Thursday, April 7, 2016

2016 PCI Workshop Agenda Announced

The Agenda for the 2016 Treasury Institute for Higher Education PCI DSS Workshop was announced this morning. There are still spaces left if you have not registered. Please join us for this lively and highly informative event specifically programmed for the Higher Education community.

Information on registering is in the right sidebar.

Sunday May 22, 2016

4:00 pm - 6:00 pm - Early Conference Registration

6:00 pm - 7:30 pm - Welcome Reception
Those who arrive early can mingle, meet friends old and new, share challenges and triumphs, plan questions, and generally get ready for the event.

Monday May 23, 2016

Monday Morning Pre-Workshop Events
(included with conference registration)

10:00 am - 1:00 pm - Conference Registration

10:00 am - 10:30 am - PCI Workshop Orientation
Whether you are new to the PCI Workshop or new to PCI in general, this session will give you some insight and tricks of the trade, provide you with resources, and start your PCI workshop out on the right foot.

10:30 am - 12:00 pm - PCI DSS Refresh
An optional and interactive session for attendees who want to refresh their knowledge of the PCI to ensure they get the most out of the workshop.

12:00 pm - 1:00 pm - LUNCH ON YOUR OWN

1:00 pm - 1:15 pm - Workshop Begins & Opening Remarks

1:15 pm - 2:30 pm - Secret Service
Secret Service Agent Bernard Wilson

2:30 pm - 3:00 pm - Networking Break

3:00 pm - 4:00 pm - BUSINESS TRACK
We're All Imposters - Overcoming Self Doubt to Leave the Workshop a Winner
Preston DuBose - Texas A&M

3:00 pm - 4:00 pm - IT TRACK
How to Monitor Threats to PCI Compliance
Shiva Hullavarad - University of Alaska

4:00 pm - 5:00 pm - BUSINESS TRACK
Organizing an RFP for a QSA, ASV, and/or a Merchant Processor
Campus Guard and Indiana University

4:00 pm - 5:00 pm - IT TRACK
PCI Compliance in Hospitality Management Systems Point of Sale and Hotel Property Management Systems
Joseph Goodman, Virginia Tech

5:00 pm - 6:30 pm - The 90 Minute Networking Hour
Our discussions of PCI and your compliance journey will continue informally. We created a special 90-minute hour so you can join colleagues and our sponsors in a relaxed atmosphere to share experiences, renew old friendships, and make a few new ones. Refreshments will be provided. Afterward, attendees are on their own to enjoy the many restaurants, attractions, and entertainment opportunities nearby.

Tuesday May 24, 2016

8:00 am - 9:00 am - Buffet Breakfast

9:00 am - 10:15 am - Surviving the First 48 Hours of a Breach

10:15 am - 10:45 am - Break

10:45 am - 12:00 pm - PCI Compliance - An Auditor View
Tim Marley, Oklahoma University

12:00 pm - 1:00 pm - Lunch

1:00 pm - 2:15 pm - BUSINESS TRACK
What a Processor Needs from a University to Validate Compliance

1:00 pm - 2:15 pm - IT TRACK
QSA Top 10 List of Compliance Misses

2:15 pm - 3:15 pm - BUSINESS TRACK
PCI DSS and Third Party Vendors. A Push-me Pull-me Relationship
Katie Todd, Columbia University

2:15 pm - 3:15 pm - IT TRACK
Protecting Merchant Data: A Live Hack Demonstration
Gary Glover, Security Metrics

3:15 pm - 3:30 pm - Networking Break

3:30 pm - 5:00 pm - PCI DSS QUICK HITS
This session will address multiple PCI topics that can be discussed by the speakers in 10 minutes or less.
PCI Workshop committee

Wednesday May 25, 2016

8:00 am - 9:00 am - Buffet Breakfast

9:00 am - 10:15 am - PCI DSS
The View of a CISO
Tim Ramsay, University of Miami

10:15 am - 10:30 am - Break

10:30 am - 11:30 am - Role Playing the Assessment of a MID
Monica Trippler, Utah State University

10:30 am - 11:30 am - Scope Reducing Ideas
Ruth Harpool, Indiana University and PayPal

11:30 am - 12:30 pm - Lunch

12:30 pm - 1:45 pm - A Story of Collaboration Across Campus Units
Mark Haas, VP Finance & Treasurer, Michigan State University
Rob McCurdy, CISO, Michigan State University

1:45 pm - 2:45 pm - Survey Results and Workshop Conclusion

Thursday, February 18, 2016

Where 4.0 Art Thou, PCI DSS?

In a not completely surprising move yesterday, Troy Leach of the Payment Card Industry Security Standards Council (PCI SSC) announced that there would not be a new, version 4.0 of the PCI Data Security Standard (PCI DSS) released in November of 2016. There will be a version 3.2 of PCI DSS released in the first part of this year.
The PCI SSC posted information on version 3.2 of the PCI DSS on their blog yesterday. As expected, this version of the standard will extend the sunset date for SSL v3 and early versions of TLS from June 30, 2016 to June 30, 2018. But there will be other changes to the standard, and it sounds like they are still working out exactly what will be included. As with previous updates, the Council has taken market feedback into consideration, but they also look deeply into the current threat landscape. This includes the results of forensic investigations of current breaches.
Some of the changes may include multi-factor authentication for system administrators from within the cardholder data environment, clarification of guidelines covering the masking of displayed card numbers, and incorporating parts of the Designated Entities Supplemental Validation (DESV) for service providers.
When asked why v3.2 was coming out now instead of the fall, Leach mentioned the SSL remediation change and seemed to confirm that the three-year life cycle of the standard was a thing of the past:
"...the industry recognizes PCI DSS as a mature standard now, which doesn’t require as significant updates as we have seen in the past. Moving forward, you can likely expect incremental modifications to address the threat landscape versus wholesale updates to the standard."
He also says that these incremental changes will allow the Council to focus more of its time on emerging technologies, which are rapidly changing the ways in which payment cards are accepted.

Thursday, January 14, 2016

Call for Presentations for the 2016 PCI Workshop

Hello Friends and Colleagues in PCI DSS Compliance.

It's that time of year again, the program committee is requesting your input and submissions for presentations at the 2016 Treasury Institute for Higher Education PCI DSS Workshop.

The theme of the 2016 PCI DSS Workshop is
PCI DSS: Working Together; Succeeding Together.

In many schools, PCI oversight is the responsibility of the Treasurer/Finance Office yet much of the deployment and implementation of PCI DSS is a matter best left to the experts in Information Technology and/or the IT Security Office. Successful and sustainable PCI DSS compliance requires the identification and planning of common goals between finance and technology. Achieving and maintaining compliance requires top quality teamwork and documentation between Treasury/Finance (the PCI oversight group), Information Technology, third party service providers, and the individual departments that accept cards.

Where has your school succeeded in closing the distance between Treasury/Finance and Information Technology? What documentation and communication success stories do you have to share? Share your challenges or your glorious successes (or even your dismal failures) in implementing and maintaining PCI DSS compliance in the face of ever changing threats and attacks.

Concurrent Educational Session Topic Ideas

(All sessions should emphasize the collaboration needed between Finance and Technology to succeed.)
  • Dealing with PCI DSS and Changes in Vendor Delivered Technology
  • PCI DSS and Third Party Vendors, a Push-me Pull-me Relationship
  • PCI DSS: Funding the "Unfunded Mandate"
  • PCI DSS Change Management for Finance
  • Innovative Scope Reducing Solutions
  • Learning a new language; "IT meet Treasury, Treasury meet IT"
The sessions are scheduled in one-hour time blocks. Your presentation should be shorter than that in order to allow for Q&A and time for folks to move between sessions that may be in different rooms.

Speakers from Higher Education will be reimbursed for their workshop registration and certain travel, lodging, and meal expenses (maximum one person reimbursed per session). Speakers from outside of Higher Education will receive a complimentary workshop registration.
See General Expense Reimbursement Guidelines for further information.

How Do I Submit a Proposal?

To prepare your proposal, come up with a suggested title, a brief description of your presentation, your school's name, your contact info and suggested co-presenters, if applicable.

Either send your proposal to me using the Contact Form in the right sidebar and I will forward it on, or use that same Contact Form to ask me to send you the Treasury Institute address for Ruth Harpool so that you can contact her directly. (Sorry, to avoid spam I rarely include addresses in this blog.)

The submission deadline is: February 1, 2016

This workshop will be a gathering of your friends and peers, so there is never a hostile audience. You will be welcomed warmly, even if you have never presented anywhere before. We know that many of you have valuable experiences that we would love to hear about. So get in touch and propose a session for the 2016 PCI Workshop in Savannah, Georgia this May.

Friday, January 8, 2016

Older versions of Internet Explorer expire January 12

What's going on?

Microsoft announced this week that it will be ending its support for older versions of Internet Explorer (IE) on January 12, 2016. What does end of support mean? It means that starting on Tuesday, January 12 (Patch Tuesday), Microsoft will only provide technical support and security updates for the most current version of Internet Explorer available for a "supported" operating system.

The most recent version of IE is version 11, and almost every Windows system should be running that version. There are a few exceptions to this, such as some specialized or older versions of the Windows operating system, like Windows Server or Windows Embedded, which may be used on integrated point-of-sale systems. These exceptions are not able to run Internet Explorer 11 at this time. See the lifecycle link below for more information.

Note: All systems in your cardholder data environment must be running the most current versions of their operating systems and software. All patching must be up-to-date. This is required by PCI DSS requirement 6.2.

What is the impact of this announcement?

This means that if you are running an older version of IE on your desktop, you should upgrade to Internet Explorer 11 right away. If a new vulnerability is discovered in an older version of IE, that version will not receive a security patch to fix it, and unpatched systems are the primary targets of criminal hackers and malware. Internet Explorer 11 will continue to receive security updates, compatibility fixes, and technical support on Windows 7, Windows 8.1, and Windows 10.
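A quick way to find out which machines in your cardholder data environment still run an unsupported IE build, as an added example that is not part of the original post or of any Microsoft tool. It assumes PowerShell 3 or later and the documented registry quirk that IE 10 and 11 record their real version in the svcVersion value while IE 9 and earlier only populate Version; the function name Get-IESupportStatus is made up here.

```powershell
# Added example (not from the original post). Reports the installed Internet Explorer
# version on a Windows host and flags anything below IE 11, which loses security
# updates on January 12, 2016 and so fails the patching expectation of PCI DSS 6.2.
function Get-IESupportStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # IE 10/11 leave 'Version' at a 9.x value and write the real build to 'svcVersion';
    # IE 9 and earlier have no svcVersion, so fall back to 'Version' there.
    $verString = if ($props.PSObject.Properties['svcVersion']) {
        $props.svcVersion
    } else {
        $props.Version
    }
    $major = [int]($verString.Split('.')[0])
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OS           = $os
        IEVersion    = $verString
        Supported    = ($major -ge 11)
    }
}

# Run locally; for a fleet, push the same function over WinRM:
#   Invoke-Command -ComputerName (Get-Content .\pos-hosts.txt) -ScriptBlock ${function:Get-IESupportStatus}
$status = Get-IESupportStatus
$status | Format-List
if (-not $status.Supported) {
    Write-Warning ("IE {0} on {1} is unsupported after 2016-01-12; upgrade to IE 11 " +
                   "or document the exception in your PCI DSS scope.") -f $status.IEVersion, $status.ComputerName
}
```

Hosts such as Windows Server 2012 or Windows Embedded point-of-sale builds that cannot take IE 11 will still be flagged; treat those as exceptions to record with compensating controls rather than as false positives.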

More information

For questions, help, upgrade assistance, and other resources please see the End of Support announcement page at

To learn more about exceptions and other supported operating systems read the Windows lifecycle FAQ sheet at