

Is Your University or College at Risk for PCI Compliance?
By Eigen Heald
The Payment Card Industry (PCI) Data Security Standard (DSS) has taken many educational institutions by surprise. If your college or university accepts payment cards on campus or online, you must comply with this standard, which is designed for the safe handling of sensitive consumer information.
Here are some tips for assessing your institution's risk under the DSS:
Know Your Total Transactions:
How many credit card transactions does your institution generate per year? Count all card brands together, not separately: Visa, MasterCard, Discover, American Express, and Diners Club. It no longer matters whether the transactions are online or at a physical storefront. Make sure you can identify the different banking relationships that support the different cards.
Merchant Level* | Description
1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
2 | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
3 | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
Know the Requirements:
Some institutions believe that because they are nonprofits they are not required to meet DSS requirements. Other businesses believe that because they outsource their credit card transactions, the requirements do not apply to them. Neither of these statements is true. Any organization that uses credit card transactions is responsible for meeting the standards. If your business or institution outsources transactions to a service provider, you must make sure that the provider has met the PCI standards. These standards apply to all entities processing or storing credit card numbers, whether primarily Web-based or not. This includes database companies, telemarketing firms, or any other firm that may be storing cardholder data for you.
The compliance requirements vary depending on the level of transactions taking place.
Compliance validation basics
In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants.
Level | Validation Action | Validated By | Due Date
1 | Annual On-site PCI Data Security Assessment and Quarterly Network Scan | Qualified Security Assessor (or Internal Audit if signed by an Officer of the company); Approved Scanning Vendor | 9/30/04
2 | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Approved Scanning Vendor | New level 2 merchants:
3 | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan | Merchant; Approved Scanning Vendor | 6/30/05
4* | Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan (if applicable) | Merchant; Approved Scanning Vendor | Validation requirements and dates are determined by the merchant's acquirer
* The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.
(Tables taken from: http://usa.visa.com/merchants/risk_management/cisp_merchants.html?it=l2|/business/accepting_visa/ops_risk_management/cisp.html|Merchants)
Know Your Data:
Determine exactly what your institution is storing from each credit card transaction. Make it a practice not to retain sensitive cardholder data, and encrypt all sensitive data stored on your institution's systems. Many older registers keep all the information from the credit card's magnetic stripe, or send it all to a local server, which is contrary to PCI standards. Department store TJ Maxx was storing all the data from the credit cards. When it was discovered that their security had been breached, the resulting fines and costs ran well into the millions of dollars. If they had stored only the required numbers, the thieves would not have been able to use the information, and the reputational and financial damage to TJ Maxx could have been avoided.
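As an added illustration (not code from the original article), the Python routine below reduces a swiped magnetic-stripe Track 2 record to the fields a merchant may keep after authorization, discarding the full PAN and the discretionary data that older registers tend to store; the sample swipe is constructed for this example and uses a well-known test card number.

```python
import re

# Constructed sample Track 2 string using the public Visa test PAN 4111111111111111.
# Layout: ;PAN=YYMM<service code><discretionary data>?
# The discretionary data carries the card verification value, which PCI DSS
# forbids storing after authorization; the full PAN must be masked or encrypted.
SAMPLE_TRACK2 = ";4111111111111111=29121011234567890123?"

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the common PCI DSS display mask)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def retention_record(track2: str) -> dict:
    """Reduce a Track 2 swipe to the fields that may be retained after authorization.

    The service code and discretionary data (including the CVV-equivalent) are
    dropped entirely, and the PAN is masked before anything is written to storage.
    """
    m = TRACK2_RE.match(track2)
    if not m or not luhn_ok(m.group("pan")):
        raise ValueError("not a well-formed Track 2 record")
    return {"masked_pan": mask_pan(m.group("pan")), "expiry": m.group("exp")}


if __name__ == "__main__":
    print(retention_record(SAMPLE_TRACK2))
```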
Know Where Your Data Is:
Tracking where all the data is, who has access to it, and how it is transmitted to various parties is one of the best ways to identify security issues. Organizations that "run a software scan" to determine compliance are missing the point. There is no software that can find all the places that PCI data is stored, how it is secured, and who has access to it. This can sometimes be a time-intensive search, but it is well worth the investment to secure your data.
Berry, Dunn, McNeil & Parker (BDMP) has been serving higher education institutions for over 30 years. We have a dedicated team of management consulting professionals devoted to staying abreast of a wide spectrum of management and information technology subject matter and best practices, and most importantly we are 100% independent and objective as we maintain no partnerships and sell no hardware, software, or management products. We are accountable to the clients we serve, and not third parties.