
As a university, you likely work with a number of third-party vendors across campus and departments to keep things running smoothly. When it comes to payments, keeping tabs on these vendors is a necessary but sometimes overwhelming function. Payment partners not only require the oversight expected of any vendor, they also call for added consideration of how they affect the university's scope for PCI DSS compliance. PCI DSS defines that scope as follows:

“the PCI DSS security requirements [that] apply to all system components included in or connected to the cardholder data environment.”

For universities, the cardholder data environment (CDE) includes a broad range of people, technologies, and processes that together store, process, or transmit cardholder data or sensitive authentication data. Any vendor that handles that data on the university's behalf, or whose systems connect to or can affect the security of the CDE, is part of this environment, which means vendors directly shape PCI scope. In this two-part series, we'll look at why vendor risk management matters and how to manage vendors efficiently and effectively in order to maintain PCI compliance and guard against breaches.

The Evolution of Technology and its Impact on PCI Scope

PCI compliance is critical for a number of reasons. Not only is it mandated by the card brands and acquiring banks, and enforced through fines and other measures, but it protects the reputation and bottom line of any entity that accepts card payments. It is also the foundation on which universities can build protection against costly data breaches. IBM Security reports that data breaches are becoming more expensive, with the average cost rising 12% over the past five years to $3.92 million. More telling still, breaches that originate with third parties (e.g. vendors and suppliers) cost $370,000 more than the average breach.

As mobile and cloud technologies have become ubiquitous, systems, infrastructures, and processes have grown far more interconnected. That connectedness has also greatly increased the number of vendors involved, creating a tangled web of third parties that each have a hand in payments somewhere on a university network. Every one of those connections widens the attack surface available to cybercriminals.

This new reality has made it critical to have a vendor risk management strategy in place and to follow the requirements PCI DSS itself sets for managing third-party service providers, along with guidance from other governing bodies. Doing so helps universities understand the legal requirements and ramifications of managing risk across vendors and contractors, and clarifies which risks can be contractually passed to a vendor and which remain with the university. It also supports documentation and tracking of how, when, on which networks, and between which parties sensitive data is stored, transmitted, and processed.

The bottom line is that sensitive information must be guarded rigorously and every risk associated with a vendor must be accounted for. Without these steps, even the best intentions around PCI compliance can be undone by a single third party. In the next part of this series, we'll outline specific questions to ask your vendors along with a more detailed list of best practices for managing them.

Questions About Vendor Risk Management or PCI Compliance?

If you have questions about vendor risk management or PCI compliance today, contact us. We’re happy to discuss your compliance concerns and talk through ideas on how to streamline your university’s payments operations.

Check out part two of our vendor risk management series here.
