Higher ed expertise helps university achieve and maintain PCI compliance
When expanding credit card use campuswide, Brown University’s business and financial officials sought the help of information security assessors to achieve Payment Card Industry (PCI) compliance. To meet PCI standards, the Rhode Island institution would need to process and transmit cardholder data securely.
Experts in higher ed
The initial security assessors with whom the Providence-based Ivy League institution worked did not understand how universities function. Enter CampusGuard, a Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV) and certified cybersecurity firm of advisors, testers and managers who have backgrounds in and a deep appreciation of higher ed’s unique culture and complexities.
“CampusGuard’s experience in higher ed and PCI compliance drove us to sign a contract with them,” says Elizabeth Gentry, AVP of Business & Financial Services at Brown. “This knowledge is important when you come to a university campus. It’s like a small city.”
In late 2012, CampusGuard visited Brown to perform a PCI readiness review, which involved creating a road map for how to meet the payment card industry standards. This gap assessment prepared Brown for successfully attesting to PCI compliance.
“Because CampusGuard knew the magnitude of our business, they asked probing questions and identified gaps in places where other assessors wouldn’t know to look,” says Wynette Zuppardi, Senior Director of University Receivables & Commerce.
Adaptable training modules
Maintaining Brown’s PCI compliance year after year includes staff participation in CampusGuard’s annual PCI online training sessions. Schools can choose to implement the firm’s hosted learning management system (LMS) or use modules that integrate into an existing LMS. Brown chose the latter since the university uses its LMS to train over 700 employees and student workers.
“The fact that we haven’t had any breaches or negative financial impacts is our ROI.”
“The fact that we can use these modules with our internal system is important since our employees are already familiar with it,” says Zuppardi.
CampusGuard provides three modules to Brown: one for IT staff, one for executives who receive overview training, and one for employees in each primary merchant department.
Brown’s partnership with CampusGuard has continued after the initial assessment through the Annual Support Program, which provides guidance regarding the intent of PCI Data Security Standard (DSS) controls and advice for remediating any weaknesses identified across the enterprise.
CampusGuard officials also participate in monthly conference calls with the university’s commerce committee to discuss PCI compliance and security. “Their participation is helpful since CampusGuard has a direct relationship with the PCI Security Standards Council, so they can keep us up to date on what’s coming in the near and distant future,” says Zuppardi.
For more information, please visit CampusGuard.com