Case studies

Lakehead University improves PCI compliance with PCI Services

Lakehead University’s road to achieving and maintaining PCI compliance was a complicated but worthwhile journey.

The first experience the Canadian campus had with PCI Compliance was a request from a merchant for them to attest to their PCI certification. University officials didn’t know where to start or where to look for help. After months of researching and investigating, they had more questions than answers. Eventually, they decided to test the market with an RFP to identify a Qualified Security Assessor (QSA), a professional who validates whether institutions adhere to a set of requirements known as PCI-DSS. With their help, institutions can process, store, and transmit credit card information securely to reduce the campus’ exposure and risk of costly breaches, heavy fines, and potential brand and reputational damage. Eventually, campus officials chose a QSA.

Under the supervision of their QSA, the university identified and remedied numerous issues that could have resulted in expensive breaches and fines. “The standard in the industry went from one where every merchant took an imprint of credit cards in order to process charges against the customer accounts and moved to one where the storing of that information was subject to penalties from the Credit Card industry,” says Patrick Larin, manager of financial projects at Lakehead.

Fast-forward to 2019, and Lakehead’s QSA had just announced his retirement. The public research university would have most likely launched another RFP to find his replacement, except campus administrators had such a positive experience when implementing TouchNet’s transaction solution, they decided to explore the company’s PCI Services solution, a combination of software and access to PCI subject matter experts.

“In 2019, we implemented PCI Services, and it was one of the best solution implementations that I've been a part of in my 21 years at Lakehead University. If one of our employees comes to us with questions that we can’t answer, we have a place where we can go to get what we need. It’s similar to having a guard dog at home that can alert you to danger. If you have PCI management, you can come up with an answer when you need it.”

— Patrick Larin
Manager of Financial Projects at Lakehead University

The importance of integration

Another major factor that helped Lakehead University choose TouchNet was that all of the company’s solutions truly integrate with multiple ERPs, including Ellucian Colleague. As a Colleague institution, this was important functionality to Lakehead University staff.

“Many vendors will say they integrate with your ERP no matter the flavor, only to find out that what they mean is you’ll have to key in all of the transactions manually,” says Larin. “With Colleague and TouchNet, you can believe the hype that they are truly integrated.”

Reducing manpower and months of internal work

PCI Services provides access to experts who are knowledgeable of PCI compliance standards and how these complicated standards should be implemented. One of the more arduous tasks of staying PCI compliant includes answering annual Self-Assessment Questionnaires (SAQs). All institutions that accept card payments must complete the appropriate SAQ which can include as many as 400 questions to assess security and protection for cardholder data. As part of the PCI Services program, TouchNet works with a third-party QSA to answer as many of these questions on behalf of colleges and universities to reduce the scope of their PCI footprint across campus.

“When doing this the manual way, you’re basically faced with a giant, all-encompassing form, which takes up quite a bit of horsepower to get done and has taken us a few months to complete,” says Larin. “With PCI Services, that experience is eliminated. And for the questions I do have to answer, the program guides me through a menu-driven process that auto-fills areas on the form where applicable, depending on how certain questions are answered. We were able to do this for each of our 40 merchants instead of having to sit down with each of them and do this over and over again.”

When Larin worked with a QSA prior to TouchNet, he was able to fill out the form once because he had enough knowledge to share the information needed with his 40 merchants. “But if I was ever to leave or change positions, it would have been very difficult to replicate what I did,” he says. “With PCI Services, it’s intuitive enough where it can be handed off to multiple individuals if you have a distributed AR model.”

Keeping track of important compliance deadline

The university greatly benefits from PCI Services' self-service portal that stores and tracks all compliance information in one place, including downloadable reports and SAQs.

“PCI Services was a better solution than our previous iteration because it basically tracks everything we need in one place and sends out reminders of what activities are required for each merchant to ensure they’re in compliance,” says Larin. “Case in point, I was reminded this morning from some automated emails that we have two SAQs for two merchants that will need to be reviewed later this month. It provides a lot of tools to keep track of all of your assets, and you do not have to know everything.”

Expanding and standardizing PCI training

Implementing any type of PCI compliance initiative requires a comprehensive campuswide training program as PCI touches every department and office that takes payments. Lakehead had already implemented a training program when the university first began working with QSAs before adopting PCI Services, but quickly realized they could use and benefit from PCI Services' database of downloadable and customizable policies and documents, including security awareness training blueprints.

“When compared to our own developed training, the tools in PCI Services identified holes in places we hadn’t even thought of, including potential issues that needed to be addressed and topics that we had to go over,” says Larin. “PCI Services allowed us to expand and standardize our training to ensure everyone was learning the same processes and procedures.”