Earlier this year, following multiple reports of card fraud after payment cards were legitimately used at their restaurants, Wendy’s food chain uncovered malicious software on point-of-sale systems at approximately 300 of their locations. Do you have a Wendy’s on your college campus? Were your students or staff affected by this breach? Do you have other similar restaurants in your food court?
Outsourcing dining on campus is a common practice. In fact, 61% of higher education institutions report they have outsourced food services. It makes sense to offer a service with brand recognition, and it is often more economical to bring in an outside vendor that can do the job more efficiently than an in-house team.
However, when it comes to PCI compliance, there are a couple of things to keep in mind. First, is your dining service or restaurant completely separate from your institution (like in the Wendy’s situation above)? Or are they a service provider using one of the Merchant IDs assigned by your acquirer? Your ultimate PCI responsibility will depend on this.
Option 1: The dining service is not a campus merchant and is completely its own entity.
It uses no campus resources, is not connected to campus networks, etc., so their PCI compliance has nothing to do with your institution, right?
In some ways, this is true. The restaurant or dining service is responsible for attesting its own PCI compliance. If it were to experience a data breach, the liability would be theirs. However, it is on your campus, and it is your students eating at their restaurant. If cardholder information is exposed, the headlines may link the breach back to you, and many readers will not take the time to review the full article and see that your organization was not at fault. They will draw their own conclusions and associate your campus with a possible security/privacy concern. You know that saying, “There’s no such thing as bad publicity”? Well, unfortunately, there is. The reputational damage caused when an onsite vendor experiences a breach can still be expensive. When you are negotiating agreements to allow that vendor to set up shop on campus, we recommend that you ask for a copy of their annual Attestation of Compliance, similar to how you would treat a service provider.
Option 2: They are using an institutional merchant ID to accept card payments.
In this case, they would be considered a service provider, and you are responsible for confirming their PCI compliance prior to their deployment and annually thereafter. Your first step will be to ask for an Attestation of Compliance (or AOC). Simple, right? If they quickly provide you with the appropriate documentation and all appears to be complete and in order, you can rest a little easier.
Unfortunately, sometimes getting a vendor to provide their AOC can be a challenge in and of itself. After hounding them for weeks, you then get back what is obviously a “check-the-box” approach, and it doesn’t appear that they used the right Self-Assessment Questionnaire. They have not consulted a certified QSA and are not using an Approved Scanning Vendor to complete their external scans. Major red flags! Before you make any decision to contract with a payments-related vendor, make sure you have the proper documents confirming their compliance status. You do not want to get stuck in a contract with a non-compliant service provider who then makes it impossible for you to achieve or retain your PCI compliance.
The bottom line for PCI compliance is that no matter what your relationship is with third parties on campus, a breach on their systems can lead to questions about your ability to protect sensitive information as well. You may want to consider updating your incident response plan to include not only the procedures for responding to a breach of your campus systems, but also the steps that need to be followed if a vendor with ties to your campus experiences a breach. Be vigilant about monitoring all third-party compliance efforts, and don’t hesitate to reach out to your QSA if you have questions about the vendor’s delivered documentation.
Some additional insights from our Security Advisor Team:
[Henninger] Most major dining service providers are attesting their PCI compliance annually. However, we have often found during our onsite assessments of operations that there is a disconnect: the staff and employees in the trenches are unaware of the PCI DSS and its requirements. We almost always find requirements that are not being met, despite the annual attestation, which opens the door for potential vulnerabilities. CampusGuard recommends that any contract with third parties include statements such as:
- “Service Provider will attest and maintain compliance with the PCI DSS.”
- “The institution reserves the right to review the Service Provider’s compliance with our QSA. Service Provider will remediate any necessary findings.”
- “Should a breach occur in the Service Provider’s environment, the Service Provider will hold the institution harmless.”
Contact us with any questions or if you would like to discuss this topic in more detail.