PCI compliance crackdown
The concept of campus-as-merchant is a hard one to grasp. Sure, there’s the campus store, but the college or university itself?
For those involved in securing credit card data used in higher ed transactions, that merchant status is not only a good-to-know fact, but one that must be acted on. Banks are beginning to exercise greater scrutiny over these activities on campus, so it’s more important than ever that campus officials get a firm hold on, and a clear understanding of, this aspect of their operations.
The tighter focus comes with the latest version of the Payment Card Industry Data Security Standards (PCI DSS), which outline how credit card data is to be handled, stored and kept secure. The regulations must be adhered to by all payment card network members, merchants and service providers—including colleges and universities. The original standards made their debut in 2004.
Over the years, the standards have been refined to reflect not only advances in technology, but the increasingly sophisticated threats to data security. Now in its third incarnation, PCI DSS 3.0 took effect on Jan. 1, 2014, but merchants had until Jan. 1, 2015 to prove compliance.
Historically, higher ed institutions could qualify for a lower level of transaction activity and, in turn, confirm compliance simply by filing a self-assessment questionnaire (SAQ). This was accomplished by treating each department that processes credit card payments as an individual merchant.
Now, banks—under pressure and threat of financial penalty from credit card issuers—are cracking down (or are about to crack down) and will measure colleges and universities based on transactions campuswide. Rule-breakers may be fined or barred from accepting credit cards. That’s why campus officials need to answer five crucial questions regarding PCI compliance.
Q: What merchant level are we—and what should we be?
A: Banks and credit card brands designate merchants as level 1, 2, 3 or 4 based on the annual number of transactions processed, says Ron King, founder and president of CampusGuard, which assists colleges and universities in achieving PCI compliance and other security-related objectives.
Level 1 merchants process 6 million or more Visa, MasterCard or Discover transactions annually (card-present and card-not-present combined); level 2 merchants handle 1 million or more of either transaction type. Level 3 merchants process 20,000 or more card-not-present transactions; level 4 merchants are all others. (American Express also bases its level on transaction counts, but doesn’t distinguish between card-present and card-not-present transactions, and has three rather than four levels.)
Because it’s common for colleges to treat each department involved in processing credit card payments as an individual merchant, the majority of higher ed institutions are designated as level 3 or 4, requiring the least amount of compliance work.
Level 1 merchants must be audited for PCI compliance by an outside, qualified security assessor (QSA). Level 2 merchants must undergo the same extensive audit, done either by a staff security assessor or an outside QSA.
6 PCI compliance best practices
Advice from Ron King of CampusGuard, a PCI consultant, and Mike Cullen of Baker Tilly, a higher ed accounting and advisory firm
- Try outsourcing as much as possible, even though you’ll still need to ensure the third-party service provider is compliant.
- Use the latest encryption technology when it comes to card readers and swipe devices.
- Post information about how to be PCI compliant in centrally located spots in the various departments, much as is done with HR postings about workplace discrimination or codes of conduct.
- Never e-mail credit card information or store credit card numbers in any database or spreadsheet. Truncate all but the last four digits of the card number. Keep all credit card documentation locked. Destroy it when no longer needed.
- Limit access to cardholder information to only those employees with a legitimate need to know. Also, segregate duties so that the person performing reconciliation isn’t involved in processing credit card sales or refunds.
- Encourage a proactive focus on security, rather than just a focus on compliance. A merchant can be compliant but not fully secure.
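The shift the article describes, from per-department merchants to a campus-wide count, is easy to see in numbers. The following is an added illustration (not from the article or from CampusGuard) that applies the Visa/MasterCard/Discover thresholds quoted above, reading "1 million or more of either transaction type" as 1 million of card-present or 1 million of card-not-present; the departments and volumes are constructed sample data.

```python
from dataclasses import dataclass

# Annual thresholds as stated in the article (Visa, MasterCard, Discover).
LEVEL1_TOTAL = 6_000_000   # 6M+ transactions of both kinds combined
LEVEL2_EITHER = 1_000_000  # 1M+ of either card-present or card-not-present
LEVEL3_CNP = 20_000        # 20K+ card-not-present


@dataclass(frozen=True)
class Volume:
    card_present: int
    card_not_present: int

    def __add__(self, other: "Volume") -> "Volume":
        return Volume(self.card_present + other.card_present,
                      self.card_not_present + other.card_not_present)


def merchant_level(v: Volume) -> int:
    """Map an annual transaction volume to merchant level 1-4."""
    if v.card_present + v.card_not_present >= LEVEL1_TOTAL:
        return 1
    if v.card_present >= LEVEL2_EITHER or v.card_not_present >= LEVEL2_EITHER:
        return 2
    if v.card_not_present >= LEVEL3_CNP:
        return 3
    return 4


def per_department_levels(depts: dict) -> dict:
    """The historical view: each department is its own merchant."""
    return {name: merchant_level(v) for name, v in depts.items()}


def campus_wide_level(depts: dict) -> int:
    """The view banks are moving to: one merchant, all volumes summed."""
    return merchant_level(sum(depts.values(), Volume(0, 0)))


# Constructed sample campus: many small merchants, no single one above level 3.
CAMPUS = {
    "bookstore": Volume(card_present=600_000, card_not_present=15_000),
    "dining": Volume(card_present=450_000, card_not_present=0),
    "online_tuition": Volume(card_present=0, card_not_present=180_000),
    "athletics_tickets": Volume(card_present=60_000, card_not_present=19_000),
    "alumni_giving": Volume(card_present=5_000, card_not_present=12_000),
}

if __name__ == "__main__":
    print(per_department_levels(CAMPUS))          # mostly level 4, one level 3
    print("campus-wide:", campus_wide_level(CAMPUS))  # level 2: 1.1M card-present
```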
Q: What impact are the PCI DSS 3.0 standards having on higher ed?
A: King cites two significant changes in the new standards, both pertaining to the use of third-party service providers:
- Many colleges contract with companies to process credit card payments and store the data. Under the new rules, the institution and the vendor share responsibility for compliance, and the vendor must ensure data is protected at all times. This requires that campus administrators closely examine their vendor contracts to ensure vendors will meet their obligations.
- The new self-assessment more clearly defines “wholly outsourced” versus “partially outsourced” in the use of third-party service providers. Previously, these terms were more open to interpretation, enabling many colleges to file a 14-question assessment, known as SAQ A. But tighter regulations may require colleges to answer nearly 10 times the number of questions, using the SAQ A-EP form.
Q: What are some of our biggest compliance risk areas?
A: College campuses typically are large and decentralized, with open networks designed to facilitate knowledge-sharing, says Mike Cullen, senior manager with Baker Tilly, a higher education accounting and advisory firm based in Virginia.
The decentralized environment makes it challenging for institutions because they don’t know where all the credit card data is, what networks the data is going over, where it’s being stored, and which people or departments have taken it and how, he explains. In addition, the open networks that encourage data sharing make it harder to protect that data from a breach.
All of this can make complying with the standard’s goal of limiting the systems and networks that process credit card payments challenging, Cullen says.
Many institutions also still rely heavily on paper records, and continue to store them even after they’ve been scanned. “The PCI DSS 3.0 specifies how data on paper is to be stored and what constitutes a violation,” Cullen says. “So colleges not only have to be in compliance electronically but also in how they handle paper.”
Overloaded IT staffs, data-rich information systems that present an attractive target for intruders, and undocumented campus networks can add to the security risk, King adds.
Alumni fundraising efforts represent another vulnerability. These events are often held off-campus, with donations made by credit cards—and processed in ways that may not be PCI-compliant.
Q: How are institutions addressing risks?
A: One strategy has been centralizing control. For example, Brown University tasked its Commerce Committee with ensuring compliance. The committee consists of representatives from finance, computing, audit and a department that accepts credit card payments, says David Sherry, chief information security officer. This committee is the sole gatekeeper for credit card use campuswide.
“The university accepts cards in over 90 areas, so oversight and an approved body is key to success,” Sherry says. “With this centralized committee, all training, compliance, policies and approvals are in one area, with easier oversight.”
The committee regularly reviews each area accepting credit cards and also holds town hall sessions (for anyone involved in credit card processing and compliance) and mandatory training. The committee guides departments in completing the SAQs.
James Madison University in Virginia also organized a PCI committee, made up of members from finance and IT, says Linda Combs, director of the University Business Office (UBO). It was determined that IT Security would oversee the technical requirements and that the UBO would be responsible for the administrative requirements. Because the committee agreed it needed guidance and expert assistance, it hired a PCI consultant.
Any office or department that accepts credit cards must first obtain approval from the university’s assistant VP for finance, says Combs. Once approved, the requesting department is directed to her office to:
- Set up the merchant account.
- Determine how cards will be accepted.
- Schedule training for all card-handling employees.
- Schedule an inspection of security measures and physical set-up, and get help with the annual SAQ completion.
“To ensure that everyone is compliant, our IT staff regularly searches for system indications of unauthorized credit card processing,” Combs says. Staff also conduct annual training (as required by PCI) and try to have a consultant conduct a general information update session with all their merchant areas about every two years.
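Two of the practices mentioned on this page, truncating stored card numbers to the last four digits and searching systems for signs of card data being handled where it shouldn’t be, can be supported with a simple scanner. The following is an added example, not code from the article or from any of the institutions it describes: it looks for 13- to 19-digit runs, keeps only those that pass the Luhn check (which weeds out order numbers and phone numbers), and reports them already masked so the report itself never contains a full card number. The sample text is constructed and uses well-known test card numbers.

```python
import re
from typing import List, NamedTuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    line_no: int
    masked: str  # only the last four digits survive in the report


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; every real card number satisfies it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Truncate to the last four digits, as the best-practice list advises."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return masked findings for every Luhn-valid card-like number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(line_no, mask(digits)))
    return findings


# Constructed sample: a departmental spreadsheet export with two full PANs,
# one order number that merely looks like a card, and one properly truncated value.
SAMPLE = """donor,amount,card
A. Smith,250,4111 1111 1111 1111
B. Jones,100,5500-0000-0000-0004
order 1234567890123456 shipped
refund ref ************1111 processed
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.masked}")
```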
To reduce the risk of noncompliance, Villanova University in Pennsylvania partnered with a QSA to interpret the standards and determine a course of action, says Lucas Burke, chief information security officer.
Burke served as the coordinator and point of contact between the QSA, IT leadership, the financial affairs office and other campus stakeholders. Officials also committed to thoroughly understanding the requirements, he says.
“Version 3.0 contains 241 individual controls and 399 testing procedures,” Burke says. “Some of those controls can be interpreted or implemented in varying ways. Therefore, each must be considered carefully.”
Officials decided not to just achieve compliance but to “truly enhance the information security of our card-processing environment,” he adds. Among other strategies, the university:
- Reduced its cardholder environment. This involved outsourcing where possible to approved third-party providers. “Where you can’t outsource, implementing point-to-point encryption might be a good idea,” he says.
- Complied as a level 1 merchant. The reasoning is that the stringent requirements would ensure security.
- Established a relationship with their bank’s PCI staff. The bank guides them in applying the standards and suggests alternatives where the rules allow, Burke says.
While outsourcing can be a smart way to help manage PCI compliance, this is hardly an area where administrators can contract with a company and be done with it. “Pay careful attention to your vendors,” Burke advises. “If you’re partnering with someone to store, process or transmit cardholder data for you, you must audit their environment or acquire their Attestation of Compliance.”
Q: Why and how have banks changed the way they’re looking at compliance?
A: If banks aren’t scrutinizing their higher ed merchants at the moment, there’s a strong likelihood they will, say Cullen and King. “So far, banks have focused attention on level 1 and 2 merchants,” says Cullen. “But they’re starting to look at level 3 and 4 merchants now.”
Banks have become more concerned about data breaches and more worried about risk in general, he says. If a merchant’s data is breached, the card provider could fine the bank and then the bank will fine the merchant.
Colleges and universities represent a particular concern for banks because of their unique vulnerabilities, and because the self-assessments don’t offer the level of assurance that banks increasingly want to see. In response, banks are moving to limit their own exposure to risk by “cracking down” on the merchants, he says.
It’s important for institutions to understand that compliance is more than an annual check-off exercise, says King. “Rather, compliance with the data security standards should be viewed as an everyday, business-as-usual practice. Campuses will need to evolve and change as their technology changes and as their risks and threats change.”
Pamela Mills-Senn is a Long Beach, Calif.-based writer.