Founded in 1878, Mississippi State University for Agriculture and Applied Science, commonly known as Mississippi State University, is a public land-grant research university located in Starkville, Mississippi. Mississippi State is a comprehensive, doctoral degree-granting institution with a nationally and internationally diverse student body of 23,000. The University is a world-class, R1 research institution and a Division I participant in intercollegiate athletics.
Like many universities at the time the major card brands began mandating the PCI DSS, Mississippi State depended on a payment application developed in-house that lacked the controls needed to counter growing security threats. There were also no central credit card payment policies in place, and reconciliation was a recurring challenge. “We didn’t know what we didn’t know,” said Kevin Edelblute, Associate VP for Finance. “The more we learned, the more we saw how deep and wide PCI goes, and the more we understood we were not compliant. We needed to take the necessary steps to attest compliance but also develop a better understanding of the broader PCI landscape.”
One of the biggest challenges, according to Edelblute, was that, “without coordinated policies, departments could go out and find payment solutions that were completely online. They could contract via a click. And all of a sudden the university was taking credit cards through an unknown third-party provider. Policy states that any initiative involving credit/debit card processing must receive approval from the PCI Council. We try to communicate these guidelines, but there’s always somebody that manages to bypass the Council.”
CampusGuard, a Qualified Security Assessor (QSA) firm, specializes in ongoing support and remediation services that bring university clients into PCI DSS compliance and keep them there. We apply our skills effectively in the university environment because we know it is markedly different from that of more traditional merchants.
Edelblute contacted the company to discuss the university’s situation and its goal of improving how it secured and protected cardholder data.
Colleges and universities resemble cities, with many diverse venues accepting cards for payment; what distinguishes them is the need for collaboration between administration, business units and information technology. Meredith Jackson, the recently retired Director of Enterprise Information Systems (EIS), teamed with Edelblute to lead the university’s work with CampusGuard to mitigate and eliminate vulnerabilities and risks in the cardholder data environment. CampusGuard staffed the project with a Customer Advocate Team made up of a Qualified Security Assessor (QSA) and a Customer Relationship Manager (CRM) certified as a Payment Card Industry Professional (PCIP).
This team set up an interactive approach to align timelines, maintain a responsive stream of communication and ensure smooth coordination with the university’s team over the course of the initial assessment and the entire project. A thorough assessment of the university’s card payment processes and controls was conducted against the requirements of the PCI DSS, with particular emphasis on the security implications of compliance in the university environment.
“We knew that our environment was not sustainable for ensuring the security of payment cardholder data,” explained Jackson. “The CampusGuard team started us down the path of sound policy, training, pen testing and scans.” “One of our concerns was about current third-party vendors, and not understanding where they might or might not be compliant,” added Jackson.
“CampusGuard’s team had direct, relevant experience with all of the major third-party vendors in higher education and helped us (and them) develop a secure, compliant environment.” – Meredith Jackson, recently retired Director of Enterprise Information Systems
After conducting on-campus interviews and reviewing relevant documentation, CampusGuard delivered a comprehensive and actionable findings report. The first section identified the greatest risks to the institution and where initial remediation efforts should be focused. A second section detailed risks found across multiple or all departments, and a third provided a breakdown for each department so that a more focused approach could be applied where necessary. After the initial assessment, Mississippi State engaged CampusGuard to provide expertise and support throughout the entire compliance cycle.
“CampusGuard’s assessment allowed us to define a plan for the future which enabled us to rollout a secure environment to all of our business units and develop the appropriate policies to support those efforts,” said
“Working with CampusGuard provided a great opportunity for Information Technology Services and the Controller’s office to work together for the good of the entire university,” explained Jackson. She continued, “We have really locked down our card environment. Where we were maybe once vulnerable, we have established a PCI Council where business units come for advice on vetting new equipment and processes.”