PCI compliance in higher education: determining the security of sensitive payment card information
Feb. 2, 2023 · Authored by Devon Bartlett
In the early 2000s, with the development of e-commerce and online marketplaces, the world saw an increase in the adoption of digital payments. The same opportunity that allowed merchants to expand their businesses beyond brick-and-mortar stores also gave cyber criminals new ways to infiltrate card processing systems for illegal gain. Credit card industry leaders took it upon themselves to develop a common set of security standards to protect cardholder data, and thus the Payment Card Industry Data Security Standard[1] (PCI DSS) was born. PCI DSS is designed to safeguard the handling of sensitive payment card information during transactions and to provide compliance guidance for any organization that accepts, processes, stores or transmits credit card information.
Why is PCI compliance necessary?
Credit card fraud is a growing concern in today’s digital world. Hackers are constantly finding new ways to steal sensitive payment information, putting both consumers and businesses (including higher education institutions) at risk. PCI compliance helps prevent this by requiring that institutions follow strict security protocols when handling payment card information.
Failure to comply with PCI standards can result in financial penalties and damage to a college or university’s reputation. In the event of a data breach, non-compliant institutions may lose the ability to accept payment cards and face legal action from affected customers.
What does PCI compliance involve?
PCI DSS compliance is a continuous process and involves meeting the security standards set by the PCI Security Standards Council. The standards cover a wide range of security measures, including:
- Building and maintaining a secure network: colleges and universities must install and maintain firewalls, keep software up to date and restrict access to sensitive information.
- Protecting cardholder data: colleges and universities must ensure that sensitive payment information is encrypted and stored securely. Processes must also be in place to detect and respond to security incidents.
- Maintaining vulnerability management programs: colleges and universities must regularly test the security of systems and applications and keep them up to date.
Case study: PCI compliance in action

Client need
A higher education institution needed help evaluating its current framework for managing PCI compliance to confirm it met all PCI data security standards.
Baker Tilly solution
Our team helped the institution by reviewing documentation (e.g., organizational charts, policies, procedures, workflows, job descriptions, etc.) to understand the institution’s framework for PCI compliance and assess consistency with PCI data security standards. In addition, our team assessed PCI scope to identify all processes, persons, technology and systems that touch sensitive payment data.
Results achieved
Our team identified that the institution did not have a formal PCI compliance program in place, with protocols and practices for governance and oversight of compliance with the PCI DSS requirements. There were also no formalized processes in place for managing third-party vendors supporting PCI transactions. Our team provided guidance on creating a more robust governance structure and drafting a PCI compliance policy to formalize the institution's PCI compliance program and meet PCI DSS requirements.
For more information on this topic, or to learn more about how Baker Tilly’s higher education internal audit specialists can help your institution, contact our team.