
As a university, you likely work with a number of third party vendors across campus and departments to keep things running smoothly. When it comes to payments, keeping tabs on these vendors is a necessary but sometimes overwhelming function. Payment partners not only require the oversight you would apply to any vendor, they also call for added consideration of how the university's scope for PCI DSS compliance is affected. The PCI DSS defines that scope as follows:

“the PCI DSS security requirements [that] apply to all system components included in or connected to the cardholder data environment.”

For universities, the cardholder data environment includes a broad range of people, technologies, and processes that work together to store, process, or transmit cardholder data or sensitive authentication data. Vendors are part of this environment, and any vendor that stores, processes, or transmits cardholder data, or that can connect to systems that do, is in scope. In this two-part series, we'll look at the importance of vendor risk management and how to efficiently and effectively manage vendors in order to maintain PCI compliance and protect against breaches.

The Evolution of Technology and its Impact on PCI Scope

PCI compliance is critical for a number of reasons. Not only is it mandated by the card brands and enforced through fines and other measures, it also protects the reputation and bottom line of any entity that accepts payments involving cardholder data. It is the foundation on which universities can build protection against costly data breaches. IBM Security reports that data breaches are becoming more expensive, with the average cost rising 12% over the past five years to $3.92 million. Notably, breaches that originate from third parties (e.g. vendors and suppliers) cost $370,000 more than the average breach.

As mobile and cloud technologies become ubiquitous, systems, infrastructure, and processes have grown ever more interconnected. This has multiplied the number of vendors involved in payments, creating a tangled web of third parties with a hand in payment flows across a university network. Each connection is also another potential entry point for attackers.

This new reality makes it critical to have a vendor risk management strategy in place and to follow the guidance on vendor management published by the PCI Security Standards Council and other governing bodies. That guidance helps universities understand the legal requirements and ramifications of managing risk from vendors and contractors, and clarifies which risks may be contractually passed to a vendor and which remain with the university. It also supports documentation and tracking of how, when, on which networks, and between which parties sensitive data is stored, transmitted, and processed.

The bottom line is that sensitive information must be guarded rigorously and all risks associated with vendors must be accounted for. Without these steps, even the best intentions around PCI compliance can be nullified. In the next part of this series, we’ll outline specific questions to ask your vendors along with a more detailed list of overall best practices for managing vendors. 

Questions About Vendor Risk Management or PCI Compliance?

If you have questions about vendor risk management or PCI compliance today, contact us. We’re happy to discuss your compliance concerns and talk through ideas on how to streamline your university’s payments operations.

Check out part two of our vendor risk management series here.
