What’s Trending?
Payment Card Industry
Security And Compliance Round Table
Wednesday October 28, 2015
INFRAGARD
InfraGard is a partnership between the FBI and the private sector. It is an
association of persons who represent businesses, academic institutions, state
and local law enforcement agencies, and other participants dedicated to
sharing information and intelligence to prevent hostile acts against the U.S.
Disclaimer
The views, opinions, and content of this webinar are solely those of the
speakers and other contributors. These views and opinions do not necessarily
represent those of InfraGard or InfraGard Atlanta Members Alliance (IAMA).
RICHARD EMRICH
Rich has been Director of Treasury at Northwestern University since
2007. His responsibilities include management of Treasury (capital
planning, as well as long-term debt portfolio and working capital
strategy); e-Commerce operations (primary oversight of 200
merchants across two campuses and related compliance); and
Bursar operations (various card programs, remote depositing and
cashiering). Prior to joining Northwestern Rich was Global Treasury
Manager at Hewitt Associates, Inc. for 5 years and Senior IT
Manager for Hewitt Associates LLC for 6 years. During his tenure in
Finance he worked to bring Treasury into compliance with
Sarbanes-Oxley following the company’s IPO, implemented a
Treasury workstation, and managed an investment portfolio of $600
million. Rich graduated from Bates College in 1984 pre-med, then
earned his MBA in finance from the University of Illinois / Chicago.
He has been a Certified Treasury Professional (CTP) since 2005.
DR. PHILLIP HALLAM-BAKER
Phillip Hallam-Baker is a computer scientist, mostly renowned for his
contributions to Internet security, since the design of HTTP at CERN in
1992. Currently vice-president and principal scientist at Comodo Inc., he
previously worked at Verisign Inc., and at MIT Artificial Intelligence
Laboratory. He is a frequent participant in IETF meetings and discussions,
and has written a number of RFCs. In 2007 he authored the dotCrime
Manifesto: How to Stop Internet Crime. Hallam-Baker has a degree in
electronic engineering from the School of Electronics and Computer
Science, University of Southampton and a doctorate in Computer Science
from the Nuclear Physics Department at Oxford University. He was
appointed a Post Doctoral Research Associate at DESY in 1992 and CERN
Fellow in 1993. Hallam-Baker worked with the Clinton-Gore ’92 Internet
campaign. While at the MIT Laboratory for Artificial Intelligence, he
worked on developing a security plan and performed seminal work on
securing high profile Federal Government Internet sites.
TREVOR HORWITZ
Trevor Horwitz is the founder and CISO of TrustNet, a leading
specialized provider of IT Security and Compliance services. Trevor
has designed, developed, and assessed security and compliance
solutions for corporations of all sizes and across multiple industries
for over twenty years. Trevor is a PCI Qualified Security Assessor and
contributing member of the PCI Security Council’s special interest
group on virtualization and cloud security. His career experience
includes roles as the CEO of a pioneering network security company
and a senior consultant at PWC. He is a board member of InfraGard
Atlanta, past Executive Board member of ISACA Atlanta, and has
been active in the Technology Association of Georgia for over fifteen
years. Trevor holds a Bachelor of Commerce from the University of
the Witwatersrand, Johannesburg, South Africa with a triple major
in Accounting, Information Systems, and Business Law.
AGENDA
1. EMV and “Chip and Pin” Technologies
2. Mobile Payments
3. Secure Data Transmission - Migrating from SSL and Early TLS
4. Point-to-Point Encryption (P2PE)
5. PCI and the Cloud
6. Designated Entities
7. Two Factor Authentication
8. Hidden Card Holder Data and Shadow IT
Webinar Sponsor
www.TrustNetInc.com
IS PAYMENT CARD SECURITY A BIG ISSUE?
EMV – CHIP AND PIN TECHNOLOGIES
Chip and Dale
…not the same as
Chip and Pin
MOBILE PAYMENTS
By 2017,
cash-based transactions
will represent fewer than
25 percent of all in-store
purchases
DATA TRANSMISSION ENCRYPTION
SSL AND EARLY TLS
Refer to NIST SP 800-52 Rev. 1 for guidance on secure TLS configurations.
Little Known Fact
TLS v1.1 is acceptable only when it is configured securely; not every
TLS v1.1 implementation qualifies.
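As an added illustration of the "SSL and early TLS" point above (example code written for this page, not from the deck or from TrustNet): the helper below reads the protocol version out of a ServerHello record and labels it the way the PCI DSS 3.1 migration treats it, with SSLv3 and TLS 1.0 prohibited, TLS 1.1 conditional, and TLS 1.2 acceptable. The status labels and the `build_server_hello` fixture are assumptions made for the example; the record layout follows RFC 5246. The last function shows the client-side fix, a context whose floor is TLS 1.2.

```python
import ssl

# Protocol version bytes as they appear on the wire (RFC 6101 / RFC 5246).
VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

# Assumed labels modelled on the PCI DSS 3.1 "SSL and early TLS" migration:
# SSLv3 and TLS 1.0 must go, TLS 1.1 is only conditionally acceptable
# (secure configuration required), TLS 1.2 is the target.
STATUS = {
    "SSLv3": "prohibited",
    "TLS 1.0": "prohibited",
    "TLS 1.1": "conditional",
    "TLS 1.2": "acceptable",
}


def parse_server_hello_version(record: bytes) -> str:
    """Return the protocol version a ServerHello negotiates.

    Layout: 5-byte record header (type, version, length), 4-byte handshake
    header (type, 24-bit length), then the 2-byte server_version field.
    For TLS 1.3 that field is a legacy value (0x0303) and the real version
    sits in the supported_versions extension, which this helper does not read.
    """
    if len(record) < 11:
        raise ValueError("record too short")
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    if record[5] != 0x02:
        raise ValueError("not a ServerHello")
    major, minor = record[9], record[10]
    if (major, minor) not in VERSIONS:
        raise ValueError(f"unknown protocol version {major}.{minor}")
    return VERSIONS[(major, minor)]


def classify(version: str) -> str:
    """Map a version name to its migration status."""
    return STATUS.get(version, "unknown")


def build_server_hello(major: int, minor: int) -> bytes:
    """Constructed test fixture (not a real capture): a minimal ServerHello.

    Body: server_version(2) + random(32) + session_id_len(1) = 0
          + cipher_suite(2) + compression_method(1).
    """
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


def hardened_client_context() -> ssl.SSLContext:
    """A client context that refuses SSL and early TLS outright."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for major, minor in sorted(VERSIONS):
        version = parse_server_hello_version(build_server_hello(major, minor))
        print(f"{version:8s} -> {classify(version)}")
    print("hardened client floor:", hardened_client_context().minimum_version.name)
```

A "conditional" result is where the slide's caveat bites: a TLS 1.1 server still needs its cipher suites and other settings checked against the NIST SP 800-52 Rev. 1 guidance before it can be called compliant.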
POINT-TO-POINT ENCRYPTION (P2PE)
Are merchants using PCI-approved P2PE solutions out of scope for PCI DSS?
In a word: no.
The P2PE SAQ can only be used when merchants process cardholder data
only via hardware payment terminals within a validated PCI P2PE solution.
The P2PE Self-Assessment Questionnaire includes only 26 PCI DSS
requirements.
First draft of “Dark Side”
recruiting poster
“Most
misunderstood
villain of all time”
According to his
Mom
aka Mama Vader
PCI AND THE CLOUD
Alternate names for cloud computing that never stuck
• Utility Computing
• Shared Resource Computing
• Pay-as-you-go Computing
• Service-oriented Computing
PCI AND THE CLOUD
THE PANEL
Dr. Phillip Hallam-Baker: Friends call him Phillip
Trevor Horwitz: Has a cat named Philip
Richard Emrich: Middle name is Philip
DESIGNATED ENTITY
Examples of Designated Entities
• Entities storing large amounts of cardholder data.
• Entities providing aggregation points for cardholder data.
• Entities suffering large-scale and/or recurring breaches resulting in
compromise of cardholder data.
This slide complies with the “Mandatory Reference to Star Wars Act of 2015”
TWO FACTOR AUTHENTICATION
HIDDEN CARD HOLDER DATA AND
SHADOW IT
Common methods used to find cardholder data
• Mod10 (Luhn) verification
• Length/prefix checks
• Native format decoding
• Contextual data and statistical analysis
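The first two methods in that list, combined with a small contextual filter, are enough to build a basic cardholder-data scanner. The code below is an added example written for this page (not the deck's or TrustNet's tooling): it pulls digit runs out of free text, strips the separators people type between groups, applies the issuer prefix/length rules, and keeps only Luhn-valid candidates. The `BRANDS` table uses the commonly published public IIN ranges and is an assumption of the example; the sample text and the PANs in it are constructed test values, and `find_pans` returns masked-ready tuples so the scanner never has to print a full PAN. Native format decoding (opening archives, PDFs, database files) is out of scope here; this operates on text you have already extracted.

```python
import re

# A run of 13-19 digits, allowing one space or dash between any two digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Prefix/length rules for the "length/prefix check". Public IIN ranges;
# assumed for this example, not taken from the deck.
BRANDS = [
    ("Visa", re.compile(r"^4"), {13, 16, 19}),
    ("Mastercard", re.compile(r"^(5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720))"), {16}),
    ("Amex", re.compile(r"^3[47]"), {15}),
    ("Discover", re.compile(r"^(6011|65|64[4-9])"), {16, 19}),
]

# Constructed sample input (the PANs are well-known test numbers, not real cards).
SAMPLE = """\
ticket 4411: customer called about invoice 20150928-000123
card on file 4111 1111 1111 1111 exp 10/17
amex 378282246310005 declined
phone 404-555-0100, order id 5555555555554440
tracking 1Z999AA10123456784
"""


def luhn_ok(digits: str) -> bool:
    """Mod10 check: from the right, double every second digit and sum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Return the brand whose prefix and length rules the digits satisfy, or None."""
    for name, prefix, lengths in BRANDS:
        if prefix.match(digits) and len(digits) in lengths:
            return name
    return None


def find_pans(text: str):
    """Return (brand, pan, offset) for every candidate that passes all checks."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Contextual filter: a run of one repeated digit can pass Luhn but is never a PAN.
        if len(set(digits)) == 1:
            continue
        brand = brand_of(digits)
        if brand is None or not luhn_ok(digits):
            continue
        hits.append((brand, digits, m.start()))
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for brand, pan, offset in find_pans(SAMPLE):
        print(f"{brand:10s} {mask(pan)} at offset {offset}")
```

Note what the layers do on the sample: the invoice number is 14 digits but matches no issuer prefix, the Mastercard-looking order id has a valid prefix and length but fails Luhn, and only the Visa and Amex test numbers survive. In a real sweep the remaining false positives are tamed by the fourth method on the slide, scoring hits by surrounding context (field names, file types, frequency per host) rather than by the digits alone.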
What you do … What your friends think you do …
Information Security
Webinar Sponsor
www.TrustNetInc.com
Twitter @TrustNetInc
LinkedIn #TrustNetInc
For more information about InfraGard Atlanta and upcoming events:
President, Jeff Gaynor
Presiama@gmail.com
Director of Outreach, Lawrence Tobin
Lawrence.Tobin@TrustNetInc.com
www.InfraGardAtlanta.org

InfraGard Webinar October 2015 102815