What Problems do Universities Face When Choosing a PCI Partner?


Universities face different PCI compliance challenges than standard business organizations, which makes it difficult to choose a PCI partner who understands their specific environment and concerns.

While it’s challenging to compile an exhaustive list of potential problems universities face when selecting a PCI QSA, here are the top issues I’ve identified that universities commonly encounter. 

Lots of Merchant Types

The Problem: 

In my experience, it’s common to find universities with dozens (or even hundreds) of merchants under their PCI umbrella that each require an independent assessment: admissions, athletics, dining services, bookstores, and other similar departments.

The Solution: 

Universities need a partner that takes the time to accurately scope everything. No individual merchant should be required to meet controls that don’t apply to them just because the merchant next door does. 

Choose a partner that treats each environment separately but is also able to organize all of them into a comprehensive report on your compliance.


Budgeting for PCI Compliance

The Problem: 

Universities are backed by donors and other stakeholders who want to ensure that money is spent as carefully as possible. This means that PCI and cybersecurity budgets are typically non-negotiable by the time your PCI assessment approaches.

I’m skeptical of any PCI company that doesn’t have a transparent pricing model that can work within your budget. Universities need to identify a PCI partner who won’t inflict surprise pricing or add-ons that will disrupt their budget. 

The Solution: 

Estimating your PCI assessment cost can be difficult in an industry where the price of a PCI audit is often treated as a trade secret.

To combat this, SecurityMetrics has created a PCI Audit Pricing Calculator that lets you enter your university’s specific requirements and get a price range for what your audit may cost.

You can also speak directly with a SecurityMetrics expert who can give you an exact quote before you get budget approval. Even if you end up partnering with a different PCI vendor, this will ensure that you get an adequate budget for your assessment. 

Turnover and a Lack of PCI Knowledge

The Problem: 

Another issue I’ve encountered when working with universities is that they often experience high turnover simply because they employ so many people. This leads to new hires who aren’t familiar with PCI DSS compliance, and feel overwhelmed by their responsibilities. 

Imagine having 100+ different Level 4 merchants, each of which must be compliant before the university as a whole can be. You can’t simply impose a non-compliance fee and still expect the university to achieve compliance. It’s like herding easily frustrated cats.

The Solution: 

Universities will want to choose a partner that’s not only available for questions as they arise, but also one who hosts webinars before onsite assessments in order to prepare everyone involved in PCI compliance. Because training an entire university’s staff is substantially more difficult than training the staff of a single business, you need to vet your PCI partner properly and make sure that they have adequately trained large universities before.

I’ve also found that it’s helpful to have an audit management tool (like Suralink) that keeps track of evidence from past years so merchants can easily find what they need to complete their PCI compliance. 

Shadow IT and Unvetted Software/Solutions

The Problem: 

Because universities have so many departments, individual departments are often choosing solutions with little or no input on their cybersecurity implications. 

This is called “shadow IT”: IT that operates outside of the university’s sanctioned IT infrastructure. Unvetted technology can look like alternative cloud storage solutions, unsanctioned collaboration tools (one department using Slack while the university as a whole uses Microsoft Teams), personal devices used to store sensitive data, unapproved software downloads, unsecured personal hotspots, and more. For PCI specifically, the risk is that any of these can end up storing, processing, or transmitting cardholder data, pulling systems into scope that nobody has inventoried or assessed.

The Solution: 

A solid PCI partner can be a tremendous help for universities encountering shadow IT. An excellent PCI partner will spend the time necessary to identify any unvetted IT solutions and software before and during your PCI audit.

While universities are responsible for their own IT departments and their responsiveness, a PCI partner should be able to help identify the why behind shadow IT at your university. 

Maybe your IT department is too slow to respond when departments need a new solution, so they go ahead without permission. Or perhaps the problem lies in infrequent or inadequate training on the software approval protocol. 

Once the why is identified, your PCI partner can help you reduce your scope, create PCI-specific policies, train your employees and stakeholders, and continually monitor your environment so that shadow IT software can be identified quickly. 

Environmental Changes Throughout the Year

The Problem: 

I’ve found that universities experience many changes in their payment card environment from year to year. This means that university merchants will consistently face problems they haven’t previously encountered and will need assistance with.

While they may have colleagues or financial departments they can collaborate with, it’s difficult to know who to turn to without a clear PCI advisor. 

The Solution: 

Universities need a PCI partner that’s available year-round, not just a couple of months before a PCI assessment. If you partner with a PCI compliance vendor that’s invested in your success, they will gladly answer questions throughout the year and will have support available for all of your merchants, before, during, and after the assessment.

I can’t stress enough how important helpful and responsive support is for your merchants. They shouldn’t feel like they have to accomplish everything on their own with no guidance. You also risk them receiving information that doesn’t apply to them or isn’t accurate if they are left on their own, so be sure to choose a PCI partner who has 24/7 helpful support. 

Final Thoughts: Choosing a PCI Partner that Works For You

There are so many different variables at play when it comes to choosing a PCI partner. 

Ultimately, you want to partner with a vendor that understands your specific concerns, will be available and responsive to you and your merchants year-round, will work with your budget and won’t tack on unexpected fees, and has past university clients who can vouch for them. 

Check out the University Timeline Checklist for more information about what universities can expect from their PCI audit.
