Education Seminars

Session 1 - 10.20 - 11.00

Session 2 - 12.50 - 13.30

Session 3 - 15.30 - 16.10

Sessions Include:
Arxan - Best Practices for Securing Android / HCE Mobile Payment Solutions within Banking & Retail Apps

Winston Bond, European Technical Director, Arxan Technologies
 
With hackers increasingly targeting NFC-enabled mobile payment applications, financial institutions and merchants are seeking proven approaches to secure mobile payments.
 
What attendees will learn:
  • How to reverse-engineer and crack mobile apps and mobile payment APIs using freely available tools.
  • How to address security challenges to ensure that the payment tokens and cryptographic keys within the payment application are properly secured.
  • How to ensure that the code and assets on your back end server aren’t exposed via APIs leveraged in your payment applications.

HCE Service Ltd - How to Design Public Key Infrastructures for Use with HCE (Host Card Emulation) Mobile Payments

Chandra Patni, CEO & Founder, HCE Service Limited
 
Mobile Internet communication networks have removed all the barriers to on-line communication and data transfer to and from mobile devices situated anywhere in the world. HCE (“host card emulation”) mobile payment standards have now created new secure authentication and data transfer challenges with remote mobile devices. Secure tokenised virtual cards on our mobile devices, accessible anywhere and at any time, require secure user and device authentication as well as protection of payment-related data delivered over the cloud from bank card issuers. On the open and insecure mobile Internet, higher levels of security than simple password and ID presentation have to be introduced to limit payment fraud. Software-based public key cryptographic tokens protected within secure software whiteboxes are being adopted by leading financial institutions and commercial organisations around the world to ensure user and tokenised card data integrity; one example of such adoption is HCE (“host card emulation”) by Visa and MasterCard, which advocates software tokenisation of user credentials such as credit/debit cards.
 
What will the attendees learn:
  • What kind of security attacks are possible with mobile payments?
  • What cryptographic security services are essential to overcome threats posed by fraudsters?
  • How should strong open and distributed cryptography be designed and used in the mobile environment?

Ground Labs - BAU: enabling your security program for PCI DSS 3.1

Stephen Cavey, Director of Corporate Development, Ground Labs

With the new build of the PCI DSS came the mandatory need to make data security part of your company’s standard processes. Find out how you can achieve this with minimum effort and maximum efficiency. 

Topics covered include:

  • Why PCI DSS 3.1 is mandatory
  • Introducing Business As Usual (BAU) as a concept
  • What this means for existing companies implementing or maintaining PCI DSS
  • Practical advice on making PCI DSS part of your core business rather than a project

Paragon Insurance Brokers - Demystifying PCI DSS breaches – what are your responsibilities and costs?

Erica Constance, Senior Vice President, Paragon Insurance Brokers
 
Along with the ability to accept credit and debit card transactions, companies are required to accept liabilities and contractual penalties under the Merchant Service Agreements they sign with the major credit card brands. Consequently, a breach of PCI DSS can have a significant financial impact on a company.
 
In this session we will discuss:
  • The responsibilities of a company following a breach of PCI DSS
  • The broken down costs, including $ amounts, of 3 PCI breaches
  • Can these costs be managed or reduced?
  • Specific insurance coverage that can be purchased to transfer some of the risk

Aeriandi - Who’s responsible for what? Telco or Merchant for contact centre compliance?

Matthew Bryars, CEO and Co-Founder, Aeriandi
 
Almost a decade on from its original launch in 2006, the PCI DSS continues to generate heated debate as to its precise application and interpretation. In particular, the role of the network operator: where their services are, and more importantly are not, in scope for PCI DSS.
 
Some of what attendees will learn:
 
  • I outsource my telephony to my network operator – are they responsible?
  • Where does the Network Operator boundary start and finish?
  • Is the SBC defined as “Core” network operator equipment or Enterprise Managed Service Equipment?
  • What is the definition of Core Services?
  • What is the PCI Council’s view on Network Operators and PCI DSS?
  • What is the effect on compliance when connecting to Network Operators over the internet?
  • Is my telephony provider actually a Network Operator?
  • Should my telephony provider give me an Attestation of Compliance in their name, or their supplier’s name?

Gemalto - Encryption, Key Management, Tokenisation and P2PE – A summary of Gemalto customer use cases

Kevin McGill, Payments Commercial Lead, Gemalto
 
Gemalto, including the recently acquired SafeNet business, has been providing solutions to help customers secure their data and meet PCI compliance for many years. Kevin has led the merchant and payments business within SafeNet (now Gemalto) for the past 4 years. In that time his customers have successfully deployed various encryption, key management, tokenisation and P2PE solutions as part of their PCI strategies. Prior to SafeNet, Kevin held similar roles in Managed Security Services and Identity Management.
 
What attendees will learn:
  • When to use crypto technologies - best practice advice
  • How to use crypto technologies - as a platform to drive cost reduction

Genesys SpeechStorm - The Power of Personalisation for Secure Self-Service Payments

Damian Kelly, VP Product, Genesys SpeechStorm

Customers are twice as likely to use self-service when presented with personalised options based on the caller’s identity, characteristics, preferences, position in their customer journey, transaction history, and the context of previous interactions. Personalisation in self-service also leads to a reduction in customer effort and, more importantly, a more secure experience, as it eliminates the possibility of customer details being overheard or misused.
 
What will attendees learn:
  • How customer information and the context of the call can be used to reduce complexity and provide a more secure customer experience.
  • Case studies showing how personalisation leads to an increase in NPS at the same time as deflecting calls away from the contact centre.
  • Best practice in agent-assisted and self-service payments.

Session 2
Semafone - What can we learn from Apple’s approach to HSM and apply to our own environments?

Ben Rafferty, Global Solutions Director, Semafone

Hardware Security Modules (HSMs) are physical computing devices that safeguard and manage digital keys for strong authentication and cryptoprocessing, which can be used to better protect and secure your telephony estate.

In this session you will discover ways to leverage additional HSM capabilities to de-scope more of your organisation for PCI DSS:

  • The different ways HSMs can be used, and why they should be an essential part of your data security and PCI compliance strategy
  • How to leverage tokenisation from your POS systems, whilst removing the business application from PCI scope
  • Ways to fully utilise HSMs in your contact centre environment using the Derived Unique Key Per Transaction (DUKPT) key management scheme to individually protect every transaction

Akana - Is Regulation Driving Innovation Related to APIs, Apps and PCI Compliance?

Paul Webster, VP, Technology EMEA, Akana
 
Regulated industries, such as Finance and Health, are being forced to provide APIs to enable access to their data. Being open while remaining secure is a significant problem that has to be addressed. In Banking, PSD2 regulation is driving EU banks to rework their banking platforms and risk being mediated out of the relationship with their own customers in the process.
 
What will attendees learn:
  • What are the regulations that are driving this adoption of APIs?
  • How can this help transformation and generate more business?
  • How can security be maintained when becoming more open?

ECSC - PCI DSS Service Providers: The Good, The Bad, and The Ugly

Ian Mann, Senior Consultant (QSA), ECSC

This seminar illustrates the wide variation in approaches to selling PCI DSS outsource services and the many associated dangers. It helps you understand the mis-selling tactics deployed and will help you avoid expensive mistakes.
 
What you will learn:
  • Why you should ignore PCI DSS certificates
  • What the common mis-selling strategies are
  • Which words alert you to danger in contracts and proposals
  • How to manage future changes to the standard

Blackfoot UK - How the right training can help improve security culture

Matthew Tyler, CEO, Blackfoot UK

Employees are the front line in protecting business systems and confidential or sensitive data — they are your best defence. However, risks can come from anywhere, so an organisation’s employees need to be up to date with privacy, payment fraud, security of card devices, remote working practices and so on. But this is easier said than done, especially with a large, dispersed workforce and changes in technology and legislation.
 
Following changes to the PCI requirements around employee training, this talk will explain how your organisation can use employee training to demonstrate and maintain a healthy security position. This helps protect your brand, reputation and financial health, and ultimately strengthens your business.
 
What will attendees learn?
  • More about the requirements for staff training contained in the PCI DSS, section 12
  • Who should be trained, about what, how and when
  • How to make best use of scarce training budget
  • Top tips for embedding information security awareness and best practice into a business-as-usual culture

NTT Security Limited - Are you ready to comply with the new Visa Europe mandate?

Neira Jones, Independent Advisor & International Speaker, Strategic Advisor, NTT Security Limited
 
Visa Europe has recently made a step forward in the domain of data security and launched a new mandate that will take effect in a few months. The main intent of the new mandate is to make sure that merchants and retailers switch from a compliance approach to a risk-based approach.

Neira Jones will take you through the changes introduced by the Visa Europe mandate, focusing on helping you understand the changes brought by the mandate and the impact they have on Merchant Portfolio Authorities, Merchants and Payment Service Providers.
 
The deadline is May 2016. Are you ready for it?
 
Some of the topics you will explore together with Neira Jones:
  • The Visa Mandate: what are the changes it brings and what do they mean for you?
  • What are the challenges that many will face in order to comply with the mandate?
  • The importance of risk-based activities.
  • Good security vs easy compliance.
  • What are the new penalties for those who do not comply with the mandate?

JAW Consulting UK - Employing a Data-centric Security Strategy: Meet Compliance and Protect Critical Business Assets

James Walker, UK MD & Principal Security Architect, JAW Consulting UK

The EU GDPR will require businesses by 2018 to focus on identifying and protecting the personal data of EU citizens, with 50% of global companies saying they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate. What strategies can businesses adopt to ensure they meet these regulations, leveraging the best practice of PCI DSS to meet the new requirements?
 
In this presentation, attendees will learn key data-centric approaches that will help you realise efficiencies, saving time and the cost of compliance with PCI DSS and the emerging EU GDPR regulations.

What attendees will learn:
  • Data Security First. Why perimeter security is dead.
  • Protection of Card Holder Data vs Personal Data. What is the difference?
  • Establish the right foundations: why a good cyber security strategy starts with the data.
  • How Data Classification extends the concept of Payment Holder Data to Personal Data.
  • The 10 Prioritised Steps for Building a Cyber Security Strategy

Session 3
Foregenix - The Evolution of Malware - The Rising Complexity of Malicious Code in eCommerce Environments

James Allman-Talbot, Forensics Manager, Foregenix
 
Malware samples are ever changing and constantly adapting to detection techniques in order to hide their presence. The samples seen in today’s breaches are getting more complex and harder to detect, let alone reverse engineer. Join me to see an overview of the kinds of complex malware that we’re seeing, and what we’re doing to tackle it.
 
What will attendees learn:
  • An insight into malware samples from some recent eCommerce breaches
  • An overview of the ever-changing landscape of eCommerce malware, from simple single-line scripts to binary obfuscated samples.
  • What can be done to detect and combat such complex entities

Osirium - Getting control of the Outsourced Outsourced Outsourcer

Kev Pearce, CTO, Osirium

Don't enable third party access until you've been to this seminar session.

Attendees will learn:
  • Why outsourcers outsource themselves
  • Why third parties need to be separated from the passwords your systems use
  • How to use identity to control incoming third party connections
  • How to use session recording to see who has done what where and when on your systems
  • How to allow third parties to use their normal digital management tool chain against your system
  • How Privileged User Management and Privileged Account Security work together to provide proper security

Aeriandi - How to reduce PCI controls to the absolute minimum for contact centre compliance

James Hiscott, Solutions Architect, Aeriandi

This seminar will detail the best way to reduce contact centre PCI DSS obligations to the barest minimum. PCI DSS compliance can be easy, quick and inexpensive to achieve if the controls required are reduced. Maintaining contact centre compliance also becomes an easily managed BAU activity.
 
Some of what attendees will learn:
  • Which controls can be avoided altogether?
  • How can I ensure a credit card data breach never ever happens?
  • How do I avoid incumbent infrastructure changes/replacements?
  • What can I do with old call recordings which may contain credit card data?

DataDivider - A risk-based approach to MOTO payments

Graham Thompson, VP of Sales & Marketing, DataDivider Inc.

Many merchants have found that the Achilles heel of their PCI program is their MOTO (Mail Order Telephone Order) payments, in which we will include email, chat and fax. Having successfully deployed a PCI de-scoping strategy for e-commerce and bricks and mortar, they find they are back in scope for MOTO payments. Rather than looking at expensive and complex DTMF tone masking solutions, which also impact the customer journey, it is now possible to deploy alternative technologies which eliminate the risk where real breaches actually occur.

What will attendees learn?
  • How it is now possible to de-scope desktops, networks and backend systems for phone, email, chat, fax and snail mail with minimal impact to telephony and other infrastructure
  • How it is possible to secure the desktop from a SaaS PCI Level Certified environment
  • Just how hackers can today attack your desktops and how such attacks can be foiled through remote security
  • Why remote security eliminates the many risks associated with local patching and security safeguards
  • Where the advances in SaaS security models designed for PCI will impact general security
  • Impact of the new EU General Data Protection Regulation (GDPR) on PCI

HPE Data Security - Understanding Security Tokenization and PCI Compliance

Brendan Rizzo, Technical Director EMEA, HPE Data Security

With newer methods of tokenization such as Apple Pay gaining ground in the marketplace, there is a need to develop deeper technical and architectural understanding of the available methods of protecting PAN data, and how security tokenization fits from the perspective of the end-to-end architecture of payments ecosystems.
 
What attendees will learn:
  • How the tokenization system is secured within the network and how it maps tokens into PANs
  • The latest on PCI 3.0 and updates related to SSL and TLS encryption protocols and vulnerabilities that can put payment data at risk
  • Security and PCI-related aspects of payment vs. security tokenization in user networks
  • Deeper understanding of standards and options for protecting PAN data in multi-platform enterprise environments