
PCI compliance is no easy feat. It’s even more complex for universities that have multiple units responsible for accepting and processing payments. Some institutions turn to third-party service providers (TPSPs) to help manage these units, which may include dining facilities or fundraising campaigns. These TPSPs may have their own merchant accounts to process payments, but many also leverage the university’s computers or networks.

Getting the Scoop on “In-Scope”

What many universities don’t realize is that this sharing of computers and networks may make the university responsible for PCI compliance—even where those vendors are operating under their own merchant accounts. A university may use a TPSP to manage (store, process, transmit) cardholder data on its behalf or to handle the cardholder data environment (CDE), but this does not unburden the university from owning PCI compliance and ensuring that cardholder data and environment are secure.

Unfortunately, many higher ed institutions are not aware of this and believe that using a TPSP effectively transfers the risk and PCI scope to that party. It does not.

Minimizing Risk Across the Board

The good news is that the Third-Party Security Assurance Special Interest Group of the PCI Security Standards Council has provided guidance on best practices for universities to create and implement third-party assurance programs that keep all parties secure and compliant. These due diligence measures can help universities ensure that their risk is minimized and that the data and systems entrusted to TPSPs remain compliant.

In summary, here are the top considerations for merchants who opt to work with TPSPs:

Vetting & Due Diligence

Universities should carefully vet prospective TPSPs, considering their skills, experience, and areas of expertise, and run a risk assessment. Due diligence research may include tasks like consulting with the acquirer, reviewing the participating payment card brands’ listings and websites, and asking the TPSP to submit relevant PCI DSS validation documentation (SAQ, AOC, data flow, etc.).

If the TPSP meets the university’s requirements up to this stage, a risk assessment of the TPSP should be performed. This includes looking at the TPSP’s internal and external auditing processes, whether it performs periodic vulnerability scans, whether the TPSP has ever had a data breach, whether the TPSP uses PCI-validated point-to-point encryption (P2PE), and whether it has policies on the transmission, storage, and processing of sensitive data. This is not a comprehensive list of due diligence and risk factors, but it is a good starting point.

Engagement & Setting Expectations

If the TPSP passes the risk assessment, the next step is to build a responsibility matrix between your university and the TPSP that both parties agree to before proceeding with the engagement. It’s important that the university has a clear understanding of the TPSP’s PCI compliance status and can determine an agreed-upon manner in which the TPSP will sufficiently safeguard the university’s cardholder data. Establishing written agreements, policies, and procedures helps clarify which PCI requirements fall to the university and which the TPSP will need to meet. Both parties should also identify primary points of contact as well as backup points of contact in case of emergencies.

TPSP Monitoring Programs for Continued Engagement

Developing a TPSP monitoring program is essential to ensure that the university is always aware of the TPSP’s PCI compliance status. This is especially helpful for universities that are engaged with TPSPs that offer a range of services; some services may be in scope while others are not. It can be helpful to establish a review results template in order to make sure no checks are missed. Universities should also consider how periodic results will be reviewed internally—and who will be involved in the review process. Finally, it is beneficial to keep these results on file for a three-year rolling period, per the official PCI guidance.

We Cut to the Chase

The Arrow Payments team is made up of PCI compliance experts. We’ve helped universities secure payments across departments and systems using the best hardware, software, and practices. The end result? They have the most secure, efficient, PCI-compliant and cost-effective payments solutions available.

Are you looking for help streamlining and securing your campus’ payments? Reach out to one of our experts today.
