If your institution processes, stores, or transmits card payments anywhere on campus, then you must conform to data security and compliance standards set by the Payment Cards Industry (PCI) Security Standards Council. The council was founded by card brands to work with stakeholders in payment processing to develop and implement security and compliance regulations.
Compliance with PCI standards is a substantial ongoing project for even the smallest organization. For higher education, where institutions have the size and complexity of an entire city, PCI compliance can be a formidable challenge. Managing and achieving compliance is made easier by creating a durable foundation that supports the people, processes, policies, and technology involved in payment processing.
Preparing for the Foundation
Before making card payment data secure and compliant with PCI standards, you must identify everywhere on campus that cardholder data might be processed, stored, or transmitted. Defining all areas on campus involved in processing payments—as well as their payment methods, channels, and locations—is called your Cardholder Data Environment (CDE). Knowing your CDE will help to build out your institution’s payments footprint and identify where PCI data security standards may apply. It includes not only the business office but the alumni association, student clubs, academic departments, campus food and retail shops, one time events, and more.
Building the Foundation
Successful PCI programs start with well-made fundamentals. Below are steps to begin building the strong foundation of a compliance and security program, a foundation that inspires credibility, ensures efficient and operationally sound processes, and enables understanding of why changes impact compliance and to what degree.
1. Implement Fully Certified Technology
- Choose the Right Payment Platform: Compliance begins with using payment processing technology that is fully certified. Choose a payment platform that is entirely PCI compliant and Europay-MasterCard-Visa (EMV) certified, but also provides your campus with the flexibility and scalability to support multiple payment methods, channels, and locations.
- Centralize Control and Management: Manage users, reporting, and compliance through your single payment platform. The more merchants you have processing payments through one centralized platform, the smaller your PCI footprint. This means less time auditing and reviewing payment applications, payment terminals, and vendor relationships, and ultimately less paperwork for you.
- Support a Link-Out Payment Strategy: Your third party campus partners should be able to link into your centralized, PCI-compliant payment platform to enable their acceptance of payments. This functionality reduces PCI scope for campus partners and the institution.
- Use Secure Protocols for Transmitting Payment Card Data: Ensure data integrity and reliability by employing up-to-date encryption protocols for payment data transfers, such as Transport Layer Security (TLS). The PCI Council offers guidance on this and related topics.
- Reduce Fraud at the Point of Sale: EMV-compliant devices greatly reduce the likelihood of card fraud by making it difficult to duplicate cards physically. Another benefit is the ability to accept contactless payments through EMV-enabled Point-of-sale (POS) terminals and smartphone eWallets. But EMV alone is not enough to protect all cardholder information. Point-to-point encryption (P2PE) is also needed to protect data in motion and the PCI Council has published standards on this topic.
2. Choose the Right Processing Partner
- Strategically Choose Your Acquirer: It’s important to view your Merchant Services Acquirer (MSA) as a strategic choice of a processing service rather than as a choice of the lowest cost vendor available. Your MSA should work alongside you to support PCI on your campus and be a resource.
3. Organize Your Merchant Structure
- Limit Your Cardholder Data Environment (CDE): Each unique combination of merchant, payment channel, and service provider connectivity within the CDE could impact your campus’s compliance. Campus merchants come and go for special events or activities, so it’s important to recognize these temporary merchants. CDE documentation should clearly identify short-term payment points and be readily available if your compliance is questioned or an incident occurs.
- Manage Your Merchant Identification Numbers (MIDs): All merchants must report their PCI compliance annually. Ask your MSA to help you organize the number of campus MIDs for which you report compliance, further reducing your overall PCI paperwork requirements.
- Take Advantage of Incentive Programs: Your MSA can recommend incentive programs for adopting payment technologies, such as EMV and certified P2PE, that can eliminate the requirement to submit some SAQs entirely as well as update and improve your security.
Becoming compliant with PCI standards, and maintaining that status, is a continual process. But the work of compliance is made easier when you start with a strong foundation that can accommodate advances in payment methods, channels, locations, and security standards. As the payments industry evolves, your PCI fundamentals will support changes to the payments process, safeguard your institution, students, and customers, and reduce PCI scope.