Payment Card Industry Data Security Standard (PCI-DSS)
Is your students’ Payment Card information safe?
Tertiary Education Institutions (TEIs) offer products and services to students, staff and external clients. The multiple payment types that are available across a variety of business processes make TEIs highly attractive to cyber criminals looking to profit from card payment fraud.
Even when security considerations have been part of the payment process design, it can still be difficult to get the design right while meeting security, commercial and legal obligations over time. Difficulties include:
- The diversity, volume and physical spread of payment systems across campuses;
- The number of stakeholders involved including students, staff, vendors, suppliers and affiliated organisations;
- Colleges that require the ability to sell items independently direct to students and other customers; and
- The variety of software systems including those used by general and academic staff, those controlled by TEI Technology departments and software as a service applications.
A robust system should be in place to handle payments securely. To be able to confirm to a TEI's bank(s) and other stakeholders (e.g. students, the Audit and Risk Management Committee) that such a system is in place, a complete understanding is needed of the TEI's card payment footprint: every system, process, location and third party that stores, processes or transmits cardholder data.
Consideration should also be given to how much effort is required to address high and medium risks versus the effort required for a full compliance approach. The answer indicates the relative risk appetite within a TEI.
What is PCI-DSS?
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of fundamental security requirements, industry tools and measurements that address the handling of cardholder data.
PCI DSS consists of twelve requirements grouped under the following six control objectives:
- Build and Maintain a Secure Network;
- Protect Cardholder Data;
- Maintain a Vulnerability Management Program;
- Implement Strong Access Control Measures;
- Regularly Monitor and Test Networks; and
- Maintain an Information Security Policy.
Maintenance of the PCI-DSS is overseen by the PCI Security Standards Council, an organisation founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. Enforcement of the standard in New Zealand is usually driven by the banks, which means that PCI DSS is a commercial contractual issue rather than a regulatory or legislative one.
Risks and consequences of not addressing PCI-DSS
Following a series of high-profile data security breaches overseas and locally in New Zealand, consumers who use payment cards are increasingly concerned about the security of not only their financial information, but also their personal information. Some recent examples are:
- Ticketmaster (Personal and payment information breach. NZ customers affected): https://www.nbr.co.nz/article/ticketmaster-notifies-nz-customers-security-breach-ms-p-216594
- Marriott: (Personal and payment information breach. NZ customers likely affected): https://www.stuff.co.nz/business/109016514/marriott-security-breach-exposed-data-of-up-to-500-million-guests
Banking agreements and contracts normally refer to PCI DSS, which means that failing to address the standard can become a contractual issue between a TEI and its bank.
Such high-profile risks may require a new way of thinking for TEIs. The loss of customer card data can be time consuming and costly to deal with, and can erode brand value.
Organisations that suffer losses of customer card data and have not addressed PCI-DSS face potential fines, and could ultimately risk losing the ability to process card payments. The result is significant brand risk coupled with lost revenue.
Key considerations for addressing PCI-DSS
Strong technical skills and an understanding of PCI DSS are required to correctly identify a PCI footprint. The more decentralised the systems and channels used for taking payments, the more complex the PCI-DSS footprint becomes.
This in turn means higher effort and cost for ongoing maintenance and compliance activities. Payment card security is not only linked to PCI-DSS, but also to broader risk mitigations related to cyber security, privacy and identity management.
To provide confidence to senior leadership teams that card payment data is being securely handled, a holistic approach across different initiatives is required. These include business process change, contract management, project and change management, and risk management.
The traditional tactical approach of replacing the most critical payment application with a slightly "better" one does not necessarily maintain a long-term, sustainable and acceptable PCI risk profile.
A strategic approach to implementing payment solutions is recommended. This approach should be driven by the business rather than IT, and needs to examine the agreed PCI footprint from the top down to identify relevant risks and address compliance issues.