The University of Oregon is a Tier 1 public research institution committed to exceptional teaching, discovery, and science. The university is classified as “very high research activity” or R1, and participates in inter-collegiate sports in the PAC 12. Located in Eugene, Oregon one hour from the Pacific coast and one hour from the Cascade Mountains. The university has an enrollment of 29,000 students and 2,100 teaching and research faculty. It encompasses the humanities and arts, the natural and social sciences, and the professions.
Like many universities who were initially assessing compliance with the PCI DSS “We didn’t know what we didn’t know,” stated Mark McCulloch, Director of Information Systems in the Office of Business Affairs. “We had a minor breach of card data and didn’t like maintaining a self-assessment tool on our own. Also, we couldn’t really come into compliance in some of our parking areas, and needed the backing of a Qualified Security Assessor (QSA) firm to add clarity regarding inherent risks and advise campus merchants what to fix.”
José Domínguez, Director of Security Services and Information Assurance and McCulloch were concerned about the third party relationships departments were getting themselves into. “Issues like what payment gateways were being considered, nested service providers, and more important – whether those providers themselves are compliant were major risk issues,” explained McCulloch.
Partnering with CampusGuard
Deciding that they needed assistance to ensure compliance while also understanding and mitigating the risks of accepting credit cards on campus, the university issued a RFP for QSA services. “CampusGuard was selected because of its breadth of experience and commitment within the higher education community”, explained McCulloch. ”Also important was a comprehensive portal to maintain related documentation and attestation documents, that is specifically designed for colleges and universities. Finally, we wanted help with the entire spectrum of services required to attain and maintain compliance, including vetting service providers for compliance, a merchant self-assessment portal, consulting hours, and quarterly vulnerability scanning. We liked CampusGuard’s proposal the best.”
CampusGuard staffed the project with a Customer Advocate Team comprised of the Qualified Security Assessor (QSA) and Customer Relationship Manager (CRM) certified as a Payment Card Industry Professional (PCIP). This team organized an interactive approach to align timelines, maintain a responsive stream of communication, and ensure smooth coordination with the university’s team over the course of the initial assessment and throughout the entire project. CampusGuard’s QSA conducted a thorough gap assessment of the university’s card payments processes and controls against the requirements of the PCI DSS, with the particular emphasis on the security implications of compliance in the university environment. The initial assessment included several merchant areas, including tuition payments, parking, dining, and athletics with a presentation to the university vice presidents.
“Merchant departments that were high risk made good use of the recommendations that were offered. And are at considerably low risk now,” explained Domínguez.
“In the very near future the PCI DSS may radically change with the anticipated release of version 4.0, and we know that CampusGuard will be there to provide sound advice and direction.” – Mark McCulloch, Director of Information Systems in the Office of Business Affairs
Domínguez and his IT staff were involved from the beginning with CampusGuard. CampusGuard performed network segmentation penetration tests. “We made good use of all the recommendations that were offered at the time when building our network. We always wanted to make sure we built our network infrastructure in a way that we could provide a clear understanding of where the internal transactions were happening. We were separating anything that was a financial transaction behind a firewall. It just makes our lives a lot easier knowing that this is where all the financial transactions reside and the cardholder data is secure.”
“What we got from CampusGuard was a partner to help us understand what we really needed to do. At the time things seemed really complex, but after conversations with them we really got it,” explained Domínguez.
An external information security audit of the university’s PCI compliance program recommended that the university verify the compliance status of a few merchants each year.‘Trust but verify’ the checking of boxes on self-assessments. A team composed of CampusGuard’s QSA, the university internal auditor, McCulloch and Domínguez interviewed a few merchants this year to make sure they were compliant. The interviews were informative and identified a few things for the merchants to work on.
“What we got from CampusGuard was a partner to help us understand what we really needed to do. At the time, things seemed really complex, but after conversations with them, we really got it.”
– José Domínguez, Director of Security Services and Information Assurance
External, third-party service providers are a critical component of compliance. “They (CampusGuard) know higher education and the higher education service providers,” said McCulloch. “If we need a solution, it’s not that they can just help me certify the contractor, they can also say ‘hey look at these vendors’ because they’re familiar with them.”
The university has an annual support agreement that includes consulting hours that we have used to help vet service providers, review merchant compliance status each year), and for employee training. The agreement also includes vulnerability scanning and the use of the CampusGuard Central® portal for merchants’ self-assessment.
“Whenever there’s a new release of the PCI DSS and the requirements change – that’s an important reason and milestone to consult with CampusGuard. We take full advantage of their annual support and rely on their team to tell us what we need to change,” explained McCulloch. “And in the very near future the PCI DSS may radically change with the anticipated release version 4.0, and we know that CampusGuard will be there to provide sound advice and direction.”
“CampusGuard was selected because of its breadth of experience and commitment within the higher education community.”