In the early 2000s, with the development of e-commerce and online marketplaces, the world saw an increase in the adoption of digital payments. This opportunity that allowed merchants to expand their businesses outside of brick-and-mortar stores also provided cyber criminals with new opportunities to infiltrate card processing systems for illegal gains. Credit card industry leaders took it upon themselves to develop a common set of security standards to protect cardholder data and thus the Payment Card Industry Data Security Standard[1] (PCI DSS) was born. PCI DSS is designed to safeguard the handling of sensitive payment card information during transactions and provide compliance guidance for any organization that accepts, processes, stores or transmits credit card information.
Why is PCI compliance necessary?
Credit card fraud is a growing concern in today’s digital world. Hackers are constantly finding new ways to steal sensitive payment information, putting both consumers and businesses (including higher education institutions) at risk. PCI compliance helps prevent this by requiring that institutions follow strict security protocols when handling payment card information.
Failure to comply with PCI standards can result in financial penalties and damage to a college or university’s reputation. In the event of a data breach, non-compliant institutions may lose the ability to accept payment cards and face legal action from affected customers.
What does PCI compliance involve?
PCI DSS compliance is a continuous process and involves meeting the security standards set by the PCI Security Standards Council. Standards cover a wide range of security measures, including:
- Building and maintaining a secure network: colleges and universities must install and maintain firewalls, keep software up-to-date and restrict access to sensitive information.
- Protecting cardholder data: colleges and universities must certify that sensitive payment information is encrypted and stored securely. Processes must also be in place to detect and respond to security incidents.
- Maintaining vulnerability management programs: colleges and universities must regularly test the security of systems and applications and keep them up to date.
- Implementing access controls: colleges and universities must control who has access to sensitive information and monitor access logs to detect and prevent unauthorized access.
- Regular monitoring and testing: colleges and universities must monitor networks for unusual or suspicious activity and conduct regular penetration testing to identify vulnerabilities.
- Maintaining an information security policy: colleges and universities must have a comprehensive security policy in place that outlines the steps necessary to protect sensitive information.
Institutions are required to undergo regular assessments to confirm they are meeting PCI standards.
Baker Tilly can help
We can help colleges and universities take a proactive approach by evaluating the current state of policies, processes and internal controls related to PCI compliance and identifying opportunities for improvement.
