Lakehead University’s road to achieving and maintaining PCI compliance was a complicated but worthwhile journey. The Canadian campus first heard of PCI when it received an unexpected request to attest to its PCI compliance status. University officials were not familiar with PCI and didn’t know where to start or where to look for help. After months of research, they had more questions than answers. They decided to test the market with an RFP to identify a Qualified Security Assessor (QSA), an assessor certified by the PCI Security Standards Council to validate whether an organization meets the requirements of the Payment Card Industry Data Security Standard (PCI DSS). With a QSA’s help, institutions can process, store, and transmit cardholder data securely, reducing the campus’s exposure to costly breaches, heavy fines, and brand and reputational damage. Eventually, campus officials chose a QSA.
Under the supervision of their QSA, the university identified and remedied numerous issues that could have resulted in expensive breaches and fines. “I found handwritten records on both campuses from as far back as the ’80s of credit card information and expiration dates,” says Patrick Larin, manager of financial projects at Lakehead. “Personal student information was also being stored in unlocked filing cabinets in an unlocked building.”
Fast-forward to 2019, and Lakehead’s QSA had just announced his retirement. The public research university would most likely have launched another RFP to find a replacement, except that campus administrators had had such a positive experience implementing TouchNet’s transaction solution that they decided instead to explore the company’s PCI-EZ solution, a combination of software and access to PCI subject matter experts.
“In 2019, we implemented PCI EZ, and it was one of the best solution implementations that I've been a part of in my 21 years at Lakehead University. If one of our employees comes to us with questions that we can’t answer, we have a place where we can go to get what we need. It’s similar to having a guard dog at home that can alert you to danger. If you have PCI management, you can come up with an answer when you need it.”
— Patrick Larin, Manager of Financial Projects at Lakehead University
The importance of integration
Another major factor in Larin’s choice of TouchNet was that the company’s solutions genuinely integrate with multiple ERPs, including Ellucian Colleague. Because Lakehead is a Colleague institution, that integration was important to university staff.
“Many vendors will say they integrate with your ERP no matter the flavor, only to find out that what they mean is you’ll have to key in all of the transactions manually,” says Larin. “With Colleague and TouchNet, you can believe the hype that they are truly integrated.”
Reducing manpower and months of internal work
PCI-EZ provides access to experts who are knowledgeable about PCI compliance standards and how those complicated standards should be implemented. One of the more arduous tasks in staying PCI compliant is answering the annual Self-Assessment Questionnaire (SAQ). Every institution that accepts card payments must complete the SAQ appropriate to how it handles cardholder data; the longest version can run to as many as 400 questions on the security and protection of that data. As part of the PCI-EZ program, TouchNet works with a third-party QSA to answer as many of those questions as possible on behalf of colleges and universities, reducing the PCI footprint the campus itself must assess. The institution remains responsible for the controls that stay in its own scope, such as the payment terminals and handling procedures in individual departments.
“When doing this the manual way, you’re basically faced with a giant, all-encompassing form, which takes up quite a bit of horsepower to get done and has taken us a few months to complete,” says Larin. “With PCI-EZ, that experience is eliminated. And for the questions I do have to answer, the program guides me through a menu-driven process that auto-fills areas on the form where applicable, depending on how certain questions are answered. We were able to do this for each of our 40 merchants instead of having to sit down with each of them and do this over and over again.”
When Larin worked with a QSA before TouchNet, he could fill out the form once on behalf of all 40 merchants because he had the knowledge to gather the needed information from them. “But if I was ever to leave or change positions, it would have been very difficult to replicate what I did,” he says. “With PCI-EZ, it’s intuitive enough where it can be handed off to multiple individuals if you have a distributed AR model.”
Keeping track of important compliance deadlines
The university greatly benefits from PCI-EZ’s self-service portal that stores and tracks all compliance information in one place, including downloadable reports and SAQs.
“PCI-EZ was a better solution than our previous iteration because it basically tracks everything we need in one place and sends out reminders of what activities are required for each merchant to ensure they’re in compliance,” says Larin. “Case in point, I was reminded this morning by some automated emails that we have two SAQs for two merchants that will need to be reviewed later this month. It provides a lot of tools to keep track of all of your assets, and you do not have to know everything.”
Expanding and standardizing PCI training
Implementing any PCI compliance initiative requires a comprehensive campuswide training program, because PCI touches every department and office that takes payments. Lakehead had already built a training program when it first began working with QSAs, before adopting PCI-EZ, but quickly realized it could benefit from PCI-EZ’s database of downloadable and customizable policies and documents, including security awareness training blueprints.
“When compared to our own developed training, the tools in PCI-EZ identified holes in places we hadn’t even thought of, including potential issues that needed to be addressed and topics that we had to go over,” says Larin. “PCI-EZ allowed us to expand and standardize our training to ensure everyone was learning the same processes and procedures.”