While complying with the Payment Card Industry Data Security Standard (PCI DSS) can be a challenge for any organization, there are specific hurdles to compliance for higher education.
For those not familiar with the standards, PCI DSS is a set of mandatory requirements designed to ensure companies that accept, process, store, or transmit credit card information maintain a secure environment for that information.
The latest update to PCI DSS, version 3.2, adds requirements to strengthen encryption and ensure multi-factor authentication (MFA) is used for all administrative access and remote access to cardholder data. The update is designed to address changes in technology and threats to credit card data. It takes effect February 1, 2018.
PCI Compliance Hurdles for Higher Education
Higher education is unique when it comes to credit card security. If we compare higher education to the foodservice industry, for example, we see that each foodservice chain has only one credit card processing type for its locations.
By contrast, each college or university location, whether the athletics department, dining hall, library, or bookstore, takes credit card payments through a number of different transaction types. Each additional transaction type widens the cardholder data environment, so this diversity sharply increases the complexity of PCI DSS compliance.
In addition, colleges and universities stress open networks to encourage the exchange of ideas. Therefore, usability and the ability to collaborate are often prioritized over security. These institutions often chafe under the restrictions required to comply with PCI DSS.
To further complicate matters, higher education institutions are data-rich environments for attackers. The information systems are chock full of valuable information, but they often lack the staff resources and budgets to ensure their security. And their students are attractive targets for hackers because they tend to have poor data security habits.
According to a report by the Digital Citizens Alliance, close to 14 million email addresses and passwords of faculty, staff, students, and alumni were bought and sold on the dark web over an eight-year period.
The responsibility for university security is usually decentralized. Because PCI DSS compliance is mandated through the merchant agreement with the bank, the business unit usually has responsibility for credit card security. However, the IT department is responsible for endpoint and network security. When responsibility is divided, no one is directly responsible and little tends to actually get done.
To comply with PCI DSS, cooperation is needed between IT departments and business offices in higher education institutions. First of all, the business office needs to take responsibility for credit card security and open communication channels with IT.
Having a common vocabulary is crucial for effective communication. If the business office doesn’t understand what IT is trying to say, they should ask questions. Otherwise, both sides lose when poor communication leads to a data breach.
PCI DSS Compliance Best Practices
With all of these complications, PCI DSS compliance can be challenging for higher education institutions. However, this EdTech article outlines PCI DSS best practices that colleges and universities can follow to get on the right track.
First, colleges and universities should consider outsourcing credit card processing to a third party, while verifying that the third party is PCI DSS compliant.
Second, think about hiring a qualified security assessor who can guide your institution through the steps for compliance. The assessor analyzes current processes, uncovers security gaps, and provides a report and roadmap for PCI compliance.
Third, your institution should train employees in credit card security best practices, such as not sending or accepting credit card data using email, not storing card data in any form for any reason, only allowing authorized employees to access cardholder data, and requiring each user to have a unique user ID with a secure password that is changed regularly.
Technology can help, too. As we've seen from the PCI DSS updates, MFA can be used to secure access to payment systems and make it easier to control and audit access to the systems, applications, folders, and network resources that house credit card information. MFA also adds a layer of protection against compromised user accounts, which could end up saving your institution's reputation. In addition, strong encryption is essential for credit card data security.
Higher education faces some unique challenges for PCI DSS compliance. The solution for colleges and universities is a combination of security best practices and technology, such as MFA and strong encryption.