Monday, March 30, 2015

2015 PCI Workshop Program Set

Update, 3/30/2015: I heard from one presenter that his description of his presentation did not match up with what appears on the Treasury Institute web site. If any other have seen this, please let me know and we'll get it worked out. Also, our Sponsors and Supporters page may not be complete yet, I think some paperwork still needs to be processed before all the supporters are listed. --gaw

FRIDAY, MARCH 30, 2015

It's here at last. The program committee for the workshop has wrapped up the schedule for the 2015 Treasury Institute PCI Workshop. You can see the summary on the Treasury Institute's Workshop information page at I will add more details in the days to come.

Something new this year - we will have a (semi-official) pre-workshop reception at the resort late on Sunday afternoon. Many attendees will be checking in on Sunday April 19, so we will have an informal Welcome Reception from 5:00 until 6:30 PM. Talk about the week ahead or just relax after a day of travel with old friends and new. In years past groups have formed up on Sunday to sample the local restaurants and we will do the same. Dine at one of the Green Valley Ranch Resort, Spa, and Casino's 10 restaurants or head for the Strip! Or you can have a more laid-back night and take in the latest flick at the Regal Cinema, with 10 screens right on the resort property.

Whatever your arrival day plans may be, get ready for a fun and informative week at the 2015 Treasury Institute PCI Workshop.

Note: We may break attendance records for the second year in a row. If you have any problem booking your room (we're nearly sold out), our Meeting Planner Megan at the Professional Development Group will help you out. Information on Workshop rooms and Megan's contact info may be found here:

Wednesday, March 18, 2015

OpenSSL to be patched Thursday 2015-03-19

If you haven't heard the recent security news yet, be forewarned that newly-discovered flaws in the OpenSSL encryption library are due to be patched tomorrow, March 19. Some of the weaknesses have been classified with a "high" severity.

The OpenSSL libraries provide encryption services to protect online communications such as e-mail, file transfers, and most importantly, secure web sites. The libraries implement the (outdated) Secure Sockets Layer (SSL) and its replacement the Transport Layer Security (TLS) protocols. If you see a padlock and "https://..." in your web browser's address bar then SSL/TLS is at work. A major segment of the global internet depends on OpenSSL to maintain data privacy and secure confidential information such as banking and credit card data, transactions related to healthcare and government services, and other personally identifiable information that can be used to commit identity theft and other fraud.

Recently, the PCI Security Standards Council announced the upcoming release of the Payment Card Industry Data Security Standard (PCI DSS) version 3.1. The main reason for this update to the standards is to remove the older SSL protocol from lists that provide examples of strong cryptography. SSL no longer meets that definition based on recommendations by the U.S. National Institute for Standards and Technology, known as NIST.

For a good discussion of this news, please see Brian Krebs's blog, Krebs on Security. His post today, OpenSSL Patch to Plug Severe Security Holes, provides more background and explains the importance of putting these patches into place as soon as possible.

2015 PCI Workshop Tentative Schedule

2015 Treasury Institute PCI DSS Workshop
Green Valley Ranch Resort (Greater Las Vegas)
2300 Paseo Verde Pkwy
Henderson, NV 89052
April 20-22, 2015

Tentative Workshop Agenda*

Sunday April 19th
4:00 pm-6:00 pm Early Registration
Monday April 20th    
8:00 am -1:00 pm Conference Registration
10:00 am-noon Optional Session: Introduction to PCI
Noon-1:00 pm Lunch on your own
1:00 pm-5:00 pm Workshop Begins: General and Concurrent Sessions 
5:00 pm-6:30 pm The 90 Minute Networking Hour
Tuesday April 21st      
8:00 am-9:00 am Buffet Breakfast
9:00 am-Noon General Sessions
Noon-1:30 pm Lunch
1:30 pm-5:00 pm General and Concurrent Sessions
5:00 pm-6:30 pm The 90 Minute Networking Hour
Wed. April 22nd           
8:00 am- 9:00 am Buffet Breakfast
9:00 am-noon General Sessions
Noon-1:00 pm Lunch
1:00 pm-3:30 pm General Sessions

*Agenda subject to change at any time

Information about sessions and speakers is coming soon!

Friday, March 13, 2015

Program Finalized for 2014 PCI DSS Workshop

NOTE: This is for the 2014 Workshop. The 2015 schedule is coming soon!

The program committee for the Treasury Institute of Higher Education 2014 PCI DSS Workshop has finished its work and it's all ready for you now on the Workshop registration page. Please join us for this annual sharing of information among your colleagues. The theme of the Workshop will be structured to answer your questions regarding the changes to the PCI DSS that are coming as a result of version 3.0 that is effective January 1, 2014. View the agenda by visiting the registration link at the bottom of this post.

And we've moved the venue this year: The Workshop will be held in Chicago at the beautiful Palmer House, right in the heart of the city. The Palmer is truly a gem and you will have all of Chicago right out the front door.

I plan on arriving Sunday to start catching up with old friends and meet some new ones as well. Sunday night is a great time to jump in start connecting with your peers at one of the informal restaurant outings. I can't overstate the importance of the networking that is available at this workshop. This is your chance to not only gather knowledge, but to gain support of your PCI compliance colleagues from all around the US and Canada.

Agenda Items include:
  • Threat Trends, Attack Vectors and What the Verizon Data Breach Investigations Teaches Us
  • Merchant and Service Provider Oversight
  • PCI DSS 3.0: What Higher Education Institutions Need to Know
  • Preparing for and Reacting to a Breach Incident
  • Evolution of Security Culture
Participants will
  • Learn how best to manage PCI compliance at your institution
  • Understand how the PCI Council's Special Interest Groups' recommendations and new QSA Quality Assurance program will affect you
  • Share experiences of other institutions that are working on PCI compliance on their campuses
  • Get your questions answered, including what to expect from the PCI Council in the future
  • Earn up to 18.3 CPE credit

Date and Location:

April 27-30, 2014
Palmer House Hilton | Chicago, IL
Registration Fee is $450.00

Check It Out and Register at

Monday, February 16, 2015

SSL is No Longer Strong Cryptography

On Friday the Payment Card Industry Security Standards Council (PCI SSC) released their official statement regarding the acceptability of Secure Sockets Layer (SSL) version 3 for protecting payment data. Based on guidance from NIST and after months of discussions with stakeholders, no version of SSL encryption should be considered "strong cryptography" as defined by the PCI Council.

The Council will be releasing version 3.1 of both the PCI DSS and the PA-DSS to address this issue. The date for the release has not yet been announced.

If you are running any version of SSL on your e-commerce servers, even version 3.0, you should disable it along with older versions of Transport Layer Security (TLS). TLS should be version 1.2 or higher. Most modern and currently patched web servers should support this configuration. If you have old server software this may not be possible.

More information is available in the official statement at this link:

PCI SSC Official Statements:

Friday, February 13, 2015

Stay tuned for a PCI Council Announcement

Information regarding the upcoming release PCI DSS v3.1 and PA-DSS v3.1 is supposed to be coming out today.

Friday, January 23, 2015

Call for Presentations at Our 2015 PCI Workshop

A few of us have been working since late summer to develop a program for the 2015 PCI Workshop presented by the Treasury Institute for Higher Education. As in the last two previous years we are planning on offering general sessions and keynote speakers for the entire group, and also spending some of our time split into two concurrent tracks: Business and Technology. We have been going over feedback and listening to other ideas to make this another great workshop.
But coming up with those ideas is the easy part; we still need to find people who are interested in presenting at the workshop.

So we are turning to you, our friends and colleagues in the Higher Education community who may be interested in doing a presentation on one of these topics, or maybe another topic idea of your own that you would like to share. Here is the list we came up with:

  • Third party/service provider management/oversight
  • Requirement 9.9 and developing programs to manage/track point of interaction (POI) devices and train employees
  • Scoping: What's in, what's out, and why
  • Choosing the correct SAQ
  • Developing campus policies
  • Managing your PCI team
  • Branded campus ID cards and the ramifications for scope, security and risk
  • Incident Response: Policy, documentation, training, testing...
  • Campus security awareness training programs: Developing, managing, and the difference from breach response training 

If you have some experience in any of these areas that you would like to share, please get in touch. Or perhaps some other PCI or payment topic or project you would like to tell us about. Contact info is below.

We are also lining up some terrific industry experts to discuss these topics:

  • EMV, P2PE and Tokenization
  • Managing Merchants, Compliance and Risk from the Acquirer Perspective
  • Penetration Testing, esp. validating segmentation, pen tests vs. vulnerability scans, and tests for new SAQs
If you are interested in taking part in the 2015 PCI Workshop, write to one or more of us on the program committee:

Ron K - CampusGuard
Pete C - 403 Labs/Sikich
Mike L - The Penn State U
Robbyn L U of Arizona
Linda W - Gonzaga U
or Me!

If you don't have contact information for any of these folks, you can leave a message for me by using the Contact Form on the right side of this page.

Thank you in advance for considering sharing your knowledge and experience with us on the Las Vegas frontier this spring. I look forward to hearing from and seeing you all!


Reminder: Outside of invited speakers, the TIHE PCI Workshop is open to members of the Higher Education community only.