
PCI compliance in higher education: determining the security of sensitive payment card information
Feb. 2, 2023 · Authored by Devon Bartlett
In the early 2000s, with the growth of e-commerce and online marketplaces, the world saw a rapid increase in the adoption of digital payments. The same opportunity that allowed merchants to expand beyond brick-and-mortar stores also gave cyber criminals new ways to infiltrate card processing systems for illegal gain. Credit card industry leaders responded by developing a common set of security standards to protect cardholder data, and the Payment Card Industry Data Security Standard[1] (PCI DSS) was born. PCI DSS is designed to safeguard the handling of sensitive payment card information during transactions and provides compliance requirements for any organization that accepts, processes, stores or transmits cardholder data.
Credit card fraud is a growing concern in today's digital world. Attackers are constantly finding new ways to steal payment information, putting both consumers and businesses, including higher education institutions, at risk. PCI compliance helps prevent this by requiring that institutions follow defined security controls whenever they handle payment card information.
Failure to comply with PCI standards can result in financial penalties and damage to a college or university’s reputation. In the event of a data breach, non-compliant institutions may lose the ability to accept payment cards and face legal action from affected customers.
PCI DSS compliance is a continuous process, not a one-time project, and involves meeting the security standards set by the PCI Security Standards Council. The standards cover a wide range of security measures, including building and maintaining secure networks and systems, protecting account data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
Institutions are required to undergo regular assessments to confirm they are meeting PCI standards; depending on transaction volume, this may be a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor.
We can help colleges and universities take a proactive approach by evaluating the current state of policies, processes and internal controls related to PCI compliance and identifying opportunities for improvement.

A higher education institution needed help evaluating its current framework for managing PCI compliance to confirm it met all PCI data security standards.
Our team helped the institution by reviewing documentation (organizational charts, policies, procedures, workflows, job descriptions and similar materials) to understand the institution's framework for PCI compliance and assess its consistency with PCI DSS. In addition, our team assessed PCI scope to identify all processes, people, technology and systems that touch sensitive payment data.
Our team identified that the institution did not have a formal PCI compliance program in place, with defined protocols and practices for governance and oversight of compliance with the PCI DSS requirements. There were also no formalized processes for managing third-party vendors supporting PCI transactions. Our team provided guidance on creating a more robust governance structure and drafting a PCI compliance policy to formalize the institution's PCI compliance program and meet PCI DSS requirements.
For more information on this topic, or to learn more about how Baker Tilly’s higher education internal audit specialists can help your institution, contact our team.