Located in Portland, Oregon, Reed College is an independent liberal arts and sciences institution known for its high standards of scholarly practice, creative thinking, and engaged citizenship. 1,400 students pursue degrees in forty majors and programs. Here is how CampusGuard helped Reed secure customer card information to comply with the PCI DSS and improve their overall cybersecurity posture.
Achieving information security and compliance with the Payment Card Industry Data Security Standard (PCI DSS) is particularly difficult for colleges and universities because unique aspects of higher education can complicate compliance. Like a small city, Reed has its own dining, residence, healthcare, and campus safety—each with its own data-rich information systems that can be targets for sophisticated intruders.
Reed College accepts credit cards for tuition, bookstore, dining, and many other services. Students, their families, donors, and the community expect their sensitive information to be protected. It was Reed’s College Relations office, with its fundraising and gift collection operations, that provided the initial spark for changing the college’s approach to PCI compliance.
A distinguishing characteristic of higher education is that colleges and universities share information and experiences. Reed College is no exception. “When searching for a company to help us, we did what everyone does, we asked our friends,” explained Marianne Colgrove, Reed’s Interim Chief Information Officer. In her conversation with peers in the information technology community, one CIO shared that “CampusGuard had restored his faith in consultants.” Colgrove contacted the company to discuss Reed’s situation and orchestrated arrangements for embarking on the PCI compliance project.
CampusGuard staffed the project with a Customer Advocate Team comprised of a Security Advisor (QSA) and Customer Relationship Manager (PCIP) who were well-versed in higher education culture, operations, and cybersecurity requirements. Colgrove reached out to campus merchants and fundraisers to document their needs and questions, which, when reviewed with the CampusGuard team, became the core of the project. This team organized an interactive approach to align timelines, maintain a responsive stream of communication, and ensure smooth coordination over the course of the engagement. CampusGuard conducted a thorough assessment of Reed’s card payment processes and controls against the requirements of the PCI DSS, with particular emphasis on the security implications of compliance in their environment.
The gift processing platform in use at that time by College Relations presented issues with managing recurring payments and with the way it handled customer credit card information. Stephanie Faulkner, Associate Director of College Relations Information Systems, said, “We interact with alumni and parents who are excited to support the college. Our ability to talk confidently about how we securely handle their credit card information makes our donors feel much more comfortable and secure when they contribute.”
A major factor in the success of any new program is training and education. For Erica Nukaya, Assistant Controller for Students and Grants, buy-in across campus was going to be critical. People aren’t motivated by compliance, but they are interested in doing the right thing: protecting information and having efficient processes. Providing training on “why” as well as “what” promotes understanding of the bigger picture beyond compliance. “What I appreciated about the process is that the training brought us all together to work towards one goal,” observed Nukaya.
Added Jacqueline Pitter, Chief Information Security Officer, “For me, what CampusGuard brought to the table is making clear the actions and responsibilities that end users have who handle the information – and that training has been accomplished and the entire college community has taken it seriously.”
An added bonus is that a PCI DSS compliance initiative has been valuable for advancing Reed’s overall approach to security and protecting all forms of confidential and sensitive information. What began with CampusGuard helping the college select a Point-to-Point Encryption (P2PE) solution for College Relations led to adoption of this technology for other departments. This was a breakthrough, triggering advances in other areas. “Going through the experience of PCI compliance helped us look at what is needed to be compliant in other areas, specifically GLBA and FERPA,” said Pitter. “Establishing P2PE as our strategy takes major portions of personally identifiable information (PII) out of scope for compliance and enables us to look at our full cybersecurity footprint and give us confidence in what our security level is.”
Results and Going Forward
Reed College has been attesting full compliance with the PCI DSS since engaging CampusGuard. Additionally, the team makes full use of the Annual Support Agreement for annual reviews and reports, for questions about specific requirements issues and the use of different technologies, as well as penetration testing services.
What were the factors in Reed’s success?
First, it was finding a partner who had experience in the higher education environment and was certified as a Qualified Security Assessor Company (QSAC),
Second was establishing and empowering a dedicated team,
A third was listening to campus merchants and establishing a sound, relevant training program, and
Fourth was applying the experience to establish a campus-wide philosophy of protecting all forms of PII. is our ROI.”