Experts discuss the biggest PCI vulnerabilities for higher education

Watch out for lack of awareness, rogue payment pages and lack of centralization

Payment solution providers were asked: What is the biggest vulnerability you see when it comes to PCI compliance at colleges and universities?

“The biggest vulnerability is a lack of awareness across a distributed and diverse environment. The Payment Card Industry Data Security Standards cover everything related to processing credit card transactions, including software, hardware, networks and business processes. There have been several high-profile security breaches on campuses across the past several years, and trends indicate this type of malicious activity is increasing. Ongoing education efforts are critical. It’s not just enough to purchase hardware and software that are compliant; it’s maintaining the environment in a secure manner that is the real challenge. Even the best deployed solution can be compromised by an inadvertent opening of a firewall port or sharing of a password.”

—Cheryl Boeckman, vice president, Blackboard Transact

“The existence of the various touchpoints and the trust given to individuals to properly handle data and follow security guidelines always poses a risk for vulnerability. Here at Higher One, we have made it part of an ongoing effort to educate our clients as well as our employees in order to help alleviate those vulnerabilities. We believe PCI compliance is a communal effort and we convey this to our clients. This means everyone handling sensitive information is part of the community who must follow and be educated about PCI guidelines.”

—Bob Willer, vice president of technology and operations, Higher One

“One of the biggest vulnerabilities we see is noncompliant/rogue payment pages and processes set up in departments across campus. Departments are setting up everything from simple PDF forms to full-blown shopping carts to sell goods and services, and they are not secure or compliant. In the worst cases we even see old URLs hacked, which not only puts the institution at risk from a compliance perspective, but could also negatively impact their reputation. Institutions should strive to bring campus commerce activities together under one umbrella, using a secure and compliant campus commerce provider that offers services to meet needs campuswide.”

—Peter Sanderson, managing director, Nelnet Business Solutions

“The big challenge to PCI compliance in higher education is the lack of a unified payment system and centralized visibility of campuswide payment activities. Historically, colleges and universities have adopted a decentralized system structure, but today’s payment security standards require a global campus perspective and a clear understanding of an institution’s total PCI DSS footprint, including people, processes, technologies and services providers.”

—Daniel J. Toughey, executive director, TouchNet Information Systems

