
PCI compliance is a requirement for all merchants who accept card payments, and it requires universities to follow specific security controls to protect cardholder data. While the requirements themselves are straightforward, campuses often struggle to manage the many departments that accept payments in a variety of ways. Without outside help, the scope of PCI compliance for a university can quickly become unwieldy. 

Whether a university is managing compliance completely in-house or enlisting the help of a support team like Arrow Payments, here are some things to consider and 5 PCI compliance mistakes every university should avoid. 

1. Inaccurately Assessing PCI Scope

Colleges and universities often have a complex compliance scope due to the sheer number of departments and payment methods they deal with. Assessing PCI scope means identifying every process, person, technology, and system that stores, processes, or transmits cardholder data. This assessment enables universities to implement the security measures needed to address vulnerabilities where that data actually flows.

Accurately understanding scope presents an opportunity to reduce it by decreasing or eliminating sensitive data touchpoints. However, without an accurate representation of what the current PCI scope encompasses, it becomes difficult to do this, which leads to more money and time spent on maintaining compliance. 

2. Not Fully Understanding the Risks of Non-compliance

While non-compliance with PCI DSS standards can lead to fines, fees, and penalties, it can also lead to data breaches that cost money and can damage a school’s reputation. In worst-case scenarios, schools can lose the ability to accept payment cards. 

Many colleges are classified as Level 3 merchants, with between 20,000 and 1 million card transactions each year. This allows them to certify compliance with a self-assessment questionnaire (SAQ); however, that option evaporates when a data breach happens. When that occurs, a school must meet Level 1 merchant requirements for a year, which call for an outside Qualified Security Assessor (QSA) to audit for compliance. 

3. Focusing Too Much on Compliance and Not Enough on Security

PCI compliance should be about more than checking boxes with PCI-validated technology. It’s a framework for a secure system, and universities that keep security at the forefront of this endeavor are best-positioned to keep payment data safe and students, staff, and faculty protected. 

Leveraging technologies like P2PE, tokenization, firewalls, and antivirus software can help protect payments and systems from the ground up — preventing breaches and using best practices to keep all touchpoints secure. This can also provide peace of mind to students and staff that their information is in good hands. 

4. Not Training Staff Properly

Data breaches can be tied to human error far too often. According to IBM’s Cost of a Data Breach Report 2020, the average cost of a data breach caused by human error stands at $3.33 million. There are many ways that bad actors target unknowing victims (see: phishing scams), and these attacks are much easier to carry out over unsecured networks, through lost devices, and by way of weak passwords.

Maintaining regular cybersecurity training for staff that addresses each of the potential threats above is a solid way to get everyone on the same page and stop cyber attackers in their tracks. 

5. Not Tracking the Card Data Journey

While it may be tedious, it’s important to track cardholder data so you can address PCI compliance gaps and trace back to vulnerabilities if a breach does occur. Organizations should be able to map the journey of card data from the point of capture through every system it travels until it leaves the environment. 

If you’re responsible for managing PCI compliance at your higher education institution, you have a lot on your plate. Reach out and schedule a free consultation to see how Arrow Payments might be able to help.
