By Ron King
This article is the second in the series.
In the previous issue of the Bottom Line we discussed 10 Myths of PCI Compliance that have resulted from misunderstanding of the PCI DSS or, in some cases, from misleading advice received by campus administrators. Hopefully the information in that article has helped you better understand the responsibilities your office has regarding protecting cardholder information. The purpose of this article is to present the hurdles that the higher education community has to overcome in order to demonstrate compliance.
The PCI Myths Recap
- "PCI compliance is just another Information Technology (IT) project."
- "The PCI DSS is only a recommendation and not a requirement."
- "We don’t process a large number of credit cards, so we don’t have to be compliant."
- "We’ve outsourced our card processing, so we are PCI compliant."
- "PCI only applies to ecommerce."
- "The PCI DSS is unreasonable with inflexible requirements."
- "We use a PA-DSS certified application so we are compliant."
- "Since we don’t store credit card information, we don’t have to be PCI compliant."
- "We use a certified card processor, therefore we don’t have to be PCI compliant."
- "Passing an ASV scan means we are PCI compliant."
Higher Ed Is Unique
The United States is a society of openness and freedom, values especially central to campuses of higher education. This environment presents a particularly difficult task for colleges and universities because we serve students, faculty and the community, and it becomes much more challenging to completely lock the door from a security perspective because we are supposed to be open by our very nature.
There are unique aspects of higher education that sometimes compound the difficulty of achieving compliance. The campus environment is markedly different from that of more traditional merchants because of:
- The open nature of the college physical and technical environment
- Departmental decentralization that sometimes inhibits central policy enforcement
- Data-rich information systems that create a natural target for hackers
- Sophisticated intruders, with potential criminal intent
- Overloaded IT staff, which prevents or delays focus on security measures
- Numerous independent payment systems across the campus relying on multiple third parties
- Fiscal constraints
Compared with almost any other sector of the economy, or more specifically with any other operation that takes credit cards for payment, higher education is far more complicated. How do we defend that statement? Let's use the food services segment as an example. McDonald’s, Subway, and Starbucks presently have just over fifty thousand locations in the U.S.:
- Subway: 25,549
- McDonald’s: 14,350
- Starbucks: 11,910
Source: consumerist.com
Compare the 50K locations with the number of Title IV, degree granting colleges and universities:
- 4-year: 2,968
- 2-year: 1,738
Source: National Center for Education Statistics
What is the significance? Subway, McDonald’s, and Starbucks locations all have one, simple method for the credit card transaction – swipe at a terminal – while every college campus has multiple locations taking card payments using every conceivable form of transaction type. Another way of looking at it: there are over four thousand different ways of doing business, or actually four thousand times "n" number of departments on campus!
Where the Credit Cards Are
Looking at the business side of a typical campus, here is a list of just some of the locations that take credit cards:
- Athletics – ticketing and concessions
- Performing Arts
- Business Office / Bursars
- Library – fines and copying fees
- DVD rental vending
- Campus Safety Office (parking fees and fines)
- Dining
- Residence halls
- Book Store
- Student Center (student activity fees, student newspaper advertising, food courts)
Open networks designed to facilitate knowledge sharing raise these information security concerns for college CIOs:
- What/Where is my data?
- How sensitive is it?
- Who’s responsible for it?
- Who has access to it?
- Do I need to keep it?
- What if it gets in the wrong hands?
Source: Educause
Whose Responsibility?
One consequence of decentralization on campus is the recurring question of whether the business office or information technology has responsibility for compliance. Since PCI compliance is mandated through the Merchant Agreement with the Acquiring Bank, the Business Office is usually designated as the responsible party. However, it is information technology/network security that carries out most of the work.
To make that work requires a great amount of teamwork and communication between Business and IT. Since this article is directed to Community College Business Officers, here is a primer for discussing technology issues with your IT counterparts:
| IT Term | Possible Business Office Understanding | What IT Means |
| --- | --- | --- |
| Driver | A driver drove me from the airport | Computer program that operates a type of service |
| Server | The server delivered my ice tea | A program that provides services to other computer programs and their users |
| Boot | Boots are worn when leaving the house | To start or restart a computer |
| Port | A type of wine | Either physical or virtual connection points |
| Firewall | A construction used in buildings to keep fire from spreading | A network security system that controls incoming and outgoing network traffic |
Source: Crossing the DMZ Presentation at Payments, 2015, Ruth Harpool, Indiana University; Jeffrey Hopkins, Purdue University
While I am sure communication isn’t quite that difficult on your campus, there are risks in not understanding what IT means. Decisions made without a clear understanding of the situation are usually costly decisions, in terms of both security and dollars. The lesson here: don’t be a rubber stamp. It’s better to take the time to understand clearly. Know what is being said, so that you can translate or approve:
- It is always OK to ask questions
- If you hold the approval power, or if you sign the checkbook, then you have an obligation to understand
Handling Grief Over PCI Compliance
In 1969 Elisabeth Kübler-Ross proposed the five stages of grief, a model suggesting that individuals working through grief over negative events in their lives pass through five stages. First, they deny that the event happened. Then, they feel angry about the event occurring and may express their outrage. Next, they begin to bargain with a higher power, the universe or an unidentified entity in an effort to return life to the way it was. They then may experience a period of depression before finally accepting that life has been forever altered.
The Five Stages model is considered useful by many therapists as well as doctors. Maybe the basic structure can also help community college business officers understand the stress and emotional process that may occur with the realization that PCI Compliance is real. So, breaking it down into identifiable steps that are easy to recognize:
- Denial: It doesn’t apply to me
  - PCI compliance is mandatory (refer to Myth #2)
- Anger: It isn’t fair
  - The rules apply to everybody (refer to Myth #5)
- Bargaining: I’ll do some of it
  - PCI is "pass / fail" (see Myth #10)
- Depression: I’ll never get there
  - Many campuses already have (see Myth #6)
- Acceptance: It will be OK
  - The PCI DSS addresses best practices that would protect all sensitive information (see Myth #6)
Summary
The open, decentralized nature of higher education presents many information security challenges to college campuses when compared with almost any other sector of the U.S. economy. The Business Office should take responsibility for PCI compliance, and through clear communication with Information Technology the campus can attest to full compliance, protecting the credit card information entrusted to it by the students, faculty and community served by the college.
Ron King is President of CampusGuard
(972) 964-8884
rking@campusguard.com