Does your institution host a DSST Testing Center offering academic testing for students, adult learners or military personnel?
Formerly known as DANTES (Defense Activity for Non-Traditional Education Support), a program that provided academic exams to military members, DSST is now owned and administered by Prometric.
Test takers register for exams on the DSST site. However, it has come to our attention that the $85 exam fee is not charged until the user arrives at the testing center. Using the computers provided within the computer lab at each institution, users are asked to provide a credit card payment to access the exam.
Why are we bringing this up as a PCI concern? Until recently, there were other options for making this payment. Now, users must pay via credit card at the designated computers, which means your institution may be responsible for securing the workstations within the testing center and meeting all PCI requirements for protecting the cardholder data being keyed into those computers. Most likely, these workstations are not currently included in your PCI scope.
When a computer workstation is used for processing payments, it must be secured to only allow access to documented and approved functions and web sites and should be segmented from the rest of the institution’s network. Below are just a few of the controls that must be implemented:
- Network and dataflow diagrams must be up-to-date and kept current
- Documented firewall configuration standards must exist, with all exceptions approved/justified
- Firewalls consistently implemented and configured to restrict all network traffic to and from system components that store, process, or transmit cardholder data from the general network and the outside world
- All vendor defaults changed prior to putting components into production
- A formal vulnerability and patch management program for systems used to process or transmit cardholder data
- A formal change control system, so that all changes to the CDE are justified, reviewed, documented, and approved
- Account policies consistent with the Requirements in the PCI DSS
- Audit log data collected, reviewed, and retained in accordance with the PCI DSS
- Vulnerability scans and penetration tests performed on all systems requiring these tests
- File-integrity monitoring on all system components used to process or transmit cardholder data
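To make the scoping point above concrete, here is an added example (not part of the original post, and not a Prometric or PCI SSC tool) that walks a constructed network inventory outward from the workstations where card data is keyed in, treating every system reachable over a link that no segmentation control cuts as in scope. The system names, zones and links are made up to mirror a testing-center lab sitting on a flat campus network.

```python
from collections import deque

# Constructed inventory for the scenario in the post: name -> (keys in card data?, zone)
SYSTEMS = {
    "testlab-ws-01": (True, "testing-lab"),     # DSST exam fee keyed in here
    "testlab-ws-02": (True, "testing-lab"),
    "testlab-printer": (False, "testing-lab"),
    "library-ws-07": (False, "campus-lan"),
    "student-info-db": (False, "campus-lan"),
    "admin-file-server": (False, "campus-lan"),
}

# Constructed links: pairs of systems that can exchange traffic today.
LINKS = [
    ("testlab-ws-01", "testlab-printer"),
    ("testlab-ws-02", "testlab-printer"),
    ("testlab-printer", "library-ws-07"),  # flat network: lab reaches campus LAN
    ("library-ws-07", "student-info-db"),
    ("student-info-db", "admin-file-server"),
]

def pci_scope(systems, links, segmented_zones=frozenset()):
    """Return the set of systems an assessor would treat as in scope.

    Systems that handle cardholder data form the CDE. Any system that can
    reach the CDE over a link not cut by a segmentation control is
    "connected-to" and in scope as well. A cross-zone link counts as cut
    when either of its zones is listed in `segmented_zones`.
    """
    zone = {name: z for name, (_, z) in systems.items()}
    adj = {name: set() for name in systems}
    for a, b in links:
        crosses = zone[a] != zone[b]
        if crosses and (zone[a] in segmented_zones or zone[b] in segmented_zones):
            continue  # firewall at the zone boundary blocks this path
        adj[a].add(b)
        adj[b].add(a)
    queue = deque(name for name, (handles_chd, _) in systems.items() if handles_chd)
    scope = set(queue)
    while queue:  # breadth-first walk outward from the CDE
        for nxt in adj[queue.popleft()]:
            if nxt not in scope:
                scope.add(nxt)
                queue.append(nxt)
    return scope

if __name__ == "__main__":
    print("flat network in scope:", sorted(pci_scope(SYSTEMS, LINKS)))
    print("lab segmented, in scope:", sorted(pci_scope(SYSTEMS, LINKS, {"testing-lab"})))
```

On the flat network every listed system lands in scope; placing a firewall at the testing-lab boundary shrinks scope to the three lab devices, which is the difference between auditing a computer lab and auditing the campus.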
Whether the resources and costs necessary to implement these security controls within your testing center should be the responsibility of your institution or the DSST program is up for debate. However, as it currently stands, without further contractual language and clarity from Prometric, your institution is most likely responsible and would be held liable in the event that a test taker’s cardholder information was breached due to a lack of PCI-specific controls within the testing center.
As a side note, institutions can dictate whether and how much to charge in administrative fees, so if you are collecting these fees, you will want to ensure they are being collected in a PCI-compliant manner.
Some additional guidance from the Security Advisor team is below:
[Ko]: With over 1,200 institutions worldwide delivering DSST exams to their student communities, this is not a small isolated problem. This issue brings up the same goosebump-making, shiver-inducing feeling as the GoArmyEd credit-card-laden emails (sorry if that’s stirred up bad memories). This change in process may have been made without fully accounting for the information security and PCI compliance ramifications. Your first step should be to review your contract with Prometric detailing what your testing center’s responsibilities are. Without clarity in the contract, it can get muddy. Since it’s Prometric’s merchant ID, if your testing center is responsible for your portion of the PCI compliance of the transactions, you could technically be considered a PCI service provider.
If you’re unsure whether your institution’s testing center offers the DSST exams, go to http://getcollegecredit.com/testcenters to find out.