
PCI DSS compliance is a requirement for every merchant that accepts payment cards, and it obliges universities to follow specific security controls to protect cardholder data. While the requirements themselves are well defined, campuses often struggle to manage the many departments that accept payments in a variety of ways, and the PCI scope of a university can become unwieldy without outside help. 

Whether a university is managing compliance completely in-house or enlisting the help of a support team like Arrow Payments, here are some things to consider and 5 PCI compliance mistakes every university should avoid. 

1. Inaccurately Assessing PCI Scope

Colleges and universities often have a complex compliance scope due to the sheer number of departments and payment methods they deal with. Assessing PCI scope means identifying every process, person, technology, and system that stores, processes, or transmits cardholder data, along with anything connected to those systems that could affect their security. This assessment lets a university put the right security measures in place where the data actually flows, rather than where it is assumed to flow.

Accurately understanding scope also presents an opportunity to reduce it by decreasing or eliminating the points where cardholder data is handled. Without an accurate picture of what the current PCI scope encompasses, that reduction is hard to do, and more money and time go into maintaining compliance across systems that never needed to be in scope. 

2. Not Fully Understanding the Risks of Non-compliance

While non-compliance with PCI DSS can lead to fines, fees, and penalties, it also raises the likelihood of a data breach, which costs money and can damage a school's reputation. In the worst case, a school can lose the ability to accept payment cards at all. 

Many colleges are classified as Level 3 merchants, processing between 20,000 and 1 million e-commerce transactions per year. That level lets them validate compliance with a Self-Assessment Questionnaire (SAQ); the option disappears when a data breach happens. After a breach, the card brands can require the school to meet Level 1 merchant requirements for a year, which means an on-site assessment by an outside Qualified Security Assessor (QSA) rather than a self-assessment. 

3. Focusing Too Much on Compliance and Not Enough on Security

PCI compliance should be about more than checking boxes with PCI-validated technology. The standard is a framework for a secure payment environment, and universities that keep security at the forefront of the effort are best positioned to keep payment data safe and students, staff, and faculty protected. 

Technologies like point-to-point encryption (P2PE), tokenization, firewalls, and antivirus software help protect payments and systems from the ground up, reducing breach risk and keeping every touchpoint secure. P2PE and tokenization in particular keep clear-text card numbers out of the university's own systems, which both lowers risk and shrinks the compliance scope. This can also provide peace of mind to students and staff that their information is in good hands. 

4. Not Training Staff Properly

Data breaches can be tied to human error far too often. According to IBM's Cost of a Data Breach Report 2020, the average cost of a data breach caused by human error stands at $3.33 million. Bad actors have many ways to target unsuspecting victims, phishing being the most common, and those attacks are far easier to carry out against unsecured networks, lost devices, and weak passwords.

Regular cybersecurity training for staff that addresses each of the threats above is a solid way to get everyone on the same page and make these attacks much harder to pull off. 

5. Not Tracking the Card Data Journey

While it may be tedious, it is important to track cardholder data both to resolve PCI compliance hiccups and to trace back to the weak point if a breach does occur. Organizations should be able to map every path card data takes: where it enters, which systems store, process, or transmit it, and where it leaves. 

If you’re responsible for managing PCI compliance at your higher education institution, you have a lot on your plate. Reach out and schedule a free consultation to see how Arrow Payments might be able to help.
