When it comes to payment card industry (PCI) compliance, the challenges for higher education are well known. Departmental decentralization, independent payment systems across the enterprise, data-rich information systems that are a natural target, overloaded IT staff, and fiscal constraints are all common. In 2013, this was business as usual for The College at Brockport, State University of New York (SUNY) and many other institutions. The importance of protecting credit card information was recognized, but it was not a particular priority for many.
“It wasn’t until we learned that all major credit card companies were involved that we realized no one on our campus was compliant,” explained Teresa Major, Director of Student Accounts for The College at Brockport, SUNY. “When the SUNY System announced a PCI audit shortly thereafter, it made us realize we needed help.”
With eight separate merchants on The College at Brockport, SUNY’s campus, plus four others within Alumni Relations and Student Government, the right solution was needed quickly. The Business Office and the Information Technology offices teamed up to find that solution. They knew that they needed not only to gain and maintain PCI compliance, but also to educate the campus at large.
After much research into possible service providers, the College found that CampusGuard was not only a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), but also the only compliance and information security firm focused on campus-based organizations. On the strength of customer references and prior experience with key players in the organization, The College at Brockport, SUNY chose CampusGuard.
“Their focus on higher education and experience with peer institutions assured us that we would receive advice specific to our environment,” said Major.
In April of 2013, CampusGuard visited The College at Brockport, SUNY to perform a PCI Assessment, which involved creating a roadmap outlining how to meet the PCI standards moving forward. This gap assessment prepared the College to successfully attest to PCI compliance.
CampusGuard also assisted with the College’s Incident Response Plan. A credentialed CampusGuard Security Advisor conducted a tabletop exercise to run through a variety of scenarios, which brought to light some previously invisible gaps in the plan.
To accomplish the final goal of educating the campus community that accepts credit cards, online Security Awareness and PCI training was also provided through CampusGuard.
“Without CampusGuard, we would never have achieved compliance or continue to maintain compliance,” Major admits. “Despite all the scrutiny on PCI, I feel confident we can defend our practices. I think that was evidenced when we were audited and CampusGuard assisted with our response. The head of the SUNY audit said it was the best written audit response in his career.”
In addition, as part of the Annual Support Agreement, CampusGuard’s dedicated Customer Advocate Team, made up of the assigned Customer Relationship Manager and Security Advisor, visits campus annually to hold a live training event and assist with SAQ completion.
“I feel like I’m their only customer in the best possible way,” Major explains. “They are truly colleagues instead of a customer/vendor relationship.”