Achieving and maintaining PCI compliance in a campus-based environment can be difficult. With multiple merchants, solutions, and devices spread across multiple locations, we often find that each area has implemented whatever payment process best fit its needs at the time, or was the most affordable. Without specific guidance and proper follow-up, it is very unlikely that you will have any consistency.
Every student group and organization on campus wants to accept payment cards for different reasons: selling t-shirts, promoting an event, etc. Large departments like Dining, Foundation, and others that operate as separate entities may or may not follow your processes. As a multi-purpose campus community, you don’t have the luxury of operating like a McDonald’s where they accept payment cards in only one way. However, it is still possible to define a set group of payment options that encompass the majority of situations on campus.
The PCI Team should make it a goal to implement standardized payment offerings. Where possible and appropriate, uniform policies, processes, procedures, training, and technology can offer your departments complete and consistent solutions. Not only will this effort provide simplified transaction processing and minimize confusion, your institution may also experience cost reductions going forward.
You will no longer be duplicating efforts across campus and spending unnecessary funding and valuable resources working to determine how to configure and secure each area’s payment infrastructure. And by banding departments together and working with a smaller number of vendors or third-parties, you will most likely also be able to obtain quantity pricing or reduced rates based on the volume of transactions that will now be occurring.
Standardized processes reduce the complexity of your environment, which in turn reduces your compliance effort and makes it easier to attest to and maintain compliance with the PCI DSS. You can rest easier at night knowing there isn’t that one random merchant putting your organization at risk with questionable processes. The resources needed to implement technical controls, assure security, provide inventory control, create network documentation, etc. will also be greatly reduced.
Okay, sounds great, now how do we actually make this happen? First, research the various types of payment methods that the different areas on campus both want and need. Include the merchants in this process. As much as possible, start to group merchants into categories – these departments only process payments online, these groups just need a good way to process payments at ad-hoc events, and so forth. This will help you determine the different types of solutions that need to be included in your standardized offerings.
Once you have your payment options defined, make the process of becoming a merchant as simple and streamlined as possible. Any merchant that then wants to accept payment cards must follow the defined process. Outline the different methods that are accepted on campus and allow them to select the option that best fits their needs. For example, you might provide the following options:
- A Stand-Alone Dial-up Terminal – provide details for the specific equipment that must be used, estimated charges including costs for dedicated phone lines, installation, monthly fees, processor charges, etc.
- Mobile Payment Terminal – for those merchants that need to accept payments in various locations, a cellular-based terminal may be the right choice. List only those devices that are approved by the PCI Team and adhere to the specific configuration requirements. Make sure the merchant understands the costs for this equipment, additional components needed, cellular service, and other charges as applicable.
- POS Integrated Swipe Device – if possible, mandate that any new POS systems are PCI DSS validated P2PE devices. Define what is required for use of these listed solutions (e.g. devices, software, etc.) and what is required if they opt to use an alternate solution. Before any department issues an RFP for a new POS system, require that they consult with the PCI Team to ensure that standards are met and the appropriate language is included in all service provider contracts.
- E-Commerce – if possible, use a dedicated e-commerce server so that all e-commerce sites are hosted in one location. This will make it much easier for your IT staff to validate that all necessary scans, logging, anti-virus updates, patches, etc. are implemented and managed according to the PCI DSS.
By providing this information to a potential merchant while they are still considering how to accept payments, they can easily evaluate the approved options and determine how best to move forward. And because the PCI Team is involved from the beginning, it can ensure the payment methods being implemented are compliant. Since this initiative will require support from the Executive Level, be sure to include them in the process as well.
Make this information easy for your merchants to find, but be cautious in how you publicize the list of acceptable solutions. There is no need to broadcast the exact solutions you are using to potential attackers eyeing your campus as a target; a simple link on your Intranet that provides basic information about the options and contact information for the PCI Team will suffice. An awareness campaign on campus can help to get the word out and ensure new, potential merchants know where to start.
Stress to your campus community what they must consider when deciding whether to accept payment cards. Ensure everyone has a basic understanding of the PCI DSS, the importance of the security controls, and the direct and indirect costs of card payments. This is where annual training and ongoing awareness come into play. Verify that all users who handle payment card information have participated in training that covers PCI compliance, and that they have reviewed both your overarching payment card policies and procedures and their department-specific guidelines.
Creating a well-educated community with clearly defined procedures and standardized payment processes may seem out of reach. But following the suggestions here will progress your campus toward achieving and maintaining PCI compliance, and help to protect your customers’ cardholder data, your resources, and your reputation.
Some additional guidance from our Security Advisor team below:
[Gokturk]: Developing standard payment offerings will certainly facilitate the compliance process. As you are establishing your standard payment offerings, consider incorporating listed PCI P2PE technologies wherever possible. Using this type of secure solution may be costly at the onset, but in most cases, the use of these technologies reduces the need for IT staff to make any adjustments to the cardholder data environment infrastructure.
Please contact us if you have any questions or would like to discuss how to create more standardized payment processes on your campus.