PCI compliance is a requirement for every merchant that accepts payment cards, and it requires universities to follow specific security controls to protect cardholder data. While the compliance requirements themselves are straightforward, campuses often struggle to manage the multitude of departments that accept payments in a variety of ways. Without outside help, the scope of PCI compliance for a university can quickly become unwieldy.
Whether a university is managing compliance completely in-house or enlisting the help of a support team like Arrow Payments, here are some things to consider and 5 PCI compliance mistakes every university should avoid.
1. Inaccurately Assessing PCI Scope
Colleges and universities often have a complex compliance scope due to the sheer number of departments and payment methods they deal with. Assessing PCI scope means identifying every process, person, technology, and system that touches sensitive payment data. This assessment enables universities to implement the security measures needed to address the vulnerabilities it uncovers.
Accurately understanding scope presents an opportunity to reduce it by decreasing or eliminating sensitive data touchpoints. However, without an accurate representation of what the current PCI scope encompasses, it becomes difficult to do this, which leads to more money and time spent on maintaining compliance.
2. Not Fully Understanding the Risks of Non-compliance
While non-compliance with PCI DSS standards can lead to fines, fees, and penalties, it can also lead to data breaches that cost money and can damage a school’s reputation. In worst-case scenarios, schools can lose the ability to accept payment cards.
Many colleges are classified as Level 3 merchants, processing between 20,000 and 1 million transactions each year. This allows them to certify compliance by completing self-assessment questionnaires (SAQs); however, that ability evaporates when a data breach happens. After a breach, a school must meet Level 1 merchant requirements for a year, which calls for an outside qualified security assessor (QSA) to audit for compliance.
3. Focusing Too Much on Compliance and Not Enough on Security
PCI compliance should be about more than checking boxes with PCI-validated technology. It’s a framework for a secure system, and universities that keep security at the forefront of this endeavor are best-positioned to keep payment data safe and students, staff, and faculty protected.
Leveraging technologies like P2PE, tokenization, firewalls, and antivirus software can help protect payments and systems from the ground up, preventing breaches and keeping every touchpoint secure through best practices. This can also give students and staff peace of mind that their information is in good hands.
4. Not Training Staff Properly
Data breaches are tied to human error far too often. According to IBM’s Cost of a Data Breach Report 2020, the average cost of a data breach caused by human error stands at $3.33 million. Bad actors have a slew of ways to target unsuspecting victims, phishing scams among them, and these attacks are much easier to carry out on unsecured networks, via lost devices, and through weak passwords.
Maintaining regular cybersecurity training for staff that addresses each of the potential threats above is a solid way to get everyone on the same page and stop cyber attackers in their tracks.
5. Not Tracking the Card Data Journey
While it may be tedious, it’s important to track cardholder data to address PCI compliance hiccups and to trace back to vulnerabilities in case a breach does occur. Organizations should be able to map the journey of credit card data as it travels throughout the process.
If you’re responsible for managing PCI compliance at your higher education institution, you have a lot on your plate. Reach out and schedule a free consultation to see how Arrow Payments might be able to help.