PCI/DSS (and more!) Workshop

May 4-6, 2009
The Indianapolis Marriott Downtown
Indianapolis, IN
There is a special conference rate of $175 per night including Internet access.

Learn what’s new in PCI version 1.2 and the FTC’s Red Flags Rule.

Understand how the PCI Council’s Special Interest Groups’ recommendations and new Quality Assurance program will affect you.

Get a briefing on the Federal Trade Commission’s Red Flags Rule to prevent identity theft.

Benefit from the experience of other institutions that are working on PCI compliance and implementing Red Flags Rule on their campuses.

Explore and share best practices with other education institutions.

Have your questions answered by payment, banking, and security experts.

Card acquirers and processors are now insisting that all their merchants, including Higher Education institutions, certify their compliance with the Payment Card Industry Data Security Standard (PCI DSS). In response, the Treasury Institute for Higher Education is again sponsoring its fourth PCI DSS workshop this May.

On top of all this comes the Federal Trade Commission’s “Red Flags Rule” designed to reduce the risk of identity theft. Parts of this rule, originally aimed at financial institutions, likely cover many colleges and universities. For example, if your institution participates in the Federal Perkins Loan program, is a school lender in the Federal Family Education Loan Program, or offers loans to students, faculty or staff, your institution could be considered a “creditor” under the Red Flags Rule.

If you are a business, financial, or IT manager responsible for complying with PCI-DSS or Red Flags, you cannot afford to miss this 3-day workshop May 4-6, 2009. Attendees will come away with a deeper understanding of the standards, how their institution can achieve and maintain compliance, and useful new contacts at other institutions facing the same challenges. At the workshop we will:

  • Explore the foundations and business implications of PCI DSS in a half-day PCI “deep dive.” This session proved successful last year, serving as an introduction for those new to PCI and a refresher course for others.
  • Examine the FTC’s Red Flags Rule in a briefing covering its intent and how to meet the requirements for your campus. Like the PCI deep dive, this session will be a valuable introduction or refresher for attendees.
  • Identify the changes to the standard included in the release of version 1.2 and how they affect your institution. We also will examine the PCI Council’s new Quality Assurance Program for QSAs and ASVs, the Special Interest Group (SIG) recommendations on pre-authorization data, wireless networks, PCI scoping, and virtualization.
  • Most importantly, learn first-hand from case studies of implementing PCI and addressing Red Flags Rule at public and private institutions like yours.

Last year’s workshop attracted 130 professionals from public and private institutions nationwide and featured implementation case studies, energetic discussions, unique networking opportunities, and information sharing between participants and with speakers. This year’s workshop promises to be bigger and better, with new presenters and new topics including managing your costs of compliance.

This workshop is for and by Education. Attendance is limited to education institutions except for participating banking and security experts.


AGENDA

Monday, May 4

10:00 – 12:00 

Conference Registration
Conference registration will be available outside our meeting room on the second floor. Register then join us for the PCI deep dive. 

1:00 – 3:30 (Break from 2:15 – 2:30)

PCI Overview including What’s New in PCI for 09 and Beyond
This session explores the background and development of PCI DSS, determining merchant levels, validating compliance, the latest on security risks, and completing your Self-Assessment Questionnaire (SAQ). This session is recommended for all attendees, particularly those new to PCI or those wanting an update on PCI 1.2 and the new SAQs.
Walt Conway, NACUBO’s PCI Council Representative; PCI consultant, blogger, trainer, and workshop moderator

3:30 – 5:00

Red Flags Rule Briefing
The Federal Trade Commission’s “Red Flags Rule” is designed to reduce the risk of identity theft. Parts of this rule, originally aimed at financial institutions, likely cover many colleges and universities. If your institution participates in the Federal Perkins Loan program, is a school lender in the Federal Family Education Loan Program, or offers loans to students, faculty or staff, your institution could be considered a “creditor” under the Red Flags Rule.  This session describes the regulations and addresses steps to achieve compliance and protect students, faculty, and staff from identity theft.
Benita Kahn, Vorys Legal Counsel

Evening

Attendees are on their own to enjoy the many restaurants, attractions, and entertainment opportunities available in downtown Indianapolis. 

Tuesday, May 5 (Note: The Sequence of Sessions May Change)

8:00 – 9:00

Continental Breakfast and Registration

9:00 – 9:15

Welcome and Introductions
Dennis Reedy, Co-Executive Director, The Treasury Institute for Higher Education and Managing Director Treasury Operations, Indiana University;
Walt Conway, PCI consultant, blogger, trainer, and workshop moderator

9:15 – 10:00

PCI Compliance in Two Hours a Day
Learn how OSU’s Treasury Management and Data Security used an outsourcing strategy to achieve PCI compliance, offering OSU the most economical and efficient method of processing credit cards while minimizing data security risk. Then we address Wired Equivalent Privacy (WEP) for encrypting wireless networks. The PCI Council’s decision to ban WEP raises questions about the permitted use of wireless to transmit credit card data.  The goal of this talk and your questions is to illustrate the use of radio based devices to move credit card data from one point to another, and to separate good from bad practices. 
Carole Fallon, Treasury Management Officer,
Charles Morrow-Jones, Director of Security,
and Joseph Smith, Systems Manager, The Ohio State University

10:00 – 10:45

PCI within the IU Enterprise
Indiana University’s PCI Team worked together to solve the technical requirements of PCI compliance within their Enterprise environment. Find out how we implemented multiple firewalls, a file integrity monitoring solution, and remote logging. This session will take you from acquisition, to funding, to actual implementation. We highlight a couple of items that we found difficult to solve as well as our solutions.
Cheryl Schifflet, Associate Director Treasury Operations,
Tony Brazzell, Information Security, Indiana University

10:45 – 11:00

Break

11:00 – 12:00

Confessions of a QSA
This session focuses on PCI challenges and solutions for the Higher Education vertical, as told by a Qualified Security Assessor from a QSA firm. This session will cover: what makes a Higher Education institution unique compared to other merchant entities, strategies for reducing your PCI scope, and what to look for when hiring a QSA firm. This session also offers tips on how a Higher Education institution can best prepare for an engagement, told from the perspective of a QSA; this information can help your institution learn from and incorporate successful strategies from similar entities, and avoid some common mistakes.
Lee Buttke, Director of Professional Services, NetSPI

12:00 – 1:30

Lunch

1:30 – 2:30

Emerging Threats in the Underground Carding Community
The U.S. Department of Justice actively investigates and prosecutes criminal carders (hackers) who make an illegal living from stealing and selling payment card data. This presentation traces the evolution of these prosecutions and explores the breaches and the criminals behind them. 
Kimberly Kiefer Peretti, Senior Counsel, US Department of Justice

2:30 – 3:15

Beyond PCI: Using the Standard to Secure the Infrastructure
Penn State embarked on the journey of PCI compliance over 2 1/2 years ago. This presentation describes our efforts to use PCI DSS to identify, secure, and in some cases remove other forms of personally identifiable information (PII). While there were technical and financial challenges, including some faculty resistance, there were achievements and events that justified our efforts.
Michael Leach and Jennifer Stewart, Pennsylvania State University

3:15 – 3:30

Break

3:30 – 4:15

Red Flag Rules at a Public University: Coordinating Information Security and Financial Operations to Ensure Protection from Identity Theft.
At UVa, the staff under the Chief Financial Officer and the Chief Information Officer worked together to create the program required by the FTC’s ‘Red Flag Rules.’ We share our strategies, our lessons learned, and how we settled the question: “Who is supposed to be responsible for this, anyway?”
Susan Gray Herod, Chief of Staff Strategic Planning & Analysis, University of Virginia

4:15 – 5:00

How Do You Compare: The PCI Survey Findings
This session will analyze the findings from the online PCI survey that all attendees were asked to complete. Topics include dedicated PCI resources, acquirer support, compliance, and changes since last year. We also explore the differences between public vs. private and large vs. small institutions. 
Walt Conway, Walter Conway Associates LLC

6:00 – 7:30

Networking Event: Casino Nite 
Join your colleagues and our sponsors in a relaxed atmosphere to share information, renew old friendships, and make a few new ones. Activities and refreshments will be provided.

Wednesday, May 6 

8:00 – 9:00

Continental Breakfast
Avoid the rush and check out of the hotel early. Feel free to bring your bags with you to the meeting room. 

9:00 – 10:00

Special Keynote: PCI Council Developments and Directions
Learn first-hand about the Council’s quality assurance program, PA DSS, Special Interest Groups, expectations for PCI version 2.0, and other PCI-related initiatives. Be sure to bring your questions.
Troy Leach, Technical Director, PCI Security Standards Council

10:00 – 10:15

Break and a second chance to run to the checkout desk!

10:15 – 12:00

Expert Panel Q&A
Bring your questions for the PCI compliance experts from leading acquirers working with Higher Ed institutions nationwide. This session has been one of the highlights of every past workshop. 
Marc Decary, Manager Compliance Security Programs, Moneris Solutions
Troy Leach, Technical Director, PCI Security Standards Council
Don Roeber, PCI Compliance Manager, Fifth Third Bank

12:00 – 1:15

Lunch
Our sponsors and all non-school attendees are free to depart after lunch.

1:15 – 3:30

Information Sharing (Higher Ed Institutions only)
This is your time when we launch into our usual, freewheeling and extremely interactive information sharing session with only one rule: nothing said leaves the room. Topics will include your experiences with the new SAQs, PCI version 1.2, acquirers and processors, and security breaches. This is the opportunity to share your experiences, issues, frustrations, and victories with your peers at other institutions. No PCI subject or experience is off-limits in this spirited and informative exchange. Bring your questions! 

3:30

Workshop Concludes


HOTEL INFORMATION

The newly renovated Indianapolis Marriott Downtown Hotel is the premier destination for important business events, distinctive social gatherings or memorable weekend escapes. Connected via skywalk to the Indiana Convention Center and Circle Centre Mall, the hotel is just steps from Lucas Oil Stadium, White River State Park, NCAA Hall of Champions, Conseco Fieldhouse, Victory Field and just minutes from the famed Indianapolis Motor Speedway.

The hotel is located at 350 West Maryland Street, Indianapolis, Indiana 46225. The special hotel rate is $175 per night including internet access. You can make your reservation on the Marriott website or call 317-822-3500. Be sure to mention you are attending the Treasury Institute for Higher Education PCI/DSS Workshop. Please make your reservations early to avoid disappointment.

Register for the 2010 workshop today!


The Treasury Institute for Higher Education Copyright © 2008 Treasury Institute. All rights reserved.