

PCI Compliance for Institutions of Higher Education
It may be a stretch to think of a university or college environment as anything akin to a shopping mall. But just consider all the ways your “shoppers”—either on campus or online—use payment cards and, well, you may quickly realize you have more in common with the Gap and Old Navy than you thought. This is especially true when it comes to your responsibilities for keeping data from all those card payment transactions secure and private. Be advised:
That last bullet is often sufficient incentive for toeing the PCI line. What has taken many educational institutions by surprise, however, is the fact that compliance is required for each merchant ID in their network. Thus the DSS applies to payment card transactions not only at the admissions office, but also at other sites such as:
To assess the risk to your institution of incurring a PCI fee or penalty, we suggest that at minimum, you focus on the following four considerations.
1. How many credit card transactions does your institution generate per year? This includes all the credit cards in toto, not separately, meaning the totals of box office, retail, admissions office, and other offices or programs that work with credit cards all count toward the total. Again, it no longer matters whether the transactions are conducted online or at a physical storefront. It is important to know these numbers because compliance requirements vary depending on what level of transactions is taking place. A Level 1 merchant, for example, processes more than 6 million transactions annually while a Level 4 business processes fewer than 20,000 transactions per year, with each level associated with different compliance strictures.
2. What are the requirements for each merchant ID at your college or university? Some institutions believe that because they are nonprofits they are not required to meet DSS guidelines. Others assume that because they outsource their credit card transactions they are DSS exempt. Neither assumption is correct. If your institution outsources transactions to a service provider, you are responsible for making sure that the provider has met all applicable PCI standards. These third-party entities include database companies, telemarketing firms and any other firms storing cardholder data for you.
3. What is the nature of the data your institution is storing from each credit card transaction? We suggest you make it a practice not to retain sensitive cardholder data, and that you encrypt all sensitive data stored by your institution. Be warned—many older cash registers (“cash” being a bit of a misnomer) keep all the information contained on a consumer’s credit card magnetic stripe, or send it to a local server, which is contrary to PCI standards.
4. Who has access to your data and how do you track it? Knowing where all your data is, who can get to it, and how it is transmitted to various parties is one of the best ways to identify possible security issues. We suggest you do not depend on a “software scan” for this information as there is no software available that can find all the places that PCI data is stored, how it is secured and who has access to it.
One final suggestion. Everyone has seen the chaos, not to mention the negative press, experienced by large merchants who have suffered data breaches in recent months. We strongly recommend that at least all Level 1 institutions have their PCI compliance audited and signed off on by a trusted, independent and objective outside firm to help avoid surprises and the consequences that stem from non-compliance.
For more information:
Is Your University or College at Risk for PCI Compliance?
About the PCI Data Security Standard (PCI DSS)
Compliance Validation Details for Merchants
*************
Berry, Dunn, McNeil & Parker (BDMP) has been serving higher education institutions for more than 30 years. We have a dedicated team of management consulting professionals devoted to staying abreast of a wide spectrum of management and information technology subject matter and best practices, and most importantly we are 100 percent independent and objective as we maintain no partnerships and sell no hardware, software, or management products. We are accountable to the clients we serve, and not third parties.