During our onsite PCI assessments, our Security Advisors are often asked if they need to visit the various third-party businesses located on campus – auxiliary services like dining that are outsourced to Chartwells or Aramark, or the campus bookstore that is operated by Barnes and Noble. While these may not be as critical to the assessment as the primary merchants, we do still recommend including these areas in the review.
Along with your campus departments that are processing credit card payments using a merchant ID issued by your acquirer, it is important for your PCI program to incorporate oversight of the compliance efforts of all campus affiliates. Any affiliates that operate on campus and potentially use school resources to process payments should be included. Although these merchants are not using a campus-owned merchant ID, you do still have responsibilities for overseeing and monitoring their PCI compliance.
Any deficiencies in PCI compliance by these affiliates that are not addressed can expose the campus to unnecessary risks should a breach occur, especially if it is determined that the campus shares any responsibility for the incident. A breach at a campus affiliate will most likely reflect negatively on the perception of the main campus. The headlines will not read that there was a breach of a dining services organization, but rather that student information from _______ University was breached.
Third parties have two options to validate compliance. The first option, and what we most commonly see, is that they can undergo an annual PCI DSS assessment on their own and provide evidence of their compliance. You will want to request their Attestation of Compliance, or AoC. If they are not able to produce this attestation annually, you should have the option to reject or terminate the contract.
If they are not assessing internally, you also have the option to include them as part of your annual assessment and treat them as one of your merchants to review their procedures and verify compliance. PCI DSS language should also always be included as part of the overall contract agreement and define all responsibilities as they relate to PCI requirements (i.e. who is responsible for ongoing device inspections, who provides staff training, who is liable in the event of a breach, etc.).
One other gotcha to be on the lookout for – if payment card transactions at these affiliates are completed either by using the campus network to transfer payment card data or by deploying systems within the existing IT infrastructure or using campus-owned workstations, this may place the campus in a service provider role. Verify your campus affiliates are utilizing their own computers and devices and providing their own network resources, or that you are only acting in an Internet Service Provider (ISP) role, and not providing full services to these third parties. You should also verify that they have their own employees and are not using university staff members.
Outside of PCI, it is also important to define responsibilities of all third parties accessing other types of sensitive information (PII, PHI, student records, etc.). A recent Ponemon Institute study revealed that 61% of companies experienced a data breach caused by a vendor or third-party in 2018.
In fact, in 2018, 10% of all healthcare data breaches were directly reported by business associates of HIPAA covered entities, with another 20% of breaches having some business associate involvement. One of the first healthcare breaches of 2019, impacting more than 30,000 patients of Managed Health Services of Indiana, was due to unauthorized access to employee accounts (phishing) at a third-party affiliate.
While you may not be directly liable for a breach that occurs at an affiliated organization, you will still experience the impact. If you aren’t maintaining a comprehensive list of all third parties and affiliates who are accessing sensitive data, you aren’t alone (Ponemon’s study revealed only 34% of organizations are doing so). However, it is critical that you make this a priority. Establish an oversight program that documents their access and how data is handled, and that tracks contract agreements, compliance documentation, etc. on an ongoing basis.
If you have questions regarding how your affiliate organizations are managed on campus, please reach out to us.
Some additional guidance from the CampusGuard Security Advisor team:
[Gilmore]: Contracts for tenants that do business on campus should always include standard language that states the business will remain PCI compliant. The standard language should also include that they will provide an attestation of that compliance annually. CampusGuard discovers on a regular basis that some contracts are not reviewed from year to year; they are just renewed with the same terms, and sometimes the original contract is many years old with no updates. As security needs change, so should the way businesses operate, and those changes should be reflected after a contract review.
Services offered to the affiliates such as a network connection, maintenance of workstations or servers, employees, or training of any sort can be considered a part of the security given to that business. The school may have to make some kind of attestation on behalf of that affiliate for any of the data security standards they may have to meet. As the article suggests, it may be best that the business provides as many of these services as it can for itself. Keep in mind, though, that a program to monitor the affiliates will certainly help reduce the risk of any data loss, keeping you and your business partners out of the news.