Article
PCI compliance in higher education: determining the security of sensitive payment card information
Feb 02, 2023 · Authored by Devon Bartlett
In the early 2000s, with the development of e-commerce and online marketplaces, the world saw an increase in the adoption of digital payments. This opportunity that allowed merchants to expand their businesses outside of brick-and-mortar stores also provided cyber criminals with new opportunities to infiltrate card processing systems for illegal gains. Credit card industry leaders took it upon themselves to develop a common set of security standards to protect cardholder data and thus the Payment Card Industry Data Security Standard[1] (PCI DSS) was born. PCI DSS is designed to safeguard the handling of sensitive payment card information during transactions and provide compliance guidance for any organization that accepts, processes, stores or transmits credit card information.
Why is PCI compliance necessary?
Credit card fraud is a growing concern in today’s digital world. Hackers are constantly finding new ways to steal sensitive payment information, putting both consumers and businesses (including higher education institutions) at risk. PCI compliance helps prevent this by requiring that institutions follow strict security protocols when handling payment card information.
Failure to comply with PCI standards can result in financial penalties and damage to a college or university’s reputation. In the event of a data breach, non-compliant institutions may lose the ability to accept payment cards and face legal action from affected customers.
What does PCI compliance involve?
PCI DSS compliance is a continuous process and involves meeting the security standards set by the PCI Security Standards Council. Standards cover a wide range of security measures, including:
- Building and maintaining a secure network: colleges and universities must install and maintain firewalls, keep software up-to-date and restrict access to sensitive information.
- Protecting cardholder data: colleges and universities must certify that sensitive payment information is encrypted and stored securely. Processes must also be in place to detect and respond to security incidents.
- Maintaining vulnerability management programs: colleges and universities must regularly test the security of systems and applications and keep them up to date.
- Implementing access controls: colleges and universities must control who has access to sensitive information and monitor access logs to detect and prevent unauthorized access.
- Regular monitoring and testing: colleges and universities must monitor networks for unusual or suspicious activity and conduct regular penetration testing to identify vulnerabilities.
- Maintaining an information security policy: colleges and universities must have a comprehensive security policy in place that outlines the steps necessary to protect sensitive information.
Institutions are required to undergo regular assessments to confirm they are meeting PCI standards.
Baker Tilly can help
We can help colleges and universities take a proactive approach by evaluating the current state of policies, processes and internal controls related to PCI compliance and identifying opportunities for improvement.
Case study: PCI compliance in action
Client need
A higher education institution needed help evaluating its current framework for managing PCI compliance to confirm it met all PCI data security standards.
Baker Tilly solution
Our team helped the institution by reviewing documentation (e.g., organizational charts, policies, procedures, workflows, job descriptions, etc.) to understand the institution’s framework for PCI compliance and assess consistency with PCI data security standards. In addition, our team assessed PCI scope to identify all processes, persons, technology and systems that touch sensitive payment data.
Results achieved
Our team identified that the institution did not have a formal PCI compliance program in place with protocols and practices for governance and oversight of compliance with the PCI DSS requirements. There were also no formalized processes in place for managing third party vendors supporting PCI transactions. Our team provided guidance on creating a more robust governance structure and drafting a PCI compliance policy to formalize the institution’s PCI compliance program and meet PCI DSS requirements.
For more information on this topic, or to learn more about how Baker Tilly’s higher education internal audit specialists can help your institution, contact our team.