure.
1:45 pm - 2:15 pm Networking Break
2:15 pm - 3:15 pm BUSINESS TRACK: Crosswalk Data Security
Joseph Goodman, IT Security and Compliance Specialist, Virginia Tech University and Jen Stone, MSCIS, CISSP, QSA, Security Analyst, Security Metrics
Many organizations don’t realize that being compliant with financial and government mandates is just the starting point for data security. This presentation shows the different policies your organization needs to protect your students’ information. Attendees will also learn tips and best practices to leverage compliance efforts to further improve security and protect their students’ data.
2:15 pm - 3:15 pm IT TRACK: Penetration Testing: Art or Science?
Scott Daley, CISA, PCI QSA, HITRUST CCSFP, Senior Analyst, SecureState and Matt Franko, Senior Associate Management Consultant, SecureState
What makes a good penetration tester? Is it the breadth (or depth) of technical skills or the creativity in knowing when to use them? Learn how ethical hackers at SecureState are able to compromise systems and what you can do to help minimize the likelihood that they’ll be successful at your organization.
3:15 pm – 4:15 pm BUSINESS TRACK: The Fork in the Road and How We Took It
Debbie Wert, Payment Card and E-Commerce Analyst, Purdue University and Jefferson Hopkins, CISA, CISSP, PCI ISA, IT Security Risk Analyst, IT Policy and Compliance, Purdue University
Purdue University came to a realization that changes in technology and changes in the PCI Data Security Standards had made compliance a more costly and difficult endeavor. We dreaded the long road to our next SAQ D and the two-hundred and fifty plus boxes that we had to check. We were looking for alternatives. What followed was an examination of alternatives and our eventual choice of scope reduction as a goal.
3:15 pm – 4:15 pm IT TRACK: I’m Attacking Your Network Right Now (And This is Why)
Mark Shelhart, Director, Incident Response & Forensics, Sikich, LLP
You are a university; a complex organism made up of several different businesses and affiliations. I am an attacker and I have a very clear list of your systems to help me determine where I can harvest data from for profit. My targets are very apparent to me because I make a living looking at dozens of universities just like yours. You have a different perspective...
In this session, we're going to examine actual breaches that Sikich has recently investigated for its clients and apply that intelligence to your organization. As opposed to just looking from a statistical perspective, we're going to identify specific systems and organizations that are ripe for attack. This session will give you actionable ideas to take back to your university to help prioritize your security and compliance efforts.
4:30 pm - 5:30 pm PCI DSS QUICK HITS
Linda Wilson, Finance Systems and Services Manager, Gonzaga University and Gene Willacker, ISA, PCIP, MSU IT Security, Michigan State University
Wednesday April 26, 2017
7:30 am – 8:30 am Breakfast
8:30 am – 9:45 am GENERAL SESSION: The State of Data Breaches in Education
Jane Aube, Loan Programs and Compliance Specialist, Student Financial Services, Middlebury College and Ruston Miles, CPP, PCIP, Chief Innovation Officer, SVP, BlueFin Payment Systems
In 2016, there were 1,093 data breaches – a 40% increase over the 2015 data breach number of 781. Why do hackers breach point-of-sale (POS) systems and networks? To find valuable data that can be resold on the black market. Malware was the culprit in the multi-million-dollar Home Depot, Target and PF Chang’s breaches. While hackers got into the POS systems through a faulty firewall or third-party vendor, once in they were able to install malware that located unencrypted credit card information — which was then sent to remote servers, packaged and resold to fraudsters.
There are two security paths that educational institutions can take in the fight against malware: Defend the Fort or Devalue the Data. With the Defend the Fort approach, organizations build stronger, higher and more expensive walls of security around their systems and data. With the Devalue the Data approach, universities and educational institutions employ security technology to devalue the cardholder data before it reaches their point-of-sale systems, rendering the data useless to hackers if it is exposed.
During this Keynote Session for the 2017 PCI DSS Workshop, Bluefin Payment Systems and Middlebury College will provide a detailed overview and case study on PCI-Validated Point-to-Point Encryption (P2PE) and its role in devaluing card data, securing your systems, and reducing PCI compliance scope. Specifically, the session will discuss:
The current state of payment security, including 2016 breach numbers
- How malware operates to steal card data
- The role of EMV, Tokenization and P2PE
- The origin of PCI-validated P2PE and how it differs from non-validated solutions
- PCI-validated P2PE scope reduction and cost benefits
- Use cases for PCI-validated P2PE in the educational setting
- Industry Case Study: Middlebury College’s Implementation of PCI-validated P2PE
9:45 am - 10:15 am Networking Break
10:15 am – 11:15 am BUSINESS TRACK: Understanding PCI from an Acquirer’s Perspective
James Lock, III, MBA, CTP, CSCIP/P, Executive Director, Higher Education Industry Solutions Specialist, JP Morgan Chase Bank; Andy Goh, Vice President, Information Risk Manager, Merchant PCI Compliance, Chase Merchant Services; and Matt Leman, Executive Director, Business Development Director, Chase Merchant Services
What does an acquiring bank expect from its merchant clients in the areas of overall cyber security and PCI-DSS compliance? How are these expectations communicated? What role does the acquiring bank play in educating clients and helping them establish and maintain a secure merchant processing environment? Do you know what requirements must be met to be compliant with the PCI-DSS rules for payment card accepting entities? Because the higher education landscape includes large and small institutions with varying degrees of complexity around their merchant processing environments, this panel will also explore the best way to provide SAQ documentation to the acquirer. Should it be at the merchant ID level or somewhere higher in the reporting hierarchy to make certain all aspects of the processing environment are reported? What factors influence this decision and how do you strike a balance between finding a solution that works for both the merchant and the acquirer. This session will address these questions and give the audience a framework around the types of services and level of engagement one should expect from their merchant processor.
10:15 am – 11:15 am IT TRACK: Deep Dive into PCI Technical Controls
Carlos Lobato, CISA, CIA, CISSP, CPA, IT Compliance Officer, New Mexico State University
This session is meant for those with IT technical expertise as the presenter will take you into a Deep Dive into PCI Technical Controls including but not limited to the setup and configuration of network architecture and related devices such as perimeter firewall(s), router(s), switches, IDSs/IPSs, software cashiering, host and server hardening as well as the utilization of P2PE swiping devices. The session will be very interactive and cross-sharing of ideas will be highly encouraged. This session will be ideal for networking engineers, application programmers and tech savvy individuals at the merchant locations.
11:15 am – 12:30 pm LUNCH
12:30 pm – 1:45 pm GENERAL SESSION: PCI Internal Control and Auditing Requirements
Shiva Hullavarad, Manager of Compliance Information and Records, University of Alaska and Will Finley, Information Systems Auditor, University of Alaska
Higher Ed institutions are moving to decentralized IT and payment environments to suit their business processes customized for their business environments. Campuses might have relationships with more than one acquirer or payment processor, and independent campus groups may use the college or university name but have separate financial processes. Sometimes the full extent of payment operations is unknown, or key campus leaders might not be aware of PCI compliance expectations. In a multifaceted environment, it is imperative to establish internal controls to stay compliant. This talk will provide steps to evaluate security infrastructure including procedures, policies, networks and systems. The talk will cover specific PCI/audit requirements implemented at University of Alaska.
1:45 pm – 2:30 pm Survey Results and Workshop Conclusion
Sessions and speakers are subject to change without notice