Established in 1872, Virginia Tech is a comprehensive public land-grant university classified as research level R1 and participates in intercollegiate sports at the D1 level. With an enrollment of more than 36,000 students and 3,000 instruction and research faculty, the university answers society’s grand challenges, invents technologies and products, and adds to the world’s intellectual capital.
Accepting credit cards for payment of products and services requires connecting to a complex system of issuing banks, card brand networks and credit card processors. Every merchant that accepts credit card payments is responsible for securing cardholder data and must be in compliance with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
Challenge
Compliance with the PCI DSS is particularly difficult for colleges and universities as there are unique aspects of higher education that sometimes compound achievement. Challenges often include the open nature of physical and technical environments, department decentralization, and multiple payment channels. Plus, the Inn at Virginia Tech, which is a full-service hotel and conference center for business meetings, university events, and business and leisure travel, further complicated compliance.
Associate Vice President for Finance and University Controller, Melinda West, when describing the early state of PCI compliance, explains “We knew we handled huge amounts of card information and that we were responsible for securing and protecting sensitive data. Having approached PCI on our own, we understood the financial side very well and could manage contracts with our merchant bank and vendors. When it came down to truly establishing a program however, there was the need for finance and IT to be on the same page. That is where we needed assistance. We needed a partner we could trust to provide us with a solid approach to PCI compliance.”
West began making changes and progress, but was not confident in knowing that the true scope had been defined. She presented a plan to the Vice President for Finance, who understood and supported the compliance initiative. Central to the plan was establishing a relationship with CampusGuard, an established company with deep industry and technical knowledge, had become a trusted partner with many peer institutions.
Approach
CampusGuard staffed the project with a Customer Advocate Team comprised of the Qualified Security Assessor (QSA) and Customer Relationship Manager (CRM) certified as a Payment Card Industry Professional (PCIP). This team worked very closely with West, Joseph Goodman, IT Security and Compliance Manager, VT Outreach and International Affairs, and Becky Ford, Assistant Bursar for Funds Handling and Commerce Operations, to coordinate timelines, resource allocations, and schedules to ensure a successful project.
The engagement was conducted with the following questions in mind:
- Was Virginia Tech’s PCI program structured for the risks of accepting credit cards?
- What was the scope of the cardholder data environment?
- Were technical safeguards and controls in place and effective?
- Was payment acceptance being handled in the most efficient and standardized way?
“With CampusGuard’s help, we developed our policies and security awareness training in addition to implementing the technical controls required to be compliant.”
– Becky Ford, Assistant Bursar for Funds Handling and Commerce Operations
The team found there was a sincere effort for building an effective compliance program and that Virginia Tech personnel were directing their efforts toward that goal. Suggestions were made for a program framework to effectively analyze, interpret, communicate, and manage preparation for a comprehensive PCI DSS assessment. “With CampusGuard’s help, we developed our policies and security awareness training in addition to implementing the technical controls required to be compliant,” explained Ford.
Once the program was established the team moved on to the critical step of interviewing management personnel and examining all processes and technology that were involved with storing, processing, or transmitting credit card information to accurately set the scope the university’s cardholder data environment.
With this preparation, CampusGuard performed a comprehensive assessment which included walkthroughs of campus merchants as well as the data center facility. Additionally, configuration checks were conducted on network devices and servers that were considered in scope for compliance. One critical concern was posed by The Inn at Virginia Tech as it had a valid business need to retain credit card information for billing items to guest rooms. CampusGuard’s team conducted vulnerability scans and penetration tests to ensure risk management and identified vulnerabilities without disrupting operations and to enable rapid compliance with PCI controls.
“CampusGuard delivered a custom report that provided a complete picture of any exploitable vulnerabilities, as well as a clear, actionable remediation strategy to strengthen the Inn’s security posture” said Goodman.
Results
CampusGuard followed the initial assessment with a thorough findings report that highlighted process improvements and remediations needed for validation. The Virginia Tech and CampusGuard team quickly resolved any issues, and as a result attested and has maintained full PCI DSS compliance.
“Our overall experience with CampusGuard has been great. Their team is knowledgeable about PCI DSS and particularly its application in our environment. They truly helped us reduce our business risks and now our program is in a mature state,” explained West. “In our experience having the initial gap analysis and learning from the QSA at that point was beneficial to moving us to compliance. We made some great leaps throughout the process with CampusGuard – documenting our program and scope, establishing standards for expectations of campus merchants, and training programs. Having that experiencehas made us confident in recommending CampusGuard to others.”
Going Forward
Virginia Tech continuously takes advantage of CampusGuard’s Annual Support Program to maintain steady, responsible communication and support throughout the year leading up to annual attestations of compliance. “We have a monthly meeting with CampusGuard and an open line of communication that provides ongoing operational and technical advice on our changing environment and evolving technologies. This proactive approach has resulted in a strong partnership,” said Ford, adding “I feel extremely comfortable in reaching out to our dedicated CRM or QSA at any time to discuss any aspect of PCI on our campus.”
“We made some great leaps throughout the process with CampusGuard- documenting our program and scope, establishing standards for expectations of campus merchants, and training programs. Having that experience has made us confident in recommending CampusGuard to others.”- Melinda West, Associate Vice President for Finance and University Controller
For more information, please visit CampusGuard.com or contact us.
“With CampusGuard’s help, we developed our policies and security awareness training in addition to implementing the technical controls required to be compliant.”
