A Primer on PCI DSS Compliance for Higher Education
While some higher education institutions have remained under the radar, banks are now paying closer attention to whether colleges and universities are meeting payment card security requirements.
Like businesses, higher education institutions must comply with the Payment Card Industry Data Security Standard (PCI DSS) to secure card transactions — and the consequences of noncompliance can be costly.
To help colleges and universities understand the security standard, here’s an overview of what PCI DSS compliance means for higher education.
What Is PCI DSS?
The standard applies to any organization that stores, processes or transmits cardholder data, campuses included. It requires a set of security controls that include building and maintaining a secure network, protecting cardholder data (including encrypting it whenever it is transmitted across open, public networks) and running a vulnerability management program that includes anti-virus software and timely patching.
In April 2016, the Payment Card Industry Security Standards Council updated the standard. PCI DSS version 3.2 expands the use of multifactor authentication, which is now required for all non-console administrative access to the cardholder data environment rather than only for remote access, and continues the council's push to migrate off Secure Sockets Layer and TLS version 1.0 ("early TLS") to TLS 1.1 or higher, with TLS 1.2 recommended. The new 3.2 requirements are considered best practice until Feb. 1, 2018, when they become mandatory; the separate deadline for finishing the SSL/early TLS migration is June 30, 2018.
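The TLS migration requirement is the one item in the standard that a campus IT team can check directly on the wire. The following is an added example, not code from the original article or from any of the organizations it quotes: it parses a captured TLS ServerHello record, works out which protocol version the server actually committed to, and flags anything below TLS 1.1. The endpoint names and the ServerHello bytes are constructed for illustration; the parser follows the record and handshake layouts from the TLS RFCs, including the TLS 1.3 case where the legacy version field is frozen at 0x0303 and the real version lives in the supported_versions extension.

```python
"""Flag TLS ServerHellos that fail PCI DSS 3.2's SSL/early-TLS migration (TLS 1.1 or higher).

Added example for this article; sample records below are constructed, not captured.
"""
import struct

# Protocol versions as they appear on the wire: (major, minor)
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
SUPPORTED_VERSIONS_EXT = 0x002B  # supported_versions extension (RFC 8446)


def negotiated_version(record: bytes) -> str:
    """Return the protocol version a server committed to in one ServerHello record.

    `record` is a single TLS record: 5-byte record header followed by the
    handshake message. For TLS 1.3 the legacy_version field is always 0x0303,
    so the real version is read from the supported_versions extension if present.
    """
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 6 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:]  # skip handshake type (1) and length (3)
    version = (body[0], body[1])
    # Skip random (32), session_id (1 + n), cipher_suite (2), compression (1)
    pos = 2 + 32
    sid_len = body[pos]
    pos += 1 + sid_len + 2 + 1
    if pos + 2 <= len(body):  # pre-TLS-1.2 servers may send no extensions at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_len == 2:
                version = (body[pos], body[pos + 1])
            pos += ext_len
    return VERSION_NAMES.get(version, "unknown %d.%d" % version)


def meets_pci_minimum(version_name: str) -> bool:
    """PCI DSS 3.2: SSL and TLS 1.0 ('early TLS') must go; TLS 1.1 or higher is acceptable."""
    return version_name in ("TLS 1.1", "TLS 1.2", "TLS 1.3")


def build_server_hello(legacy_version, supported_version=None) -> bytes:
    """Construct a minimal ServerHello record (test fixture standing in for a capture)."""
    body = bytes(legacy_version) + b"\x11" * 32 + b"\x00"   # version, random, empty session_id
    body += b"\x00\x2f" + b"\x00"                           # cipher suite, null compression
    exts = b""
    if supported_version is not None:
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 2) + bytes(supported_version)
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(legacy_version) + struct.pack("!H", len(hs)) + hs


# Constructed records for hypothetical campus payment endpoints (names are invented).
SAMPLES = {
    "bookstore-pos": build_server_hello((3, 1)),          # TLS 1.0: fails
    "bursar-web": build_server_hello((3, 3)),             # TLS 1.2: passes
    "payment-gateway": build_server_hello((3, 3), (3, 4)),  # TLS 1.3 via extension: passes
    "legacy-kiosk": build_server_hello((3, 0)),           # SSLv3: fails
}


def audit(samples=SAMPLES):
    """Map each endpoint to (negotiated version, meets PCI DSS 3.2 minimum)."""
    results = {}
    for name, rec in samples.items():
        version = negotiated_version(rec)
        results[name] = (version, meets_pci_minimum(version))
    return results


if __name__ == "__main__":
    for name, (version, ok) in audit().items():
        print(f"{name:16} {version:8} {'OK' if ok else 'FAIL: migrate to TLS 1.1 or higher'}")
```

In practice the records would come from a packet capture taken at the segmentation boundary of the cardholder data environment, one ServerHello per payment endpoint; the parser is deliberately strict about record and handshake types so that unrelated traffic raises an error rather than being silently scored.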
What Are the Risks of Noncompliance with PCI DSS?
If higher education institutions are not compliant, they run the increased risk of data breaches, which would not only damage the school’s reputation, but can result in fines. Campuses can also lose the ability to use cards for payment and spend staff time and financial resources to alert customers of the breach, says Ron King, founder and president of CampusGuard, which provides compliance and security services.
Furthermore, a data breach will force most institutions to deal with more stringent audits. Instead of doing self-assessments, they will have to hire a qualified security assessor to audit their campuses to prove compliance.
What’s the difference? Most colleges today are classified as Level 3 merchants. The levels are defined by each card brand; under Visa’s definitions, Level 3 means 20,000 to 1 million e-commerce transactions a year, Level 1 more than 6 million transactions annually, Level 2 between 1 and 6 million, and Level 4 fewer than 20,000 e-commerce transactions (and up to 1 million transactions in total).
Level 3 merchants are required to do self-assessment questionnaires to prove their compliance. But if they suffer data breaches, they must meet Level 1 merchant requirements for a year, meaning they must use an outside qualified security assessor (QSA) to audit their university to ensure compliance, King says.
What Are the Challenges to Achieving PCI DSS Compliance?
Campuses may have several dozen departments taking payments face to face, over the telephone or online, including the bursar’s office, bookstore, food vendors and the athletics department. The big challenge is knowing what every department is doing and whether they’re meeting PCI DSS requirements, King says.
Another challenge is segmenting the network so that payment card traffic is isolated from the rest of campus traffic. Segmentation is not itself a PCI DSS requirement, but it shrinks the cardholder data environment that has to be assessed; the catch is that the controls doing the isolating must be shown to work, and PCI DSS requires penetration testing to verify that segmentation is effective (Requirement 11.3.4).
What Are Some PCI DSS Implementation Best Practices?
Outsource card transaction processing to third-party service providers as much as possible. That results in a smaller footprint that universities have to manage, King says. If service providers are used, campuses must have proof that service providers are PCI DSS–compliant, he adds.
Hire a qualified security assessor. The third-party consultant can analyze the current process, discover gaps and provide a detailed report and roadmap on what a college or university needs to do to fully meet PCI DSS requirements, King says.
An assessor will meet with individual departments that use card transactions, but also focus on the IT department, which manages the network, firewalls and point-of-sale devices. “Eighty percent of the time we’re called by business and finance officials at a university, but 80 percent of the work is shouldered by the IT department,” he says.
IT best practices include segmenting the network through technology such as virtualization and using point-to-point encryption if they are storing card information, he says.
Train employees on security best practices. Wesley Howdyshell, compliance specialist at James Madison University’s University Business Office, shares these best practices as part of his training:
Do not send or accept credit card information over email.
Do not store payment card data in any form for any reason, including account numbers and expiration dates, after the transaction is complete.
Only allow employees who have legitimate business needs to access cardholder information.
Each user needs his or her own User ID with a secure password that is changed regularly.