No Time for PCI? A Quick Hit Guide for Those Charting the Course Solo


No Time for PCI?

A Quick Hit Guide for Those Charting the Course Solo

As a higher education institution, you are likely aware of the PCI DSS (Payment Card Industry Data Security Standard). Adherence to these requirements is mandatory for all organizations (including all departments and campuses within a university) that process credit card transactions⁠—and PCI compliance must be certified annually. This is a huge undertaking, especially for universities that may not have buy-in or help from other integral departments. 

PCI compliance is complex—especially for universities. In many cases, those tasked with this towering responsibility find that they lack support from teammates and other departments they work hand-in-hand with. Understandably, those departments are often overwhelmed with their own responsibilities, which can leave PCI compliance in the lap of one individual. This is an unfortunate reality for many institutions who are strapped for resources. The good news? There is a way to become and remain compliant if you are tasked with charting the course yourself, even sans help. 

Roadmap for PCI DSS compliance

All except extremely large merchants must complete a Self-Assessment Questionnaire (SAQ) and submit an Attestation of Compliance (AOC) annually to certify compliance. The complexity of the SAQ varies depending on the size of the merchant and how many and which types of transactions are processed each year. This can get hairy for institutions that often carry multiple Merchant Identification Numbers (MIDs), each of which must adhere to the PCI DSS requirements and certify. 

There are four levels of PCI compliance: 

  • Level 1: Merchants that process 6 million+ Visa card transactions per year, regardless of processing channel; also, any merchant that Visa determines should qualify as a Level 1 merchant

  • Level 2: Merchants that process 1 to 6 million Visa transactions per year, regardless of processing channel.

  • Level 3: Merchants that process 20,000 to 1 million Visa ecommerce transactions per year.

  • Level 4: Merchants that process fewer than 20,000 Visa ecommerce transactions per year; merchants that process up to 1 million Visa transactions per year, regardless of processing channel.

It’s important to note that different SAQs may apply depending on how a merchant processes transactions, especially if they process specific types of transactions (CNP MOTO, card-present POS, etc.) exclusively. 

PCI DSS Core Requirements

There are 12 core requirements instituted by PCI DSS, all of which are meant to protect cardholder data that is stored or in transit. 

Build/maintain a secure network 1. Firewall configuration must be installed and maintained to protect cardholder data
2. System passwords and any other security parameters must not use vendor-supplied defaults
Cardholder data protection 3. Stored cardholder data must be protected
4. Cardholder data transmitted across open or public networks must be encrypted
Vulnerability Management Program Maintenance 5. Antivirus software and programs must be used and updated regularly
6. Secure systems and applications must be developed and maintained
Strong Access Control Measures 7. Restrict access to cardholder data to privileged user IDs via least privileges necessary/business need-to-know
8. Each person with computer access must be assigned a unique ID
9. Physical access to cardholder data must be restricted
Monitor and Test Networks Regularly 10. Access to network resources and cardholder data must be tracked and monitored
11. Test security systems and processes regularly
Information Security Policy Maintenance 12. Policy that addresses information security must be maintained for all employees and contractors

While these 12 requirements may seem straightforward, institutions should note that there are an additional 251 sub-requirements that must be adhered to in order to properly address threats to cardholder data.  

Understanding True PCI DSS Compliance

In general, Level 1 merchants have high processing volumes, requiring a greater effort to secure payment systems and data. As a result, these merchants have to complete an on-site review by an internal auditor each year and pass a network scan done by an approved scanning vendor. 

Level 2, 3 and 4 Merchants are not required to do an on-site review but are responsible for keeping their annual SAQ current and conducting quarterly vulnerability scans via an approved scanning vendor.

Special Considerations for VoIP-Based Payments

As mentioned earlier, different types of payment processing may fall into categories that require additional security. Late last year, the PCI DSS released supplemental guidance (to augment, not replace or supersede) for protecting telephone-based payment card data. 

For higher education institutions that rely on VoIP systems, this is an important consideration as VoIP systems could bring an entire network into PCI scope. The new guidance was an effort to move organizations toward more modern Dual Tone Multi Frequency (DTMF) masking technology in lieu of antiquated pause-and-resume systems. You can view a more complete list of the tenets of the new guidance here

You Don’t Have to Chart the Course Alone

While you may be a solo practitioner tasked with PCI compliance, help is available. If the requirements seem daunting, we can help. PCI DSS compliance for higher education is our domain of expertise. 

We can help you create a robust payment system architecture, reduce PCI scope and keep payment card data protected. Contact us today to learn more about our PCI-validated P2PE solutions and how partnering with us can streamline PCI compliance.

Sarah W