Guest Post: Demystifying PCI DSS
Today’s schools are suddenly responsible for understanding PCI DSS and often have annual audit requirements. Sounds scary, right? While most public schools would not consider themselves payments experts, they manage enough payments to benefit greatly from acquiring some expertise.
In 2008, SchoolPay (under our corporate name My Payment Network), ASBO International (Association of School Business Officials), and NBOA (National Business Officers Association) conducted a K12 Payments Study. The results were enlightening. The average parent makes 28 payments per child per year directly to their school. Managing 28 payments per child per year across many departments and vendors casts a wide audit scope, increases errors and omissions, and escalates operation costs.
At the highest level, PCI DSS is organized around six control objectives. Each objective groups the related requirements beneath it (twelve top-level requirements in total). PCI DSS comes down to six areas of focus:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Sounds easy enough, right? Well, each control objective breaks down into further requirements, and if you peel back every layer you will quickly find that these six objectives feed into hundreds of detailed sub-requirements and testing procedures. Any vendor that takes payments on your district’s behalf should be independently assessed to prove it adheres to them. Please don’t confuse “compliant with PCI DSS” with “independently assessed.” Compliance is the obligation; an assessment by a Qualified Security Assessor (QSA) is how a service provider proves it. If you outsource all your payments, you are still responsible for compliance (for whatever part of the process your staff and systems still touch, and for managing the provider). Your service provider needs to be independently assessed, and you should ask for its current Attestation of Compliance.
Five Points that “Make Sense”
We’ve boiled down the principles. These points are by no means intended to be your guideline for maintaining PCI DSS compliance. They merely simplify the topic for a broad introduction to what can be a very big subject.
Point #1: PCI DSS is about more than Ecommerce.
Many people think PCI DSS is only about Ecommerce. It’s about cardholder data. If you allow in-person credit card payments, PCI DSS impacts those payments as well.
Best practice: Every person, system and physical location in the district that could come in contact with, or leave a record of, a full card number (the primary account number, or PAN) is in scope and is a potential point of exposure. Document all of them and establish a policy for each data interaction.
Point #2: PCI DSS is not the job of one person or one department.
PCI DSS is equivalent to trusting someone with a secret. How many people does your district trust with this secret?
Best practice: Establish policies and procedures that define the behavior of everyone (staff) and everything (hardware/software) in the district that touch cardholder data.
[Figure: District Payment Biosphere]
Point #3: You must interact with cardholder data to take payments.
Best practice: Limit your scope (the people, systems and processes that touch cardholder data).
- Reduce the number of people authorized to manage credit card payments.
- Institute policy for taking card numbers over the phone or in person.
- Reduce the level of data staff can access (e.g. Costco has a policy that cashiers are not allowed to even key in cardholder account numbers if the magnetic stripe fails to read).
- Push credit card payments to a secure solution where only the payer interacts with their card number.
Point #4: PCI DSS is really common sense.
Maybe your common sense is on track, but do you really want to leave something this important up to every staff member’s common sense? Districts prepared to head off security breaches take all human “sense” out of the equation.
Some samples of questionable “common sense” we regularly see in schools:
- Donation cards that collect 16-digit credit card number, expiration date and CVV that end up on desks visible to all.
- A foundation or aftercare worker that keeps a list of cardholder numbers, etc. for payments they re-key every month. We saw one case where the staff member had it taped to the top of their desk so it was “handy.”
- Employees empowered to take credit card numbers over the phone who then write down full account details and leave those details behind on open desks.
Best practice:
- Centralize payment policies across the district – don’t leave it up to every department.
- Put as many payments as you can onto a common, secure payment platform.
- Know which payment processor, and which PCI DSS validation status, sits behind every software vendor that offers a payment feature.
- Ecommerce and payments are not an “add-on” feature; payment handling is a business in and of itself.
- Make sure any vendor whose software collects card numbers is a Level 1 service provider with a current Attestation of Compliance from an independent QSA assessment, and ask for that attestation every year.
Point #5: You take more payments than you think.
The number and kind of credit card transactions you manage determine your PCI DSS validation requirements. Whether you need an on-site assessment by a QSA (which produces a Report on Compliance) or can self-assess with a Self-Assessment Questionnaire and Attestation of Compliance depends on your annual transaction volume (which sets your merchant level with your acquiring bank) and on how the district accepts cardholder data.
Even if your school outsources payments to one or more vendors, you still have annual responsibilities to PCI DSS. All school business officers should establish an awareness of the guiding principles for protecting cardholder data.
The bottom line is that PCI DSS, beyond being a large compliance exercise, is a good way to operate. Most districts take in millions of dollars in payments annually. PCI DSS is not only good cardholder-data practice; it’s also good business practice for payments of any kind (cash, paper check).
For more information about PCI DSS 3.2 (the current version of the requirements at the time of writing) go to https://www.pcisecuritystandards.org.