The Security of Learning: PCI Compliance for Higher Education
The Payment Card Industry (PCI) Data Security Standard (DSS) was introduced by the PCI Security Standards Council (SSC) in 2004 to combat payment card fraud through improved data security. The PCI DSS is an industry regulation rather than a law; it outlines the minimum acceptable data security measures required when credit or debit card payments are involved. The PCI SSC works through banking institutions to enforce the regulation on merchants and service providers.
The PCI SSC defines merchants as “any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.” When higher education organizations accept payment cards for tuition, sporting events, cafeterias and vending machines, bookstores, alumni donations or any other reason, they become a merchant from the PCI perspective, and PCI compliance, at some level, is required.
Most colleges and universities have administrative offices that own the relationships with banks. This is commonly either finance and administration or the bursar. The person or office charged with managing the banking relationship is also a natural choice for accountability for PCI compliance. They can then delegate specific responsibilities to other personnel as dictated by the PCI compliance program, organization structure, and the reporting requirements assigned by the bank.
Banks assign reporting requirements based on the volume of payment card transactions accepted by the organization annually. Requirements are categorized into four levels, with level 4 applying to organizations with fewer transactions and level 1 applying to high transaction volume organizations. The table below provides general guidance on transaction volumes and reporting requirements per level, but individual banks may have differing requirements based on their internal guidance.
| Level | Annual transaction volume | Reporting requirements |
|---|---|---|
| 1 | Over six million payment card transactions in a 12-month period | Onsite assessment and a Report on Compliance (ROC) completed by a QSA; submit an Attestation of Compliance (AOC) to the bank |
| 2 | Between one million and six million payment card transactions in a 12-month period | Either a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ) completed by a QSA or ISA; submit an Attestation of Compliance (AOC) to the bank |
| 3 | Between 20,000 and one million payment card transactions in a 12-month period | Self-Assessment Questionnaire (SAQ) completion; submit an Attestation of Compliance (AOC) to the bank |
| 4 | Fewer than 20,000 payment card transactions in a 12-month period | Self-Assessment Questionnaire (SAQ) completion; submission of documentation to the bank is not required by default |
The specific reporting requirements assigned by the bank will determine the testing and reporting tasks to be completed. These tasks can then be assigned as needed based on organization preference and required capabilities.
While centralization and delegation are preferred, not all colleges and universities are able to achieve this due to legacy implementations or inconsistent procurement requirements. Decentralization can lead to inconsistent policies and procedures and makes it difficult to monitor compliance efforts appropriately. Where a decentralized approach is already in place, some form of centralized oversight should be implemented to whatever extent is possible.
The simplest form of this is to implement a PCI charter which designates a position or office to aggregate relevant vendor and compliance information for existing PCI-related vendors. This office can also establish an exception process for onboarding new PCI vendors and solutions when an existing vendor or solution cannot be used. This has an additional benefit of increasing visibility for key stakeholders and creating a centralized contact for status information. This also facilitates a periodic evaluation to determine if converting to a more centralized approach is possible and preferable. A common trigger for this process is the diligence phase of the contract renewal process.
Once a centralized or decentralized process is identified, an effort to become compliant can truly begin. While no definitive list of trouble areas exists, some common areas where institutions experience struggles include:
- Shadow procurement or implementation: This is when a person or group bypasses the standard process to acquire or implement a credit card processing solution. This is generally driven by either an immediate need, lack of knowledge around policy and procedure or a feeling that proper procedure is too cumbersome for the need being fulfilled.
- Inconsistent training: When training is not provided in a uniform manner, differences of understanding and followed processes can arise. More severe cases can lead to missing required processes, eventually resulting in non-compliance with the regulation.
- Not keeping up with required hardware and software upgrades: Part of PCI compliance is ensuring cardholder data remains secure. As technology is constantly evolving, most product vendors regularly release patches, updates or replacement components to ensure security and functionality is retained. Failing to keep up with current software or hardware may create a vulnerable system which could be exploited.
- Not tracking vendor or supplier compliance: When relying on a third party to manage some or all of a PCI environment, the PCI DSS requires monitoring of the vendor or supplier’s PCI compliance status. Where a vendor is responsible for storing, processing or transmitting cardholder data, be sure to obtain its compliance information annually.
- Inappropriate delegation: Delegation can be tricky. Delegate too much or the wrong thing, and you may end up with more work than if you had not delegated at all. When deciding what to delegate, keep in mind what roles people serve. Delegated activities will vary based on the tasks performed by each party but tend to be assigned to “in the weeds” or “the boots on the ground” staff. Overarching accountability should remain centralized.
- Improper data and hardware disposal: A commonly overlooked aspect of data security is the disposal of what is no longer required. The PCI DSS has specific requirements for the retention of data and its disposal once it is no longer required to process transactions. Hardware retention and disposal is less well defined. For media containing cardholder data, secure destruction is mandated. For other hardware components such as PIN pads or networking devices, there is no strict guidance within the DSS for disposal. A defined process for how to collect and dispose of hardware that is no longer required or no longer functional is strongly encouraged.
Once an approach is determined and key personnel know what high-level obstacles to avoid in the design and implementation of a PCI compliance program, it is time to get to work on getting compliant.
Compliance
Implementing a compliance program is not easy. With the highly technical nature of many requirements within the PCI standard, it is recommended that organizations seek professional assistance to ensure all necessary aspects are built into the process. When selecting who will assist, there are several key factors to consider:
- Required qualifications: The PCI SSC has three certifications related to the PCI DSS. These certifications represent differing levels of training and understanding, and differ in how the holder is expected to apply that knowledge.
- Payment Card Industry Professional (PCIP): PCIP is the entry level certification demonstrating the person has taken training in the subject matter and has a basic understanding of the DSS and required processes.
- Internal Security Assessor (ISA): ISAs have undergone more training than PCIPs and should have a deeper knowledge of the standard. The focus of an ISA is internal to their organization, and they may have fewer perspectives to draw from than a QSA.
- Qualified Security Assessor (QSA): QSAs undergo the same in-depth training as ISAs but apply their knowledge to other organizations and industries as an external assessor. As such, they tend to have experience with multiple compliant approaches. QSAs are also required to work for QSA companies or firms, which tend to have larger numbers of QSAs and should have higher quality control standards.
- Availability of personnel: Does the organization helping you have the necessary depth of experience to ensure you can be assisted even if your primary contacts are unavailable? QSA firms are required to maintain at least a minimum number of QSAs for appropriate segregation between QSA assessors and QSA quality control personnel. When QSA firms like Weaver act in an advisory capacity, there are often additional QSAs with eyes on material to ensure continuity.
Once you have the internal personnel identified and have brought in any assistance needed, the next step is to develop formalized policies and procedures.
The first and arguably most crucial document to prepare is the PCI charter. This charter will provide the authority necessary for designated individuals to update or create policies as needed to ensure a comprehensive compliance program. Once the charter is approved and in place, policies and procedures related to the topics below should be reviewed for compliance with PCI requirements:
- Acceptable use
- Access management
- Auditing, logging and monitoring
- Configuration management
- Change management
- Incident management
- Network security
- Onboarding and offboarding
- Physical security
- Risk assessment and management
- Vendor management
- Vulnerability management
These policies span several areas of specialty, so it is recommended that they be reviewed, updated or created by a cross-functional group with experience across these areas. The individuals designated by the PCI charter to oversee compliance can guide this group and provide strategic oversight during the process. Alternatively, QSAs may be brought in to assist with the creation or review of policies.
Once policies are updated and approved, the next step is identifying what resides within the cardholder data environment (CDE). PCI requires an inventory of IT assets to be maintained, so an understanding of how to collect the information for an IT asset inventory is necessary. Once the inventory of assets is completed, it is much easier to ensure the right assets are secured. An inventory of PCI-related vendors and the PCI-relevant services they provide is also needed. This can leverage an existing vendor management solution using key phrases or tagging.
At this point, the organization should have an understanding of what PCI DSS requires, an idea of how to manage it, the assistance of a specialist, and policies, procedures and asset inventories. Now it is time to train the people who will be executing the payment card processes. Common departments include finance and administration, athletics, performing arts, catering (cafeterias, meal plan websites and vending machines), campus police, parking and bookstores, among others. These personnel will need to understand how to:
- Handle credit and debit cards when presented for payment
- Inspect the payment terminals to periodically validate that there has been no tampering
- Report suspicious activity
Many security awareness training platforms have premade modules to educate personnel on these PCI topics. While they may not specifically state they are for higher education institutions, the modules designed for retail provide the necessary information for card-present transactions, and those for e-commerce should be sufficient where card-not-present transactions are used.
PCI compliance can be implemented in many ways for higher education institutions. The key to an effective program is to know what assets exist in the payment environment, develop and implement policies and procedures to protect those assets, and train involved personnel to monitor and maintain the environment. Obtaining assistance from QSA professionals, like Weaver, can provide a large step forward on the path to compliance and can help avoid many of the potential stumbling points along the way. Please contact us to learn more about how Weaver can assist with your PCI journey.
©2024