Posted by: Arian Eigen Heald
Compliance, PCI DSS, Security
The Payment Card Industry (PCI) Data Security Standard (DSS) has taken many educational institutions by surprise. If your College or University accepts payment cards on campus or online, you must comply with this standard designed for safe handling of sensitive consumer information. Examine such areas as tuition payments, fees and the campus bookstore.
So here are some tips for assessing what risk you have with the DSS:
Know Your Total Transactions:
How many credit card transactions does your institution generate per year? This includes all the credit cards together, not separately. “All” includes Visa, MasterCard, Discover, American Expres, and Diners Club. It no longer matters whether the transactions are online or at a physical storefront. Make sure you can identify the different banking relationships that support the different cards.
What is Your “Merchant Level*?” If you are accepting credit card payments, the PCI considers you a “merchant.”
Level 1. Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year.
Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2. Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3. Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4. Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.
** Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
You might be surprised at how many transactions you really have in your environment.
Know the Requirements:
Some institutions believe that because they are nonprofits that they are not required to meet DSS requirements. Other businesses believe that because they out-source their credit card transactions, the requirements do not apply to them. None of these statements are true.
Any organization that uses credit card transactions is responsible for meeting the standards. If your institution outsources transactions to a service provider, you must make sure that the provider has met the PCI standards. These standards apply to all entities processing or storing credit card numbers, Web-based or not. This includes database companies, telemarketing firms, or any firms that may be storing cardholder data for you.
The compliance requirements vary depending on what level of transactions (how many in total) are taking place.
Compliance Validation Basics
In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants.
Validation requirements and dates are determined by the merchant’s “acquirer.” That’s the bank that holds the agreement with your school or university to process credit transactions.
A table of requirements can be found here.
Know Your Data:
Determine exactly what your institution is storing from each credit card transaction. Make it practice to not retain sensitive cardholder data and encrypt all sensitive data stored on your institution’s systems.
Many older “cash” registers keep all the information on the credit card magnetic strip, or send it all to a local server, which is contrary to PCI standards. Department store TJ Maxx was storing all the data from the credit cards. When it was discovered that their security had been breached, the resulting fines and costs are well into the millions of dollars and still rising. If they had stored only the required numbers, the thieves wouldn’t have been able to use the information, and the reputation and financial damage to TJ Maxx could have been avoided.
Know Where Your Data Is:
Tracking where all the data is, who has access to it, and how it is transmitted to various parties is one of the best ways to indentify security issues. Organizations that run a software scan to determine compliance are missing the point. There is no software that can find all the places that PCI data is stored, how it is secured, and who has access to it. This can sometimes be a time-intensive search, but is well worth the investment to secure your data.
Sometimes universities have multiple credit agreements with acquiring banks and don’t realize that they have a far higher transaction count. Don’t wait to be surprised!