
As a higher education institution, you are likely aware of the PCI DSS (Payment Card Industry Data Security Standard). Adherence to its requirements is mandatory for every organization that processes credit card transactions, including every department and campus within a university, and PCI compliance must be certified annually. This is a huge undertaking, especially for universities that lack buy-in or help from the other departments involved.

PCI compliance is complex, especially for universities. In many cases, those tasked with this towering responsibility find that they lack support from the teammates and departments they work hand-in-hand with. Understandably, those departments are often overwhelmed with their own responsibilities, which can leave PCI compliance in the lap of one individual. This is an unfortunate reality for many institutions that are strapped for resources. The good news? There is a way to become and remain compliant even if you are tasked with charting the course yourself, sans help.

Roadmap for PCI DSS compliance

All except extremely large merchants must complete a Self-Assessment Questionnaire (SAQ) and submit an Attestation of Compliance (AOC) annually to certify compliance. The complexity of the SAQ varies with the size of the merchant and with how many, and which types of, transactions are processed each year. This can get hairy for institutions, which often carry multiple Merchant Identification Numbers (MIDs), each of which must adhere to the PCI DSS requirements and certify separately.

There are four levels of PCI compliance: 

  • Level 1: Merchants that process 6 million+ Visa card transactions per year, regardless of processing channel; also, any merchant that Visa determines should qualify as a Level 1 merchant.

  • Level 2: Merchants that process 1 to 6 million Visa transactions per year, regardless of processing channel.

  • Level 3: Merchants that process 20,000 to 1 million Visa ecommerce transactions per year.

  • Level 4: Merchants that process fewer than 20,000 Visa ecommerce transactions per year, as well as merchants that process up to 1 million Visa transactions per year, regardless of processing channel.

It’s important to note that different SAQs may apply depending on how a merchant processes transactions, especially if it handles one specific type of transaction (card-not-present mail order/telephone order (CNP MOTO), card-present POS, etc.) exclusively.

PCI DSS Core Requirements

There are 12 core requirements instituted by PCI DSS, all of which are meant to protect cardholder data that is stored or in transit. 

While these 12 requirements may seem straightforward, institutions should note that there are an additional 251 sub-requirements that must be adhered to in order to properly address threats to cardholder data.

Understanding True PCI DSS Compliance

In general, Level 1 merchants have high processing volumes, requiring a greater effort to secure payment systems and data. As a result, these merchants must complete an on-site review by an internal auditor each year and pass a network scan performed by an approved scanning vendor.

Level 2, 3 and 4 merchants are not required to undergo an on-site review, but they are responsible for keeping their annual SAQ current and for conducting quarterly vulnerability scans through an approved scanning vendor.

Special Considerations for VoIP-Based Payments

As mentioned earlier, different types of payment processing may fall into categories that require additional security. Late last year, supplemental PCI DSS guidance was released (to augment, not replace or supersede, the standard) for protecting telephone-based payment card data.

For higher education institutions that rely on VoIP systems, this is an important consideration: if payment card data travels over VoIP, the systems and network segments that carry it can bring an entire network into PCI scope. The new guidance was an effort to move organizations toward more modern Dual Tone Multi Frequency (DTMF) masking technology in lieu of antiquated pause-and-resume call recording. You can view a more complete list of the tenets of the new guidance here.

You Don’t Have to Chart the Course Alone

While you may be a solo practitioner tasked with PCI compliance, help is available. If the requirements seem daunting, we can help: PCI DSS compliance for higher education is our domain of expertise.

We can help you create a robust payment system architecture, reduce PCI scope and keep payment card data protected. Contact us today to learn more about our PCI-validated P2PE solutions and how partnering with us can streamline PCI compliance.
