Campus Data Security is a Tough Job
Today’s campus is a complex payments ecosystem to secure. Colleges and universities are like small cities that contain a wide variety of merchants, many using highly specialized systems. It’s no surprise that higher education, with its large number of users, is a growing target for hackers and cyber criminals.
They are targeting e-commerce anywhere it’s happening and, because higher ed institutions are conducting more e-commerce transactions than ever before, the industry is becoming a bigger and more valuable target. Today’s hackers not only want payment data but the personal data connected to it—if they can access other sensitive information about your students, parents, instructors, staff, alumni, and donors, they will take, use, and ransom that, too.
Higher education’s challenge is to acknowledge being a high-profile target while managing multiple merchants in a large, diverse payments ecosystem comprising multiple payment points, methods, and channels. Typical retailers—both large and small—operate in a much more uniform environment and therefore can deploy a more streamlined approach to payment security and compliance. Data security on campus is a more difficult challenge.
A data breach in any of these components of your campus payment ecosystem is reflected as a breach by the entire institution. The sum of the many payment points, methods, and channels is a complex and shifting landscape that must be regularly and completely secured and compliant with PCI standards.
What is PCI?
The Payment Card Industry (PCI), or more accurately, the Payment Card Industry Security Standards Council (PCI SSC), has been active for more than a decade. PCI standards define the rules by which anyone that accepts credit or debit card payments (a merchant) must protect cardholder data. The council’s mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders in the credit/debit card payment processing industry.
Any merchant that processes, stores, or transmits credit/debit card data is required to be PCI compliant. Compliance is not optional and failure to achieve compliance can be very costly.
PCI compliance is complex. Standards shift and can be difficult to understand, not to mention that the effort required to attest your compliance is also escalating.
The Trend Toward
Adding to the complexities of campus commerce are the growing expectations for omnichannel experiences. As a major contributor to student satisfaction, many campuses are working to develop a consistent experience across all payment channels, whether online, in person, or mobile. However, omnichannel should extend beyond simply a consistent user experience.
True omnichannel payments also require a streamlined back-end process so that all payment options are processed and protected in the same fashion and with the same vigor. Campuses can waste significant time and money trying to stitch together disparate solutions to handle different payment sources.
The concerns over security and the costs of data security breaches, especially ransomware, continue to increase across all industries, but specifically higher education. According to The State of Ransomware in Education 2023 by Sophos, 79% of higher education providers reported being hit by ransomware in the previous year, up from 64% in the 2022 report. The average total cost of a data breach reached $4.45 million in 2023, an increase of 15.3% since 2020, in addition to the damage to an institution’s reputation.
Payments depend on software that will securely and accurately process and transmit payment data. As technology progresses, new payment platforms are created and bad actors increase hacking and shift their tactics. Thus, the evolution of payment security and compliance standards is paramount to protecting transactions, and payment security standards change as the payment industry changes.
Achieving PCI Compliance Success
Achieving and maintaining PCI compliance is a significant undertaking, especially given the size and complexity of today’s campuses and the multiple payment points, methods, and channels involved. Implementing these high-level, wide-ranging essentials can help you succeed with your PCI compliance effort.
Key Essentials for PCI Compliance
Executive Buy-in: Develop a culture of awareness, ensure you have top down buy-in and understanding of the importance of PCI compliance.
Review Regularly: Understand the impact that changes to the PCI standards, technology, processes, and new vendors have on your compliance program.
Accountability: Designate responsibility for PCI compliance to an individual or committee who understands cardholder data flow and has knowledge of the institution, technology, and applicable PCI standards.
Communicate: Keep lines of communication open with vendors, employees, management, and external parties such as acquirers. Ensure all are informed and updated regarding expectations and activities in adherence with policies and standards.
Define Expectations: Compliance must be a daily commitment focused on continuous improvement. Strive to exceed the minimum expectations to secure payment card data.
Risk Management: Understand where risks reside and meet or exceed required controls. Start by addressing high-risk items and ensure that all vendors are adhering to the required PCI controls.
Centralize: Follow unified and consistent processes for risk management, technologies, people, and third-party relationships.
Resources: Your acquirer or third party can assist with many areas of compliance.
Standardize: Standardize technologies and processes. Develop a method to continuously update information and control assets.
Practical Steps to a Strong PCI Foundation
The day-to-day management of PCI compliance is made easier by creating a durable foundation that supports the people, processes, policies, and technology involved in payment processing.
Preparing for the Foundation
Before making card payment data secure and compliant with PCI standards, you must identify everywhere on campus cardholder data might be processed, stored, or transmitted. Defining all areas on campus involved in processing payments—as well as their payment methods, channels, and locations—is called your Cardholder Data Environment (CDE).
Knowing your CDE will help to build out your institution’s payments footprint and identify where PCI data security standards may apply. It includes not only the business office but the alumni association, student clubs, academic departments, campus food and retail shops, one-time events, and more.
Building the Foundation
Successful PCI programs start with well-made fundamentals. The following steps help build a strong foundation of a compliance and security program; a foundation that inspires credibility, ensures efficient and operationally sound processes, and enables understanding of why changes impact compliance and to what degree.
Implement Fully Certified Technology
TouchNet’s payment platform is PCI Validated Payment Software as well as compliant with PCI DSS, PTS including EMV certification.
Choose the Right Processing Partner
As your acquirer, TouchNet Merchant Services works with card brands to ensure PCI compliance.
Organize Your Merchant Structure
TouchNet assists in reducing your PCI footprint, while lowering your MID count and paperwork.
TouchNet and PCI
TouchNet is the higher education industry leader in the security and compliance of payments in accordance with PCI standards and federal, state, and industry regulations. We are on the forefront of developing software that safely processes transactions while streamlining and integrating the systems that manage payments on campus.
TouchNet products are PCI compliant and built to stay compliant as PCI standards evolve. Our solutions offer a sensible approach to securing transactions, protecting sensitive data, and simplifying the complexities of compliance. They reduce PCI scope, compliance overhead, and regulatory paperwork; and create the peace of mind that comes from having a secure, end-to-end compliance solution in place.