If you have a Merchant ID and accept payment cards at your institution, you are subject to the Payment Card Industry Data Security Standard (or PCI DSS). When your students make a payment, they are trusting you to protect their payment card information. If your campus were to have a breach, not only would you face significant costs and fines, you could greatly damage your reputation and brand.
Are you attesting your PCI compliance annually? If you aren’t, you probably want to start thinking about it. Many colleges and universities have recently received letters from their acquiring banks requesting an Attestation of Compliance (AOC) to verify they are meeting their PCI requirements. Failure to comply can result in significant fines, or you may even forfeit your ability to accept credit cards.
If you are new to the PCI world, this type of letter can create panic across your organization. Which department is responsible for PCI? What do we do now?
Below are the 5 Steps CampusGuard recommends you take first:
- Confirm Your Merchant Level
Based on the number of transactions you process annually, you are assigned a merchant level that dictates how stringent your compliance program must be. Most colleges and universities are considered Level 3 or 4 merchants – processing fewer than 1 million transactions per year. As a Level 3 or 4 merchant, you are able to complete a Self-Assessment Questionnaire, or SAQ. You may also need to submit quarterly external vulnerability scans.
- Determine What You Need to Submit to Your Bank
Once you have defined your merchant level, you need to determine which SAQ is appropriate for your organization. This will depend on how you are processing, storing or transmitting cardholder data. Do you electronically store cardholder information? Do you take payments online? Do your cashiers take payments over the phone? All of these questions are important and will help you select the appropriate set of requirements. Once you have determined the appropriate SAQ, begin familiarizing yourself with the Standard’s requirements.
- Assess Your Environment
Identify all technology and process vulnerabilities that could pose a risk to your cardholder data. Start by making a list of all merchants handling cardholder information, then gather an inventory of all Point of Sale devices, web applications, servers, networks, etc. that are either involved in processing, storing, or transmitting cardholder information, or that can affect the security of those environments.
- Determine the Flow of Payment Card Data
Research how card data flows across campus – from the point of sale to the end of the transaction. Work with your IT department to create network diagrams detailing this data flow.
- Hire a PCI-Validated QSA (Qualified Security Assessor)
QSAs have intensive training to understand everything about the PCI DSS and data security in general. Partnering with a QSA can help jumpstart your PCI compliance efforts and assist your team in finding the gaps between the present status of your operations and the requirements of the PCI DSS. A QSA can make sure you are properly defining your network and making key scoping decisions, analyze and assess all merchant departments, identify potential vulnerabilities, and help create a comprehensive remediation plan. Utilizing a QSA can seem more expensive, but they will help your institution get compliant quickly, in a way that is cost effective and even improves your underlying business processes. Most banks will also acknowledge that you are taking the appropriate steps towards remediation and extend your deadline for attesting full compliance once they know you have hired a QSA.
PCI is not a simple process; you can’t just check the boxes and move on. Getting compliant can be difficult, but if you take it one element at a time, you will see progress and eventually it will become business as usual. Remember, you’re not only protecting information, but your students, your employees, and your brand. The longer you wait, the longer your campus could be vulnerable.