A.M. Edition

Insights For Higher Education

Join Adam McDonald, TouchNet president, as he discusses various industry topics, shares insights and spotlights new trends to make sure you're up to date on all things campus commerce and credentials related!

Welcome to the A.M. Edition

A.M. Edition is Transitioning to the TouchNet Blog

September 26, 2019

When I took over this newsletter back in July 2018, I was excited to have the opportunity to share the trends, opportunities, and complexities of the payment industry. That hasn’t changed. In the months since, I’ve talked about everything from PCI compliance and new security measures to Alternate Payment Methods. Judging by the feedback I’ve received, our readership appreciates the insights and best practices I’ve shared along the way.

The great news is we’re expanding A.M. Edition and turning it into a full-fledged blog. I’ll continue to write posts, but you’ll also hear from the many well-informed subject matter experts at TouchNet who can expound on topics we’ve already covered and introduce new ones we haven’t touched on yet. Considering how quickly technologies and trends change in the higher ed payment space, I think branching out to keep our readers informed by new voices and perspectives is the epitome of thought leadership.

As we transition to our new blog format, my team and I look forward to continuing our long-standing tradition of sharing important commerce and credentialing technology changes that affect higher ed. I can’t predict every topic we’ll cover in our new blog, but I guarantee that every post will be informative and instructive when it comes to guiding your school’s digital transformation.

Thanks for reading,

Adam McDonald

Get Ready for the Rise of APMs

August 27, 2019

With a new school year kicking off, colleges and universities around the world are greeting their students with new digitally enhanced commerce and credential platforms. But students may have updates of their own for schools to accommodate — in the form of alternative payment methods (APMs).

Instead of traditional payment methods like credit cards or checks, APMs give shoppers more flexibility in the way they choose to pay. Well-known U.S. APMs include Apple Pay, Google Pay, and PayPal. Around the world, hundreds more enjoy the regional popularity of non-traditional payment methods, including WeChat Pay in China and M-Pesa in Africa.

According to, in 2019 55 percent of online transactions will be made using APMs. Schools that don’t accept these new payment options run the risk of losing students or reducing students’ ability to pay for on-campus room and board, transportation, and other living expenses and services.

There are many reasons for the growing popularity of APMs worldwide. Some are cultural, such as Western Europeans’ affinity for APM bank transfers. Unlike U.S. consumers, Europeans are reluctant to use credit cards and consider bank transfers both accessible and convenient. When you combine the worldwide popularity of this payment method with millennials’ reluctance to accumulate debt, it’s easy to envision more U.S. e-commerce transactions completed by bank transfers.

Cash-in APMs are also popular outside the U.S., especially among younger consumers who may not have established credit or even a bank account. Both prepaid cards on traditional networks and prepay accounts fall into this category — they both require funds loaded in advance that decline in balance as purchases are deducted.

Among current APM categories, digital or e-wallets are probably the most familiar. Digital wallets are safer; they use encryption or tokens to hide account information and safely transfer payments. They’re also faster to use and easy to fund. With these advantages, it’s not surprising that by 2021, wallet-based solutions are poised to overtake credit cards as our preferred payment method in the U.S.

While we tend to focus on their academic needs, students are consumers too. And consumers like choices when it comes to paying for goods and services. By educating ourselves about students’ cultural and demographic preferences, we’re better prepared to accommodate whatever payment methods spring up in the ever-evolving APM landscape.

Thanks for reading,

Adam McDonald

Modernizing Your Campus? Don’t Overlook Credentials

July 31, 2019

In recent A.M. Editions I’ve talked about digital transformation on campus and next-generation payment security, so it makes sense to also discuss the evolution of credentialing security. Just as EMV and NFC have changed the way payment cards transfer information back and forth to protect data from skimming and cloning, DESFire is modernizing campus access software, making it safer, more portable, and easier to customize for specific school needs.

Much like payment security advances, DESFire utilizes encryption to protect data. The master key stays in a secure place, and encrypted versions of it determine where and by whom credentials are accepted. DESFire also provides secondary keys, which institutions can use to give student subgroups credentialed permissions. For example, a school might store basic student data with its primary key then encode a secondary key to denote which students have chemistry lab access.

Beyond accommodating diverse student academic needs, DESFire’s centralized structure also helps schools manage multiple campuses. Whether an institution uses one of DESFire’s templates or configures its own structure, the ability to manage multiple locations with a single master key will be welcome news to any school that’s grown beyond its original campus to accommodate its student population.

Of course, any discussion about contemporary campus modernization must include mobile capabilities. DESFire delivers here, too, by laying the groundwork to work with multiple applications and file types on smartphones.

The ability to accommodate multiple campuses and DESFire’s adaptability to mobile technology also factor into its strengths from a security standpoint. By working in conjunction with other technologies and applications, DESFire can empower a campus to change or update its keys in an emergency or add integrated partners without compromising campus security.

Advantages such as centralized control, administrative flexibility, and the ability to work in tandem with other applications might seem like they only benefit administrators. But DESFire is also a boon to end users who aren’t even aware they’re using the technology.

From an end user’s perspective, the best technologies work in the background, and that’s definitely the case with DESFire. Students don’t understand that the solution powering their credentials enables seamlessness among applications, cross-campus consistency, or mobile-friendliness; they just know they have what they need to get where they need to be on campus. You won't find it highlighted on the product spec sheet, but DESFire delivers peace of mind, which might be its biggest selling point of all.

Thanks for reading,

Adam McDonald

Get to Know NACHA’s New Anti-Fraud Rules

June 25, 2019

Institutions that transfer money back and forth via ACH transactions are increasingly vulnerable to fraud, and colleges and universities are no exception. In response to more frequent and sophisticated phishing and other attacks, the National Automated Clearinghouse Association (NACHA) will implement two new fraud-prevention policies in 2020. Those deadlines will be here before you know it, so here’s a quick summary of the new rules and their respective compliance options:

Supplementing Fraud Detection Standards for WEB Debits — Effective Jan. 1, 2020

While organizations are already required to use fraud detection when conducting commercial ACH transactions, this new rule will supplement existing efforts by making account validation explicitly required. Existing account validation methods include:

  • ACH Validation Test (Prenote) – This method uses a test transaction for zero dollars to validate the account. It takes a few days to complete, and although it verifies the account and routing number, it doesn’t verify the account holder.
  • Micro Deposits – Similar to prenotes, micro deposits — sometimes as little as a penny — take a few days to complete. This method requires action to be taken by the payer (i.e. students) to verify the amount deposited into their bank account.
  • Account Validation Service – This real-time method leverages a cooperative database that is maintained and updated by major financial institutions. Validation includes both account and routing number, with no delay or added student interaction.

Both prenotes and micro deposits are manual processes, and response time is delayed for both.

Unlike the first two methods, an Account Validation Service is automated and occurs in real time at the point of payment, so accounts are validated immediately. Less friction for students, fewer returns for your office — this is the spirit of the new NACHA rules.

Supplementing Data Security Requirements — Phase-in Begins June 30, 2020

This two-phase rule will supplement data protection requirements by requiring bank account numbers used in the initiation of ACH transactions to be rendered unreadable when stored electronically. In simple terms, account numbers must be encrypted or tokenized when stored.

  • Larger originators and third parties with ACH volume greater than six million will be required to have their encryption (or tokenization) in place by June 30, 2020.
  • Smaller entities with ACH volume greater than two million must have encryption in place by June 30, 2021.

Both encryption and tokenization meet this rule’s requirements; “Tokenization vs. Encryption: Learn (the) Differences Between Both” compares them using helpful charts and illustrations.

When it comes to higher ed fraud prevention, the best defense is a good offense that also provides a better student experience. By working with your Third Party Sender — also known as an ACH Originator or ACH Merchant Services Provider — now to implement Account Validation Service and end-to-end encryption or tokenization, you’ll be compliant in advance of NACHA’s rule updates. You’ll also have a competitive advantage when it comes to meeting student expectations for real-time campuswide commerce that’s frictionless and secure.

Update: The effective date for NACHA's WEB Debit Account Validation has been moved to March 19, 2021, rather than Jan. 1, 2020.

The NACHA Board of Directors approved the extension to allow for additional time, education, and industry guidance. This does not change the Supplementing Data Security Requirements — phase-in begins June 30, 2020.

Thanks for reading,

Adam McDonald

The Tokenized Road to E-Commerce Security

May 29, 2019

Swipe. Dip. Tap. For years, consumers have tried to keep up as point-of-sale (POS) technology evolved to stay ahead of identity thieves and their ilk. But while customers were focused on “dipping” their cards with the chip end first and wrapping their brains around the concept of encryption, con artists quietly shifted targets and turned their sights from POS toward e-commerce.

Fortunately for consumers and merchants alike, the phase-one lessons learned by systematically amping up POS security now provide a roadmap for phase two: making e-commerce safer and more secure. With 2020 digital payments expected to surpass the trillion-dollar mark in the U.S. alone, the race is on to fix the weaknesses and vulnerabilities that make the internet an easy target for fraud.

One of the most promising fixes is tokenization, the process that substitutes randomly generated numbers for real account numbers. This technology — which is used in digital wallet platforms such as Google Pay, Apple Pay, and Samsung Pay — is already playing a growing role in phase-two e-commerce data security.

While tokenization has gained favor over encryption because it’s more cost effective and secure, it also has a third advantage. In the context of contactless payments and the role those payments play in PCI compliance, tokens reduce PCI-DSS scope. The technology alone doesn’t guarantee compliance, but if your school accepts card payments, you need to store, process and transmit data securely to be PCI compliant. Tokenization simplifies that process by reducing scope, which diminishes the likelihood of data breaches.

Although data security should be a primary concern when evaluating your payment technology needs, don’t overlook the value of providing a consistent user experience. Students are comfortable using mobile wallets for POS purchases, so offering them a similar e-commerce experience is a great way to replicate the seamlessness they’ve come to expect. Tokenized systems can also be instantly refreshed when cards are lost, stolen, or expired, eliminating the worry and wait typically associated with such events.

In the complex world of payment security, tokens offer simplicity, flexibility and operational efficiencies. The fact that they make transactions easier, safer, and more convenient for students too … that can be your little secret.

Thanks for reading,

Adam McDonald

Maximizing the Opportunities of Digital Transformation on Campus

April 25, 2019

In my January issue, I mentioned the terabytes of payment, transaction, and check-in data generated on campus and its potential to improve student experience. Based on my tradeshow conversations this spring, the prevalence of people talking about how to use student data effectively makes me believe it’s a topic worth delving into more deeply.

With the current emphasis on student success and engagement as they relate to student retention, we understand how overwhelming big data can be. The ground-level administrators of commerce and credentials systems are integral to funneling an entire ecosystem of data to people and departments on campus that in many cases didn’t exist a few years ago.

At some schools, one new role with the power to affect data-driven change is that of Chief Transformation Officer. This individual monitors university enrollment rates, analyzes activity data from outside the classroom, models student outcomes, and shares positive impacts and areas where additional work is needed to achieve student success and retention.

It’s also important to understand who can best help interpret your data. It might be a partner, or it might be a new administrative role. If you’ve reached this stage, Choosing a Predictive Analytics Vendor: A Guide for Colleges is a useful publication for exploring key topics such as ensuring data transparency, supporting privacy and security, and facilitating staff professional development.

Why do transformation efforts and comprehensive student data matter? Imagine the advisory potential with insights from both payment and credential systems. Monitoring campus engagement, automating reminders for time-sensitive transactions, and advisory services to prevent attendance or payment problems from snowballing into student withdrawals are just a few of the opportunities made possible by 360-degree data integration.

Transformation can go in many different directions. Fortunately, with the right tools, people, and context in place you’ll enjoy a clearer path toward better student experiences and educational outcomes.

Thanks for reading,

Adam McDonald

The Payoff for Switching to Contactless Payments

March 27, 2019

I've talked in this space before about online fraud and near-field communication (NFC) as they relate to securing campus payment systems. This month's topic touches on both of those and expands the conversation to include the role contactless payments play in compliance.

Unlike chip cards, which protect transaction information at the point of sale, there's no data to protect with contactless payments. Tokenization and NFC are connected because both Apple Pay and Android Pay utilize these technologies. Users provide their actual account numbers when they set up either type of account, but it's the stand-in tokens stored on their phones or contactless cards rather than actual account numbers that are passed on to merchants. As a result, even if scam artists gain access to a token, it's useless.

Since data breaches and identity theft are constantly in the news, some consumers are still reluctant to use contactless payment methods because they perceive digital payments to be less secure. But whether they know it or not, early adopters who already embrace contactless payments have taken a big step toward keeping their data safer.

So contactless payments are safer for consumers, but how does that affect merchant compliance? The secret's in the PCI-related paperwork. Compliance Self-Assessment Questionnaires (SAQs) are complicated to navigate, but with the right software and hardware, merchants can reduce their questionnaires significantly. They can even avoid them altogether if they have a processor who can apply for SAQ exemption status on their behalf.

For a processor to successfully help a merchant apply to skip the SAQ questionnaire, merchants have to meet various credit card companies' requirements. These differ across card networks but in general require merchants to have:

  1. Up-to-date PCI DSS compliance already on file.
  2. Equipment capable of processing contactless payments already in place.
  3. Zero breaches of cardholder data.

Taking the steps to switch to contactless payments is more than just keeping up with the latest cool technology. It offers a greater level of data security, delivers the best experience for your students, and ensures compliance while potentially reducing your PCI paperwork. So, maybe compliance can be cool!

Thanks for reading,

Adam McDonald

Debt-Averse Students Seek Payment Plan Options

February 28, 2019

It’s no secret that the cost of attending college is high — according to Business Insider, tuition has more than doubled since the late ’80s. As a result, more than half of families rely on scholarships and grants, but as many as 65 percent also borrow money to pay for college, generating loans that take an average of 20 years to pay off.

Generation Z, the demographic that represents incoming freshmen, is keenly aware of statistics such as $1.53 trillion in current U.S. student loan debt and monthly loan payments that average $393. The College Savings Foundation says this generation isn’t keen on racking up loans to pay for school, and in fact, only 11 percent are willing to accrue debt to pay for college. For these students, working and pay-as-you-go approaches are much more attractive than decades of debt.

Industries that cater to higher education are responding to this dual trend of higher tuition and students and parents who are eager to minimize long-term debt with tuition payment plans that come with various options:

  • On-campus plans provide a one-size-fits-all solution with limited options for customization. Such plans require plan changes, lender disclosures, and messaging to be manually implemented.
  • Outsourced plans offer more automation for plan maintenance and support but less transparency for students and administrators. Since these plans aren’t integrated with students’ school accounts, fund flow to and from is slower and can sometimes result in payment shortages or overages.
  • Software automation plans that work with existing student payment software can be customized to schedule payments, charge late fees, send automated reminders, and more for students and parents. Fully managed plans can even provide all related customer service assistance to prevent staff from fielding questions, handling reminders and managing paperwork.

If you think your school could benefit from implementing a payment plan, do your research before committing to a specific plan. Be sure to ask how administering it would obligate your institution under the Truth in Lending Act (TILA). The law recognizes schools that enroll students in payment plans as creditors that must disclose plan-related information to families. Understanding these requirements and asking questions up front can save your institution from unnecessary penalties down the road.

Once you know the facts, choosing the right plan can be a win-win addition to your tuition financing options. Some plans can be implemented without creating any extra work for staff, and the affordability and flexibility they provide can help students achieve their goals of earning an education without breaking the bank.

Thanks for reading,

Adam McDonald

Turning Student Data Into Safety Nets

January 22, 2019

If there's a college-bound young adult in your household, you're probably already aware of the special curricula, testing strategies, and tutoring their school may offer to help them get into their chosen college. But preparation for non-academic challenges — homesickness, budgeting and timely bill payments, second-guessing majors, and feeling welcome and accepted on campus — isn't as common. Considering one-third of college students drop out during or immediately after freshman year, many schools are searching for ways to ease this difficult transition.

One encouraging solution for improving student engagement is the growth of actionable data. Technology is everywhere on campus. Online classes, digital IDs, near-field communication payments and building access, and mobile apps create terabytes of payment, transaction, and check-in data. Administrators are starting to use this data to identify students who need a little extra help making the transition to college life. By identifying potential problems early, schools can help students make adjustments that improve their ability to transition and ultimately graduate.

Since digital student IDs can be programmed to provide access to dining and residence halls, labs, gyms, and other campus locations, the students who aren't using these facilities are easy to spot. Schools can check in with students who miss meals or come home late regularly to see if their behavior is symptomatic of a bigger issue. Once administrators understand the problem, they can recommend solutions, such as alternate campus meal options or assistance with class schedule planning.

Another digital canary in the coal mine is tuition payments. Money is the top reason students leave college. But according to a Public Agenda study, the problem isn't necessarily high tuition but learning to balance work and school. If payment systems alert the business office earlier when a student falls behind or carries a balance, schools can intervene and offer assistance to help the student adjust, thus reducing their chances of dropping out.

The biggest benefit to the abundance of student data is the assistance it provides in resource allocation. For example, do recreation center check-ins peak late on Thursdays? Keep the facility open an hour later. Has cafeteria traffic already doubled near a planned residence hall? Consider that additional traffic in expansion plans. Better access to campus services and amenities makes students feel welcome and recognized as individuals, according to Associate Professor and Freshman Seminar Director Joe Cuseo. According to Cuseo, such positive feelings play an important role in "launching the quest for student success in an accurate direction."

Data alone doesn't improve student experience. But used effectively, it can help institutions make better decisions and intercede in a more timely manner to make that difficult first year a little easier.

Thanks for reading,

Adam McDonald

Happy Holidays to You From TouchNet

December 11, 2018

Working in such a fast-moving field, it's sometimes hard to slow down and take a moment to reflect. But during this holiday season, I'd be remiss if I didn't do just that.

I'd like to use this issue of A.M. Edition to simply say thank you ... to our customers, our partners, and everyone who contributed to helping us improve the campus experience for both students and staff in 2018.

From myself and the entire TouchNet team: We wish you all a safe and happy holiday season. Enjoy our digital holiday card, and we look forward to seeing you next year.

Season's greetings,

Adam McDonald

Staying Two Factors Ahead of Online Fraud

November 20, 2018

Our COMTEC users conference just ended, and one frequently discussed topic was the growing concern and continued need for campuswide data protection and cybersecurity. Hackers and con men are nothing new. But the more our lives center around online channels, the more scammers and phishers switch to online tactics to perpetrate fraud.

In 2017, security expert Symantec estimated there were roughly 135 million attempted phishing attacks every day. According to EdTech, in higher ed, schools are successfully educating users and raising awareness to avoid security breaches, which has reduced the number of successful attacks. However, new scams are always on the horizon, and schools must take every opportunity to prevent these expensive and destructive crimes.

This past August, the government warned institutions of higher education about a new wave of phishing scams aimed at students. Timed during peak Federal Student Aid (FSA) refund distribution periods, these attacks tricked students into providing personal information. The attackers then used that data to divert funds from student direct deposit accounts into their own illegal accounts.

In its phishing alert memo, the Department of Education advised schools to switch from traditional Single Sign On (SSO) protocols to more secure methods, such as two-factor (2FA) or multi-factor (MFA) authentication. Such methods benefit schools and students alike; the student's account is protected from funds being illegally diverted, and the school has an added layer of assurance that any changes made are executed by the lawful account owner.

If you're interested in implementing 2FA on your campus, look at places where sensitive data or payment data is captured, entered or stored, such as payment methods, refund details or contact information. By requiring an additional, newly generated code sent to a separate device to be entered before the account is updated, fraudulent attempts to access the account are averted.
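A sketch of that step-up check, added here as an example and not TouchNet's code: a change to refund details is held as pending until a freshly generated code, delivered to a separate device, is entered. The class name, the `send_code` delivery hook, the five-minute lifetime and the three-guess limit are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of a code
MAX_ATTEMPTS = 3        # assumed number of wrong guesses before the code is discarded


class StepUpVerifier:
    """Holds a requested account change until a one-time code confirms it."""

    def __init__(self, send_code, clock=time.time):
        self._send_code = send_code  # hypothetical hook: delivers the code to a separate device
        self._clock = clock
        self._pending = {}           # user_id -> pending change and code metadata

    @staticmethod
    def _digest(salt, code):
        # Only a keyed digest is kept, so the code is not readable in the pending store.
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def request_change(self, user_id, change):
        code = f"{secrets.randbelow(10**6):06d}"  # newly generated for every request
        salt = secrets.token_bytes(16)
        # A new request replaces any earlier one, which invalidates the earlier code.
        self._pending[user_id] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "change": dict(change),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_code(user_id, code)

    def confirm(self, user_id, code, account):
        entry = self._pending.get(user_id)
        if entry is None:
            return "no_pending_change"
        if self._clock() > entry["expires"]:
            del self._pending[user_id]
            return "expired"
        supplied = self._digest(entry["salt"], code)
        if not hmac.compare_digest(entry["digest"], supplied):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self._pending[user_id]  # stop online guessing of a 6-digit code
                return "locked"
            return "bad_code"
        # The code authorizes only the change stored with it, and only once.
        account.update(entry["change"])
        del self._pending[user_id]
        return "applied"


def demo():
    """Constructed scenario: guessed codes, an expired code, then a valid confirmation."""
    now = [1000.0]
    outbox = {}  # stands in for the student's separate device

    def deliver(user_id, code):
        outbox[user_id] = code

    verifier = StepUpVerifier(deliver, clock=lambda: now[0])
    account = {"refund_account": "****1111"}  # constructed sample data
    results = []

    # Someone with only the password requests a change and guesses the code.
    verifier.request_change("student1", {"refund_account": "****9999"})
    real = outbox["student1"]
    wrong = f"{(int(real) + 1) % 10**6:06d}"
    results += [verifier.confirm("student1", wrong, account) for _ in range(3)]
    results.append(verifier.confirm("student1", real, account))  # code was discarded

    # The account owner requests a change but enters the code too late.
    verifier.request_change("student1", {"refund_account": "****2222"})
    now[0] += CODE_TTL_SECONDS + 1
    results.append(verifier.confirm("student1", outbox["student1"], account))

    # The account owner retries and confirms in time; the code cannot be reused.
    verifier.request_change("student1", {"refund_account": "****2222"})
    code = outbox["student1"]
    results.append(verifier.confirm("student1", code, account))
    results.append(verifier.confirm("student1", code, account))
    return results, account


if __name__ == "__main__":
    print(demo())
```
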

There is no way to know what threats lie ahead, but it's a given that vigilance, ongoing preparation, and education will be key to minimizing their impact.

Thanks for reading,

Adam McDonald

Are you ready for the NFC Wave?

October 16, 2018

New technology evolves so fast. Now when I travel I use my smartphone to schedule a car to the airport, order and pay for my coffee, board my flight, and access my hotel room. It's extremely convenient. The technology making all of that possible is digital wallets and near-field communication (NFC). With its mainstream status, NFC turns phones, tablets, and other smart devices into single payment or access points able to complete transactions when placed within a few inches of an enabled device. That's the beauty of NFC.

NFC can streamline almost any transaction. Imagine how this technology will revolutionize the way students navigate your campus. NFC on a college campus will resemble my travel example but can go one step further. As payments and credentials converge into a digital wallet, students will be able to enter their dorm rooms, pay for parking, check into classes, and make purchases at the bookstore or dining hall.

How does it work? Digital wallets can store both open-loop credit/debit cards and closed-loop campus ID credentials, enabling the change from plastic to virtual cards and turning students' smartphones into a payment method. The positive impacts for students and campuses include:

  • Contactless payment at any point-of-sale.
  • Contactless entry into any secured door on campus.
  • No more physical student IDs or wallets needed.

The benefits are tremendous. For students, transactions are simple, secure, and completed via their smartphone, which is readily available and is less likely to be lost or stolen than a wallet, key, or payment card. For campuses, these transactions occur in a highly secure and scalable way and can be integrated into your unified campus commerce and credentials system for real-time reporting and reconciliation.

It's now more important than ever to offer top-notch technology to compete for students who have come to expect convenient and simple user experiences. These "contactless" transactions are here, so be sure your campus commerce provider understands NFC and is operating with a mobile-first vision in mind. Contactless technology is the next logical step and will soon become the norm. You will want to be ahead of this curve.

Thanks for reading,

Adam McDonald

Acquirer: Partner or Problem?

September 11, 2018

PCI compliance is not a choice. If you take card payments, you are a merchant and thus you agree to comply with the PCI requirements. It's in your merchant services contract. Failure to do so could be both costly and risky. As the merchant, you can't pass the responsibility off to another entity. The good news is that there are ways to reduce the effort of validating your annual PCI compliance: contact your acquirer and put them to work for you.

Are you asking yourself, "What is an acquirer" or "Who is our acquirer"?

I am surprised that many merchants (colleges and universities included) are not familiar with this term. Simply put, an acquirer is an entity that processes your credit and/or debit transactions. Unfortunately, when selecting an acquirer, the decision is often made in terms of "cost per transaction." That is, most merchants evaluate their acquirer by asking in an RFP "How much do you add to my transactions' processing costs?" instead of asking "What value do you provide as my payments partner?" An acquirer acts as your representative to the card brands. You don't report your compliance to the PCI Council, nor do you report to the card brands. Your documentation is first vetted, then approved, and finally delivered to the card brands by your acquirer. They are the arbiter of your PCI status. You attest to your compliance to your acquirer.

So, ask yourself, how well does your acquirer know your payments environment? How well do they understand the unique challenges of a college or university's campus environment? Are you partners, or are you just another merchant amongst thousands of merchants? Are they helping you eliminate redundant and unnecessary documentation, or just going through the motions? If your acquirer has a deep knowledge and trust in your payment systems, they can determine answers to many of the PCI SAQ questions in advance, saving you considerable time and effort. Your acquirer can also help you efficiently organize the number of campus Merchant IDs (MIDs), further reducing your annual reporting effort. Finally, a knowledgeable acquirer might recommend enrollment in the card brands' "exemption" programs that can eliminate the requirement to submit some SAQs entirely.

As the card brands continue to ramp up protections against cardholder data theft and identity theft, your choice of an acquirer to help you through the resulting maze of requirements will become even more critical to your PCI efforts. Ask yourself: Is your acquirer your partner or your problem?

Thanks for reading,

Adam McDonald

Let's Talk About Omnichannel Payments

August 8, 2018

Good morning. I've been hearing a lot of discussion recently about omnichannel payments across campus. It's a concept recently borrowed from retail businesses. Brick and mortar stores are working to make online and in-store shopping experiences as seamless as possible in order to enhance consumer satisfaction and build customer loyalty. Who would have guessed that Amazon, the king of e-commerce, would acquire Whole Foods, a brick and mortar business, to offer customers a choice of channels?

Of course, satisfaction and loyalty are important considerations for campuses, too. But, how does an omnichannel payments strategy apply to higher education? Think about omnichannel as "consistency" in how payments are accepted, secured, and processed. The goal is to provide a frictionless experience for students, parents, and other constituents, as well as streamlined operations for the campus. If you’re considering an omnichannel strategy, here are the three basic steps you need to get started on the right foot:

  1. Pick your payments. Payments are made campus-wide, so the scope of your payments strategy needs to include all campus merchants, not just business office transactions. Decide which payment channels you want to offer and then which payment methods you want to adopt. Give your students, parents, and other constituents a standard payment experience regardless of where they make payments on campus.
  2. Pick your platform. Your payment platform must be able to process campus-wide payments from all of your channels and methods, and consolidate them into a single, manageable system. Consistency in back-office processes is as important to your omnichannel strategy as your payer’s experience. All options must be secure, PCI compliant, and timely, and your platform must provide staff with support to streamline the application and reconciliation of payment transactions, too.
  3. Pick your partners. Your campus application providers must be willing to work together to unify and secure payments across campus. But to do this, they first must know your plans. Make all campus vendors aware of your intention to create an omnichannel commerce environment on campus and get all vendors onboard.

The omnichannel payments concept is being driven by the mobile payments revolution in addition to growing institutional incentives to enhance student success. Whether payments arrive on campus online, via smartphones, in-person, or from home, your constituents' commerce environment must be consistent and frictionless. From the student point of view, omnichannel means a better campus experience. From the campus point of view, omnichannel is a strategy to tame the complexities of today's commerce environment. Both are worthwhile goals.

Thanks for reading,

Adam McDonald

Good Morning, I'm Adam McDonald.

July 10, 2018

If you're saying "I don't know you from Adam," let me introduce myself. I'm Adam McDonald and I am very happy to have this opportunity to lead the TouchNet team. As Dan mentioned in the last of his Toughey Talks Payments newsletters, I joined TouchNet a bit more than a year ago. Since then, I have time and again confirmed my initial impressions that this is a remarkable company serving a wonderful higher education community. So, I am excited to be here and I’m looking forward to continuing these "Talks" about trends, opportunities, and complexities in campus commerce and credentials through my new A.M. Edition newsletter.

More reasons to be excited right now are the changes taking place in the payments industry. We are at a major intersection of smartphone technology and transaction processing — a place where plastic cards are transforming to virtual cards. One of the key drivers behind this transformation has been the introduction of EMV-ready payment terminals. 75% of all POS (point-of-sale) locations in the U.S. are now chip card enabled. As you know, this was no small feat. Originally billed as a move to protect against payment card fraud, EMV also laid the groundwork for a new payment technology centered on smartphones and electronic wallets.

EMV-compliant terminals enabled NFC (Near Field Communications) technology for "contactless" transactions. Apple, Google, and Samsung smartphones already have built-in NFC capabilities. However, Apple was hesitant to open its NFC options to outside developers until recently, when it announced that it will selectively roll out third-party NFC capabilities. This includes the ability to use Apple smartphones as campus ID cards and access passes for many actions that today require a physical card. This is great news for all of us in the campus card space! Once beta testing is complete, NFC technology will help usher in a new era of mobile commerce. Storing both open-loop credit/debit cards and closed-loop campus ID credentials in a single electronic wallet will supercharge the migration from plastic to virtual cards for all types of campus activities.

I look forward to working with all of you as these innovative technologies transform the campus experience for students and staff alike. I'm sure you're aware that when a relatively new technology hits a certain critical mass, change seemingly happens overnight. Today, there is no doubt that "we are living in interesting times."

Thanks for reading,

Adam McDonald

The Best is Still Ahead!

June 19, 2018

I believe that sincerely. By and large, we continue to become a more educated, healthy, and enlightened world and higher education has played a vital role in making that true. I've been writing this blog for years now as a way to help colleges and universities improve payment processes on campus. In my first issue, I tried to clear away the confusion surrounding new PCI regulations and give campuses a clear understanding of payment strategies. Turns out, "There was a pony in there after all!"

Anyway, that was my first blog; nine years later, this will be my last. The time is right to announce my retirement. I am looking forward to it, although it's hard for me to leave the company we started over 29 years ago. It has truly been a joy. Nonetheless, I am confident about the future for my many friends and colleagues in the higher education community. I am leaving TouchNet in the hands of an incredible group of professionals who are ready to carry on the important traditions (including this newsletter) and continue the accomplishments we’ve started together.

Our new senior leader will be Adam McDonald. Adam has been in the technology and data security business for over 20 years. He is a native of the Kansas City area and has been our Vice President and General Manager for the past year. In addition, he will have the support of Ron Farmer, President Global Payments Campus Solutions, and Ron's wealth of experience in the higher education industry. Most important, Adam has a team of tenured staff with a strong commitment to setting the curve in campus business software. For those of you who have not yet met Adam, I hope you get to do so soon. Take the opportunity to say hello at events like NACUBO, EDUCAUSE, and COMTEC.

Personally, I have been honored to be part of the higher education community and all the good it does for advancing our society. I've been very fortunate to be able to focus on my two passions–technology and finance–and help colleges and universities keep up with changes in both. Thank you for all that you do to make the world a better place. You make a difference!



Daniel Toughey

Wired for International Payments?

May 15, 2018

At a recent industry show I had an interesting conversation about the challenges of attracting qualified foreign students. It is getting more difficult. In fact, according to NACUBO, the total international student population is now 1.1 million – down about 2%. However, institutions that best accommodate the important needs of international students will be the most successful at attracting and retaining them. For example, consider providing local currency bill-payment options as a way for international students and parents to pay for campus obligations more conveniently. Here are four key questions to address when evaluating a foreign exchange payments system:

  • Is the vendor properly licensed?
    Compliance with government agencies' rules and regulations is critical and licensing is an important part of that compliance. Achieving full compliance is labor intensive and expensive. At a minimum, a provider should be licensed as a money transfer agent in all the states in which it does business. This will give you peace of mind that student payments are being handled with proper oversight of the vendor.

  • Does the vendor have an effective anti-money laundering (AML) strategy?
    Your vendor should have a two-pronged approach for stopping money laundering or potential terrorist funding activities. First, it should screen payment activity against multiple money laundering databases, including those from the Office of Foreign Assets Control (OFAC). Second, your vendor should not allow large overpayments of student tuition and fees. Overpayments are often associated with a money laundering tactic called layering and may put your campus inadvertently into the scope of Money Services Business (MSB) rules and regulations.

  • Can your vendor offer wire transfers as an integrated payment method?
    Offering a foreign exchange (FX) solution as a separate, standalone system can be both confusing for students and challenging for staff. For students, cross-border payments offered within their campus payment portal are the best way to go. For staff, real-time student account integration removes the headaches and extra manual processes often associated with wire payments and posting to student records. In addition, embedding an FX engine within your core bill payment system puts checks and balances in place to protect student information, enhance transaction security, and reconcile payment amounts.

  • Is the vendor's foreign exchange conversion rate fair and transparent?
    And last but not least, make sure students (or their parents or sponsors) get a fair deal. Since it is not easy to understand the inner workings of FX conversion rates, you'll need to periodically "test the waters" and see how your rates stack up to industry benchmarks. This can be accomplished only when the conversion exchange rate is clearly stated and guaranteed for a reasonable time period.

For those institutions that want to attract quality foreign students, an appropriate local currency, wire transfer system for tuition payments can be a powerful attraction to students and parents alike. Yes, FX wire payments can be complicated and confusing, and finding the right solution takes some effort. A small business with a standalone model may not be the right choice for an FX partner in today's financial environment. This is one area where bigger may be better.

Keep in touch,


Daniel Toughey

A Winning Hand for Campus Cards

April 16, 2018

Not that long ago, the campus ID card office was often a hotbed of creativity. Meetings, discussions, and strategy sessions were often focused on innovative ways to increase revenue and increase funding for campus card systems. Insert a merchant logo here. Add phone calling there. Perhaps the Queen even said, "Let them eat pizza!" However, time has shown most of those ideas are no longer valid. Card systems grew too complex and are being superseded by more modern solutions better suited to meet today's student and campus expectations. So, what are the hallmarks of these newer card systems that offer win-win solutions for both students and campuses?

Win for Students: To meet student expectations, the campus card experience must be convenient and easy to use. It must work smoothly, without hitches, for normal campus activities and should be synched with other campus systems to avoid delays and inconsistencies. It needs to present a seamless and intuitive connection to campus life. Most important, it must offer students the option to transfer ID functions and card management options to their smartphones.

Win for Campuses: From the campus perspective, the next generation of campus ID card solutions must be highly functional systems for credentials and permissions. It is absolutely critical for institutions to know who is on campus and restrict access to certain areas and events. Further, the ID card system should not place undue burdens on campus IT and administrative staff. Cloud computing significantly reduces the resources required to maintain ID card systems compared to campus operations. Finally, the ID card system should work closely in real time with other campus software, especially the campus ERP system, to create a frictionless business environment.

In short, campus ID card solutions need to shift from being a "shiny object" marketing tool to being a mission-critical technology system for managing student and employee credentials. The next generation of campus ID systems will make campus ID cards a key player in an institution’s efforts to promote student success and campus integrity. If your campus hasn't begun the move yet, it's time to deal yourself a new, winning hand!

Keep in touch,


Daniel Toughey

Heads AND Tails of Compliance

March 15, 2018

I've never seen a one-sided coin, and I'm sure you haven't either. However, when it comes to payment security and compliance, most people only talk about PCI. They ignore the other side of the coin: the card brands themselves. To maximize benefits, campuses must look at both sides of the compliance process. The good news is that by understanding both sides' requirements and benefits (their "sticks" and their "carrots"), there are big gains to be found.

The PCI SSC (Payment Card Industry Security Standards Council) is an organization formed by and on behalf of the card brands. The council’s job is to codify data security requirements so merchants know what to do and how to measure their progress. PCI SSC also defines the sometimes dreaded reporting forms, called Self-Assessment Questionnaires (SAQs). The card brands themselves determine "merchant levels" and the actual amount of reporting required to validate compliance (there are currently four levels). Although this sounds straightforward, many times the PCI SSC and the card brands independently offer "incentives" to merchants in order to direct investments in more secure technology.

This is exactly what is happening in the in-person, point-of-sale (POS) space. The PCI SSC has created a shorter, less onerous SAQ form for merchants who incorporate validated P2PE (point-to-point encryption) technology into their POS solutions. The card brands, at the same time, are offering merchants further reductions in compliance paperwork when they adopt the newer security technology. This all sounds great for merchants, but trying to get these incentives is easier said than done. For many years, most established payment processors (and technology providers) have been using data encryption technologies other than the type now recommended by the PCI SSC. Changing to a new encryption method is difficult and costly for the big players. However, solutions are starting to come forward that let merchants take advantage of combined PCI and card brand incentives.

By understanding the heads and tails of compliance, embracing newer POS technologies, and working with the right payment partner, campuses can significantly reduce their PCI reporting requirements and improve cardholder data security. Check with your payment processor and/or technology provider to see what is available for you today.

Keep in touch,


Daniel Toughey

Half Bad is Not Good Enough

February 13, 2018

One thing is becoming clear – two years after implementing its new Cash Management Rule, the Department of Education (ED) is not pleased with the results. Specifically, the Department feels that student bank account fees are still higher than necessary. While some vendors have lowered their charges, even touting cuts of up to 50%, the Department believes that most student account offerings are still “not in the best interests of the students.”

So, here we go again. Recently, ED published a draft of a Request for Proposal (RFP) seeking help to build a new pilot program. In this program, ED would offer students the ability to select a financial account directly sponsored by the Department to receive their financial aid. The description of this financial account is eye-opening and illustrative. It appears that ED is looking for a “Bank-Zero” solution – as in “zero costs” to students. Based on discussions during the Cash Management Negotiated Rule Making (NRM) sessions in 2014, it was evident that the Department believed bank accounts should be offered as "loss leaders" during students' college years. After that, the banks and their resellers would be free to seek profits doing whatever they do to/for their other consumers.

Also in these NRM sessions, there was discussion around the creation of a "back-door" option that would allow ED to offer its own debit card refund program. This option could be implemented if banks and service providers didn’t clean up their act. Here are the 38 words, out of the thousands of words in the published rule, giving ED their back door:

“The Secretary may pay title IV, HEA credit balances under paragraphs (h) and (m) of this section directly to a student or parent using a method established or authorized by the Secretary and published in the Federal Register.”

So, just when you thought it was safe to jump back into student refunds, the game is very likely changing again. Not only is ED considering direct disbursement of funds to student debit cards, but it also wants the ability to track the types of purchases and transactions made with these cards. The Department would then possess the ability to restrict the types of products and services for which the funds could be used. This may be just a red herring, but all campuses once again need to keep a sharp eye on decisions from the Department of Education concerning student financial account practices. Stay tuned.

Keep in touch,


Daniel Toughey

What's Your Focus in 2018?

January 23, 2018

For most of us, the new year takes on added significance as a time we set aside to evaluate past accomplishments and strategize new goals. Here are some of my thoughts on strategies that will be crucial to campus commerce success in 2018.

Trends in Campus Payments

Transaction Costs. The cost of processing payments, especially credit card payments, is growing faster than most merchants are aware. The primary culprits are the new, super-generous rewards cards most of us have in our wallets. This trend is getting out of hand. Merchants (like you) are paying for "loyalty" programs for the largest merchants and card brands. The key to managing these growing costs is to know your real "effective transaction rate." Hint: it's higher than you think.

Mobile Payments. Mobile payments will continue to expand with options like Apple Pay providing the big push on campuses. The popularity of contactless payments in general is growing rapidly. It seems many of today's payment innovations are happening with in-person transactions. The silver lining is that the move to EMV technology is paving the way to modernize payments systems for the coming wave of smartphone-centric consumers.

Data Security. Data security measures have evolved significantly over the last several years, and compliance is a never-ending challenge. PCI and EMV have reduced the use of fraudulent cards at the point of sale by over 60%. On top of that, data encryption technology such as P2PE is minimizing the risk of major breaches. Now is a good time to make enhancements in systems because of today's mobile payment trends. In addition, the card brands have offered merchants some PCI relief for moving to more secure technology.

Accessibility. Online systems must be easy to use for everyone on campus. This means intuitive and clear operation with minimum hassle. Furthermore, they must conform to the ADA requirements set forth in the Department of Justice's updated Section 508 that went into effect last week. Most campuses now consider the World Wide Web Consortium’s (W3C) Web Content Accessibility Guidelines (WCAG 2.0 AA) as the template for ADA compliance.

Yogi Berra, baseball player and philosopher, once said, "It's tough to make predictions, especially about the future." But we all do our best to be prepared for the challenges ahead. So, to everyone, I wish the best of luck and much success in the coming year.

Keep in touch,


Daniel Toughey

P.S. Digital currencies such as Bitcoins will be in the news a lot, but they are not likely to be used for campus transactions. They are too new and too volatile to be "ready for prime time" yet.

From Cashiers to Advisors

December 12, 2017

Recently, I enjoyed being part of several interesting discussions at our annual Client Advisory Board (CAB) meeting. One of them, the evolving role of student customer service on campuses, particularly caught my attention. CAB members referred to the topic by several names: one-stop services, omni-channel services, and enhanced student services, to name a few.

At the heart of the matter is a resurgence of in-person student services. Campuses for years have pushed to bring more and more student services online. The advent of smartphones added urgency to this strategy. It made sense. It was cost effective; it was scalable; and most important, it was what the students (and their parents) wanted. But today, as student retention has become even more critical, campuses have begun a movement back toward more in-person "hand holding."

So, is this just a regression to systems available a decade or two ago? Not at all; online self-service is not going away. This emphasis on "one-stop service" is actually a new way of thinking about delivering student services—a way to answer the loud voices that are demanding better student retention and improved student experiences. This is similar to the challenge faced by today's retailers as they blend in online shopping or as "e-tailers" add in-store experiences. Some key characteristics of this new strategy are:

  • Single point of contact for multiple disciplines. Give students one place to visit when they seek assistance, regardless of the area in which they want help.

  • Open, more welcoming physical environment. Gone are cashier windows (and green visors). Think comfortable chairs in an open, friendly room.

  • Merging of online and in-person. Systems need to provide consistent, quality experiences whether they’re via computers, tablets, phones, or advisors.

In the world of campus commerce, this trend is illustrated by the transformation of campus cashiers into student financial advisors. Cashiers are taking on an expanding role as student customer service representatives; they are asked to provide financial instruction and student counseling in addition to their more traditional payment services. This shift requires that campuses find the right tools—systems that provide a unified approach to both “online” and “inline” transactions with broad access to multi-department actions such as payments for tuition, deposits, refunds, fees, meal plans, and the list goes on. And, as always, much of the responsibility to lead this shift will likely fall to the business office. Don’t be caught by surprise.

Keep in touch,


Daniel Toughey

Another 12-Step Program

November 9, 2017

As the old saying goes, "If you can read this, thank a teacher." You could also thank your lucky stars, because some of your students may not be able to. Disabilities, such as sight impairment, are much more common than generally believed. The Americans with Disabilities Act of 1973 (ADA) is a broad set of civil rights laws that were enacted to protect individuals with disabilities from discrimination. It is the reason we have things like disabled parking requirements, service counter height requirements, and wheelchair ramp mandates in building codes. In 1998, Section 508 was added to the law to specifically address websites and online software. These 508 standards were updated again last January and will go into effect January 18, 2018. (Final Rule.)

Higher Education is no stranger to the ADA and is often challenged by 508 compliance. For example, in August 2016, the US Department of Justice (DOJ) ruled that a major public university in California was in violation of the ADA because their YouTube channel's videos didn't include captions for hearing impaired visitors. The DOJ ruled that the university should use the World Wide Web Consortium's (W3C) Web Content Accessibility Guidelines (WCAG 2.0 AA) as the template for compliance.

The WCAG is a set of accessibility standards to help guide web content producers in making their work more accessible to all, including users with disabilities. The updated 2018 version of the ADA uses the standards published in the WCAG 2.0. Like the Payment Card Industry Data Security Standard (PCI DSS), WCAG 2.0 has 12 basic guidelines. Each can be expanded into testable "success criteria" that can be used to measure the usability of websites. The 12 guidelines are organized into key goals:

  • Perceivable – Ensures that a webpage's media is usable by all.

  • Operable – Helps avoid common webpage accessibility problems.

  • Understandable – Guides web developers to logical functionality and language use.

  • Robust – Provides technical guidance for integrating user aids such as assistive equipment.

We've all heard stories about firms who cruise parking lots looking for the absence of ramps or handicap parking spots and file lawsuits against those enterprises that fail the test. These "drive-by lawsuits" amount to nothing more than shakedowns for cash. Now, the updated requirements of section 508 could offer similar opportunities to get-rich-quick schemes. Just imagine someone "driving by" your institution's web services checking for ADA violations. You have only a few months before the updated 508 guidelines become law. Be proactive. Unlike PCI, section 508 (and the WCAG 2.0 guidelines) have no annual validation requirements. Nonetheless, it would be a good idea to ask your vendors if they comply with 508 guidelines. Better yet, ask if that compliance has been evaluated by an independent third-party auditor. The 508 conversation will only grow louder over the coming years.

Keep in touch,


Daniel Toughey

And the Winner is...

October 6, 2017

On September 1st, the last of the phased-in requirements for the Department of Education's (ED) new Cash Management Rule went into effect. This requirement impacts all institutions offering students either T1 or T2 bank accounts on campus. By now, schools must have reported to ED and posted on their campus websites the mean and median costs associated with those sponsored accounts; the number of students accepting and using those accounts; and any considerations paid or received under the terms of the contract between the institution and its financial services provider. In last July's blog, I called this point "where the rubber meets the road."

No doubt we'll find a lot of variance in fees from one sponsored account to another. You can be sure, however, that the information will be carefully analyzed by the Department of Education and other consumer watchdog groups. In December 2016, the Consumer Financial Protection Bureau (CFPB) combined an analysis of campus credit card offerings with bank account (debit card) data in its annual report to Congress. They will do the same again this December, including a detailed look at the fee information posted by campuses concerning T1 and T2 accounts. In fact, just several weeks ago, the CFPB published a blog to students asking "Does Your Campus Sponsor an Affordable Bank Account?" This blog to students (consumers) outlines the wide disparities in bank account fees offered to students by schools and their financial partners.

A number of campuses have told me their service providers have made significant improvements in the costs associated with their campus financial accounts and that they are much better than they used to be. That's good news. But the real question is will those improvements be strong enough to meet the bottom-line Cash Management requirement established by the Department of Education. That is, can schools justify how their campus banking arrangements are in "the best interest of students?" In the past, empirical data has been hard to come by. But today, disclosure is the law. So it might be a good idea to have a file on hand marked "In the Best Interest" that documents your due diligence.

Keep in touch,

Daniel Toughey

PCI Security: Good News, Bad News

September 12, 2017

Recently, two new reports concerning data security hit the streets. The Ponemon Institute released its 2017 Cost of Data Breaches Study and Verizon published its 2017 Data Breach Investigations Report. Both are respected researchers with a fairly long history of digging into data breaches. First, the good news: according to Verizon, some sectors have improved compliance with the PCI DSS by 15% in the last year and overall compliance has improved 10% across all industries. Also, according to Ponemon, the average cost of a data breach across all countries and industries decreased from $4.0 million to $3.6 million. These numbers are going in the right direction.

Now for the other side: higher education is still in the top tier of breaches and the most expensive to remediate: $245 per record! This is almost 20% more than the average for all other industries. Why? For criminals seeking an “easy in,” college and university campuses have long been a favorite target with so many doorknobs to rattle. Plus, finding and mitigating breaches is harder and more time-consuming than at most businesses.

Here are a few other key findings from these reports:

  • 62% of breaches involved some form of hacking by a third party. What's more, of the breaches that did involve hacking, 81% were the result of leveraging weak or stolen passwords. Effective password management is still a big factor in the fight against hackers and PCI DSS compliance.

  • 51% of breaches included the installation of malware and 66% of this malware was delivered via malicious email attachments. Hackers tricked unsuspecting users into clicking on dangerous links. From there, thieves installed malware on the targeted systems in order to siphon off sensitive data. This is especially true in POS (point of sale) environments.

  • The studies reveal that the longer it takes to discover a breach, the more expensive the breach becomes. The cost of a breach identified in fewer than 100 days averages $2.8 million, while the average cost rises to $3.8 million for breaches discovered after 100 days. Globally, the average time to identify a breach went down from 201.0 to 190.7 days.

There is no doubt criminals are becoming increasingly sophisticated in their cyberattacks. So, your campus must continue its ongoing effort to fight back with better controls and improved technology to meet the challenge. Understanding how many merchants, pay points, payment applications, and payment channels operate on campus is still the foundation of a complete PCI security effort. Gaining that understanding helps you put your campus in a position to win.

Keep in touch,

Daniel Toughey

PS: In another sobering reminder that hackers are tirelessly working to breach defenses, Equifax just announced a security breach that has compromised the personal information of as many as 143 million individuals – including names, social security numbers, birth dates, addresses, and some credit card numbers.

The Buzz at NACUBO

August 1, 2017

Here I am in beautiful downtown Minneapolis at the annual NACUBO conference. Attendance is good, and energy in the exhibit hall is high, with a lot of focus on technology as well as how fast things are changing. In fact, Tom Friedman's keynote address on the speed of change was very well received, though there were also some concerns about trying to understand all the challenges ahead. Here are a few other themes I'm hearing from inside the booth:

The Intersection of Bill Payment and Student Success. This is always a tricky subject, since the business office is where the buck stops (someone has to keep track of all the money coming in). There is a growing gap between big institutions and others on policies regarding payments. While some schools are closing cashiering windows, others are extending hours and doing everything they can to keep students enrolled. There is no perfect answer, but the consensus is to be crystal clear on payment policies and offer as many payment options and plans as possible.

OneStop for the Back Office. More and more institutions are not only creating one-stop service centers for students; they are also consolidating functions in the back office for the same reasons. For example, the merging of campus ID cards is happening both on the front side for students and the back side for business administrators. This is all about efficiency, meeting the challenges of the day, and the changing role of the student ID card. With mobile ID cards on the horizon and cloud-based solutions a reality, the time for new thought is now. OneStop for students and staff is more than a passing trend.

Pop-up Point-of-Sale (POS). Even though many schools are pushing hard for students/parents to make tuition payments online, there is also a big push to accept payments in-person on demand. The nature of POS systems is changing. The key is to be mobile and to be anywhere people want to pay. Like many technology innovations, however, this creates a challenge for campus IT and business staff to control, secure, and account for the proliferation of payments everywhere. Embracing a campuswide strategy will pay off in more than one way.

There are many more good ideas and conversations going on at the convention. Also, it's great to see so many customers and partners, and to catch up on unfolding trends. It's amazing how much can be accomplished in a short period of time with people who are all dedicated to making campus business run better.

Keep in touch,

Daniel Toughey

One Year Later – Refund Rules Rolling

July 7, 2017

It's been fairly quiet on the student financial aid reform front, with plenty of other news items to follow with a new administration in the White House. Yet, we have just passed the one-year mark from the effective date of the new Department of Education (ED) Cash Management rules, and there is still plenty of activity going on behind the scenes.

Leading up to the new rules, there were many examples of students paying unjustified transaction fees and being subjected to aggressive marketing activities. The spirit of the rule was to ensure schools were looking out for the best interest of students. There is no question things have improved, but there is still a big concern that T2 bank accounts offered to students are not as fee-friendly as they should be. T1 accounts are much more restrictive on fees that can be charged to students.

July 1 also marks the next big date when schools must calculate actual cost information incurred by students for bank accounts offered by their institution's financial account providers for the previous 12 months. Then, by September 1, schools must post on their web site and submit to ED the total cost of all student fees assessed and the average cost students incur by having either a T1 or T2 bank account offered by their institution.

This September 1 milestone is where the rubber meets the road, because it leads to the grand finale requirement, which is that institutions perform due diligence to determine whether the bank account they offer is "in the best interest of the student". The $64,000 question: How will bank accounts that cost students significantly more than others be justified? The concept of "in the best interest of the student" is the foundation of the new rule, and every word is very intentional in that area.

ED will be keenly interested in this information, as will the CFPB as they prepare their annual "Campus Banking Report" to Congress. No doubt this information will be front and center. I've heard some are hoping deregulation will save the day, while others believe the opposite will play out. Either way, it is best to prepare for the spotlight to shine on student refunds.

Keep in touch,

Daniel Toughey

P.S. Also, ED is working on a new Fee Disclosure table for student bank accounts, which should be available soon.

Small Things Make a Big Difference

June 1, 2017

Most campuses are putting a renewed emphasis on improving the student experience as a means to attract and retain a critical mass of institution-appropriate students. The move to enhance all touchpoints on campus will have a high priority and strong executive oversight. One of the areas bound to receive scrutiny is the business office. Why? Because the “buck stops here.” The business office accepts payments, reminds students of payments due, collects late payments, and sets deadlines. This isn’t an enviable position to be in if your goal is to improve the “student experience.” Nonetheless, there are things you can do to help your institution meet its goal of improving student satisfaction.

First, make a plan. Having a plan will help you to be proactive when the student experience czar knocks on your door. It doesn’t have to be a grandiose project that addresses your complete wish list. Identify all of your student touchpoints in the business office. Then, prioritize your list with the ability to get a couple of quick wins right away.

A good place to start would be to review all email communications with your students. Are emails friendly or overly brusque? Do they invite specific behaviors or just demand action? As our society becomes more social and informal, so do written communications. Improve the tone of your student emails. And don’t forget those that are automatically created by your business software. Automatic communications may be overlooked because they are out of sight, out of mind.

Another high visibility touchpoint is your business office web presence. Many times this is the front door to your services for parents and third-party payers. Is the information clear and organized? Do all links work correctly? Are the pages Section 508 compliant? Website accessibility is important. Also, review web pages for consistency. Do all pages use the newest logo, current slogan, and correct colors? Consistency is a major contributor to overall ease-of-use and positive student perceptions.

If you agree that it is much better to have your own plan in motion than to be told to execute someone else’s plan, then it is important to remember the advice of John Wooden, legendary basketball coach: “It's the little details that are vital. Little things make big things happen.” Now is a great time of year for a business office refresh.

Keep in touch,

Daniel Toughey

Are Two Tracks Better Than One?

May 1, 2017

It depends. With razor blades, it seems you get a better shave with multiple blade tracks rather than only one. Two sets of train tracks can move more freight than one. But when it comes to campus ID cards, two magnetic stripes (two accounts) on one card are not the way to go. The days of a bank account sharing space on the campus ID card are fading away. Here's why:

Department of Education Regulations
The latest ED Cash Management rule makes it much harder to offer bank accounts to students. Not only must the bank accounts offered comply with strict ED requirements, but each institution must also perform due diligence reviews to ensure bank accounts are "in the best interest of the student." It doesn't make sense to comingle bank accounts and student IDs anymore considering the complexities involved in each.

PCI Security
We all know the importance of securing payment devices and cardholder data. Dual-stripe cards are notorious for causing confusion about which stripe is being used. It's important to consider the consequences when a card reader intended for swiping student ID data reads PCI payment data by mistake. Are PCI data then stored in unsecured locations? Both types of data are sensitive, but PCI data also have a well-defined set of handling rules plus penalties for failure to comply.

EMV Chips
Bank-issued credit and debit cards are moving quickly to the new chip-card technology in order to comply with EMV standards. It seems unnecessarily confusing to create cards that have two stripes as well as a chip or two on each. Student ID cards have carried contact chips in the past, but the practice never found a compelling value proposition. Similar chips on bank-issued payment cards, however, have found a critical use — EMV security.

Mobile Phones
In the long run (3-5 years), the number of magnetic stripes will not matter since ID cards are going digital and smartphones will have wallets. On the phone, the accounts will be separate. It's time to start thinking about adding IDs to smartphones, instead of stripes to plastic cards.

There was a time when it might have made sense to put student ID cards and bank accounts together. But today, the practice seems counterproductive. In the meantime, institutions are considering the future of their campus card systems with a new generation solution that is hosted, integrated, and mobile. These trends are truly your friends.

Keep in touch,

Daniel Toughey

A "Supreme" Interest in Swipe Fees

April 6, 2017

Many merchants feel that the cost of accepting credit cards is high. Last week, the U.S. Supreme Court took action on two cases that address merchants' credit card fees. First, the Supreme Court refused to hear an appeal of a lower court's decision to overturn a class action settlement between merchants and Visa/MasterCard. Second, the Supreme Court decided that the underlying issue in the New York law against credit card surcharges was based upon regulating "the communication of prices rather than prices themselves." All eight Justices concurred that it is a violation of free speech to prohibit merchants from asking for a credit card surcharge. The Supreme Court sent the case back to the circuit appeals court with its opinion. In both cases, merchants stand to gain a lot of ground.

The first case evolved from a 2012 class-action settlement between merchant groups and Visa/MasterCard over unfair interchange (swipe) fees. The settlement entailed three main points: (1) a reduction in interchange fees; (2) a $7.2B cash settlement (later reduced to $5.7B) to merchants; and (3) the agreement by the card brands to allow merchants to add surcharges to credit card sales. However, most merchants were not overjoyed with the settlement; more than 8,000 opted out. The reduction of swipe fees was offered for a limited time only. The cash settlement required merchants to sign an agreement that would prevent them from ever suing Visa/MasterCard over fees again. The second case has roots that go back decades. Its inclusion in the settlement was clouded by laws in 10 states that prohibited surcharges, thus negating a merchant's ability to do business the same way in multiple states.

So, what does all this mean for higher education and payments? First, it reaffirms the growing use of service or convenience fees as a way to offset the cost of processing card payments for tuition. Also, you may see a slight downward pressure on credit card fees due to more energetic merchant negotiations and anticipated court actions. However, you won't see any big changes to your merchant statements in the near term. Nonetheless, the tide is starting to turn for credit card fees, just as it did for Durbin and debit card fees, but it will take years to move the industry giants. All in all, last week was a good week for merchants.

Keep in touch,

Daniel Toughey

Level 4 Merchants Must Do More

March 9, 2017

Effective January 31, 2017, all Level 4 merchants must validate their PCI DSS compliance annually. For such a simple statement, this announcement seems to have caused a lot of confusion. Of course, the card brands have always required Level 4 merchants to comply with the PCI DSS, but now Visa has added a requirement to verify that compliance. What this means to most campuses is added work each year to complete and file the appropriate Self-Assessment Questionnaires (SAQs).

Why add a new requirement?
The recent shift to EMV standards in the United States has prompted concern about a coming spike in card fraud similar to what was seen in Europe and Canada after the EMV shift there. When you combine that risk with the fact that 90% of fraud losses in the U.S. come from small- to medium-sized businesses, you can see why Visa wants to ensure smaller merchants are safeguarding their transactions.

Who is a Level 4 merchant?
Most campus merchants at colleges and universities fall in this category. A merchant's total Visa transaction volume over a 12-month period determines the merchant level. Here are Visa’s definitions of merchant levels. The same definitions apply to merchants who accept MasterCard transactions.

If your PCI compliance strategy has been to deploy many MIDs (Merchant IDs) on campus in order to maintain a Level 4 PCI status for all, then the number of SAQs you must handle now may get out of hand. An alternative strategy is to organize campus merchants into a smaller group of MIDs and reduce your reporting, even if Level 4 status is no longer available. The difference between Level 3 and 4 is practically nil in light of the new reporting requirements. What’s more, the big picture—safeguarding cardholder data in the face of ongoing and increasingly active external threats—can be managed more easily in a unified commerce environment, too.

Keep in touch,

Daniel Toughey

PS: The Visa Technology Innovation Program (TIP) and the MasterCard Exemption Program can help you reduce your PCI compliance paperwork. (See Here's a TIP in the Toughey Talks archives.)

The Omni-Channel Experience

February 16, 2017

For many years, I have been a strong proponent of unifying campus commerce into one central and certified infrastructure. The benefits of this move to the institution include greater control, cost savings, and easier compliance, to name a few. The good news is that many schools have made significant progress towards this objective. But the ball keeps bouncing and the challenges get bigger. The latest push towards a business integration strategy is called "Omni-channel." Its roots are lodged in the attempt by business retailers to create an integrated consumer shopping experience, but the concept has important implications for colleges and universities, too.

Think of Omni-channel as a commerce unification strategy that integrates payments and creates a consistent customer experience through the various service channels. But don't confuse Omni-channel with multi-channel. "Multi-channel" commerce is giving your constituents multiple ways and places to make payments. Omni-channel strategy is much more complicated. Omni-channel not only centralizes all payment transactions on campus through a single commerce infrastructure, but it is also focused on making the user experience as similar as possible through these various channels. Transactions from POS devices, one-stop service centers, online self-service, and smartphones are all considered individual parts of one single, consistent, constituent experience. With an Omni-channel commerce strategy, campuswide commerce reflects the end goal of an institution to deliver convenient, high-quality, technology-based services to all constituents.

This is all much easier said than done, especially in higher education, where the number of disparate systems and processes in use is high. Realistically, you can't expect to achieve an identical experience in all channels because of the very nature of those channels, but you can strive for a clear and consistent interaction in all channels. Today, because technology is omnipresent in all business environments, an Omni-channel commerce strategy is the forward-thinking option for institutions working to enhance the student experience.

Keep in touch,


Daniel Toughey

Keep Your Eyes on the Radar

January 20, 2017

2017 is not yet three weeks old and already we see the ripples from recent changes in commerce rules and regulations popping up in the news. In some cases, merchants are pushing back; in another, the Consumer Financial Protection Bureau (CFPB) is doing the pushing. Here are some examples:

1. CFPB Reports on Campus Banking Agreements

A report released by the Consumer Financial Protection Bureau (CFPB) in mid-December raises continuing concerns about financial products marketed to students by colleges and universities. In general, the report is most critical of agreements with Tier 2 banks not subject to the very tight account fee rules under which Tier 1 service providers operate. T2 banks may still charge overdraft fees to students. The CFPB questions how these T2 accounts can be in the "best interest of the students" when T1 accounts cannot charge such fees. In addition, there are other areas where the CFPB would like to see improvements in providing institutions with more contractual rights with regard to fees and charges. The message is clear that the CFPB will continue to provide ongoing oversight of campus banking relationships now that the Department of Education's new Cash Management Rules are in effect.


2. Merchants Push Back Against EMV Challenges

The transition to chip cards continues to challenge merchants. Two Florida merchants have filed a federal lawsuit against 18 defendants, including payment card networks, financial institutions, and EMVCo. The merchants allege the defendants engaged in a "conspiracy" to fix a liability-shift date they knew merchants could not meet because of certification backlogs and other complications. "Some merchants have been getting hit with huge amounts of chargebacks under the liability shift," according to the suit. Some members of Congress are also investigating the payment card industry for similar reasons and the push towards EMV "chip and signature" vs. "chip and PIN". They say chip and signature is more costly for merchants than PIN transactions. The interesting thing is, the largest and smallest merchants are more likely to be EMV compliant than mid-sized merchants—the largest because they had sufficient resources to devote to the task and the smallest because it was easy to replace a standalone terminal. Mid-sized merchants, including most colleges and universities, have complex systems but limited resources, making their shift to EMV a bigger challenge. EMV is not going away, but has been much more difficult than many thought.


3. Supreme Court Hears Free Speech Arguments Concerning Surcharges

Speaking of merchants pushing back, the Supreme Court heard arguments on Tuesday, January 10, from lawyers for merchants (plaintiffs) and the state of New York (defendants) concerning whether the state’s ban on merchant credit card surcharges is constitutional. Ten states have enacted laws that prohibit merchants from announcing a price with an added charge to consumers paying with credit cards, even though these same merchants can offer a price less a “discount” to cash buyers. The plaintiffs say this violates their free speech since both are the same thing – just expressed differently. The Supreme Court could render a decision in the case by late June. While this decision may not have a direct impact on most campuses that already have built-in exceptions, it could ultimately have a strong impact on how the merchant community as a whole continues to challenge the growing cost of processing credit cards.


Keep in touch,

Daniel Toughey

PS: My good friend and colleague, John Murphy, has announced his long and successful career serving the higher education community is coming to an end as he moves on to pursue other interests. Though he'll stop by occasionally in the role of advisor, we will miss the influx of his humor, energy, and skills on a daily basis. Best wishes, John.

"Better Watch Out..."

December 19, 2016

Making a list and checking it twice...

So goes the classic 1934 Christmas song. Of course, the song refers to Santa Claus, but it could just as easily apply to any of us. It’s the time of year to reflect on our past accomplishments and set new goals for the coming year. As we look forward to 2017, most campuses will see a new emphasis put on the "student experience." It is rooted in the need for colleges and universities to attract and retain a critical mass of institution-appropriate students and manage their perceptions and experiences on campus. This focus has proven to have a high correlation to student graduation rates and overall institutional success.

Gonna find out who's naughty or nice...

Student experience is the new buzzword for every touchpoint on campus — recruiting, admissions, enrollment, billing, payments, and so on. The student experience literally covers the gamut of campus life. One of my fearless predictions for next year is the rise of a new executive position on campus called, perhaps, the Chief Experience Officer (CXO). This position will lead the evaluation of all parts of campus life and their impact on students. Make no mistake — this new position will have the ear of the president and the power to correct perceived problems. You've seen this cycle before in areas of critical campus need with positions such as Chief Information Officer and Chief Security Officer.

So be good for goodness sake...

For many years, enhancing PCI security and boosting efficiencies have been at the top of your annual "to do" list. But in 2017, you can add a new topic to the top of the list — the review of your business processes and systems for their impact on the overall student experience. You can get a good start by identifying all student touchpoints within your business environment, big and small. Then, you'll want to evaluate how each one enhances the student's experience, or not. It is much better to have your own plan in motion than wait to act on someone else's plan.

Keep in touch,


Daniel Toughey

100% Pure Mobile ID Cards

November 18, 2016

Most of us carry smartphones. So, when you think about revitalizing your campus card system, why not consider going 100% pure mobile? The technology is ready and students are ready. Why ask constituents to carry a piece of plastic around to act as an ID when they could use smartphones as their campus credentials?

Nearly a whopping 90% of millennials own smartphones/mobile devices and the number is still growing. Your students keep them handy 24 x 7. There's even a name for the anxiety your students feel when separated from their digital devices – "nomophobia" (fear of no mobile service). Going mobile just makes sense. For campuses, think of eliminating the cost and hassles of ramping up to print and distribute plastic ID cards a couple of times a year. I imagine a few years from now we'll consider mailing plastic ID cards the same way we think about mailing student grades, or billing statements, or paper checks.

Colleges and universities are unique because they can control all access points to their well-defined and finite ecosystem. This makes it not only possible, but also practical, to offer a campus card system that aligns with how your students think and operate today. Of course, there will be some issues concerning digital IDs to consider, like lost phones or dead batteries. But there are issues with current systems and the use of plastic cards, as well. 100% is rarely 100%. The point is to make mobile IDs the default option for everyone.

The trend for campus card systems is to become more agile, simpler, and in tune with other campus business systems. The next generation will be in the cloud, ERP integrated, and fully mobile. Considering the steps needed to procure and implement a new card system, now is the right time to learn more about modern campus card systems designed to meet the expectations of the smartphone generation.

Keep in touch,


Daniel Toughey

The Big Squeeze Is On!

October 26, 2016

Several months ago, I waved a yellow warning flag about Costco's new affinity credit card agreement with Citibank. These new cards carry some of the highest card interchange rates of all payment cards. Why? Two reasons: (1) to pay for the super rewards programs offered to consumers; and (2) to pay Costco a "lick off the cone" everywhere consumers use their co-branded cards, including your campus. That leaves most merchants like your campus squeezed in the middle, paying the higher processing fee on the influx of expensive reward cards and indirectly supporting rich co-branding programs like Citibank/Costco.

So, how big of an impact will these new affinity deals have on your merchant fees? That’s hard to predict exactly. However, a recent article in Digital Transactions reported that Citibank recognized a 57% increase in third quarter credit card sales volume compared to the same period last year. That’s a big leap, especially considering the already large size of their credit card business! Furthermore, the numbers reported by Citibank were for just the first 90 days after adding the Costco portfolio. Finally, Costco isn’t the only group involved. Affinity groups, such as Southwest Airlines, Amazon, and others, have rushed to join the bandwagon on these deals too. Higher fees make the banks feel happy. Greater rewards make consumers feel happy. Merchants in the middle just feel squeezed.

What can you do? First and foremost, know your numbers. What is your effective rate? What is your mix of credit to debit cards, Visa to MasterCard, and high-priced reward cards to emerging-market rates available to colleges and universities? Then put incentives in place for students and parents to pay with lower cost debit options, including campus-issued closed-loop debit cards. We are just beginning a new round in the "credit card reward wars." Plan accordingly.

Keep in touch,


Daniel Toughey

Campus ID Card Systems at the Crossroads

September 30, 2016

Few things seem to be as enticing as those plastic (or, now, exotic metal) 3" x 4" cards we put in our wallets and purses. I remember handing my young children non-activated credit cards from direct mail programs years ago; smiles would light up their faces. Our fascination with these instruments is amazing. We love the possibilities they represent.

This same fascination with "plastic" holds true for campus one card systems, too. Sometimes those shiny campus ID cards have blinded us to their primary purpose – secure campus credentialing. Like moths to a flame, campus cards attracted business schemes and deals that were meant to add value for students and revenue to the institution. Yet these business models failed to keep pace with evolving technologies and business trends. For example, the promise of the campus ID card becoming a student's long-distance calling card gave way to the reality of cell phones, and the hope that closed-loop debit payments would bring additional revenue to campus coffers ran into the proliferation of bank-issued debit cards.

Today, there is a move “back to basics” with a focus on campus one card systems as a technology platform – not a business model. Many of the campus executives with whom I've talked would consider merging their campus ID card systems with their financial technology platforms to create a more unified campuswide permissions and payments environment. This would lower overall operating costs and improve access to important services. Unifying campus commerce and credentialing platforms, with deep integration to the ERP system and other campus services, is a strong position for campuses to embrace.

With the next generation of a unified commerce and credentials platform coming around the corner, the challenge to "right size and right purpose" one card systems has been made much easier. Integration of campus business applications and services is a trend that is far from over.

Keep in touch,


Daniel Toughey

Too Big to Care?

August 31, 2016

A couple of months ago, a news announcement slipped by without much notice. On June 20th, Costco terminated its relationship with American Express and inked a new deal with Citibank to issue and accept Visa "Signature Preferred Cards" (SPC) instead. Citi’s Costco co-branded Visa rewards cards were issued to millions of Costco customers to replace their American Express cards. This was a big loss for AMEX and a major victory for Visa and Costco. In a similar shift, another large "affinity" group, USAA, recently replaced MasterCard.

Why should colleges and universities take notice of what appears to be just "business doing business?" Consider this. This new breed of "super rewards" cards is driving up the cost of accepting credit cards for all merchants. These cards carry some of the highest card interchange rates of all transactions. Also, Costco and other affinity groups are getting a "lick off the cone" everywhere a consumer uses their co-branded card – even on your campus. Ouch! In other words, "we the other merchants" help pay for affinity arrangements by dealing with an influx of expensive reward cards when consumers set aside older cards and use their newer rewards cards instead. A new report from CMS Payments Intelligence Inc. estimates that 59% of one of the biggest credit card issuer's interchange income is used to fund its rewards programs. That would mean, for example, 1.4% out of a 2.4% interchange goes to support the issuer’s generous rewards program.

In 2010, the Dodd-Frank Act and its accompanying Durbin Amendment regulated interchange fees for most debit cards. However, no similar effort has curbed interchange rates for credit cards, so they'll most likely continue to climb. Many merchants have the capability to increase their prices to offset these unfortunate cost hikes. Campuses do not. The best path for higher education institutions is to encourage payments with ACH or debit cards or move to a convenience fee model, if possible. Either way, understanding the fees associated with each payment transaction you accept is paramount to managing costs during the rewards card "arms race."

Keep in touch,


Daniel Toughey

When Is the Due Diligence Deadline?

July 27, 2016

July 1st was the deadline for the new Cash Management rule. Most of us would concur that the following "big four" changes should now be in place for processing Title IV refunds. This is true on all campuses that have established Tier 1 or Tier 2 financial account relationships.

1. Prohibitions against mailing debit cards to students without their approval;
2. Displaying an unbiased student choice menu for selecting disbursement options;
3. Making direct deposit to a student's existing account the first choice on the menu;
4. Having reasonable access to surcharge free ATMs.

So, where do we go from here? Up next is the September 1, 2016 deadline for conspicuously posting the contracts of any T1 and T2 arrangements on your campus website. The rule says you may redact any portion of your agreements that would compromise "personal privacy, proprietary information technology, or the security of information technology or of physical facilities." You must also send the URLs of these webpages to ED for inclusion in a public database. ED has recently posted an electronic announcement explaining how you can submit URLs.

Speaking of deadlines, some of the more interesting discussions I've had recently concern the requirement for due diligence reviews. Institutions with either T1 or T2 arrangements must ensure that the terms of the financial accounts offered are "not inconsistent with the best financial interests of the students opening them" and document reasonable due diligence reviews "at least every two years...." Some campuses interpret this rule to mean that institutions have the next two years to complete their analysis. Others believe that the due diligence deadline is due. Since the new rule is already in effect, the safe play is to be ready now. The spotlight is still shining on student refunds and regulators are keenly interested in full and timely compliance.


Daniel Toughey

PS: For full disclosure, it should be noted that TouchNet+Heartland is one of those organizations providing new financial aid student refund services.

Mid-Year Radar Review

June 28, 2016

It's official now. It's summer! We’ve reached the mid-point of the year. Not surprisingly, the three key factors that we've been tracking on our Campus Commerce Radar—Refund Reform, EMV, and PCI—are still bringing critical changes to campuses. What's more, the organizations behind them are still making news:

Card Brands
The attempt to roll out the new EMV chip card technology has been a lot harder and has taken longer than many first anticipated. Recently, however, there has been some good news, too. Visa has recently announced initiatives to ease the path for merchants transitioning to EMV. These new initiatives should simplify EMV testing; shorten certification timeframes by up to 50%; and limit merchants' exposure to counterfeit card liability during the transition period. Visa will begin blocking all chargebacks for counterfeit cards under $25 on July 22, 2016.

Dept. of ED
Most of the requirements in the Department of Education's new Cash Management Rule go into effect this Friday, July 1, 2016. We've already seen several important changes in the financial aid refund provider space. Some major players are exiting the market, including Higher One, Inc., representing millions of student accounts. Effective June 16, 2016, Higher One's refund disbursement service was acquired and is now BankMobile's Refund Management® Service. Other organizations are moving into the refunds business with new offerings. More than ever, it's important for colleges and universities to exercise due diligence in analyzing the financial accounts offered to campus constituents.

PCI Council
The PCI Council published a new release of PCI DSS, version 3.2, in April. Either PCI DSS 3.2 or the prior PCI DSS 3.1 may be used for assessments until October 31, 2016. Thereafter, all PCI DSS assessments will need to use 3.2. You'll remember that it was Version 3.1 that defined the use of common Internet protocols such as SSL and early TLS as unsafe and to be avoided (the effective date for this requirement was later extended until 2018). The publication of two major updates to the PCI DSS in two years illustrates the complexities and difficulties involved in safeguarding cardholder data.

New rules and regulations bring heightened anxiety and frustration to those tasked with implementing change. Like always, we'll continue to work to keep you informed so you can find the clear path to achieving campus goals.

Keep in touch,


Daniel Toughey

PS: For full disclosure, it should be noted that TouchNet+Heartland is one of those organizations providing new financial aid student refund services.

Dueling Debits

June 01, 2016

For most of this century, Walmart has sparred with Visa over high merchant fees associated with debit card transactions. In 2010, Senator Richard Durbin authored an amendment to the Wall Street Reform Act to regulate many of the debit card interchange rates. Because of Durbin and Walmart, we have lower debit interchange rates today than in the past. Now, it appears, both are eager to jump in the debit card fray again, this time with a new entity. EMVCo is the organization that controls, on behalf of a consortium of card brands, the specifications governing chip-based payment cards world-wide.

Durbin says that EMVCo has made a mess of the U.S. EMV rollout, to the benefit of the card brands. Specifically, Senator Durbin is upset that card issuers are rolling out chip-based debit cards primarily with signature authentication and not with PIN. Security for debit cards is critical because debit cards are linked directly to consumers' bank accounts. Durbin stated in a letter to EMVCo, "I am concerned that EMVCo's controlling networks, most of whom have fiercely advocated against PINs because of their financial stake in signature transactions, may be preventing EMVCo from stating a clear position on the benefits of PIN." Walmart agrees and is suing Visa (a key member of EMVCo) to require PIN enablement for all chip-based debit card transactions. Walmart's intent is to better protect customer bank accounts and lower merchant transaction fees.

I agree with Senator Durbin and Walmart that card payments have gotten messy for merchants and consumers alike. Today's variations and combinations of chips, swipes, signatures, PIN, credits, and debits are causing major confusion. To date, the majority of EMV credit cards are signature based (but not all). Now, debit cards are just starting to roll out, and many of those (but not all) are signature based, too. It's almost impossible for a cashier to know when a PIN versus a signature is needed. Nonetheless, chip cards are here to stay, and merchants and solution providers will be tasked with sorting it all out. Touché!

Keep in touch,


Daniel Toughey

Will the Real Bank Please Stand Up?

May 11, 2016

As colleges and universities begin to implement the Department of Education's new Cash Management rule, an important task will be performing due diligence reviews of financial accounts (debit cards) marketed to students. A good starting point is to ask the obvious but often overlooked question, "Who is the real bank holding your students' funds and issuing debit cards?" Like the long-running TV game show To Tell the Truth, you may have to ask a few direct questions to determine the regulated financial institution as opposed to the marketing organization. Why is this important?

There are people who believe the "rent-a-bank" concept is one of the root causes that led the Department of Education (ED) to write a new rule in the first place. Service providers would contract with small banks interested in gaining new deposits cheaply who would, in turn, allow the service provider to private label their debit cards and accounts. A lack of involvement by the bank, the regulated entity, led to overly aggressive marketing tactics and a lack of accountability by some service providers. Certainly, it was the impetus behind the ED's creation of a two-tiered structure (T1 & T2) of requirements for financial account providers. In the ED’s view, there was a big difference between banks with big brands to protect and service providers offering students private-labeled debit card accounts.

A good business practice is to make sure the bank account provider (the regulated banking entity) puts their name on the "front" of the debit cards and not just in small print on the back. It is important for campuses to know the financial institutions issuing campus debit cards and holding students' monies. A major part of your due diligence is to identify all of the players involved. Then, and only then, can you move on to evaluating whether or not the arrangements are in the best interests of your students.

Keep in touch,


Daniel Toughey

Chargeback Mania

April 14, 2016

Six months after the EMV liability shift went into effect (October 1, 2015), non-EMV merchants across the U.S. are experiencing more chargebacks and fees than ever expected. In fact, some merchants are claiming "chargeback dumping." In a recent lawsuit filed in a California federal court, litigants cited a 20-fold increase in fraud losses when they were accustomed to only a few chargebacks each month. They say the card brands now seem to be lumping many of today's problem transactions into one pile of "EMV issues" and dumping them on merchants not yet taking EMV transactions.

This is a concern, but I'm sure these issues will all get sorted out in the near future. The bigger question is why are merchants still not EMV compliant? As you're out shopping, you'll notice that plenty of merchants have invested in card readers with a slot for chip cards, but they are not being used. The reason is EMV is much more about software and integration than about chip card equipment. Solution providers are tasked with developing new software for their payment systems that allows the terminal to "talk EMV." Once this is accomplished, the rest of the payment processing chain, such as gateways, processors, and the card brand networks themselves, must be upgraded to stay synchronized, too. Finally, the new terminals and merchant software must undergo a certification process with each card brand network. To top it off, the certification queues and wait times are much longer than expected.

Nonetheless, it's important for colleges and universities to work with their solution providers and make the move to EMV. When you do, your campus will accrue three significant benefits immediately: (1) you push the liability for the growing number of fraudulent transactions back to the card issuers; (2) you put your campus in a position to take advantage of programs like Visa's TIP to reduce annual PCI paperwork; and (3) you meet your constituents' expectations for what they perceive as a safer payments technology compared to the old swipes. In the meantime, keep a sharp eye on the chargebacks in your processors' statements. Get ready to dispute more chargebacks than before.

Keep in touch,


Daniel Toughey

Student Refunds Upside Down

March 17, 2016

In drafting its new Cash Management rule, the Department of Education (ED) wanted to change both behaviors and attitudes concerning student financial aid disbursements. So it's interesting to see how the new rule not only defines required actions, but also turns some conventional thinking on its head. Here are three examples of past concepts that are changing.

At those institutions where the primary disbursement method has been debit card bank accounts, student participation (or "take rate") has been a key measure of success—the greater the percentage of students taking the card, the better the program's performance. Under ED's new rule, campuses will see take rates fall from 60% or more to around 25% for the following two reasons: (1) no more pre-mailing of debit cards with activation instructions; and (2) the new student choice menu requires that direct deposit to existing accounts be the first and easy choice. Now, instead of higher take rates in debit card accounts, lower should be the norm.

In the past, to give students access to their financial aid funds without hassles, institutions negotiated for as many ATMs on campus as possible. ED's new rule requires "convenient access" that includes surcharge-free national or regional ATM networks. So, while the number of students choosing a debit card bank account should drop, the number of "conveniently accessible" ATMs should increase dramatically. For savvy campus administrators today, the goal might be to limit the number of ATMs on campus and let neighboring businesses provide surcharge-free ATMs. So, instead of more ATMs on campus, fewer will mean less hassle and responsibilities for schools.

In the past, many campuses have off-loaded the administration and marketing of debit card refund programs to reduce costs and hassles. The result was that vendors' programs were often "out of sight and out of mind." That is, less involvement by the campus resulted in more savings. Now, ED requires campus involvement in the oversight of disbursement programs, including all marketing materials, through regular and periodic due diligence reviews. Now, more involvement is better.

Shifting your focus to a fiduciary role is a key part of ED's strategy to alter disbursement practices. The result is that a new set of best practices should be put in place for the new rules. Don't let old habits influence your decision making going forward.

Keep in touch,


Daniel Toughey

Here's a TIP

February 17, 2016

Recently Visa announced it would tighten data security requirements for Level 4 merchants. Their research indicates that over 90% of all data breaches are happening at these small to mid-size merchants. Therefore, effective January 31, 2017, all Level 4 merchants (see table) must begin validating their PCI DSS compliance with their processor (acquirer) annually. Since many colleges and universities are classified as Level 4 merchants, the Visa announcement could cause a new challenge for many campuses.

All merchants are and have been required to comply fully with the PCI DSS. However, compliance reporting from Level 4 merchants has often been treated informally. While most of you have been putting forth the effort to fortify your PCI safeguards, submitting formal documentation, such as your SAQs, has not been part of your annual process. Now, it will have to be, and that's probably not good news.

Now for the TIP. Many institutions have been moving toward acceptance of EMV chip cards at the point of sale (POS). These schools may qualify for a little-known program offered by Visa called the Technology Innovation Program (TIP). TIP rewards merchants by eliminating the PCI DSS validation/reporting requirements for merchants that are actively working to reduce POS fraud. Merchants at all levels that qualify for TIP could find next year's paperwork much easier.

To qualify, a merchant must meet the following criteria:

  • Ensure that sensitive authentication data (i.e., the full contents of magnetic-stripe, Card Verification Value 2, and PIN data) are not stored subsequent to transaction authorization, as defined in the PCI DSS.

  • Ensure that at least 75 percent of all transactions originate through secure acceptance channels, either enabled and operating EMV-compliant terminals or PCI-validated P2PE solutions.

This is a classic "kill two birds with one stone" move. Get your EMV conversion done and eliminate some of your most difficult PCI reporting requirements. TIP might also help you offset the cost of your transition to EMV. Now this is a TIP that makes both dollars and sense.

Keep in touch,


Daniel Toughey

A December to Remember

January 13, 2016

We like to think of the year's end as a time to relax and enjoy the holidays. That's not necessarily true, especially for the country’s regulatory agencies and businesses. In fact, December 2015 was a particularly active period for organizations like PCI, CFPB, FDIC, Federal Reserve, Visa, and others. While our attention was distracted by eggnog and roasting chestnuts, December brought us key decisions and new rules that could impact campuses as early as this year. Here's a recap of 2015's unusual year-end flurry of news and announcements:

  • Visa Tightens Requirements for Level 4 Merchants. Many schools are classified as Level 4 Merchants and will soon be subject to additional reporting requirements thanks to Visa's recent announcement. This may be a good time to consolidate your eCommerce systems to avoid more paperwork.

  • Higher One to Sell Its Refund Management Business. Higher One agreed to sell its refund disbursement services to Customers Bancorp, Inc. (Customers Bank), a regional banking partner since 2013, for $42 million over the next 3 years. While Customers Bank is buying and will operate the refunds business, they are not assuming any liabilities. This could be a real game changer in the student refunds space.

  • PCI Backs Off TLS Requirements. The PCI Security Standards Council (PCI SSC) announced an extension of two years to transition from SSL and early TLS protocols to a newer version of TLS (currently v1.1 or higher). This gives you more time to make critical system updates.

  • Federal Reserve & FDIC Order Fines and Restitution. The Federal Reserve and the Federal Deposit Insurance Corp (FDIC) in separate actions issued millions of dollars in fines and ordered restitution to more than a million students over deceptive marketing practices and fees in Higher One's disbursement of student loans.

  • CFPB Publishes Safe Student Account Toolkit. The Consumer Financial Protection Bureau published its Safe Student Account Toolkit to help colleges evaluate whether to co-sponsor a prepaid or checking account with a financial institution. Colleges can use the Safe Student Account Toolkit to evaluate costs and benefits for students, including accessing upfront information about fees, features, and sales tactics before agreeing to a sponsorship.

  • CFPB Sends Letters to Schools Warning of Violations of Federal Law. The CFPB, in assessing compliance with the CARD Act of 2009, found that four out of five colleges did not disclose their credit card marketing contracts on their website and more than two-thirds of the schools did not provide access to agreements upon request. Be forewarned; the CFPB is unhappy about the results and seems to be on a mission.

  • Global Payments to Acquire Heartland. Global Payments Inc. announced its intent to acquire Heartland Payment Systems, Inc. (our parent company) for $4.3 billion. The combination would leverage Global Payments' worldwide infrastructure with Heartland's strengths in domestic technology-driven markets.

  • Congress Extends Perkins Loan Program. Congress passed an omnibus spending bill to fund the federal government that included a two-year extension of the existing Perkins Loan program. Also included were a change to an institution's requirement to report tuition and related expenses on IRS Form 1098-T and a new deadline to file employer Forms W-2 and 1099-MISC with the IRS. Good news for most campuses.

As you move campus business forward into 2016, I hope you consider these year-end announcements in your planning. There is no doubt that more news and updates will be forthcoming on topics such as payment security and student refunds. Hopefully, the rate of change will slow down a bit for all of us.

Keep in touch,


Daniel Toughey

Let’s Talk Turkey about Tiers

November 23, 2015

Let's talk turkey about student refunds. In the past three weeks, you've probably heard a lot and read even more about the new Department of Education (ED) rule for disbursement of financial aid credit balances. A key feature of the new rule is the definition of relationships between a campus and its financial service providers. There are Tier 1 (T1) and Tier 2 (T2) arrangements, and then T2 is further segmented with a special low-threshold designation.

If you have a T1 relationship with a financial services provider, you probably have little doubt about it. They provide new financial accounts to students (e.g., debit cards); they participate in the disbursement process; they represent a T1 arrangement. Simple. The more confusing call is a T2 arrangement. Let's say you're rolling along using ACH (Direct Deposit) or paper checks only to disburse Title IV credit balances. The new rule doesn't change things for you; right? Not so fast!

ED’s goal for T2 relationships is to fully disclose the arrangements between educational institutions and financial institutions in order to help prevent potential predatory banking and financial aid disbursement practices. To that end, ED has required that T2 relationships be disclosed and included in your students' refund choices. Let's say a department "over there" contracted with a bank to market accounts to students as a campus service. If just one student uses his/her account to receive financial aid disbursements, then that other department's decision and its banking relationship force modifications to the business office's disbursement process. It adds student choice requirements, a disclosure process, and extra due diligence to the institution's efforts, not to mention restrictions on the way the bank markets the accounts and the account fees and ATM access provided.

Every campus not involved in a T1 relationship today should be busy reviewing all campus contracts with financial institutions to determine if any represent a T2 relationship. If so, these campuses have work to get done before next July. In fact, all campuses should be studying ED's new rule to understand changes to their responsibilities and the consequences for July 1, 2016, even the unintended ones.

Keep in touch,


Daniel Toughey

PS: To learn more about how the new ED rule might affect your campus, visit the TouchNet Knowledge Center to watch our webcast, Solving the Student Refund Puzzle.

The Balance of Payments

October 20, 2015

Almost a decade ago, major card brands formed the Payment Card Industry Security Standards Council (PCI SSC). Its focus was the development of security standards to protect cardholder data in the rapidly growing Internet payments arena. As PCI standards evolved and became more stringent, the pendulum of criminal activity shifted from Internet payments to easier pickings — the card reader devices used for in-person, card-present payments made at the point of sale (POS).

Now the card brands are using new EMV standards to upgrade protections for in-person payments. This doesn’t mean, however, that they have forgotten the Internet payments side of the equation. The most recent version of the PCI DSS (PCI Data Security Standard Release 3.1) includes tough new requirements for existing systems that go into effect July 1, 2016. This is a shift from older network communication protocols (such as SSL) to the more secure TLS (Transport Layer Security) version 1.1 and above. All other versions of SSL and TLS will no longer be acceptable for payment-enabled applications by next July.

The implications of this new mandate may surprise you. Many campus software systems connect to payment components that use a secure network communications protocol. With the removal of support for earlier protocols, links that have been communicating for years could cease to work. The same is true for web browsers. Campus staff and students use web browsers in their desktops, tablets, and phones to access applications that have payment-enabled features. Now, they too must be using a version of their browser that supports at least TLS 1.1 or no longer be able to access these applications.

Historically, as countries move to EMV technology, fraud at the point of sale decreases but fraud for web-based payments increases. More secure network protocols can help mitigate this shift. Once again we find payment card security is a never-ending process of change. EMV, TLS, and PCI are three important acronyms that should be on your campus commerce radar.

Keep in touch,


Daniel Toughey

EMV Is Here Today To Stay

October 1, 2015

Today is the day that EMV (Europay, MasterCard, Visa) technology officially launches in the U.S. That is, it’s the date set by the card brands on which the weak link in the payment chain becomes liable for covering the cost of any fraudulent “card present” credit/debit card transactions. The weak link is defined as the party who is not EMV compliant.

If you felt the earth move this morning, though, I’m pretty sure it was just a coincidence. After all, there is a good chance that you’re not yet ready for EMV payments. What’s more, you’re not alone. Information published by Visa shows that at the end of July, only 18% of the 720 million Visa-branded credit, debit, and prepaid cards in the U.S. contained an EMV chip. Furthermore, only 295,000 merchant locations were enabled for chip card acceptance, far short of the country’s approximately 8 million card-accepting locations.

Are you surprised that so few have converted to EMV? Don’t be. It is a mammoth and highly complex effort. Each payment card type (brand) must be individually certified through each payment terminal and each payment processor. Then, merchants must install new, or at least updated, card reading equipment, and point-of-sale software must be developed to handle the new chip cards as well. And let’s not forget the card issuing banks and financial firms. They too have to “re-card” their customers with the more costly chip cards required for EMV transactions. All in all, I agree with Visa’s Stephanie Ericksen when she said, “We really see October 1st as the starting point, not the endpoint.”

The coming holiday season will be flooded with news stories about chip cards and whether we like them or not. But that’s better than the holiday news stories in 2013 about major breaches to point-of-sale systems. Yes, EMV appears to be off to a slow start, but don’t be fooled. It is here to stay, and momentum will build quickly as rollouts ramp up. Sometime soon, your students, parents, and other campus constituents will come to believe that “dipped” cards (chip cards) are the secure and safe payment method and “swiped” cards (magnetic stripe cards) are not. Don’t lose sight of EMV on your campus.

Keep in touch,


Daniel Toughey

The Efficiency Trap

September 2, 2015

I sometimes find myself in conversations with acquaintances outside of Higher Education talking about what TouchNet does. The discussion many times turns to the rising cost of a college education and the perception that campuses must emulate businesses and become more efficient. For years, growth in administrative staff has far outpaced enrollment and growth in academic staff. It now seems that most people outside of higher education—and some on the inside—simply don't understand how complicated the "business" of higher education has become.

For example, let's start with campus commerce. A typical college or university payment environment is a complex web of varied and focused merchants, more like a small city than a business entity. Imagine trying to make all of the merchants in a city conform to a single business style or a common check-out process. Mass standardization works for a business like Walmart, but would be as futile in our imaginary city as it is on today's campuses. Measuring campus efficiencies the same way a business does is not going to work. It creates the wrong expectations and is a surefire way to frustrate both those inside and those outside of higher education.

Yet institutions understand that today's escalating costs cannot be sustained. What can institutions do today to run business better and operate more efficiently? The answer is to "know your numbers." First, define and track those goals and key performance indicators important to your campus. Know the source of your high-cost credit card transactions. Understand your PCI compliance status. Track peak transaction volumes. Then, in order to aggregate information accurately, make sure all commerce applications, technologies, and services run on, or through, a single enterprise commerce platform—a platform that delivers real-time integration of disparate systems, offers end-to-end data security, and provides easy access to campuswide commerce information.

This is the answer to higher education’s efficiency trap—how to create a more manageable environment without deploying massive standardization.

Keep in touch,


Daniel Toughey

Pocket Pay Phones

August 6, 2015

Most of us have used a pay phone before. They were once a staple at airports; you would exit from your arrival gate and see mobs of people standing at pay phones. Recently, I walked through a familiar airport concourse and saw people standing where I knew there was once a bank of phones. It turns out those pay phones have been turned into rows of charging stations. Those bulky old pay phones, like bulky old mainframe computers, have been replaced by smartphones small enough to fit in your pocket.

Of course, your students most likely have never used a pay phone. However, they think nothing of making purchases using their smartphones and a credit or debit card. Increasingly tech-savvy students are using smartphones to pay for anything they want, as well as order pizza, register for classes, etc. It’s second nature to them.

From a campus perspective, it can be very confusing when today’s self-service phone payments are lumped in with the broader category of all mobile payments. Let’s define two distinct initiatives:

  • Mobile Self-Service Payments. This technology has been available for the past several years. Students can use their smartphones to access web applications and make account payments and a variety of other campus purchases with just a few clicks. Mobile self-service payments should be a slam dunk on campus. They are leapfrogging fixed-location payment kiosks just like smartphones leapfrogged the old pay phones. This approach also reduces your institution's PCI footprint and makes compliance reporting much simpler.
  • Mobile "Wallet" Payments. A new level of technology is emerging and is represented by new products from Apple, Google, Samsung, and others. Here, the smartphone is used as a surrogate payment card for point-of-sale transactions. Contact and contactless solutions have both been announced. Some are closed loop, others are open; some are available in limited use while others are in the planning stages. We all agree the smartphone will become the next generation payment card, but the crystal ball is quite cloudy at this time about which technology will win the race.

If your campus hasn't yet joined the mobile revolution, now is the time. As you prepare for the hectic arrival of a new semester, don't relegate all mobile payments to the back burner waiting to see how the newer technologies evolve. Mobile self-service payments can deliver benefits today, giving you time to evaluate coming attractions for tomorrow.

Keep in touch,


Daniel Toughey

Chips & Dip

July 10, 2015

By now, most of us have heard about the "new" EMV payment cards. EMV stands for Europay-MasterCard-Visa. This group of companies developed standards for credit/debit cards with embedded computer chips (smart cards) over two decades ago. Since then, EMV technology has successfully reduced fraud in Europe and other parts of the world. Card brands are now rolling out EMV in the United States. Chip cards are meant to be “dipped,” not swiped. Consumers insert their cards in card readers and leave them there until their payment transactions are complete. This means consumers (and merchants) will need to be retrained on how to use their cards at the point of sale.

On October 1, 2015, the card brands will shift the liability for the cost of fraudulent payments to merchants who do not process card payments using EMV technology. It is not likely, however, that the industry (merchants, processors, service providers) can be fully ready for chip cards by then. Changing the U.S. payment infrastructure is a massive and complex project. For most colleges and universities, though, the number of fraudulent transactions is quite small compared to other types of retailers, and this liability shift may not be a significant issue. However, the shift in consumer acceptance of chip cards might signal bigger problems. When consumers become familiar with the new dipping process, they'll soon accept it as the norm and consider "swipe" to be an old technology, unsecure and risky.

So, regardless of the potential impact of the liability shift, it is still important for higher education to work towards full EMV enablement as solutions become available. After all, this is the first major payment security initiative entirely visible to consumers (i.e., students); they will either dip or swipe. Expect the next year to be a year of "chips and dip."

Keep in touch,


Daniel Toughey

ED Says Yes to Refund Reform

Overview – Part II

June 10, 2015

In my last email on June 1st, I reviewed the newly proposed Department of Education (ED) Cash Management rules from the standpoint of the disbursement process itself and offering new bank accounts to students. Now it’s time to focus on the campus administrative compliance aspects of the proposed rule. Most of this applies to your institution only if it has a relationship with a service provider and/or a financial institution to offer new financial accounts to students and parents.


If your campus is offering new financial accounts directly to students, then you will have new requirements in the areas of reporting, disclosure, and due diligence. Below is a brief recap of the key provisions:

Annual Reporting

All institutions and providers of financial accounts to students will have to disclose within 60 days after the most recently completed award year:

  • The contract(s) establishing the arrangement between the institution and third-party servicer and/or financial institution, with a few noted exceptions for privacy and security;
  • The total value of services for the most recently completed award year paid or received by the parties (monetary or non-monetary) under the terms of the contract (the quid pro quo part of the relationship);
  • The number of students and parents who had financial accounts under the contract at any time during the most recently completed award year;
  • The mean and median of the actual costs incurred by account holders.

The contract governing T1 and/or T2 arrangements and cost information will have to be displayed conspicuously on the campus web site, and the URLs will become part of a centralized database ED is providing for easy public consumption.

Students' Best Interest

Institutions will also be required to evaluate T1/T2 arrangements and conduct ongoing due diligence on their disbursement program on a regular basis to make sure the financial accounts they offer are competitive and in the best interest of students. In that regard schools will have the right to terminate their contracts with financial account providers if the campus determines the financial accounts are the target of too many complaints or generally not in the best interest of their students. This affirms your fiduciary role and gives you more leverage to negotiate the best deal for your students.

COMMENTARY: ED is convinced that more transparency and accountability are the best way to bring better solutions forward for students. The Credit CARD Act has similar requirements for schools to disclose publicly their banking relationships to the Federal Reserve and CFPB annually. This has been deemed to be successful in reducing the number of questionable programs. Additionally, giving schools the leverage to cancel contracts with their service providers is seen as a solution to schools being stuck in relationships that are bad for students. Interestingly enough, there are no actual prohibitions in the proposed rule against contractual revenue sharing or marketing ploys within Tier 1 or Tier 2 arrangements. The regulatory strategy is to focus on full disclosure of fees, revenue sharing, and costs, and let the publicized data provide incentives for all parties to act in the best interest of students.


In addition to the fiduciary and disclosure requirements above, there are other provisions that your campus will need to understand. These two jump off the page as most important:

Joint Responsibility

The Department is reaffirming its stance that schools and their financial services providers are jointly and severally liable for all the activities related to the disbursement of financial aid money. The bottom line for schools is this: you cannot “outsource” your responsibilities to a third party, and third parties need to be active participants in compliance as well. ED is strongly stating its position that schools have a responsibility to act as a fiduciary in the student relationship and monitor the activity of service providers. This was a key finding of the Office of Inspector General report issued March 2014, which found schools were not doing a good job of managing the activity of their vendors and business partners.

The Federal Option

The proposed rule has reserved for the Secretary of Education the right to issue payments directly to students and parents if the Secretary so chooses. The model for this would be the U.S. Treasury program for Social Security payments. The Treasury program has been considered a success, with over 95% of payments disbursed electronically. Only a small percent of benefits recipients select the Treasury Direct debit card as their disbursement method; the rest select Direct Deposit to a bank account.

COMMENTARY: If transparency and full disclosure don’t clean up perceived problems in financial aid credit balance disbursements, then the ultimate hammer is the ability for the Secretary to take over the disbursement process entirely and eliminate banks, service providers, and schools from the process of making financial aid payments. Hopefully this provision will not be necessary. There is, however, precedent for the Federal government replacing private business operations with the Direct Loan Program of 2010.

There is much information to be considered in the new rule, and schools will have only a limited time to implement its requirements once the rule is formally published. It will force some tough decisions for some colleges and universities as well as their service providers. Does it still make sense to offer a debit account from a financial viewpoint? Will the compliance and fiduciary responsibility lessen the attractiveness of offering student choice? No doubt there will be a lot more written and discussed about it in the coming weeks and months, especially as the comment period comes to a close on July 2nd. Of course, nothing is done until the final rule is published. However, it is not too soon to consider your options now as the next generation of financial aid refund solutions starts to come to market. Stay tuned.

Keep in touch,


Daniel Toughey

ED Says Yes to Refund Reform

Overview – Part I

June 1, 2015

What a difference a day makes! On Thursday two weeks ago, I wrote “by summer … we’ll know if refund reform is ‘dead or alive’.” On the very next day, the Department of Education (ED) published its Notice of Proposed Rulemaking (NPRM), which included revisions to Cash Management regulations for disbursement of Title IV credit balances.

You’ll find this email is much longer than normal, but refund reform is a big deal, and the changes are complex. Part I focuses on the impact of the proposed regulations from the disbursement side. My next email, Analysis - Part II, will focus on the institution’s administrative obligations to manage compliance within the proposed new regulation. Nothing, however, will replace a deep-dive reading of the proposed regulations now available on the Federal Register website [NPRM] above, and nothing is a “done deal” until ED publishes the final rule. So with those disclaimers, here we go:

Direct Deposit – The Default Option

First and foremost, it is important to understand that Direct Deposit to a student’s or parent’s existing financial account is the Department’s preferred method for disbursing credit balances. Not only is Direct Deposit the preferred choice, but the NPRM states that Direct Deposit must be the first, most prominent, and default choice in a list of disbursement options. Further, establishing Direct Deposit to an existing account cannot be more onerous than opening a new financial account, or delivery of credit balance funds any less timely. If your institution only offers Direct Deposit, then much of the new rule does not apply to you. Only when a new financial account is offered does much of Subpart K – Cash Management apply.

COMMENTARY: Most of the negotiators in last year’s negotiated rulemaking committee expressed their preference for Direct Deposit. Numerous reports and studies indicated that 85% or more of students already have a bank account, and the case for the “bankless” student wasn’t substantiated according to ED’s report. Inhibiting a student from using their existing bank account or enticing a student into a new one was viewed as the number one problem in the market.

Student Choice - The Selection Process.

If you choose to offer a new financial account to students, then you must offer a “selection process” as defined by the proposed regulation. The selection process must include informing students they are not required to open a new account in order to get their credit balance. You and your service provider must present students with a list of all disbursement options in a clear, fact-based, and neutral way, with Direct Deposit as the first choice. Plus, you must present students with a list of key features and fees associated with the new financial account in a standardized format that will be forthcoming from ED after the new rule is published in November. You and your financial services provider can no longer send a physical card (access device) to a student without the student’s affirmative request for the new financial account and you can only provide limited information (name, address and email address) to the servicer. Finally, if you offer a new financial account option, then you must also offer the option of a paper check or cash.

COMMENTARY: This is all very consistent with the discussion and proposals addressed during the negotiated rulemaking sessions last year. The selection process adds several new steps and will result in fewer students selecting the new financial account option. The conclusion was too many students were ending up with a new bank account that wasn’t needed or wanted.

Financial Accounts – The Compromise.

ED is making a distinction between “service providers” that play a direct role in the process of disbursing financial aid and “financial institutions” (banks and credit unions) that offer financial accounts to students through traditional financial services. The service provider model is called Tier-1 (T1) arrangement and the financial institution is a Tier-2 (T2) arrangement. It appears that both T1 and T2 arrangements allow the use of a campus logo or mascot’s image on marketing materials and access devices, but would be subject to the new regulation. Here is a brief recap of the key rules for each:

Tier-1 Arrangements. T1 service providers have a long list of restrictions on the financial accounts. The reasoning is they have direct access to students and have proven to be the primary cause of concern for ED and other regulators. T1 accounts must provide surcharge-free ATM access to refunds via a regional or national network of ATM machines that are both conveniently located on or near campus and of a sufficient quantity to handle students’ cash withdrawal needs. In addition, T1 financial accounts cannot charge point-of-sale fees (PIN fees) and cannot charge overdraft fees. T1 providers must also have a 30-day window where students can access their money without charges.

Tier-2 Arrangements. This is a compromise position to address those interests on the negotiated rulemaking committee who wanted banks exempt from any additional regulation. ED says T2 account providers are less likely to harm students because they generally have a much longer view of the relationship, i.e., banks want students to become customers long after college. Many T2 financial institutions have affiliations with schools for linking student ID cards to bank accounts. The only fee-related requirement on T2 accounts is that students have convenient, surcharge-free access to an “in-network” ATM machine in sufficient quantity on or near campus. Surprisingly, there are no restrictions on overdraft fees, which are one of the most controversial fees according to regulators and consumer advocacy groups. The Department is hoping T2 account providers will play nicely without many account restrictions.

COMMENTARY: Although the two-tier system is a clever approach to a difficult area, there are many things that need more clarification. Will this become the backdoor for banks and other financial firms to shirk the tougher requirements of Tier 1 accounts? The key is to make sure the definition of a service provider is broad enough to include any entities directly involved and able to influence student behavior. Hopefully, more feedback will happen in this area to make sure the two-tier system doesn’t cause a whole new set of problems.

NPRM Feedback – The Last Chance.

ED has invited comments on their proposed regulation. You can send comments by selecting Submit a Formal Comment on the Federal Register website. Comments are due on or before July 2, 2015.

COMMENTARY: To view a list of the topics on which ED is specifically interested in receiving feedback, visit and view Topics for Comments. We’ll keep this website updated with pertinent information as the Department of Education’s process of refund reform continues. Think of it as a resource page for additional information and links to key source material.

If, as expected, the new regulation is formally published by November of this year, it will take effect July, 2016. There are many questions to answer and the next year will be filled with confusion and change. I’ve never been a fan of more regulation or government intervention in private business practices. However, there is taxpayer money involved and sometimes things simply go too far. There are some challenging aspects to the proposed regulations, such as the differentiation between Tier-1 and Tier-2 arrangements; hopefully, they will be addressed before final publication. All in all, most of the provisions were actively debated last year and no one following the process should be too surprised at this result. My next email (Analysis - Part II) will focus on the new requirements institutions have in contracting, reporting, and transparency of offering students and parents financial accounts.

Keep in touch,


Daniel Toughey

Refund Reform: Dead or Alive?

May 14, 2015

Three years have passed since the release of the PIRG Report, Campus Debit Card Trap, and not much has really changed in the use of debit cards for financial aid refunds. Sure, there have been hearings, studies, lawsuits, and even a hotly contested negotiated rulemaking session, but the fact remains, there has been a lot more said than done. There are no new rules, and most schools are still in a holding pattern, wondering which way the wind will blow.

A year ago the Department of Education (DoE) concluded its negotiated rulemaking process with no consensus by the committee. A couple of new rules were published last summer, but none about campus debit cards. Now, speculation is that this will be the year, and it's only a matter of time before we see action on refund reform. However, any new rule would have to be published for public comments, submitted to the Office of Management and Budget for approval, and published by November 1st in order to become effective the following July. There's a lot to do in the next six months, but plenty of time if DoE really wants to get it done. The big question is, how high on the DoE's priority list is refund reform?

It's important to keep in mind that the Department of Education is not the only force that can bring changes. Other federal agencies, like the Federal Trade Commission, Consumer Financial Protection Bureau, and Federal Reserve can and already have taken action. In addition, state governments can join the fray. The Oregon state legislature is considering a bill to strengthen oversight and tighten regulations for financial service providers that are involved in student financial aid payments and disbursements. Other states could follow.

Those of you wanting to see which way the winds of change will blow shouldn't have much longer to wait. We'll all have a better understanding of the timing and scope of any changes by this summer. Then, we'll know if refund reform is "dead" or "alive."

Keep in touch,


Daniel Toughey

MC Debit Discounted

April 17, 2015

In a surprise move, MasterCard recently published new debit card interchange fees applicable to colleges and universities. The new interchange rate is 0.65% plus $0.15 per transaction, with a cap of $2.00 per transaction. In addition, they have introduced a new convenience fee pricing model that caps the convenience fee charge for debit cards at no more than $4.95, or no more than 1.0% of the transaction amount, per debit card transaction.

Some have asked why there is suddenly a lot of attention on debit card fees. Didn't the Durbin amendment lower the cost of interchange rates for debit cards back in 2011? The answer to both questions is that Durbin only lowered the cost of processing debit card transactions for about 2/3 of all transactions (regulated debit), but the other 1/3 were not subject to Durbin interchange restrictions and have been left unregulated. These unregulated debit transactions, from smaller financial institutions, flow through the system at "full price."

MasterCard's recent announcement is good news for most merchants, but the interchange rate is only part of the equation. The other part is the change to the systems and processing platforms used by the many service providers required to implement the new rates and caps. MasterCard's thirty-day notice to the industry to accommodate these changes is not only unrealistic, but also risky. MasterCard has said they understand that these major systems changes are difficult and will take time.

So, let's look at three models for accepting debit transactions on campus:

Direct Debit Card Acceptance.
When your campus accepts debit cards directly, you absorb the discount fees as a cost of doing business. When a lower rate goes into effect, your concern should be whether or not the savings get passed through to you by your payment processor. The only way to be sure this happens is to have a “cost plus” pricing contract and then verify that your processor charges you the lower cost.

Indirect Debit Card Acceptance.
When your campus outsources debit card acceptance to a third party, the service provider incurs the processing cost in exchange for an added convenience fee charged to the user. In most cases, the payer is charged the same fee for using a debit or credit card. MasterCard is encouraging service providers to build and implement a new two-tier convenience fee pricing model – one fee for debit transactions, another for credit. This, however, will not happen quickly, due to the practical realities of changing mission-critical financial systems.

ACH / eChecks.
ACH (Automated Clearing House) debits, or electronic checks, are popular and well accepted in Higher Education. Most schools encourage the use of ACH payments. They are very low-cost to process and nicely suited for high-dollar payments such as tuition. Though ACH lacks the real-time authorizations that make credit/debit card transactions so desirable, their transaction volume still dwarfs that of debit cards in the business office. Consider ACH / eChecks as your preferred debit payment method for big ticket payments.

In general, MasterCard is continuing the work of the Durbin amendment. The cost of processing debit card transactions is going down, and that's a good thing for merchants. What is truly amazing to me, however, is that there is so little discussion about the growing costs of processing credit cards, primarily driven by the ever increasing generosity of reward programs. The best strategy to manage the overall cost of accepting payments on campus is still to promote ACH payments as the primary debit payment method, while minimizing the volume of payment card transactions accepted.

Keep in touch,


Daniel Toughey

1 Version of the Truth

April 1, 2015

At a recent industry conference, I talked to several people about consolidating their multi-vendor commerce systems into a single-vendor platform. They voiced frustration with disjointed reconciliation processes and out-of-sync information, and they were worried about PCI implications of supporting multi-vendor systems. That got me thinking: what does it really take to unify commerce systems and arrive at "one version of the truth" throughout the campus enterprise?

Payments Integration
The first thing required is a single commerce platform capable of handling all payment types from all payment channels and all payment points. That's a tall order, but essential. That means a technology platform capable of handling payments made online, in person, via mobile, or by mail using credit cards, debit cards, ACH, or campus cards for everything from tuition payments to parking passes to alumni donations. But while this is a good start, it's not enough.

Deep Integration
Creating deep, interactive, real-time integration with your ERP system is difficult to do. Nonetheless, your ERP system (student and financial systems) is the "master system of record" on campus. Keeping your ERP data in sync, moment-by-moment, with your payment data is the key to building a single version of the truth. Your users expect it. But it's still not enough.

Broad Integration
One software system cannot possibly provide functional support for every possible application on campus. So, your commerce platform must offer APIs (Application Programming Interfaces) that allow departmental business applications to integrate easily with your central commerce platform for payment processing. However, campus IT resources are at a premium, so the APIs have to be usable with little technical support.

Achieving this level of unification requires a focus on your commerce platform. It's not so much the screens and buttons you see, but the sophistication of the underlying technology that's important. The right technology will be a foundation for growth whenever and wherever new applications are needed. The lack of such technology perpetuates the need to support disparate systems and to face the hassles of managing multiple services and service providers. Your campus commerce platform is a critical element on your path to "one version of the truth."

Keep in touch,


Daniel Toughey

Payment Processing "Enigma"

March 5, 2015

Recently I went to see "The Imitation Game," a movie about the efforts of mathematician Alan Turing and many others to decode German encrypted military communications during World War II. Some historians say that breaking the "Enigma Code" shortened World War II by as much as two years and saved countless lives. A few days later, I was in the middle of a discussion about payment processing fees for colleges and universities, and my thoughts returned to the movie. Higher Education spends a considerable amount of money to process campuswide payments. Yet, most are frustrated because they find it difficult to decode the fees charged by their payment processors.

Campuses today have a choice of two major options for payment processing. First, they can choose a "fixed fee" model with a single fee rate on all transactions, regardless of type. Second, they can opt for "cost plus" transaction pricing, where "cost" is the transaction's actual interchange fee and assessments set by the card brands and payment networks. The "plus" is a fixed, negotiated rate for the payment processor's services. The first choice makes it very simple to project costs and reconcile results. However, it tends to be more costly for the institution. The second choice gives campuses the promise of lower transaction costs, yet it is very hard to get the information needed to analyze actual results.

Management information tools have not caught up with the complexity of processing card payments yet. But that is about to change. There are new tools coming that can give you a clearer look at payment settlement data, permitting consistent access to the level of transaction details needed to know where and what actual fees are paid. These new tools will help decode payment processing fees and make the cost-plus pricing model desirable for a wide range of colleges and universities. As you evaluate your processing pricing model, look at combining highly functional campus commerce software with open and transparent payment processing to achieve true automated payments.

Keep in touch,


Daniel Toughey

CFPB Shifts Focus from Students to Schools

February 5, 2015

The Consumer Financial Protection Bureau (CFPB) is stepping up its efforts to protect students from what it sees as questionable deals related to financial products on campuses. In the past, the CFPB has focused on informing students on how to be good consumers. Now they are expanding their strategy to include educating colleges and universities on how to be better buyers. The CFPB has previously said that campus administrators have a responsibility to work in the best interest of students because of the special relationship between students and colleges.

To that end, the CFPB has created a "Safe Student Account Scorecard." It is designed to help schools evaluate fees, features, and sales tactics used in the delivery of bank accounts and debit cards to students. The CFPB has asked for comments from colleges and universities about its new scorecard in a Request for Information (RFI) issued on January 14. The deadline for submission of those comments is March 16, 2015.

Before the Credit CARD Act of 2009 (CARD Act), banks heavily marketed credit cards to students, using clever marketing practices in some cases. While the CARD Act restricted the marketing of credit cards, it did not have any restrictions on debit cards or prepaid cards. As a result, banks and service providers shifted their focus to the distribution of bank accounts/debit cards, particularly for the distribution of financial aid. According to the CFPB, about 40% of all schools now contract with outside service providers to disburse Title IV credit balances using various forms of bank accounts and debit cards. Just as the Credit CARD Act reduced the number of credit card deals co-marketed and co-branded by colleges and universities, the CFPB would like to influence the process of selecting campus debit card service providers by providing "safe student account" guidelines for campuses.

If you have some ideas or thoughts to share about the CFPB's scorecard, now is the time. Send your comments (identified by Docket # CFPB-2015-0001) to the CFPB before March 16. Regardless, the CFPB has a reputation for quick resolutions and major enforcement actions. This issue is definitely something you'll want to keep on your radar.

Thanks for reading.


Daniel Toughey

On the Radar: Rules and Regs

January 13, 2015

We can already see that 2015 will bring major changes in rules and regulations affecting campus payments. These new rules will come from many directions and different sources. Here are a few that you will want to keep on your radar this year:

  • EMV Chip Cards [brought to you by the Payment Card Brands]
    The card brands have set October 2015 as the deadline for merchants to replace older card swipe devices with newer EMV (EuroPay, MasterCard, Visa) compliant equipment. On October 1, your old equipment will still work, but the card brands will shift the liability of fraudulent card use to merchants (you) who choose not to deploy newer equipment. Expect to see a rapid growth in students with integrated chip cards in hand by the end of the year. It's time to swap your swipes!

  • PCI 3.0 [brought to you by the Payment Card Industry Security Standards Council]
    January 1 was the effective date for complying with the PCI 3.0 specification. PCI 3.0 is an evolutionary change, and the theme is continuous compliance rather than just "snapshot" compliance. There are a few new items included; the requirement to track payment points and devices, for example, seems simple, but nothing is easy in the complex world of higher education payments.

  • Title IV Disbursement Rules [brought to you by the U.S. Department of Education]
    Although the Department of Education has been looking at campus disbursements of credit Title IV funds for almost three years now, there are signs that this is the year we’ll finally see new rules published for review and approval. These new rules will most likely mandate that direct deposit to a bank account should be the first and easy choice for students, regardless of other campus choices. In addition, there could be new restrictions on marketing and fees and new requirements for reporting of debit card products offered by schools and their service providers.

  • Prepaid Debit Card Rules [brought to you by the Consumer Financial Protection Bureau]
    Last November, the CFPB published its proposed rule changes for prepaid (general purpose reloadable) cards. It's a broad-brush approach to bring these financial instruments under federal controls similar to the ones that consumers find on credit and debit (demand deposit accounts) cards. This impacts higher education because these cards are sometimes used in the Title IV disbursement process. In addition, the CFPB is planning to publish new guidelines and best practices to help colleges and universities better understand how to negotiate and contract for debit cards offered to students. Look for this very soon.

  • Proposed Regulations on Consumer Privacy [brought to you by the White House]
    On January 12, President Obama called for companies to be more transparent with customers after a data breach and proposed a national standard for how and when businesses notify consumers after personal information has been compromised. He also called for better protection for consumers from identity theft by strengthening security features in credit cards and the terminals that process them.

New rules and regulations will continue to come forth as fallout from the Great Recession and the big breaches in 2014. It's obvious that this year's payment industry changes are being driven by two admirable goals: better payment security and stronger consumer (i.e., student) protection. I will continue to keep you posted as the year progresses.

Thanks for reading.


Daniel Toughey

Is There an Elf on Your Shelf

December 8, 2014

Prior to this year, I had vaguely been aware of a growing holiday tradition called "Elf on the Shelf." This year, however, accounts of the Elf on the Shelf have been all over television news and social media. The Elf on the Shelf is a small elf doll that "watches" children during the day to see if they are being naughty or nice. Each night, it purportedly leaves to report results directly to Santa Claus and then returns the next morning, finding a different vantage point from which to watch. The idea is, of course, that children know someone is watching, so they had better behave nicely.

A couple of weeks ago, CBS aired a 60 Minutes segment about credit card security, calling 2014 the "Year of the Breach." The report focused on what identity thieves are doing to steal your credit card data. Like the Elf on the Shelf, thieves are constantly watching your systems, determining which are easy to penetrate (naughty for you; nice for them). The segment discussed the countless ways crooks can find their way into your systems. Is someone watching your campus payment systems now? Probably so.

What can you do to secure your payment systems? Here’s a short list of activities (work the list and then check it twice):

  • Swap your swipes for the new EMV technology.
  • Embrace new security standards and End-to-End-Encryption.
  • Move all credit card data to a PCI-certified data center.
  • Pick your campus commerce partners wisely, ensuring they are PCI compliant.
  • Train your staff on PCI requirements.

Unlike the Elf on the Shelf, which is a seasonal visitor, identity thieves are continually testing your systems to determine if they are "naughty" or "nice." Let 2015 be all about making your systems more secure.

Thanks for reading.


Daniel Toughey

Student Refunds: The Saga Continues

November 20, 2014

Many schools have told us that the past several years have been a period of turmoil for deciding the right way to disburse Title IV credit balances to students. We have seen fines, lawsuits, Dear Colleague Letters, consumer alerts, and more surrounding student refunds on campuses. I've dubbed this situation the "DisburseMess." It's no wonder that many institutions have concerns and are postponing plans to implement changes until the confusion clears up a bit.

Adding to this confusion, the Department of Education (ED) missed their November 1st deadline to publish new mandates in order for them to become effective next year. Nevertheless, I expect the ED to publish new rules for public hearings by next spring. These new rules should closely resemble the last proposed rules changes (Issue 4 - Cash Management) published this May for the Department's Negotiated Rulemaking Committee. If ED publishes a final version by November 2015, it will become effective July 2016.

A recent news story has added another facet that colleges and universities are evaluating. Until this month, only service providers and their bank partners have been fined or sued over student refund processes. Last week, a student sued the University of Montana for violating his rights under FERPA. This suit alleges UM provided its refund service provider with the student's personal information (to "pre-setup" bank accounts/debit cards) without the student’s permission. Whether or not the UM lawsuit ever reaches court, it is significant because it is the first time an institution of higher education has been named as defendant for its financial aid disbursement practices. The act of providing campus vendors with student information most likely will be addressed by new ED rules.

I look forward to a time when we have more clarity in Title IV refund requirements and I'm sure you are, too. Although the timeline has been very frustrating, it is possible that 2015 will be the year when we learn how the next generation of refund solutions will take shape. Stay tuned.

Thanks for reading.


Daniel Toughey

Apple Takes a Bite

October 30, 2014

Last week, Apple launched its new mobile payment service, Apple Pay. Suddenly electronic wallets are in the news again. Apple embedded NFC (Near Field Communications) in its iPhone 6 to work with its e-wallet app and NFC-equipped POS (Point-of-Sale) terminals to make "contactless" credit card payments.

The question is, will Apple's magic make this successful where other e-wallets have so far failed? That is, will you soon have students storming the campus with pitchforks and torches shouting "kill the plastic monster?" Not likely, but here are some things to consider as you keep an eye on developments:

  • WHAT? Apple Pay eliminates the "onerous" task of swiping a plastic card in a magnetic stripe reader device. Unfortunately for Apple, paying with a card in the U.S. is fast and easy. Consumers know how to do it. Cashiers know how to take it. It's simple and very hard to replace.
  • WHERE? Another problem for Apple is the number of merchants that accept NFC payments. Best estimates put NFC-equipped merchants at about 2.5% of total U.S. merchants. That's not enough to drive rapid adoption. What’s missing is a “killer app”—that is, an application that makes Apple Pay the "must have" choice for making payments. Want to be the next zillionaire? Just invent an iPhone 6 killer app that leverages Apple Pay.
  • HOW? How does Apple Pay work? It uses the iPhone's thumb print reader in conjunction with encrypted NFC to initiate and authenticate a credit card payment. Thereafter, the transaction acts like today's card-swipe payments, with this exception: Apple takes a bite out of the card issuer's interchange fees. That could make Apple a new, major player in the credit card payment industry and a factor putting additional upward pressures on merchant fees.

It's worth keeping an eye on Apple Pay developments. But more critical to campuses now is the mandated move to the added security of EMV technology. For most campuses, this means "swap-the-swipe," a move to more secure POS devices. The good news is that most EMV-capable POS devices also are NFC enabled. Once you swap your swipes for EMV security, you shouldn't have to swap them again for NFC. There is now no doubt that we're seeing the first wave of real mobile momentum.

Thanks for reading.


Daniel Toughey

Heard at EDUCAUSE 2014

October 9, 2014

Last week, I attended my 20th EDUCAUSE conference (previously CAUSE and now EDUCAUSE). I find it a great way to stay current with technology trends in higher education and to spend time talking to TouchNet clients. In general, people are feeling better about the improving economy and budgets, but also are concerned about some key issues. Here's a quick recap of the top three topics I was hearing in the trenches.

  • Data Security: Campuses have worked hard to lock down and protect sensitive data from the bad guys. But now, with all the big breaches taking place, there's a heightened feeling of urgency that data security must be a top priority. Campus IT professionals know the stakes are high and the impact of a breach is big. Maybe PCI 3.0 will help re-energize the effort!
  • Financial Aid Refunds: I heard loud and clear the growing concern for "Refunds 1.0" – today's debit card refund solutions and all their corresponding regulatory and legal issues. Institutions realize the game is changing and are looking for the next generation of refund solutions. One way or another, schools will have to have a plan B ready.
  • Cloud Solutions: There was a lot of conversation about moving to cloud computing. In the Campus Commerce space, cloud computing has been happening for years, with security concerns providing the push. Speaking from experience, the biggest challenge now in higher education is connecting clouds to other clouds and making disparate systems work together. Integration is still "king!"

With the start of spring registration and payment cycles around the corner, now is a good time to reflect on changes for the coming year to help make next year's cycle even better. If you get a few extra minutes, send me an email to let me know which initiatives you think are key to your campus for the coming year.

Thanks for reading.


Daniel Toughey

Moving to a Mobile Mindset

September 18, 2014

How is your campus coming along in developing a mobile mindset? That is, how far has it moved towards thinking of mobile as a primary business platform and not just an add-on? Smartphones. Tablets. Pads. Phablets. Whatever you call them, they are powerful computers that we carry in our pocket or purse. Apple's recently announced Apple Pay, another variation on e-wallets, will likely bring additional market power to mobile payments. Offering mobile is not just good business; it's now becoming a standard business requirement.

Think of your move to mobile as a continuum starting with these levels:

  • 1. Mobile Information. Displaying web content on smartphones and tablets is level one. That means first modifying content for ease of display on smaller screens and then making the content richer. Many campuses start with campus maps, events, payment deadlines, account balances, and GPS linkable directions.
  • 2. Mobile Transactions. The next level provides the ability to perform real-time financial transactions. This is what students expect. You should too. You want them to be able to pay fees, buy books, or remit parking fines when they think about it, wherever they may be. You also want alumni to make donations by smartphone to that special fund advertised inside the football stadium during the game! It would be great to have stored credit card numbers in an e-wallet to facilitate the payment process.
  • 3. Mobile Staff. Is your staff tethered by a cable to the wall? The third level of a mobile mindset allows campus departments to take in-person payments anywhere. During football games, let the marching band set up a pavilion to sell tees and sweatshirts using mobile point-of-sale (mPOS) systems. The key is to have mPOS transactions integrated into your campus payments infrastructure like traditional payments, so they can be monitored and tracked from one central location to promote data security, streamline reconciliation, and synchronize reporting.

Moving mobile is about keeping up with your constituents and making it easy for them to do business with you. The mobile revolution is just beginning—Google glasses, Apple watches, and other smart devices are here and more will follow. The best advice is to make mobile a priority and continue to build on your mobile momentum.

Thanks for reading.


Daniel Toughey

Point-of-Sale Systems Still Targeted

August 26, 2014

You may have seen front-page news articles regarding “Backoff” malware. The malware is capable of scraping computer memory for credit/debit card track data from Point-of-Sale (POS) systems, logging keystrokes, and communicating back to its command and control center. The Secret Service is attributing over 1,000 breaches to this malware (virus) and its variants in the last year alone. This is the same type of malware said to have affected Target, and its most recent victims are 51 UPS stores. We are not aware of any "Backoff" incidents reported in Higher Education, but wanted to bring the threat to your attention.

In the Target breach, the thieves broke into the main network and then deployed the malware to over 1800 cashier stations. Once installed on the cashiering station, credit card numbers were copied to a central server in the Target network and then periodically sent out to the bad guys. Now it appears the hackers are moving to a station-by-station approach and looking for individual cashiering PCs with an “open door” to deploy the Backoff malware. The most vulnerable open doors appear to be remote desktop access software that is used for maintaining and troubleshooting desktop computers.

Here are a few things to do now:

  • 1. Disable completely or otherwise secure remote access solutions. If your PC is handling credit card numbers, remote access should be disabled or at least locked down tight. Two-factor authentication is one of the best ways to reduce the risk of unauthorized access to a system.
  • 2. Check your firewalls and anti-virus systems. A firewall should be in place to deny all traffic that is not required for a specific business function. Also, make sure your antivirus is up-to-date and someone is monitoring and responding to alerts.
  • 3. Enable Point-to-Point Encryption (P2PE) for Cashiering. If your campus POS systems have this important technology available, you should take advantage of it ASAP. This technology will dramatically reduce your risk of memory-scraping malware and key-logging viruses on cashiering computer workstations. Ask your Cashiering vendor if you have access to P2PE technology.

It is apparent that attacks on POS systems are getting broader and more sophisticated. If you haven’t done so already, now is the time to make sure your systems are properly protected.
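As an added illustration of item 1 (this is example code written for this page, not TouchNet's or any vendor's tooling), the script below reviews logon records from cashiering PCs and flags remote desktop sessions that come from an unapproved address or that succeed right after a run of failed attempts. Event IDs 4624 and 4625 and logon type 10 are the standard Windows Security log values; the host names, addresses, thresholds, and CSV layout are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: which PCs take card payments, and the one
# admin workstation that is allowed to open remote desktop sessions to them.
POS_HOSTS = {"CASHIER-01", "CASHIER-02"}
ALLOWED_SOURCES = {"10.20.0.5"}

FAILED_LOGON = "4625"        # Windows Security log: failed logon
SUCCESSFUL_LOGON = "4624"    # Windows Security log: successful logon
REMOTE_INTERACTIVE = "10"    # logon type recorded for Remote Desktop sessions

BURST_THRESHOLD = 5                    # assumed: failures that suggest guessing
BURST_WINDOW = timedelta(minutes=10)   # assumed: look-back period

FIELDS = ["time", "host", "event_id", "logon_type", "source_ip", "account"]

# Constructed sample export (not real log data).
SAMPLE_EVENTS = """\
2014-08-20T02:10:01,CASHIER-01,4625,3,203.0.113.44,admin
2014-08-20T02:10:20,CASHIER-01,4625,3,203.0.113.44,administrator
2014-08-20T02:10:41,CASHIER-01,4625,3,203.0.113.44,pos
2014-08-20T02:11:05,CASHIER-01,4625,3,203.0.113.44,cashier
2014-08-20T02:11:30,CASHIER-01,4625,3,203.0.113.44,cashier
2014-08-20T02:12:30,CASHIER-01,4624,10,203.0.113.44,cashier
2014-08-20T08:55:00,CASHIER-02,4624,2,-,cashier
2014-08-20T09:00:00,CASHIER-02,4625,3,10.20.0.5,itsupport
2014-08-20T09:00:40,CASHIER-02,4624,10,10.20.0.5,itsupport
2014-08-20T09:30:00,LIBRARY-07,4624,10,198.51.100.9,staff
"""


def parse_events(text):
    """Read the CSV export into dicts with real datetimes, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%S")
        events.append(row)
    return sorted(events, key=lambda e: e["time"])


def find_alerts(events):
    """Return (kind, host, source_ip, account) tuples for risky RDP logons."""
    failures = defaultdict(list)   # (host, source_ip) -> times of failed logons
    alerts = []
    for ev in events:
        if ev["host"] not in POS_HOSTS:
            continue               # only cashiering PCs are reviewed here
        key = (ev["host"], ev["source_ip"])
        if ev["event_id"] == FAILED_LOGON:
            # Failed remote attempts are often logged with a different logon
            # type than the session itself, so count every failure per source.
            failures[key].append(ev["time"])
            continue
        is_rdp_success = (ev["event_id"] == SUCCESSFUL_LOGON
                          and ev["logon_type"] == REMOTE_INTERACTIVE)
        if not is_rdp_success:
            continue
        if ev["source_ip"] not in ALLOWED_SOURCES:
            alerts.append(("unapproved-source", ev["host"],
                           ev["source_ip"], ev["account"]))
        recent = [t for t in failures[key] if ev["time"] - t <= BURST_WINDOW]
        if len(recent) >= BURST_THRESHOLD:
            alerts.append(("success-after-failures", ev["host"],
                           ev["source_ip"], ev["account"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data only the 02:12 session on CASHIER-01 is flagged; the support session from the approved address and the logon on the non-payment PC are not.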

Thanks for reading.


Daniel Toughey

Top 10 Ways to Save on ePayments

July 16, 2014

We all want to reduce expenses these days, and payment processing costs are an inviting target. Here are my Top 10 Ways to Save on ePayments – a list (in no particular order) of some of the best ways to lower your bank fees fast. Some are easy; some are not. Most require reviewing campus payment points to determine the best strategies for each.

  • Make sure your merchant accounts are set up for the best Emerging Market rate available. Visa has had the best rate for Higher Education for years.
  • Use the convenience fee model if you have no state restrictions on surcharges. Recently, more community colleges have been moving to the convenience fee model, too.
  • Encourage students/parents to store their ACH account information. If they store it, they will use it. Plus, it can provide an efficient method to disburse financial aid.
  • Mail paper refund checks instead of offering check pick-up on campus. This creates the right incentive for students to get their refunds electronically.
  • Reduce the number of merchant accounts you have with your bank/processors. Most banks charge monthly fees for each account – they add up fast!
  • Require automatic payments for tuition payment plans. Reduce your delinquent accounts receivable.
  • Only accept debit cards for A/R payments. Durbin transformed the cost of most debit card payments from percents to "cents."
  • Make it easy for students to pay tuition and fees through third-party sponsorships. And make it easy for your staff to bill sponsors.
  • Unify campus commerce with a single platform everywhere money moves on campus. You'll save on processing fees, reduce overhead, and limit your PCI compliance scope.
  • Tell everyone to bring you cash in a brown paper bag! (Oh wait! Cash is the most expensive payment method. Forget it.)

Thanks for reading.


Daniel Toughey

To Bitcoin, or not to Bitcoin

June 19, 2014

"To be, or not to be" is Shakespeare's famous line where Prince Hamlet worries out loud about the general unfairness of life, but also considers that the alternative may be worse. This is similar to the current mix of electronic payment options: credit cards are expensive and hard to secure, but not taking them and adopting new payment alternatives may be even more worrisome.

Recently Expedia, Dish Network, and announced that they are accepting Bitcoins, and many are wondering if Bitcoin has become a viable alternative payment method. Those merchants get the hype for being early adopters, but are they really doing anything new? In reality, these retailers use a service that converts Bitcoin payments to US Dollar deposits in a manner similar to accepting credit cards, including transaction fees for the conversion process.

About Bitcoins

  • Bitcoins are a new digital currency used online for trading goods and services.
  • Bitcoin values fluctuate wildly and are not a regulated currency.
  • Bitcoins can be hard to purchase and few students or parents hold Bitcoins today.
  • There are transaction fees for consumers who buy Bitcoins and for merchants who convert them to dollars.

The fact is merchants really don't want Bitcoins; they want the dollars represented by the Bitcoin. Operationally, Bitcoins are a stored payment method or value accessed via an online "wallet." Many schools already offer a type of stored wallet with students and parents storing credit, debit, ACH, and campus ID cards for future use. This is a good time to embrace the idea of stored payment methods and get the infrastructure in place so your constituents become accustomed to paying with virtual money from a stored wallet. This is clearly the future direction of money - both for online and in-person payments.

Ultimately, Prince Hamlet learned that you can never be certain of anything because the world is complex. This sounds similar to the decision merchants must make when it comes to which payments to accept. Because there are fewer middlemen, the cost of processing Bitcoin transactions may ultimately be lower. The best course of action is to embrace today's technology including stored payment profiles while preparing for future payment alternatives.

Thanks for reading.


Daniel Toughey

The Bark Was Worse Than The Bite

May 5, 2014

Since the introduction of the PCI DSS v3 Self-Assessment Questionnaires (SAQ) at the end of February, there has been a wide range of speculation and confusion on the interpretation of one of the new SAQs, SAQ A-EP. The implication of the broadest interpretations would have been nothing short of a tectonic shift in scope for PCI DSS compliance - by bringing any and all sites that link to an eCommerce service provider in-scope for the connecting merchant. You may have sensed my growing frustration in last week's Toughey Talks Payments, "PCI: The Tail that Wags the Dog."

TouchNet has been staying close to this issue, working with industry professionals and voicing our concerns to the PCI Security Standards Council (PCI SSC). Until Friday, the PCI SSC had yet to clarify the definition and intent of SAQ A-EP. Guidance to put speculation to rest has now been published in the document, "Understanding the SAQs for PCI DSS v3.0."

The document is clear: eCommerce payment channels outsourced to Level 1 hosted payment providers remain eligible for the merchant to utilize the "short form" SAQ A. Meanwhile, SAQ A-EP should be used for situations where the merchant creates the payment form with a direct post to the payment processor, or where the merchant otherwise provides functionality that supports the creation of the payment page and/or how the cardholder data is transmitted to the payment processor.

We believe that the guidance strongly supports our position that "moving the button" is the right thing to do to secure payments and reduce PCI scope. While it is prudent to secure your web servers that link to outsourced eCommerce channels, controls should be put in place as determined by your risk assessment and security program, not governed by the PCI Standards.

Let's keep moving the button.


Daniel Toughey

PCI: The Tail that Wags the Dog

May 2, 2014

I've often said that PCI is the tail that wags the dog. Take a look at the most recent example: last October, PCI 3 was released, and most of us thought there were only minor changes to deal with. In late February, the new SAQs were published, and it has become apparent that the PCI Security Council has decided to crack down on merchants - by extending the scope of PCI compliance to any server that touches a server which takes payment. Sound crazy? Read on.

The old rule used to be "type or swipe a card number" into a campus system and you're in PCI scope. The new rule adds servers that connect or redirect campus payers to a payment server anywhere, and both servers are in scope. To me this means the global internet is in scope as it pertains to e-commerce transactions. As a result, many campuses will now be required to change from the previous "short form" SAQ A to the much longer and much more costly SAQ A-EP.

Right now, there is no such thing as a silver bullet to eliminate the new requirements, but there are a few thoughts to consider. First, if your campus is a Level 4 merchant, you might be able to continue with the short form if your acquiring bank approves. Level 4 merchants have volume of less than 20,000 e-commerce transactions apiece for Visa and MasterCard. They also have the most flexibility when it comes to PCI compliance. Another possible solution is to strive to reduce your credit/debit e-commerce volume. Embrace electronic checks for online transactions and limit credit/debit transactions to only certain items. This sounds extreme, but could be a strategy for shrinking your PCI footprint. One more thought is to move more campus systems to the "cloud" to limit your scope. Of course, this would require both a significant time investment and operational change, but cloud computing is the wave of the future, and this at least could be a driver to help get you there.

We all want safe and easy financial transactions, and no merchant wants to be in the headlines because of a breach. However, between the costs of processing a credit card, securing the transaction, and compliance, the cost-to-benefit tradeoff is tilting in the wrong direction. Working towards lowering credit/debit card transaction volume may be the best way for the dog to bite back.

Thanks for reading,


Daniel Toughey

Rules & Regs R Rolling

April 3, 2014

As I was sitting in the latest round of negotiated rulemaking at the Department of Education (ED), it occurred to me how many new rules and regulations are rolling off the presses. So, in an effort to keep things straight, here’s a quick list of the main things in motion right now that should be on your radar.

  • Europay, MasterCard, and Visa (EMV aka chip cards): The major card brands established October 2015 as the deadline for merchants to be chip card enabled at the point-of-sale (POS) or face a shift in fraud liability. Before the Target breach, there was speculation that the deadline would be extended. Now the smart money is betting against an extension. It's time to take an inventory of every POS on campus and plan for the conversion.

  • PCI 3 / SAQs: The latest version of PCI security standards was released in October, but the corresponding Self-Assessment Questionnaires were just published 3 weeks ago, creating lots of confusion. In particular, the new SAQ A-EP for "partially outsourced" hosted payment pages greatly increased the requirements for merchants who previously might have filed SAQ A. Right now, even the PCI Security Council is not 100% clear; they have promised more information in the coming weeks as PCI 3 goes into effect January 2015.

  • Financial Aid-to-Debit Cards: Last week ED proposed a new set of rules for using debit cards to deliver Title IV financial aid credit balances. Two rounds are done, with two more to go, but it looks like there will be a long list of new rules for schools and service providers to comply with starting in July 2015. The mainstream Higher Ed press is following this closely now, so there are several ways for you to keep in touch on this issue.

  • PLUS Loan Eligibility: Another topic of the ED rulemaking progress is credit underwriting requirements for parent PLUS loans. In 2011, ED implemented a new method of determining credit worthiness, which caused a large number of recipients to be ineligible. Now they are considering ways to revise their underwriting standards to be more consistent with the goals of the program. PLUS loans have been an important part of the student loan package for some institutions.

  • Convenience Fees: A New York law banning credit card surcharges or convenience fees was ruled unconstitutional last year. A US District Judge found that the law violated free speech rights by penalizing merchants for adding surcharges for credit cards while allowing them to provide discounts for cash. The judge issued a temporary injunction against enforcing the law while the case is finalized. This action could eventually remove convenience fee restrictions in all states and should be watched closely.

  • Durbin Amendment: Last week a judge upheld the Federal Reserve Board's (FRB) formula for regulating debit card fees in compliance with the Durbin Amendment. That nullified a previous ruling in favor of retailers who had charged that the FRB set the rate too high at $.21 per transaction. This is unwelcome news for merchants hoping for an even lower debit card interchange rate, but we can take this one off the list now.

Wow - there is no shortage of important payment topics to follow, and this list is not all inclusive. There's also a new courtroom battle between Walmart and Visa that launched last week, new P2PE specs coming in the fall, and more fallout from the Target breach. It looks like Toughey can keep Talking for the foreseeable future. Stay tuned for more updates.

Thanks for reading,


Daniel Toughey


March 11, 2014

A week ago the PCI SSC published a new set of Self-Assessment Questionnaires (SAQ's) for merchants to use for compliance reporting with PCI DSS 3. PCI 3 was released last October and becomes required on January 1, 2015. Even though PCI DSS 3 was originally presented as just an update to the PCI spec - without many major new requirements - the new SAQs for merchants are much more than a mere update. Plus, there are two completely new SAQs to deal with.

Of interest to higher education are the new SAQ A-EP for Partially Outsourced eCommerce Merchants, the expansion of requirements in SAQ C, and the new SAQ B-IP Payment swipes. Although there are still more questions than answers, here's a quick take on each:

  • eCommerce: One of the new SAQs is SAQ A-EP, which is for merchants that host their eCommerce web sites but redirect to a third party hosted payment provider. A merchant operating under the new SAQ A-EP will be required to separate their eCommerce web sites in a segmented network and perform a much higher level of testing and access controls to those networks. At this point, it does not appear to include full payment applications where the service provider controls all aspects of the site. However, there is considerable debate on the definition of fully outsourced in SAQ A vs. partially outsourced in SAQ A-EP and therefore which form to use. The PCI Council will have to provide more guidance on this soon to help everyone understand the impact on their scope. Also, your acquiring bank and QSA (Qualified Security Assessor) will play a big role in determining which form(s) your campus should use for compliance. We will continue to research and look for ways to minimize the impact of change.

  • In-Person Payments: SAQ C has added new reporting and testing requirements, including penetration testing, logging and log review of all in-scope system activity, and change-detection monitoring (commonly referred to as file integrity monitoring). Also, SAQ C can no longer be used for eCommerce payments as it was commonly used in the past, for both eCommerce and in-person payment channels. The new SAQ B-IP relates to payment terminals directly connected to a third-party payment processor. Such environments require firewalls, network segmentation, two-factor authentication, and external network vulnerability scans.

One thing that has become very clear to me is that new PCI requirements can flow from either the actual specification or from the reporting forms. I wonder if the Target breach provided the PCI Council with enough "air cover" to take a more aggressive position since PCI DSS 3 was released in October. Either way, PCI compliance continues to be a moving target and the cost and risk of handling electronic payments continues to grow. We'll stay close to the conversation and let you know more as quickly as we can.

Thanks for reading,


Daniel Toughey

Round One is Done

February 27, 2014

Last week I returned from round one of the Department of Education (ED) negotiated rulemaking committee in Washington D.C., where we discussed the 6 topics on the Department's rulemaking roster. One of the items the committee is charged with is determining the right way to manage debit cards and other banking methods to disburse excess financial aid. The outcome may change many of the ways the Higher Ed community handles Federal Aid refunds in the coming year.

The discussion on the debit card topic was lively - taking up a full day - and included the release of the General Accounting Office's (GAO) College Debit Cards report. Along with the GAO, a list of Federal agencies including the CFPB, FDIC, ED, and several members of Congress have all now weighed in on this hot regulatory concern.

Conversation and concerns centered on these key issues:

  • Unbanked Students - How and why students are unbanked, the difference between unbanked and unbankable students, and how to best serve them.

  • Push Marketing - An implied endorsement could be made of the institution with debit cards that are directly mailed to every student without being requested. This could lead to confusion, forcing students to open new debit card accounts they do not want or need.

  • Student Steering - When students are prompted toward how excess financial aid should be disbursed to them, sometimes the options are not presented equally or there are obstacles for direct deposit into their existing bank account.

  • Account Fees - What are the true costs of new bank accounts, taking into account all fees the account can incur, including fees for using a PIN for a debit transaction, fees to check balance at an ATM, fees for an inactive account, and more?

  • ATM Access - What constitutes "convenient" access to cash - a current ED requirement that needs clarity. How many ATMs should be on campus, and what is "convenient access" for online students or students who are home for the holidays.

The committee is faced with the challenge of coming to 100% agreement, not only on the debit card issue, but all 6 topics on the roster. If no consensus is reached, ED is free to propose regulations of its own. At the next session on March 26-28, the negotiators will be presented with draft language of the proposed rule changes by ED. Stay tuned.

Thanks for reading,


Daniel Toughey

P.S. Read more about the Committee membership and the topics on ED's Rulemaking Roster on the Ed Update page at


January 7, 2014

The headlines just keep getting worse for Target. First, a massive security breach during the busiest shopping days of the year; next, the announcement by Chase that they would restrict debit card purchases for customers that were part of the breach; then, the news by Target that PIN numbers were also stolen, followed by the notice that Target's REDcard program was included. What a mess.

It's hard to say if the worst is over for Target. TJ Maxx was the last major retailer to have a breach and it cost them more than $250 million. The Target breach is about the same size, but will cost them much more. Why? Target is a household name, and the number of lawsuits, fines, and penalties will be extraordinary.

So what changes can we expect as a result of the Target breach?

  • Expect the PCI Security Standards Council to become more aggressive with Point to Point Encryption (P2PE) technology. P2PE is currently a voluntary standard, but will most likely become mandatory in the near future.

  • Expect card brands (Visa, MasterCard) to turn up the heat on EMV chip card technology. Up until now, there has been a “chicken or the egg” standoff between merchants to upgrade terminals and card brands to issue chip cards. The Target breach will add new fuel to the fire to upgrade card swipe devices before the existing October 2015 deadline.

  • Expect Target to become a champion of credit card security and retool their whole payment system. In addition, they will use all their marketing might to convince consumers to forgive and forget. The biggest cost in this breach is the loss of customer confidence.

Would P2PE and EMV technology have prevented the Target breach? No one can say, but we do know the black hats look for low hanging fruit, and these technologies make it harder to get at cardholder data. Somewhere at Target headquarters, there probably is a proposal on someone's desk to “swap the swipes” to the latest generation of technology and devices. Security is always hard to budget for - until you get targeted - and then the money flows.

Thanks for reading,


Daniel Toughey

IN-N-OUT Payments

December 10, 2013

Whether money is coming in or going out on your campus, a good commerce strategy is to keep payment transactions simple for students and staff. One of my favorite examples of this philosophy is the popular California hamburger chain called IN-N-OUT Burgers. IN-N-OUT serves burgers, fries, and drinks - and that's it. No chicken, wraps, chili, salads, or breakfast; just burgers. Imagine how much simpler it must be to buy, supply, prepare, and serve food with a focused menu like this.

How can you apply IN-N-OUT's keep-it-simple philosophy on your campus? Start by having students and parents store their bank account number in your bill payment system. Then use ACH transactions for both "in" and "out" payments. When students owe you, they just pick and click the payment amount and date. When you owe them, send a direct deposit.

"In-N-Out" ACH Payments deliver big benefits for both payers and your business office:

  • Lower Costs

    ACH transactions are the lowest cost electronic payment method to process. The more ACH tuition payments you have, the lower your merchant processing fees.

  • Student Satisfaction

    Students need a bank account to make ACH transactions work. Most students already have a bank account, and if they don't, they should get one. Students are most satisfied when they pick an account convenient for them.

  • Easier Compliance

    ACH payments can help reduce compliance risks associated with both PCI and Title IV. Payment Card Industry (PCI) applies only to debit and credit cards issued by banks and their partners, not ACH payments. Title IV disbursements are regulated by the Department of Education; that agency clearly states using EFT to a bank account selected by the student is a best practice.

"In-N-Out Payments" are a low-cost and high-value solution that works in Higher Education because of the trusted and ongoing relationship you have with students and parents. Although there will always be a few exceptions, think about how you can increase ACH payments as a first choice - both coming in and going out.

Thanks for reading,


Daniel Toughey

P.S. Speaking of compliance…the nominations for the Department of Education negotiated rulemaking committee for cash management/debit cards are open until December 20th. Find details on serving or supporting a nomination here.

New Negotiated Rulemaking Committee

November 19, 2013

Changes will be coming from the Department of Education (ED) that will most likely impact how your institution deals with Title IV Financial Aid credit balance disbursements (Student Refunds). Today, the Department of Education published official notice of the formation of a Negotiated Rulemaking Committee to address the use of debit cards and other banking mechanisms for disbursing excess financial aid. They have held two previous public hearings on the topic and are now ready for action. The process will move fast with formal meetings already scheduled in February, March, and April 2014. By mid-2014, we will all have a much clearer picture of the new rules that will impact financial aid being disbursed to debit cards.

TouchNet has been a consistent voice on student refunding options. We have been clear in our belief that the best choice for disbursing credit balances is via direct deposit to a student's existing bank account. At the same time, we are not opposed to offering debit cards for the small population of students who do not already have bank accounts, if done properly. The Negotiated Rulemaking Committee will be charged with determining the right way to provide debit cards and establishing boundaries for marketing these cards, ATM access and fee structures. The committee will include many points of view, including Students, Consumer Advocacy Groups, State Attorneys General, Banking and Lending groups, Business and Industry Groups, and Higher Education Institutions. The Committee's outcome will undoubtedly affect how your campus deals with Title IV Financial Aid disbursements in the coming year.

I will be volunteering to serve on this committee to share our experiences in this area. If you would like to be nominated for this committee, please email me or Wendy Macias at the Department of Education. This will be an investment in time and resources for each party, but an investment we believe will help schools streamline the process and provide a better experience for the student. Committee nominations are due by December 20, 2013.

Change is coming. We don't know exactly what will happen at the end of this process - but we do know there will be new rules and regulations in the distribution of Title IV Financial Aid. Whether you are active in the process or just observing, it's important that you stay tuned in as anything that impacts the flow of financial aid to students, impacts the entire Higher Education community.

Thanks for reading,


Daniel Toughey

Third Time is a Charm

November 7, 2013

PCI 3.0 was released today and goes into effect on January 1st. The Payment Card Industry Security Standard Council (PCI SSC) releases a new version of its main specification every 2 years. Similar to a major software release, version 3 is typically about smoothing out the rough edges, and that's exactly what PCI 3.0 does. According to PCI SSC, the changes "... will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility, an increased focus on education, awareness and security as a shared responsibility."

What caught my attention about this statement was the reality that colleges and universities are not companies, nor do they do business as usual. Higher Education is different than most merchants, and compliance with PCI is much harder. Colleges and universities often resemble a small city, with a variety of campus merchants using a wide variety of business systems. Standardizing payment processes continues to be a big challenge for even the most dedicated campus leaders.

If you were hoping for specific rules for mobile point-of-sale, you won't find them in PCI 3. PCI SSC is still holding steady with its guidelines published in 2012 - which made it clear that using a consumer device (smartphone or tablet) with multiple applications is problematic. The "app for that" concept introduces too many issues for securing sensitive cardholder data. Point to Point Encryption (P2PE) is also playing a major role in the mobile POS answer. However, P2PE needs to be paired with a dedicated payment device to make the cut.

So what is "charming" about PCI 3? For the first time in years, there are no major new requirements or deadlines to meet. Even so, all campus administrators should be aware of the new recommendations, guidance, and best practices in the latest release to maintain control, security, and accountability on campus. It's also a timely reminder that PCI compliance is never finished - it is an ongoing and daily process of evaluating policies and practices. So let's stay focused on the goal of continuously securing campus commerce.

Stay Tuned!


Daniel Toughey

Two Sides of the Same Coin?

October 24, 2013

Earlier this month, U.S. District Judge Jed S. Rakoff blocked enforcement of New York State's "no surcharge" ban on credit card transactions. Five small retailers challenged the state law, claiming their First Amendment freedom of speech rights were being violated. Section 518 of New York's General Business Law prevents merchants from charging a consumer more for paying with a credit card vs. cash or similar method. At the same time, the New York law gives merchants the right to discount for cash. Isn't that really just two sides of the same coin?

In January, Visa and MasterCard relaxed their no surcharge rules as part of a pending settlement with merchants. The impact of those relaxed rules is blunted by years of lobbying at the state level, where currently 11 states representing 40% of the population have no surcharge laws on the books. In the New York case, the merchants claim there is no difference between a discount for cash and upcharge for credit - it's simply a matter of expression and therefore a First Amendment right. The District Judge agreed and granted the merchants an injunction against prosecution while the case is being litigated.

How does this affect us in Higher Education? Think about convenience fees. They are common at many institutions where they are not prohibited by state law. While major card brands continue to push hard for no surcharge laws, the New York Court action has the potential to remove the restrictions in all states. This is important because at least 19 more states are considering legislation preventing surcharging credit (and debit) card transactions.

Further proceedings are expected in this case before a final judgment is reached. The challenge is in making heads or tails of laws that seem to be contradictory. Stay tuned to legislation in your state that may impact your payment strategy.

Thanks for reading


Daniel Toughey

CFPB Targets Campus Debit Cards

October 2, 2013

While lawmakers were unsuccessfully trying to avoid a government shutdown on Monday, heavyweight players in the student banking industry were gathering at a forum hosted by the CFPB (Consumer Financial Protection Bureau) to review the agency's findings on student banking practices. Representatives from the CFPB, The Department of Education, the FDIC, and the New York Attorney General's Office were present along with industry representatives, including NACUBO and TouchNet. Consumer advocate groups US PIRG and The National Consumer Law Group joined current and former students to present their views on student banking.

CFPB Director Richard Cordray made it clear that the agency is not pleased with the direction campus finance is heading. "I am concerned that some of our colleges and universities, whether well-intentioned or not, may be encouraging or even requiring our young people to use financial products that do not offer the best deals," Cordray said. The New York Attorney General's office referenced an earlier investigation that revealed students thought a school logo on a financial product meant the school was endorsing the product - and expressed concern that the same thing is happening with debit cards and bank accounts now. Students and recent graduates pointed out via YouTube that excessive fees from many debit cards increase their education debt loads.

Like most discussions in Washington, there was not unanimous agreement on how banks and colleges should work together to best serve the financial needs of a diverse student population. One thing I think most of the panel agreed on: it's clearly best if students select their own bank accounts and use those accounts for financial aid disbursements. The theme TouchNet presented was making direct deposit the first choice - not the hard choice. The option for students to easily use their own existing bank account would solve many of the debit card problems.

This topic is not going away, and we can expect more in the coming months. Whether or not everyone agrees with the conversation, the tide has turned and we should all expect change on this front sooner or later. So let's be prepared.

Thanks for reading


Daniel Toughey

PS: You can find more coverage of the CFPB forum in the Knowledge Center

P2PE: "That's good. One less thing."

September 12, 2013

One of my favorite movies is Forrest Gump - Tom Hanks has so many great one-liners that make me stop and think. For example, when Forrest learns how much money he made in his "fruit company" investment (which turns out to be Apple Computer), he responds by saying "That's good. One less thing." (to worry about). The same can be said for Point-to-Point Encryption (P2PE) payment technology.

P2PE enables card readers to encrypt cardholder data immediately when a card is swiped and before it passes through campus computers and networks. This makes in-person payments more secure and potentially reduces your PCI scope. As good as it is, P2PE can be confused with other new payment technologies like EMV. Let's take a look at a couple of the top myths surrounding P2PE.

P2PE: Myths vs. Reality

  • Myth: P2PE is a PCI requirement.

    Reality: P2PE is not required by the PCI Security Council or by any of the card brands. New standards often are voluntary in the early stages and later become requirements.

  • Myth: P2PE is for all payment transactions.

    Reality: P2PE applies only to in-person payments from card swipe devices. Online transactions are not impacted.

  • Myth: P2PE is related to EMV.

    Reality: P2PE is not related to the move to EMV (Euro MasterCard Visa). EMV is chip card technology used for better authentication. P2PE is data encryption technology used for more secure data transmission.

While they are different technologies, P2PE and EMV both focus on in-person payment security. Right now, P2PE is voluntary; EMV is a requirement of the card brands, and the deadline for merchant compliance is approaching in 2015. As you make the transition to new EMV systems, take a closer look at P2PE and include it in your overall transition plan. To paraphrase Forrest: "And when I got there I figured since I'd gone this far, I might as well just keep on going."

That's all I have to say about that.


Daniel Toughey

PS: The Consumer Financial Protection Bureau (CFPB) has scheduled a "Banking On Campus" public forum in Washington, D.C. on Monday, September 30th.

Wire Fires

August 22, 2013

As the number of international students grows, so does the number of wire fires in the business office. What's a wire fire, you ask? It's a good student payment gone bad. All too often, the business office is faced with the time-consuming and tedious task of reconciling wire payments that land in the campus bank account with no information about the sender. Then the fun begins: trying to match the payment to a student receivable before it catches on fire - meaning the student is dropped from class for non-payment and a call arrives from an upset parent.

I know personally how frustrating this can be, because it happened to me the other day. The bank called and said a wire payment had been made to our account, but they would not release it until I was able to tell them the sender and the amount. While our business office was scrambling to figure out the source of that single wire, I could only imagine how challenging it is when you multiply that by the growing number of international students paying with wires.

Some schools use standalone money transfer services or make their bank account available for wire payments. These methods can work, but may cause delays, extra paperwork, and confusion for students, parents, and you. A better solution is for international payments to be fully integrated into the bill payment process. Wire payments should be just another option in the drop-down box alongside credit cards, debit cards, and electronic checks. Once the payment is received at the bank, it should be posted to the student account in real time.

With the number of international students constantly increasing, wire payments will play a bigger role in your payment mix in the coming years. Providing international students with a hassle-free way to pay improves their experience, makes good business sense for you, and helps prevent wire fires before they start.

Thanks for reading


Daniel Toughey

The Fed Misread Durbin

July 31, 2013

Today, U.S. District Judge Richard Leon sided with merchants who claimed the Federal Reserve Bank did not follow the mandate of the Durbin Amendment – and ruled that the Fed must rewrite the formula for regulating debit card interchange rates. This is a victory for all merchants and is based on a lawsuit filed by the National Retail Federation in November, 2011. The lawsuit claimed that the Fed acted “unreasonably and in excess of its statutory authority” by including costs into their formula that were not provided for in the Durbin Amendment.

Specifically at issue is the Durbin requirement that the Fed consider only the costs associated with a debit transaction: authorization, clearing, and settlement (ACS). The Fed originally proposed a 12¢ cap on debit interchange which only considered ACS costs. The final Fed rule that went into effect on October 1, 2011 was set at 21¢ plus 5 basis points ad valorem, which included other costs such as hardware, software, network connectivity, labor, transactions monitoring, and fraud losses.

What does the new ruling potentially mean for colleges and universities? On large debit card transactions like tuition payments, many schools have been reaping the benefits of the new regulated interchange and are saving significant money. However, on small transactions under $12.00, the cost of processing a debit transaction has actually increased. Going forward it looks like this problem may be corrected and there will be positive savings on small transactions as well. My guess is the original proposed rate of 12¢ for all nonexempt debit transactions will be back on the table.

Barring an appeal, we can all look forward to another round of proceedings at the Federal Reserve. In the meantime, the current debit rate will stay in effect until the Fed resets the rates. This could happen soon as Judge Leon said he was inclined to give the Fed “months, not years,” to rewrite the rule.

Stay Tuned!


Daniel Toughey

Learn more about the Durbin Amendment

E Pluribus Unum

July 18, 2013

At the annual NACUBO convention in Indianapolis last week, we heard a lot of conversations about enrollment and demographic changes in Higher Education — and what colleges and universities should do about them. For the first time in more than a decade, college enrollment is trending down. It is not unusual for enrollments to fall when the economy improves; this time there are also fewer 18-to-24-year-olds in the student population.

Concerned schools are focusing on filling seats with students from new niche sources. One of them is sponsored students from the business community. Businesses are once again eager to attract and retain the best people; spending on employee learning and development jumped over 12% last year alone. Employee-sponsored students — not students from the government and military — is where the growth will be in the coming years.

Here is where “E Pluribus Unum” comes in: out of many (students), one (bill). These new students bring not only a new source of revenue, but also a new level of billing complexity for business offices. In fact, NACUBO has been studying new ways to handle the influx of third party contract payers and the need for more advanced contract payment systems. If you have sponsored students today, you already know how big a hassle it is to do “routine” billing and collections. Schools that are not prepared will be faced with more paper, more people, and more manual processes.

So, take a look at your business office operations and make sure you are ready to respond to the needs of the new kind of student coming to your campus. Catering to businesses and organizations capable of “paying the bill” for many students will become a major source of revenue going forward.

Thanks for reading,


Daniel Toughey

PS: I’m sad to say the Higher Education community has lost a good friend and good man – Walt Conway. Walt was a real PCI pro, and he will be missed.

Cracking the Code

June 28, 2013

Are you confused about how to decipher your Merchant Processing statements to determine if you are getting the best deal? Join the crowd. Monthly statements from card processors are notoriously complex, with hundreds of interchange rate categories to decode. Sometimes a bundled fixed rate package looks simple, but preset rates end up costing you money. To help you quickly determine your effective payment landscape, check these three key measurements:

  • Percentage of Debit Cards vs. Credit Cards

    Nationally, debit transactions now represent more than 50% of total payment card volume. Debit cards are generally cheaper to process than credit cards now that the Durbin Amendment has changed the game.

  • Regulated vs. Unregulated Debit Cards

    Separate the debit transactions into regulated cards issued from banks over $10 billion in size and unregulated debit cards issued by banks under $10B. Durbin lowered interchange rates on the regulated cards, but exempted* small banks from the lower debit interchange rates.

  • Emerging Market Rate

    Make sure you are getting the "emerging market rate" that is available to colleges and universities as an incentive to offer credit and debit cards. Unfortunately, many reward cards ("What's in Your Wallet") are excluded from this lower rate. Ask your processor if you are getting the special Higher Ed rate.

As a rule of thumb, if your numbers are approaching 50% in each of these three key areas, then your payment mix is trending in the right direction. If your credit card transactions are out of balance, consider accepting only ACH and/or debit cards for tuition payments. Cracking the interchange code is not easy – but understanding the key metrics is the first step towards saving your campus money.

Thanks for reading,


Daniel Toughey

* Some campuses may have a high amount of unregulated debit (high cost) transactions because they offer debit cards for financial aid refunds.

Opt-in Options

June 6, 2013

No doubt, you have many projects on your to do list for the upcoming school year. The notion that the summer months are down time for colleges and universities is a myth. They're actually a short sprint to install updated systems, improve business processes, and focus on new ways to serve students better. So, as you plan for the new term, here are three seemingly simple things you can ask students to do that will deliver big returns to the business office.

  1. Email and Text Notifications

    Ask students and parents to opt in to text messages. Most schools already assign an email account to students. However, most students arrive on campus not only proficient in texting but also believing that texting is the only way to communicate. Meet their expectations and make sure to enable text notifications for payments.

  2. Stored Payment Information

    Ask students to opt in to stored payment profiles. Encourage them to enter their bank account number and check the box to use it for student refunds as well. This will make it easy for them to pay you and you to pay them (i.e., financial aid disbursements). ACH transactions and direct deposits are still the most cost effective payment methods for taking and making large payments.

  3. Authorize Parents and Payers

    Ask students to opt in authorized payers. Parents (or guardians, grandparents, etc.) are often involved in helping students pay campus bills. They should have limited access to account information and be able to make payments on behalf of their students. And don't forget to ask parents to opt in to stored payment profiles and text notifications, as well.

These may seem like simple, no-brainer actions. Yet experience shows that high participation in these options leads to shrinking receivables, reduced errors, and lower cost of processing payments. In fact, for some schools they are "key performance indicators" for measuring the overall effectiveness of online billing and payment systems. Now is the perfect time to start a mini marketing campaign to promote key opt-in options. Make fall payment deadlines work better for everyone.

Thanks for reading,


Daniel Toughey

DisburseMESS Update

May 14, 2013

Around this time last year, the refund-to-debit-card trend in Higher Education became big news. Student protests led to a series of class action lawsuits. Not far behind was the Department of Education (DoE) with its rulemaking committee and public hearings. Then came the US PIRG report (The Campus Debit Card Trap), and a media frenzy was in full swing. For many, campus debit cards became too hot to handle and Higher Education had a new mess on its hands. The gist of the controversy focused on deceptive marketing practices, hidden fees, and lack of convenient student access to ATMs.

By late summer, however, the topic had faded from the public eye as the media turned their attention to U.S. elections and other stories. With the spotlight shining elsewhere, some thought the student refund problem had passed; it was back to business as usual. In January of this year, however, the Consumer Financial Protection Bureau (CFPB) stepped up and requested information from interested parties about business practices surrounding the marketing of bank products to college students. The Department of Education is back at it, too, renewing its intent to form a negotiated rulemaking committee to consider new regulations on debit cards, among other topics. Both the CFPB and DoE are still concerned about how federal money is being handled by schools and banks alike.

Thanks for reading,


Daniel Toughey

PS: For more information about P2PE and mobile POS, see Be PCI or Be Square.

mCommerce: Money on the Move

April 24, 2013

While the craze to download an "app for that" is fading, use of mobile-enabled websites for payments, banking, purchases, and other business activities is skyrocketing. It reminds me a lot of the World Wide Web in its early years. At first, websites displayed static visual data, such as maps or other previously printed documents that were transplanted to the web. But static displays quickly gave way to more robust and secure websites that gave consumers the confidence to do real-time business transactions online. Mobile technology is following the same arc from static data to real-time transactions, only its evolution has been much faster.

Today's mobile devices do the work previously done on computers: checking email, sending texts, checking Facebook. We still refer to "cell phones" or "mobile phones," even though we no longer use them primarily for telephone conversations. Today's mobile devices have replaced what desktops did just a few years ago. They are really "pocket PCs."

If the World Wide Web gave us easy access to information and services, mobile technology is giving us immediate access to goods and services. In turn, this is creating "instant consumers." Whether standing in line, seated in a waiting room, or stuck in traffic, instant consumers are always ready to do business with their pocket PCs. This shift in consumer behavior will profoundly change the way business is done in every consumer-driven industry, including and maybe especially, Higher Education.

But that's only half the story. Forward-thinking schools are beginning to equip their staff to be "instant merchants" by converting the "pocket PC" into a "pocket POS." Merchants now are free to follow the money as it moves throughout the campus enterprise. They are no longer tethered to the counter in the same way that consumers are no longer tethered to a wired telephone or desktop computer. The combination of mobile technology and new point-to-point encryption (P2PE) security is transforming the relationship between merchant and consumer. If your campus hasn't moved to mobile, now is the time. The mass movement to mobile is in motion.

Thanks for reading,


Daniel Toughey

Southwest's Simple Secret

April 3, 2013

I've spent a good deal of time on airplanes recently and, more often than not, they have been Southwest Airlines flights. We jokingly call Southwest Airlines our "corporate jet." Southwest has been a model of success for more than 40 years in an industry littered with constant failures, bankruptcies, and consolidations. Year after year, they outperform their peers in almost every category, including financial, safety, and customer satisfaction. Today, they are one of the largest airlines in the world. So what's their "secret sauce?"

The answer is simple. Instead of maintaining a fleet of different types of aircraft, each with separate parts, configurations, and manufacturers, Southwest flies just one type, a Boeing 737. All Southwest pilots and crew are trained on one aircraft. All planes have the same parts, equipment, fuel economy, passenger capacity, and boarding procedures. All mechanics are trained on one airframe. Because of Southwest's zeal for standardization, they are able to keep their "assets in the air" more hours per day than other airlines and have achieved an unprecedented level of business performance.

Colleges and universities can embrace Southwest's "zeal for standardization" to help them create a more effective and efficient campus payment environment. Disconnected and disparate payment systems consume too many resources and cost too much time and money. They also increase institutional risk by making it difficult for schools to achieve real PCI compliance and safeguard payment data properly. On the other hand, schools standardizing on a unified commerce management platform improve accountability and controls, simplify training and support, and lower payment processing costs.

In Higher Education, the challenge of standardizing decentralized operations is not easy. Yet many campuses have made tremendous progress down the path to realizing a fully integrated, real-time campus commerce environment. It all starts with the basics—a unified commerce management platform. Disconnected payment systems are fast becoming a thing of the past.

Thanks for reading,


Daniel Toughey

PS: Next stop: Ellucian Live in Philadelphia April 7-10th.

Be PCI or Be Square

March 14, 2013

In my last email (Time to Swap Your Swipes), we looked at three new technologies that will improve data security for point-of-sale (POS) payments. Each requires an upgrade to your card swipe devices. However, we didn't talk about the growing interest in using mobile POS card readers for in-person payments. The fact is, not all situations are suited to traditional countertop devices, and the idea of using a smartphone or tablet as a "mobile cash register" does make sense.

That said, however, the PCI Council has been very clear about using consumer devices (smartphones, pads, tablets, etc.) for taking payment card transactions. They will not support consumer devices unless these devices use an attached card swipe that enables P2PE (Point to Point Encryption). The concern here is that a phone app could "siphon off" cardholder data unbeknownst to the merchant. The answer is to make sure the actual card swipes encrypt cardholder data before passing it to (or through) consumer devices. This can eliminate the primary risk associated with taking mobile POS payments. Although device certification is still to come, the PCI Council has now published its guidelines for mobile payment security.

Perhaps you've seen some of today's mobile card swipes used in TV commercials. They come in a variety of sizes and shapes and plug directly into smart phones and pads. Although attractive from a simplicity standpoint, they may not be well suited for the Higher Education environment. It's just not "cool" to be out of PCI compliance. So, don't be "square." If your campus is considering a mobile POS solution, look for one that is truly enterprise-strength and operates within PCI guidelines. New mobile POS devices can be a valuable tool to enhance your campus payment systems. Selecting the right tool for the job is always a good idea.

Thanks for reading,


Daniel Toughey

PS: Remember, March 18th is the CFPB's (Consumer Financial Protection Bureau) deadline for comments on using debit cards for student refunds.

It's Time to "Swap Your Swipes"

February 25, 2013

Even though merchants have implemented PCI controls, security for in-person payments at point-of-sale (POS) terminals remains a huge concern for the card brands. The main problem is that old magnetic stripe technology is vulnerable to fraud. While most merchants dislike the hassle and cost of replacing credit card terminals, it looks like new payment security measures will cause you to "swap your swipes." Here are three new technologies that are designed to better secure POS transactions:

  1. EMV.

    EMV (originally Europay, MasterCard, and Visa) is a standard for processing payment cards that contain integrated circuit chips. These "chip cards" provide better, safer authentication and fraud protection, but they require new terminals that can read the chip embedded in the card. Visa and MasterCard have announced their schedule for the U.S. rollout of EMV (see Chip and PIN or POS In Motion). They've included a PCI "carrot" as an incentive for you to make the change to new terminals now. The "stick" comes in 2015 if you don't.

  2. P2PE.

    Another emerging POS technology is Point-to-Point Encryption (P2PE). All devices (including cashiering PCs) that touch non-encrypted cardholder data are in your PCI scope and are subject to PCI DSS restrictions. If your card swipe could encrypt cardholder data immediately upon swiping instead of passing it on to your cashiering PC, your PC would no longer be in your PCI scope. That is precisely what P2PE does.

  3. NFC.

    Another new technology, Near Field Communications (NFC), eliminates the "swipe" entirely. Instead, you "wave" your NFC enabled smartphone "wallet" near a terminal — no plastic, no mag stripe, no swipe needed. Some say this is a safer way to pay, while others say it just presents a new set of problems. Either way, payment cards with magnetic stripes are based on very old technology and need to be replaced.

It's really only a matter of time before you will be asked to trade in your older POS terminals for newer and more secure devices. As you're getting ready to "swap your swipes," there is no better time to evaluate your existing payment points and determine what combination of technology will be right for you. And while you're thinking about POS and card security, take a look at the next big payment issue: smartphones, tablets, and other mobile devices. I'll talk more about that in my next email.

Thanks for reading,


Daniel Toughey

PS: Remember, March 18th is the CFPB's (Consumer Financial Protection Bureau) deadline for comments on using debit cards for student refunds.

The "DisburseMESS" Widens

February 7, 2013

A few months ago, we discussed the growing uproar stemming from debit cards and bank accounts involved in the disbursement of Title IV student financial aid refunds. We dubbed this conflict "DisburseMESS." During the recent elections and holidays, the topic seemed to drop from the public eye. Last week, however, two announcements brought it back to the spotlight and even expanded the scope of the discussion to state governments.

  • The National Consumer Law Center (NCLC) issued its 2013 Survey of Unemployment Compensation Prepaid Cards. NCLC surveyed 42 states' unemployment disbursement practices. They found that some states still inhibit the choice of direct deposit. According to the report, "most workers will select direct deposit to their own accounts when offered the choice, but states vary in how easy they make it to sign up for direct deposit." Minnesota, which makes direct deposit the first choice, not the hard choice, has a direct deposit enrollment rate of 82%. On the other hand, Arizona has only 16%.

  • The Consumer Financial Protection Bureau (CFPB), the country's top consumer-finance watchdog, is launching an investigation into the relationships among banks, colleges, and the financial products being sold to students. According to Richard Cordray, Director of the CFPB, "We have seen many colleges establish relationships with financial institutions to offer banking services to their students. The Bureau wants to find out whether students using college-endorsed banking products are getting a good deal." The CFPB is seeking comments and information by March 18th (Request For Information Regarding Financial Products Marketed to Students Enrolled in Institutions of Higher Education).

The CFPB will find the same thing in Higher Education that the NCLC found with state governments. When schools make direct deposit the first choice, students select it most often. When direct deposit is hard to get, students end up with new bank accounts that are both unneeded and unwanted. The fact that the CFPB is now investigating the use of debit cards on campus means that change is on its way. The CFPB is an agency with broad regulatory and enforcement powers. In its short history, it has shown the inclination to act quickly and decisively to correct perceived consumer mistreatment.

Stay tuned,


Daniel Toughey

Straight Talk 2013

January 17, 2013

As 2013 begins, I look forward to another year of sharing my thoughts on newsworthy items affecting Higher Education payments, security, and regulations. It has been my policy to avoid promoting TouchNet in these "Toughey Talks" emails. This one is slightly different. It is about a TouchNet-sponsored educational seminar called "Straight Talk 2013."

We started our first Straight Talk seminar series in 2003 during the initial rollout of the Payment Card Industry Data Security Standard. Each seminar was a one-day boot camp on campus commerce. We wanted to help college and university administrators cut through the confusion of PCI compliance rules and regulations. Since then, thousands of attendees have joined us for each new Straight Talk series to stay abreast of dynamic developments in campus payments and best practices.

In Straight Talk on Campus Commerce 2013, we'll cover timely topics like these:

  • Visa has changed its convenience fee rules. What are these changes and how can I comply to find more savings?
  • PCI-DSS will adapt to new Point-to-Point Encryption (P2PE) and the Europay/MasterCard/Visa (EMV) standards. How will this simplify my PCI compliance?
  • NFC (Near Field Communications) will soon enable smart phones for point-of-sale payments. How can I take advantage of new technology and remain PCI compliant?
  • The Department of Education is focusing on campus Title IV refund disbursement practices. How should I prepare for anticipated rule changes?

Straight Talk is a concise, one-day, no cost program for everyone on campus who needs to understand how rules, regulations, and technology will shape college and university payment systems. It's a great way to learn a lot in a short period of time and earn three CPE (Continuing Professional Education) credits, too. Click for the location and date of a seminar in a city near you.

Thanks for reading,


Daniel Toughey

Business Plan in a Gift Box

December 5, 2012

The holiday season is a busy time for most of us as we wrap up the current year and work on plans for the next. So, in the spirit of giving, allow me to provide you with a time-saving "Instant Campus Commerce Plan" for the new year. It's quick and easy. Just print, personalize, and present to your boss. That's it - your 2013 plan is done! Relax and enjoy the season. What could be easier?

2013 Campus Commerce Business Plan

  • Goal: Reduce the Cost of Taking Payments

    • Q1 Save six figures with Visa's new Convenience Fee Program for Higher Education.
    • Q2 Position debit (ACH and debit cards) as the primary campus payment method.
    • Q3 Go green and stop printing paper bills, checks, statements, and 1098-Ts.
    • Q4 Eliminate spreadsheets and manual processes for contract payments.
  • Goal: Enhance Student Services and Satisfaction

    • Q1 Enable mobile payments for students, parents, and other constituents.
    • Q2 Provide students with fast, easy direct deposit e-refunds.
    • Q3 Improve campus communications with automated texts and emails.
    • Q4 Tailor installment payment plans to help students manage tuition payments.
  • Goal: Increase Security of Campuswide Commerce

    • Q1 Update/maintain an accurate definition of Cardholder Data Environment (CDE).
    • Q2 Utilize commerce dashboard to manage and monitor campus-wide payments.
    • Q3 Deliver annual PCI training to all campus merchants.
    • Q4 Find and fix unsecured sensitive data (PII) on campus computers and networks.

OK, I may have over-simplified things a bit. You'll need to add a "few" more details - each item can expand in size and scope by a multiple of 10. Yet, these key goals probably have appeared in your previous years' plans and they certainly remain relevant for 2013 and beyond. The important thing is to keep chipping away at them, every year, and you'll stay ahead of the curve.

Thanks for reading,


Daniel Toughey

Visa Says "Yes" to Higher Education

November 6, 2012

A very big announcement by Visa may be overshadowed by today's election. After years of saying "No" to percentage-based convenience fees for tuition, Visa reversed its position. As of today, Visa will now allow percentage-based convenience fees for Higher Education just as they do for Government payments. This means that qualified Visa credit transactions can have a surcharge added based upon a percentage of the payment amount. Although effective today, the new program may take some time to get started because payment processors must adapt to the new Visa rules.

In September, I wrote that Visa was moving towards variable fees as part of their settlement in a long-running class action suit. I said that the issue was "a kaleidoscope of moving parts." Well, this part of the trend is very much your friend, and it's moved to help Higher Education now, separate from any settlement actions.

Schools, for years, have wanted to include Visa credit card transactions in their convenience fee programs. But Visa's rules prevented percentage-based rates and convinced most schools to avoid the inclusion of Visa transactions. Visa is looking to regain the lost acceptance by Higher Education merchants. So they've added Higher Education to their special government payment program, which does allow percentage-based fee rates.

Two transactions must occur in this arrangement, one for the cardholder purchase of goods or services and the second for the added service fee. Plus, the percentage-based rate applies only to SEC 8220 (tuition, fees, and fines) transactions, not for all campus payments. Nonetheless, Visa's inclusion of Higher Education in its special program is another illustration that merchants are gaining ground in their efforts to control payment expenses.

Thanks for reading,


Daniel Toughey

Merchant in the Middle

October 24, 2012

Last week was COMTEC 2012, our TouchNet Client Conference. Once again, it was a great opportunity for me to talk with many of you and hear firsthand about the state of payments on your campuses.

One topic I frequently heard discussed at the conference was Wednesday's Keynote Session on payments, called "Merchant in the Middle." Two industry experts presented ideas concerning how difficult it is for colleges and universities (merchants) to balance the ever-increasing cost of processing payments on one hand and the growing concerns of students and regulators about fees and fairness on the other.

Here's a very brief synopsis of each presenter's comments:

Processing Costs

Richard Crone, founder of Crone Consulting LLC, opened the session with a detailed look at the cost of processing credit and debit cards and how merchants are learning to steer their customers to lower-cost solutions. Of course, recent regulation of certain debit card interchange fees has helped some, but banks are now "incenting" consumers to start using credit cards more than ever. Why? More interchange revenue for the bank card industry. From there, Mr. Crone talked about the future of payments and how to "enroll" your constituents into burgeoning eWallets. This may help to manage payment processing costs and provide new opportunities for campuses to leverage constituent relationships.

Regulatory Concerns

Payments going out are just as important as payments coming in. Rich Williams, Higher Education Advocate for US PIRG and Student PIRG and co-author of "The Campus Debit Card Act," addressed student refunds. Though he understands that schools are under pressure to tighten budgets, he urged us to remember that Title IV financial aid money is very important to the long-term health of Higher Education. His advice was to avoid being "penny wise and dollar foolish" by cutting corners in student financial aid disbursement. Financial aid has been the engine of enrollment growth during the past decade. It's best to make sure Title IV money doesn't get tainted with "bad actors" jumping into the middle of the money flow.

As merchants, you will continue to feel squeezed as regulations become more complex and banks reshuffle their basket of consumer products. The good news is that many schools are finding ways to both lower costs and maintain student-friendly services. These schools ask students to arrive on campus with the bank account of their choosing in hand. Then, students store their bank account information in ACH payment profiles that enable low-cost ACH payments both coming in (tuition) and going out (financial aid refunds). It seems, in this case, that being in the middle is the best place to be.

Thanks for reading,


Daniel Toughey

What a Difference One Word Makes

September 27, 2012

Undoubtedly you've seen recent examples of negative publicity related to fees and questionable marketing practices surrounding debit cards and Title IV "student refunds." It seems to me that most of today's problems could have been avoided if the "Credit" CARD Act of 2009 had focused on being the "Payment" CARD Act (or just CARD Act) instead. Though well intentioned, the Credit CARD Act missed the mark by referencing only credit cards instead of all payment cards. The one word "credit" made a big difference.

As a refresher, the Credit Card Accountability Responsibility and Disclosure Act of 2009 was a response to concerns about lack of transparency in fees and misleading business practices by card issuers (i.e., banks). As consumers, you and I could probably agree that many of the provisions of the legislation were necessary and fair. More important for this conversation, the Credit CARD Act also had specific language for colleges and universities to protect students from overly aggressive business practices by the credit card issuers (NACUBO summary).

The conclusion that the spirit of the CARD Act should apply to all payment cards, not just credit cards, has been reached by others. Senator Sherrod Brown of Ohio recently published a letter written to one campus vendor of financial products for students in his state. His comments included, "While the Department of Education imposes some requirements on financial aid disbursement accounts, I urge your company to go beyond those requirements and implement reforms similar to those provided in the Credit CARD Act."

Handling campus debit cards within the same consumer protection guidelines as the Credit CARD Act could deflect a lot of today's critical scrutiny. Doing so might even act to delay additional legislation under consideration to tighten regulations specific to debit card use in student refunds. At the end of the day, ensuring all campus debit card vendors comply with the spirit of the Credit CARD Act is the best thing for everyone.

Thanks for reading,


Daniel Toughey

Visa Says "Yes" to Surcharge...Maybe.

September 6, 2012

You may have seen the recent news about a proposed settlement to a class action suit against Visa and MasterCard. Note that a key word here is "proposed." It is not clear whether the parties are still negotiating or the deal is unraveling, but the participants have until next month to reach an accord, or the suit goes to trial, unless there are further delays.

Visa and MasterCard are offering big money and temporary interchange concessions to retailers in the hopes of ending the long battle. If the settlement is accepted, Visa/MasterCard also will allow retailers to pass on the cost of processing credit cards to the consumer in the form of a surcharge or convenience fee. However, the settlement comes at a price for merchants because they would agree to waive their rights to take action against the credit card brands in the future.

For Higher Education, perhaps, this settlement is somewhat "old hat." Colleges and universities have had the ability to surcharge credit card transactions for decades, and many are doing so today. However, Visa is generally not included because its rules restrict surcharges to a flat fee structure. Under the proposed settlement, Visa would lighten its rules and allow percentage-based surcharges similar to those of MasterCard, Discover, and AMEX. This would be a good thing for higher education.

As it stands today, the settlement and its impact are a kaleidoscope of moving parts. Even if an accord is reached, merchants will have another 180 days to decide whether to opt out. If too many merchants opt out, the settlement would be nullified. Also keep in mind that ten states still have laws restricting surcharges on credit card purchases, trumping any settlement terms.

We have a long way to go before this is resolved. Stay tuned. We'll keep you informed of changes and updates.

Thanks for reading,


Daniel Toughey

Storm Warning - CFPB Issues Student Advisory

August 14, 2012

A new acronym you will be hearing a lot about is the CFPB. The Consumer Financial Protection Bureau was established by the Dodd-Frank Wall Street Reform Act in 2010 to protect consumers from questionable practices by the financial services industry. The new bureau is starting to show its muscle and is becoming a force to be reckoned with. In fact, in July, it levied its first enforcement order; it fined Capital One $25 million and ordered restitution of $140 million for its credit card marketing practices.

Last week, the CFPB issued a consumer advisory to all students expecting to receive scholarship and student loan proceeds onto - what appears to be - a school-endorsed debit card. I urge you to read the full text of the student advisory. There are several interesting twists in the CFPB announcement:

  1. The advisory was issued directly to your students, bypassing the campus Business Office altogether.

  2. The CFPB is encouraging students to use social media as a channel to gather complaints and expose questionable business practices.

  3. The CFPB has set up a web site for students to register their complaints and then publish the resolutions, if any. They have done the same thing for credit card and student loan complaints, as well.

What does this mean to colleges and universities and the vendors that serve them? Quite simply, you can add the CFPB to the growing list of powerful government entities, including the Department of Education and the U.S. Congress, that are actively engaged in protecting students throughout the loan-to-disbursement cycle. Higher Education's financial aid disbursement process has become a point of contention in today's consumer-sensitive environment. The winds of change are blowing in fast, and there is no way to predict where the storm will hit, but you can see it coming nonetheless.

Thanks for reading,


Daniel Toughey

POS in Motion

July 19, 2012

In my last email, I talked about a new payment card technology called "Chip and PIN." Chip and PIN technology, also referred to as EMV (Europay, MasterCard, and Visa), is widely used in Europe, Canada, and other parts of the world. EMV technology will soon be coming to the U.S. according to plans announced by the major card brands. Using a classic "carrot and stick" approach, Visa is offering both rewards and penalties to encourage the adoption of the new technology by merchants and processors at the point of sale (POS). Here is Visa's Roll-Out Plan as it stands now.

  • October 1, 2012 - Merchants Get a Reward

    You can eliminate filing certain PCI DSS assessment reports when you update your POS devices to new dual-interface readers (see below) and process at least 70% of all in-person payment transactions through the new equipment.

  • April 1, 2013 - Processors Must Be Ready

    Payment processors and service providers must be able to process all payment transactions using the new technologies, including handling extra data and required encryption.

  • October 1, 2015 - Fraud Liability Will Shift

    Visa will shift liability for card fraud from card issuers (today's arrangement) to the merchant acquiring bank side if you have not implemented the new EMV-capable equipment.

At first glance, it is easy to assume that this plan is focused on enhancing credit card security, and it does do that. However, the push to Chip and PIN also is about something much bigger - enabling mobile phones as contactless payment devices. The new dual-interface readers referenced above are not "dual" in the sense of today's magnetic swipe combined with the newer chip cards, as one might expect. Instead, the new dual-interface readers combine "EMV" technology with "NFC" (Near Field Communications) technology for mobile phone payments. This means this new generation of POS readers will support both contact and contactless payments.

For all this to happen, there are a lot of dominoes that need to fall into place. First, merchants (like you) and service providers (like TouchNet) have to build the foundation with new POS devices and enhanced cashiering systems. At the same time, third-party payment processors must be ready to handle the new transactions, card issuing banks will need to reissue hundreds of millions of new chip cards, and mobile phone companies must embrace NFC technology as a built-in standard. That's a lot to get done, but expect Chip and PIN to become a reality, nonetheless. Now is the time to start thinking about your next generation POS systems.

Thanks for reading,


Daniel Toughey

Chip and PIN

June 28, 2012

If you've travelled to Europe recently or had students studying abroad, you've no doubt heard about "Chip and PIN" payment technology. Chip and PIN technology, widely used in Europe and Canada, is also known as EMV technology (for Europay, MasterCard, and Visa, developers of the technology’s standards). A cardholder must enter a four-digit PIN on an EMV-enabled keypad in order to use the card at the point of sale. The chip authenticates the PIN, accepting or rejecting the transaction. Unlike early "smartcards," today's cards use their chips only for fraud prevention.

Chip and PIN technology isn't available in the United States yet. Merchants haven't wanted to invest in new payment systems until card companies and banks provided the new chip cards. At the same time, bank card issuers haven't wanted to roll out chip cards until merchants were in a position to accept them. Visa and MasterCard have decided that now is the time to promote Chip and PIN technology in the U.S. It's a decision motivated by a desire both to reduce fraud and to establish a global standard. EMV-enabled cards are the most secure cards available, and this will help reduce the growing problem of counterfeit cards and fraudulent transactions.

You should see the first wave of changes towards Chip and PIN technology this year. I'll talk more about Visa's rollout plans in another email. The move to chip cards will help everyone in the payment chain, especially the card brands and other card issuers that today carry most of the financial burden of card fraud. The problem is that, once again, merchants will be asked to "retool" for the good of all. Sounds a little like PCI, doesn't it? Anyway, look for "Chip and PIN" to come soon to a swipe near you.

Thanks for reading,


Daniel Toughey

Up in the Air

June 4, 2012

Wow! What a week it has been for Higher Education payments. I traveled to Washington, D.C. on Wednesday to present comments to the Department of Education concerning Title IV financial aid disbursements, aka "student refunds." When I landed, my phone was full of messages concerning a study released by US PIRG called "The Campus Debit Card Trap." Over 350 news outlets across the U.S. picked up the story, reporting that banks and financial firms are taking advantage of unsuspecting students with high-fee bank products used in the financial aid disbursement process. This is unfortunate since neither banks nor colleges and universities are doing well in the press lately, and now they are being packaged together for questionable business practices.

We've been following the topic of student refunds very closely for years and have acquired a lot of knowledge along the way. As I've said before, there is nothing wrong with offering a low-fee debit card option within a comprehensive Title IV disbursement program (see our concept for student-friendly refunds, "4 for Title IV EDisbursement Framework"). The key to an effective student refund program is to make direct deposit the primary method of disbursement. Let's face it, most students already have a bank account and they do not want another. For those students who do not have an existing bank account, a debit card can be a good choice. One big problem has been the hard sell of new bank accounts at the expense of other options. When direct deposit to an existing bank account is the "jump through the hoops" choice, students are in effect being pushed to the bank account option. There is no reason why direct deposit should be the cumbersome choice. This manipulation of the process has caused as much or more student dissatisfaction as the high fees themselves.

This story has legs and won't go away soon. The odds are high that the Department of Education will make recommendations for changes in order to protect students. But that will take time. For now, make sure you are in a position to answer the tough questions - from the press, students, parents, and campus executives - about your disbursement process. In the complex world of electronic payments, I'm "up in the air" on some things, but how students get their Title IV refunds is not one.

Thanks for reading,


Daniel Toughey

Click here to read my public comments to the Department of Education.

Speak Up on Student Refunds

May 21, 2012

My last email ended with a postscript about the U.S. Department of Education's intent to form a Negotiated Rulemaking Committee. They are holding public hearings this month on how to reduce fraud and how to regulate the use of debit cards and bank products in the financial aid disbursement process. It seems the Department is following the money "downstream" from student loans to student refunds in reaction to growing unrest with fees and other business practices of concern. Here's how they put it:

The process of convening a committee begins with public comments. It is important they hear from people in the trenches about what should be best practices for electronic refunds. If you could wave a magic wand, how would the financial aid disbursement process work? In particular, how should debit cards and banking products be included in the mix with ACH/Direct Deposit options? You can submit your written comments to the Department of Education until May 31st; just click here and complete the form. You can also present your comments verbally at one of two public hearings scheduled for May 23rd in Phoenix, AZ, and May 31st in Washington, DC.

I will be presenting my thoughts in Washington on the 31st. I'll be talking about our "4 for Title IV Framework" for student-friendly Title IV refunds. Learn more about the framework and other important information in the new TouchNet Knowledge Center. Things are moving fast; May 31st is just next week! Now is the time to speak up on student refunds. This could impact the way we do business for years to come.

Thanks for reading,


Daniel Toughey

PS: The TouchNet Knowledge Center also has a recording of our 20-minute Webinar, "Speak up on Refunds," which was broadcast on May 16th.

Dear College, Are You Ready for the Spotlight

May 10, 2012

Higher Education is in the spotlight and it's not to highlight the good work that so many of you do day in and day out. You can't watch the news or read the paper without seeing a negative story about tuition increases or the explosive growth of student debt. Politicians are tuned in, and the media are on the hunt for controversy.

While student loans are getting a lot of the attention, the Department of Education (DOE) is also shining the spotlight further downstream on the bank accounts that students are being asked to open in order to manage funds disbursements. That's why I read with interest the DOE's April 26th "Dear Colleague Letter" published under the subject Disbursing or Delivering Title IV Funds Through a Contractor. Here are a few of the topics addressed:

  • Can you use third-party servicers to disburse funds?

    Yes, you can. But your third-party servicers must comply with the same Title IV, HEA, and FERPA restrictions and requirements that you do. Simply put, you can never outsource your responsibility for compliance with student privacy rules and regulations - just like you can't outsource your responsibility for PCI compliance.

  • Can you give student PII to third-party servicers?

    Yes, again. But only when those third-party servicers are acting as a "school official." Schools can pass on student information if the third-party servicers are going to use it the same way the institution would. However, a school cannot give PII (Personally Identifiable Information) to a third-party servicer to set up bank accounts, offer students additional financial products, or pre-load yet-to-be activated debit cards without the students' written permission. Plus, all pertinent fees and potential charges must be disclosed beforehand.

  • How can a school control the cost of delivering Title IV credit balances to students?

    The letter advises institutions to encourage incoming students to open a bank account at a financial institution of their own choosing or require them to provide an existing bank account where the institution can make credit balance payments cheaply and expeditiously via electronic funds transfers (ACH).

I encourage you to read the full DOE Dear Colleague Letter. Now is a good time to review your campus Title IV processes. Try to understand how outsiders, such as politicians or reporters looking for a good story, might perceive them. Then, remember the advice attributed to Mark Twain: "Never pick a fight with someone who buys his ink by the barrel."

Thanks for reading,


Daniel Toughey

P.S. Also, the Department of Education has just announced its intent to establish a negotiated rulemaking committee (read the DOE announcement) that will address fraud and funds disbursement (through both EFT and debit cards) in Federal Student Aid Programs. You might want to stay in touch with this as well.

The Case for mCommerce

April 23, 2012

I recently got a new case for my iPhone. It has a compartment in the back large enough to carry a driver's license and credit card. Since I have images of insurance cards and other key information on the phone itself, the phone is now "Dan's digital wallet." That sounds pretty cool, doesn't it? After all, there is a lot of talk about digital wallets (e-wallets) going around today.

What's an e-wallet? Basically, it is a system that securely stores a consumer's payment card data and other information, like consumer IDs, to facilitate shopping and electronic payments. The fact is, your campus commerce software may already be using an early form of e-wallet called a stored payment profile. The profile makes it easy for your constituents to pay you without digging out credit cards or bank account numbers. Other industry offerings may soon expand the concept of e-wallets to a more universally accepted method.

In the meantime, it's important not to confuse e-wallets with mobile payments. They are not the same. The swirl of excitement around pending e-wallet technology tends to hide the fact that mobile commerce is here, now. In the U.S., mobile shopping rose by 200% to over $1 billion from 2009 to 2010 according to a study by ABI Research. eBay reports that one item is now purchased every two seconds using the eBay mobile app. Even mobile banking is on the rise; according to TowerGroup, 29% of adult U.S. smartphone users now do banking transactions with their phones. How long will it be before mobile phones and tablets are the preferred devices for students and other constituents to register for classes, pay bills, or make donations?

No doubt about it, people are moving away from mobile web for "fun" to mobile web for "function." This is true at colleges and universities, too. So, don't delay your move to m-commerce waiting for a universal e-wallet.

Thanks for reading,


Daniel Toughey

P.S. I'm looking forward to a true "digital wallet" so my phone will once again be thin enough to fit in my pocket!

Another Major Cardholder Data Breach

April 3, 2012

By now, most of us have heard the news about the recent cardholder data breach in a major payment processor's network. Reportedly, up to one-and-a-half million card numbers were compromised by "unauthorized access." Visa, subsequently, has removed the processor from its registry of compliant service providers. Here are a few key items to consider when news like this surfaces:

  1. A data breach to a payment processor can have widespread effects. Processors are a major link in the payment processing chain. The good news is that, as reported, no merchant systems were compromised. In this case, you, as a merchant, have no responsibilities for notifying your customers of any potential data loss. However, if at any time you are advised that you are part of a breach, remember there are 48 states that have data security laws requiring notification to customers within specific timelines.

  2. The decision by Visa to remove (at least temporarily) this processor from its list of compliant service providers may have an impact on your campus. This is not the first time a major processor has been "delisted"; in the earlier case, it took several months to be re-listed. If you have any questions about this, I suggest you talk to your Acquiring Bank about your specific circumstances. Acquiring Banks are responsible for merchant compliance. As always, it is important to review the lists of approved service providers (i.e., Visa and Mastercard) on a regular basis.

  3. One-and-a-half million cards may seem like a large number, but similar breaches in the past have affected many more cardholders. While the remediation process plays out, some of those affected cards might be used for payments to your campus. This may cause you to experience a higher than usual number of failed transactions.

This breach reminds us all to be prepared. PCI compliance and prevention of a data breach are important to your campus. But breaches can happen to anyone. It is critical to have a plan in place for what happens when the breach alarm goes off - the steps you would go through to manage the crisis and speed an eventual recovery.

Thanks for reading this Special Edition,


Daniel Toughey

The Business Next Door

March 22, 2012

For several years now, you've managed your bottom line by cutting costs and streamlining processes. Now, many of you say you've cut as deep as you can and it is time to focus on the top line. But there are several dynamics in motion that will work against increasing revenue: declining support from state governments; an improving economy; and a declining pool of traditional students. So where will revenue growth come from in the next 5-10 years? The answer may be closer than you think - it could be the "business next door."

A NACUBO poll has shown that third-party (Sponsor) billing is a growing source of revenue for many campuses. Businesses of all sizes contract with college and university campuses to pay students' tuition. However, tuition is only the tip of the iceberg. These Sponsors represent a gold mine of future revenue opportunities! Your goal should be to transform them from sponsors into full-fledged campus Supporters.

Here are some issues to address to help make the transition a reality:

  • Think Like a Business

    You're an institution of higher education, so it might be hard to consider your campus a business. But it is. Growing sponsor account revenue means nurturing solid business-to-business (B2B) relationships.

  • Capitalize on Billing

    The most common "touch point" for Sponsors is the bill. But your current billing process is probably painful for you and your staff, as well as your Sponsors. Make it easier for organizations to do business with you and you'll reap the benefits, too.

  • Leverage the Relationship

    Consider your Sponsors as an excellent source of sustainable revenue. Grow their business by offering them additional services—conference and meeting hosting; research partnerships; employee training; and more.

Thinking like a business can help you attract more revenue opportunities. Putting B2B systems and technology in place now will make your revenue push more manageable in the future. The "business next door" can be a major supporter of your campus tomorrow, but you must nurture the relationship today.

Thanks for reading,


Daniel Toughey

Zappos Gets Zapped

February 23, 2012

Zappos, a popular online shoe retailer known for its customer service slogan, "delivering happiness," was attacked by hackers last month, and over 24 million customer records were exposed. This was not a happy time for the company or its many customers. However, it seems no critical cardholder data was compromised.

Are PCI compliance efforts starting to pay off? For Zappos, the answer is yes. Assuming things don't change, their financial exposure should be significantly less than the industry average of $204 per record. At that rate, the cost to Zappos could have been staggering. Zappos did many things right. But let's face it, they have a single-channel, single-merchant system to secure. Even though they sell a massive number of shoes, their CDE "footprint" (Cardholder Data Environment) is small.

How about your campus? It probably has multiple payment channels in multiple merchant systems from multiple campus vendors, all of which you must monitor and safeguard. The fact is, most campuses have a larger CDE footprint than companies like Zappos, and that makes it more challenging to answer the question, "Is your campus PCI compliant?" Here's a good litmus test you can use to help answer that question. Go to your campus PCI "czar" and ask for a list of all of the pay points on campus. If you don't know whom to ask, or cannot get an accurate list within 24 hours, then chances are your campus still has compliance issues to resolve.

None of us are immune from the possibility of a data security breach. At the same time, none of us want to become the poster child for "what not to do." As we start 2012, Zappos is showing us that "delivering happiness" can also mean being PCI compliant.

Thanks for reading,


Daniel Toughey

"That's right.... It's Groundhog Day!"

February 2, 2012

This is a quote from one of my favorite movies, Groundhog Day starring Bill Murray. It's a classic that never fails to deliver a few chuckles. The story is about a man who must re-live Groundhog Day, over and over, until he learns to get things right. In some ways, the movie is similar to your credit card processing costs; they, too, have a certain "déjà vu - all over again" quality about them.

Over the past couple of years, you may have seen a leveling-off or even a slight decrease of your credit card merchant fees. Why? Consumers were "deleveraging" and using less credit during the Great Recession. Now, consumers are starting to feel better about the economy and are embracing credit cards again. The irony is that this plays into the hands of banks that are encouraging consumers to use more credit and less debit in order to offset the negative impact of the Durbin Amendment.

For the first time in nearly a decade, credit card usage is growing faster than debit card usage. Any savings expected from new debit interchange rates will likely be consumed by the growth in use of credit cards and a corresponding decline in the use of debit cards. This trend is NOT your friend.

Payment processing costs are going up. There are some things you can do to help: add convenience fees to your credit card transactions, consider limiting your exposure with minimum and maximum amounts for credit card payments, implement a debit-only strategy, or offer students a discount for cash (and cash-like) payments. Take action today, and like Bill Murray's character in Groundhog Day, avoid waking up tomorrow to the "same old song."

Thanks for reading,


Daniel Toughey

Lines, Calls and Spreads: Your 2012 Playbook

January 12, 2012

If you are a football fan, you've heard a lot about lines, calls, and spreads by this time of year. However, even if you are not a football fan, lines, calls, and spreads can represent a practical, no-nonsense way to focus on campus commerce fundamentals. Let's take a quick look at each:

  • Lines

    Wherever there are students standing in line, the question to ask is "Why? Do we really need to see this person and do they really need to see us?" There are valid reasons why a student might need to do business in person. However, these would be the exception, and lines generally point to opportunities for technology to streamline business operations.

  • Calls

    Like lines, telephone calls to the Business Office typically mean your constituents are either confused or lacking timely information. Once again, the question is "Why are students/parents calling?" Most campus administrators I talk with view such calls as costly and inefficient. Analyzing the type and quantity of incoming telephone calls will show you which calls should be automated versus which need personal service.

  • Spreads

    "Spreads" is shorthand for spreadsheets. Wherever you find spreadsheets, you will find potential problems, including data integrity, security issues, and dependence on the knowledge of a few people. Large spreadsheets are often a target of both internal and external auditors looking for undisclosed campus risk. Find a spreadsheet and you likely have found a business process that needs to be reengineered.

As you plan your 2012 projects, remember lines, calls, and spreads. They are your keys to exposing business practices that are not best practices. They also can help identify potential compliance issues and areas of campus risk. To paraphrase Lou Holtz, concentrating on the fundamentals will help you focus on What's Important Now (WIN).

Thanks for reading,


Daniel Toughey
