As you proceed in your PCI compliance journey, you likely maintain a merchant inventory that you update as merchant accounts close, new accounts are opened, and technologies and processes change. This basic step allows you to monitor merchant activities and ensure payment practices remain compliant. However, in a college or university environment, the merchants covered by your bank agreement aren’t the only ones who can potentially damage your reputation.
Student or faculty organizations that begin accepting payment cards for dues, events, or other activities may not fall directly into your PCI scope, but they should be managed in the same way as all other merchants (e.g. required to follow University policies) to avoid having rogue merchants. Common examples include professors setting up websites within university-network domains to sell their research books, or fraternities selling t-shirts to students or conducting fundraising events. While these may seem innocuous enough, a mistake in any of these scenarios could lead to your institution’s name making the headlines in a not-so-flattering light. Even though Greek organizations are separate legal entities and not financially tied to the College, it is still your reputation and brand that can be damaged if fraud occurs or a student’s information is breached at an associated organization.
In a perfect world, student organizations sponsoring activities that involve the acceptance of payment cards would work with the PCI Team to proactively review the proposed payment channel(s) and any third parties involved in the process. With executive support, policy can be written that requires all campus-affiliated organizations to use University-managed or approved solutions.
The primary challenge is that PCI compliance is not always top-of-mind for students and faculty. They are focused on organizing an event and finding a quick and simple method, typically mobile, that allows them to take payments and collect the funds. Some groups may use PayPal or other peer-to-peer payment applications, or set up their own merchant accounts using Square or other mobile swipe devices connected to their personal smartphones. For them, plugging a swipe device into a personal phone gets the job done: the connection is always available, they always have the device with them, and start-up costs are low.
Unfortunately, even though devices like Square promote PCI compliance, the problem with their use lies with the device they are connected to. Most smartphones and tablets are general-use devices and are not locked down, which makes the merchant’s process non-compliant. Students and faculty are browsing the web, checking their Facebook accounts, sending e-mails, and processing payments all on this one unsecured device. If the card swipe fails and they use the app to manually key a cardholder’s payment card number into the phone’s touch screen, any malicious software installed on the phone could put that information at risk.
With nearly two-thirds of millennials sending or receiving money using peer-to-peer payment applications like Venmo and Google Wallet, these apps are clearly here to stay. Unfortunately, there are some unique risks associated with these solutions. The consumer protections against fraud that are fundamental to paying with a traditional credit or debit card do not exist when paying with Venmo or other P2P apps. User agreements state that personal accounts are meant to be used to send money between family and friends, so if you do business with strangers and get scammed, you are likely out of luck. On the other hand, if the individual accepting the payment fails to follow through with the item purchased (i.e. never sends or delivers the t-shirt), there is little to no recourse for the buyer. Disputed charges are only allowed if the entity receiving the payment has gone through the process to become an official Authorized Merchant. Although this is not a PCI compliance challenge, if students are victims of fraud due to a P2P app, it can still reflect poorly on the affiliated organization. Make sure that your PCI Team stays up to date on new technology, understands the risks to the institution, and proactively provides guidance to the campus community as to which options are acceptable for handling payment card data.
Another potential challenge with P2P apps is that, in the past, many fraternities, sororities, and other student groups would physically “pass the hat” during meetings to collect cash in order to avoid spending chapter funds on items prohibited by their house policies. Today, students ask each other to Venmo funds to an individual’s personal bank account in order to pool resources. If that person is a chapter officer and spends the collected funds on alcohol or some other inappropriate or illegal item, the trail of money is now documented and can lead to potential lawsuits down the road.
As an institution, you can prohibit campus merchants from using peer-to-peer payment solutions, or other solutions like Square, that can negatively impact your overall compliance and security. But how do you motivate those organizations or individuals that are not technically part of your PCI compliance program to use more secure, PCI compliant payment processes? Begin with education: include your affiliate organizations in your annual PCI training. Educate them on available solutions and make it easy for them to gravitate towards those approved payment processes. The PCI Team can plan outreach activities to make student and faculty groups aware of the risks of taking payment cards and the consequences that can follow a breach. Your campus policies should prohibit the use of payment processes that are not PCI compliant, but rather than just saying “no, you can’t do that”, be there to provide solutions that allow them to take payments as needed while also allowing you to rest easier at night.
Some additional guidance from the Security Advisor Team below:
[Gilmore]: One of the best ways to help keep an organization’s PCI scope small is by using a validated P2PE solution. If implemented correctly, it can be used in conjunction with a mobile device, even a personal device, and the security of the transaction is not affected. But long before a technical solution is considered to complete these transactions, as the article states, education is key. Stress the importance of maintaining an appropriate level of security around others’ sensitive information. Since this is an institution of higher education, this is the perfect opportunity to expose students, faculty, staff, and the community to this important learning experience. Maybe consider giving non-credit classes on proper credit card and sensitive data