Workshop - Protecting Consumer Data: Securing Payment and Transaction Information

Monday, March 21, 2016

Cybersecurity incidents affecting consumer-facing businesses threaten the financial security of companies and the public, weakening consumer confidence, eroding individual privacy protections, and damaging the brand value and reputation of businesses.

Join the National Cybersecurity Center of Excellence (NCCoE) for a public workshop to help consumer-facing businesses improve the security around their payment ecosystem and better protect consumer information. Dive into technical issues, architectures, standards, and best practices surrounding multifactor authentication of online transactions and secure handling of sensitive, non-credit card consumer data with some of the brightest minds in this area.

Ultimately, your participation and expertise will result in a challenge statement that will form a new applied cybersecurity project at the NCCoE and lead to a NIST Cybersecurity Guide (Special Publication 1800 series).

Registration for this event is now closed. Find out more about walk-in registrations.  

For those who have registered, you should have received a confirmation email with details on logistics, including Wi-Fi and parking. You may also view that information online.


Date: March 22, 2016
Location: University of Alabama, Birmingham, 1400 University Boulevard, Hill Student Center, 3rd floor Ballroom, Birmingham, AL 35233


Please note: all times below are in Central Time.

8:30 a.m. – 9:00 a.m. - Coffee & Registration

9:00 a.m. – 9:15 a.m. - Welcome: Dean Palazzo, University of Alabama at Birmingham

9:15 a.m. – 9:45 a.m. - NCCoE Opening Remarks: Nate Lesser, Deputy Director, NCCoE

9:45 a.m. – 10:15 a.m. - Keynote Session: Brian Engle, Executive Director, R-CISC

10:15 a.m. – 11:30 a.m. - Panel Discussion: Combating Online Fraud – Multifactor Authentication for e-Commerce Transactions

Moderator: Mike Garcia, Deputy Director, NSTIC


  • Charles Bretz, Director of Payment Risk, Financial Services Information Sharing and Analysis Center (FS-ISAC)
  • Scott Frost, Chief Information Security Officer, Belk
  • Dr. Robert Martin, Vice President, Security Solutions, North America/Ingenico Group
  • Andrew Whelchel, Senior Technology Consultant, Fraud and Risk Intelligence, RSA  

11:30 a.m. – 11:45 a.m. - Break

11:45 a.m. – 1:00 p.m. - Panel Discussion: Safeguarding the Customer Profile – Secure Handling of Sensitive, Non-Credit Card Consumer Data

Moderator: Brian Abe, Project Lead, NCCoE/MITRE


  • Gerald Beuchelt, Chief Security Officer, Demandware
  • George Rice, Senior Director of Payments, HPE Security – Data Security
  • Jake Marcinko, Standards Manager, PCI Security Standards Council
  • Justin Simpson, Senior Manager, IT Risk & Security Governance Team, Walmart

1:00 p.m. – 2:00 p.m. - Lunch

2:00 p.m. – 3:15 p.m. - Technical Breakout Sessions

3:15 p.m. – 3:45 p.m. - Breakout Session Summaries/Prioritization of Topics

3:45 p.m. – 4:00 p.m. - Closing Remarks         


DoubleTree (next to the campus)
808 South 20th Street, Birmingham, Alabama, 35205

Residence Inn (next to campus)
821 20th St S, Birmingham, AL 35205

These listings are for information purposes only; they do not serve as an endorsement. There are other hotels very close to the UAB-Birmingham campus, including a Courtyard Marriott, Springhill Suites, etc.


As a result of conversations with consumer-facing businesses and associations, the NCCoE is proposing two technical projects to demonstrate the business value of more secure payment technologies/processes and more secure handling of consumer information. The NCCoE has worked closely with industry to prioritize their cybersecurity challenges as they relate to these areas. This highly interactive workshop will help finalize the challenge statements and begin to develop potential architectures for these projects, resulting in an initial white paper containing a detailed project description. Ultimately, the NCCoE will develop an example solution and publish that information in a NIST Cybersecurity Practice Guide, which provides detailed information on how to implement the solution.

Who Should Attend and Why

Executives at consumer-facing organizations should attend to share information on business drivers and constraints that would be relevant to any example solution.

Technical experts at consumer-facing organizations and payment ecosystem vendors – hardware, software, processors, financial institutions, etc. – should attend to provide critical technical information.

The consumer-facing/retail sector makes up the backbone of the American economy. This workshop will home in on a technical cybersecurity challenge facing this sector and lay the groundwork for developing an example solution. Be part of the conversation to develop a challenge statement that incorporates your insight and expertise.


This event is graciously sponsored by HPE.

Launch of NCCoE Medical Devices Use Case

Wednesday, December 17, 2014

The National Cybersecurity Center of Excellence (NCCoE) and the Technological Leadership Institute (TLI) at the University of Minnesota, in collaboration with members of the medical devices manufacturing and user community, have drafted a use case focused on the security of wireless medical infusion pumps. The two organizations will officially launch the new use case at an event on Thursday, December 18, 2014 in Minnesota. Gavin O’Brien, the NCCoE project leader for this use case, will attend, along with the leadership of the TLI and Minnesota Congressman Erik Paulsen. The use case will be available for public comment on the NCCoE website beginning on December 18.

7:30 - 9:00 a.m.

McNamara Alumni Center
University of Minnesota
200 SE Oak St
Minneapolis, MN 55414

There is no fee to attend. Please register at

Startup Maryland Bus at NCCoE

Tuesday, September 30, 2014

On Wednesday, October 1, 2014 from 9 to 11 a.m., the Startup Maryland bus will stop at NIST’s National Cybersecurity Center of Excellence and Institute for Bioscience and Biotechnology Research. Startup Maryland is a regional initiative to promote new business ventures. The Startup Bus is a mobile video studio where entrepreneurs can record pitches about their companies and products, which will be viewed and judged by potential investors. This stop will focus on the life sciences and cybersecurity. Learn more about the Startup Maryland bus and how to register to pitch your idea.

NCCoE Workshop on Software Asset Management

Wednesday, December 4, 2013

December 5, 2013
9 am - 3 pm

9600 Gudelsky Drive
Rockville, MD 20850

This workshop will review and conduct a deep dive into the Continuous Monitoring Software Asset Management (SAM) Building Block. The building block proposes techniques for meeting SAM challenges. SAM, as envisioned in this building block, requires a standardized approach that provides an integrated view of software throughout its lifecycle. Such an approach must support the following capabilities:

  1. Authorization and verification of software installation media  
  2. Software execution authorization 
  3. Publication of installed software inventory 
  4. Software inventory-based network access control 

The NCCoE and the NIST Computer Security Division, in collaboration with the Department of Homeland Security, the General Services Administration, and the National Security Agency, have developed a proposed building block. The authors encourage you to review the document prior to the workshop to facilitate building block discussion and the exchange of ideas.


This workshop is oriented to security researchers, security practitioners, system integrators, and other parties interested in developing solutions that address the following challenges: 

  • Verifying the identity of the software publisher providing installation media
  • Verifying that installation media is authentic and hasn’t been tampered with
  • Determining what software is installed and in use on a given endpoint device including legacy and end-of-life products
  • By process of elimination, determining software that is installed on an endpoint device that was not deployed using authorized mechanisms
  • Restricting execution of software that was not installed using authorized mechanisms
  • Identifying the presence of software flaws in installed software
  • Determining if patches are installed on an endpoint device or if additional patches need to be deployed to remedy software flaws


9:00-9:45 am
Overview of the National Cybersecurity Center of Excellence

9:45-10:15 am
Building Block overview and business drivers

Building Block deep dive

Noon–1:30 pm
Lunch on your own

1:30–3:00 pm
Q/A and next steps 

To confirm your attendance at this workshop send an email with your name, title, and organization to

Please download and review the building block document prior to the workshop.

Whether or not you attend the workshop, we welcome your comments. Send your feedback regarding this building block to


State and Local Government Cybersecurity Framework Kickoff

Wednesday, March 26, 2014

State and local CIOs and CISOs are invited to the National Cybersecurity Center of Excellence to learn about resources for the implementation of the Framework for Improving Critical Infrastructure Cybersecurity, Executive Order 13636. The Framework provides a structure that state and local governments can use to create, guide, assess or improve comprehensive cybersecurity programs.

The National Institute of Standards and Technology (NIST) released version 1.0 of the Framework on February 12, 2014. The release of the Framework marks the beginning of several areas of follow-on work to develop tools to help state and local governments implement the Framework, integrating and leveraging existing cyber efforts. The goal of this meeting is to lay out a plan of work for organizations assisting state and local government information officers and prioritize tasks for the coming year.

Join us at the NCCoE:

Thursday, March 27, 2014
8:00 a.m. to 12:30 p.m.

9600 Gudelsky Drive
Rockville, MD 20850

This event, which will also be available as a webinar, will include information about

To register, indicate whether you will view the webinar or attend in person, and email your name and affiliation to