Loading images...
Loading images...
Loading images...

March 2014 – PCI – Changes and What you Need to Know

Date Venue Presentations
Check back after this event.


Date Wednesday, March 19, 2014 (Register)
Event Start Time – End Time 2:00 – 5:00 pm
Overall Event Title PCI – Changes and What you Need to Know
Event abstract PCI-DSS compliance is necessary for any organization that handles payment card data. Going into effect on Jan.1 2014, version 3.0 of the PCI Data Security Standard (PCI-DSS) will require organizations to bolster their compliance programs.

Protiviti – 888 Seventh Avenue, 13th Floor, New York, New York, 10106

Dress Code Business casual
Event kickoff opening remarks 2:00 – 2:10
Speaker NY ISSA Board Member
Session description Welcome attendees
Session Title PCI 3.0 Changes
Start Time – End Time 2:10 – 2:55
Session Description The PCI Security Standards Council (PCI SSC), published PCI Data Security Standard (PCI DSS) 3.0 of the new version of the standards in November 2013.  Understanding these changes in Version 3.0 such as better education and awareness is intended to address concerns and feedback from the community.  This discussion will cover the major changes coming up and the key drivers for these changes.
Speakers Moriah Cassandra Lazar Hara
Bio(s) With over 16 years of Information Security industry experience, Moriah is founder and managing director of Vigilance Security based out of New York, New York. Vigilance Security specializes in PCI compliance services, and delivering Information Security, Compliance and Technology Risk Management programs for Fortune 500 and major financial institutions.Moriah is a subject matter expert and a thought leader in the PCI compliance space. Hired by Visa USA and Visa International, she architected and developed the PCI Qualified Security Assessor program together with the payment brands. In addition she created the industry wide PCI training and certification for the thousands of security consultants performing PCI assessments globally.She has a technical background which includes ‘ethical hacking’ for Fortune 10 companies, security assessments on biogenetic data warehouses, and developing threat management programs for industry leaders in the banking sector. In addition, she has spoken and written in industry on building a world class vulnerability management program, risks of unstructured data, and vulnerabilities in GSM, GPRS, 802.1 x and Bluetooth wireless protocols. Moriah co-created the FSSCC (Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security) patent pending Risk Assessment and Prioritization Framework.
Session Title Engaging a PCI QSA
Start Time – End Time 2:55 – 3:30
Session Description A QSA is the best way to ensure implemented controls will meet the PCI compliance requirements. When looking for a QSA to perform an assessment, there are specific areas an organization should evaluate the first time to make it easier on yourself later.This discussion will focus on engaging a PCI QSA and the areas that you should consider including but not limited to: big name QSA, references, onsite costs and QSA location. 
Speakers Greg Tramel
Bio(s) Greg Tramel MBA, PMP, CSM Senior Project Manager Mr. Tramel is a Senior Project Manager Consultant with over twenty-two years experience in both technology and business. He is a proven management leader who is a creative Problem Solver, Team Builder and Change Agent . As a Senior Project Manger, Mr. Tramel has worked with such global organizations as American Express, General Electric, and Symantec. Working with these and other such organizations, Mr. Tramel has gained a working knowledge and certifications in such disciplines as Six Sigma, Agile, and SCRUM where he has led many development teams, both domestic and international, in Web and Application development.Most recently, Mr. Tramel has managed teams and works in Security and Compliance, specifically in PCI and SOX. Over the last 3 years he has led the PCI DSS “charge” with a $1B company where all compliance measures were met and RoC’s received. Today is an opportunity for Mr. Tramel to share his methodology in the QSA selection process and why the process is vital to the success of your respective programs.
Networking Break 3:30 pm – 3:50
Session Title Meeting Penetration Testing Requirements of the DSS
Start Time – End Time 3:50 – 4:30 PM
Session Description One of the fundamental updates to the PCI-DSS 3.0 standard is Penetration Testing. Updates to the penetration testing requirements include controls 11.3 and 11.3.4, which create the need for a consistent industry-standard methodology for conducting penetration testing (both internal and external) as well as methods to verify the legitimacy of segmentation boundaries of the CDE from other environments.This discussion will examine these requirements and discuss the challenges merchants will face to comply with these updates such as demarcation of the card data environment (CDE), the availability of in-house personnel capable of performing pen-tests, and the role of third party service providers and the need to update penetration testing requests for proposals.
Speakers Patrick Harbauer and Gene Meltser
Bio(s) Patrick Harbauer

Patrick Harbauer is a Senior Security Consultant with CISSP, CCSK, QSA, PA-DSS, ASV and MCSE certifications. Patrick’s primary focus over the past several years has been to perform security compliance and architecture assessments to help IT organizations build security into the architecture and operations of their IT systems.

Patrick is the Technical Lead for the Neohapsis PCI DSS services practice, performing PCI DSS gap analysis and compliance assessments for merchants and service providers. He has performed PCI DSS assessments for merchants including Fortune 100 financial services companies, traditional retail chains, automated retail solutions providers and service providers including a major CDN provider, cloud services provider and multiple payment processors. Patrick has also performed many security architecture reviews and general security best practice reviews.

Patrick possesses solid technical and analytical skills as well as excellent communication skills and seeks out and willingly accepts new challenges with the ability to focus on the details needed to complete project objectives. He also strives to meet or exceed customer expectations and delivers high quality analytical information to the customer through clear and concise written and verbal reports.

Gene Meltser

Gene Meltser is Technical Director at Neohapsis Labs. He has over 14 years of practical security expertise covering both strategic and tactical roles. In his role at Neohapsis, Gene is responsible for overseeing Neohapsis Labs research activities and methodology development while focusing on program development, strategy, and risk management projects for Neohapsis clients. Gene’s technical focus areas cover application and network penetration testing, vulnerability analysis and research, and secure application and architecture design.

Gene has expertise across multiple industries including internet technology companies, where he served as a technology strategy and risk consultant reporting to the CTO, and was responsible for developing a strategic plan to improve the security controls across the information technology space.

Who should attend  (customize to each session content) Who should attend this session:ISSA Members, ISACA Members and FS/ISAC Members (and other ISAC’s)This program has been created for information security practitioners,
but may also be of interest to the following:QSA’s– Striving to understand the context in which the new changes to PCI should be tested andSecurity Management & Executives – With a goal of understanding industry practices trends, and seeking perspective on implementing technical assessment activities in the context of a broader application security program.