Taking the Pain Out of PCI Compliance for Student Housing
No one likes to think they could be vulnerable to a data breach; however, according to Verizon's most recent Data Breach Investigations Report (DBIR), the education sector reported a total of 99 breaches in the 12 months prior. If your organization accepts credit card payments and houses considerable amounts of data, you have to deal with a wide array of security issues that sit outside your core operations. From selecting payment technologies to infrastructure hardening, monitoring, auditing and more, the process can be costly and time-consuming. There is clearly a lot of room for improvement, but who has the time or manpower to tackle what seems to be a daunting task?
While it may be tempting to hand the whole mess over to someone else, it is not possible to completely transfer the responsibility for security to a third party. A common balanced solution is to shift sensitive data, such as credit cards, to service providers who specialize in implementing security controls across a range of institutions, leaving you to focus on the core purpose of your organization – providing that great housing experience. In this article, we explore some areas to consider when choosing partners to reduce your compliance requirements.
Planning for PCI Compliance at your Institution
The first step in any security and compliance exercise is to get expert advice. Data security, privacy, and PCI DSS are complex fields, with a mix of technical, regulatory and process-related concerns. Housing management operations are similarly complex and regulated, so a comprehensive strategy is likely to require people with a range of skills. Before choosing a partner company, ask yourself the following questions:
What is your risk for a data breach?
Understanding risk is the starting point for any strategy that involves sharing data with partner companies. Potential fines for PCI DSS breaches are well established, but data on which fines are actually imposed in practice is reasonably sparse – the most frequently cited figures put non-compliance fines between $5,000 and $100,000 per month, depending on the size of the institution. Consider also the risk of losing data other than credit cards. According to the Ponemon Institute, the average cost of a breach in Education is US $155 per record breached. Multiply that by the number of entries in your database, and you have a high-level estimate of what a data breach could cost. The education industry average is US $4.77 million. When selecting partners, the importance of doing your due diligence can't be overstated.
How do you manage software?
When looking at software, it is preferable to engage companies that have a strong security program and host on Platform as a Service (PaaS) from a reputable provider, such as Azure or AWS. By confirming that the hosting is done on PaaS, you can mitigate most of the physical and infrastructure risks associated with the software, as the major cloud providers are among the most secure and compliant organizations. This lets you evaluate potential suppliers by the security controls they implement directly, rather than having to guess at what risks are hidden in their supply chain.
In the education industry, 52% of data breaches in 2019 involved hacking, with web applications being the leading vector, making this a primary area to move to a secure partner. Recent cyber-attacks have focused directly on portal payment pages. Attackers inject malicious code into the page that captures cardholder information in unencrypted form as the customer types it in. As ominous as this sounds, there are a range of defences available against these attacks. It is critical that your service provider is familiar with them and able to apply them.
Where is your resulting data stored?
Most institutions have data sovereignty requirements and cannot store data outside their country. This shouldn't be an issue, as cloud providers are now present in most parts of the world, allowing your services to be hosted in the same region. What you will need to determine is where your data is backed up to, and whether there are any failover capabilities in the event that your primary service is affected by an outage.
How do you manage security for physical infrastructure?
If you accept payments via a bursar’s office or another physical payment scenario, you will need to safeguard your credit card equipment from interference, such as credit card skimmers. This is an area where it is a good idea to get expert advice to set up processes and controls to protect the equipment and configure it in a secure manner.
Additionally, depending on which payment providers are available to you, you may want to implement the PCI standard for Point-to-Point Encryption (P2PE). P2PE encrypts the card data at the terminal where the payment is accepted and keeps it encrypted through to the bank, so that none of the intermediary systems have access to it.
Choosing the right compliance partners
Now that you have assessed your risk, it’s time to choose the right partners. As we described above, due diligence on potential partners is extremely important, as is setting up the partnership. There are several steps involved in ensuring a partnership supports your overall compliance objectives:
Step 1: Define security responsibilities
Both parties need to understand what their responsibilities will be under the contract. An SLA should be in place, and expectations should be set around incident response, disaster recovery and specific security controls, such as the frequency of vulnerability updates. As part of this, appropriate levels of cybersecurity insurance should be established in the event of a breach.
Step 2: Define Privacy responsibilities
Consider where your institution operates to understand your privacy responsibilities. Depending on your region, you may be required to comply with a range of privacy laws, such as GDPR, FERPA, PIPEDA, CaCPA, etc. The partners you choose to work with should be familiar with these laws and be able to demonstrate how they will enable you to comply with them. Be sure to set these expectations regarding how compliance will be achieved up front.
Step 3: Establish Compliance requirements
What standards of compliance are necessary for your potential partners? Think about the nature of your suppliers and where they operate. Here are a few common compliance requirements that may apply.
- PCI DSS certification is required for anyone transmitting or storing card data and applies to most institutions.
- NIST and SOC 2 are US-specific frameworks required by public institutions and may apply on a case-by-case basis. Typically these frameworks can be met by similar compliance programs from other jurisdictions, such as ISO 27000, COBIT 5, etc.
- If you handle specific types of data, you may require compliance with additional laws, such as HIPAA for health data.
A final note on compliance: while it drives positive practices in security, you should always ask to see recent vulnerability scans and penetration test reports from potential partners – this is the evidence that shows compliance is actually working.
Step 4: Maintain your right of audit
What happens next? Assuming everything looks great in the beginning, how do you know your data will continue to be secure? Contracts with partners should allow for an audit to ensure good practices are being maintained with your data. This will become essential in the event of a breach, allowing you to directly investigate what may have occurred at a vendor.
Addressing the remaining compliance risks
Once you have transferred as much risk as makes sense for your organization, you will still be responsible for some compliance requirements. These will generally revolve around training and maintaining secure practices. Often this training can be provided by the organizations that also assess PCI security.
The complexity of technology solutions is increasing at a rapid rate, and many of the new laws we are seeing are an attempt to keep up with the risks they introduce. It is possible to run a secure system entirely within your operation, but this takes dedicated staffing with specific skills and resources. By looking at the tools required to operate your business, and choosing secure partners for sensitive components, you can feel confident that your organization’s data is protected.
StarRez is certified with PCI DSS as a Level 1 service provider. We are committed to meeting and exceeding data security protection standards.
For more information
To learn more about how StarRez keeps your data safe and our PCI certification, contact Rafe Hart at dpo AT starrez.com.
You will find more helpful resources on our blog page, More StarRez Insights.