When student housing providers set out to create a great housing experience for their students, PCI compliance is likely to be the last thing on their mind. But residents are trusting the organizations to keep their data safe and that means security controls need to be a top priority. Fortunately, we have a few suggestions that can take the pain out of compliance.
No one likes to think they could be vulnerable to a data breach. However, according to Verizon’s most recent Data Breach Investigations Report (DBIR), the education sector ranked third among industries reporting the most security incidents and breaches in 2017. If your organization accepts credit card payments and houses considerable amounts of data, you have to deal with a wide array of security issues that sit outside core operations. From selecting payment technologies to infrastructure hardening, monitoring, auditing and more, the process can be costly and time-consuming. There is clearly a lot of room for improvement, but who has the time or staff to tackle what seems to be a daunting task?
While it may be tempting to hand the whole mess over to someone else, it is not possible to completely transfer the responsibility for security to a third party. A common balanced solution is to shift sensitive data, such as credit cards, to service providers who specialize in implementing security controls across a range of institutions, leaving you to focus on the core purpose of your organization – providing that great housing experience. In this article, we explore some areas to consider when choosing partners to reduce your compliance requirements.
Planning for PCI Compliance at your Institution
The first step in any security and compliance exercise is to get expert advice. Data security, privacy, and PCI DSS are complex fields, with a mix of technical, regulatory and process related concerns. Housing management operations are similarly complex and regulated, so a comprehensive strategy is likely to require people with a range of skills. Before choosing a partner company, ask yourself the following questions.
What is your risk for a data breach?
Understanding risk is the starting point for any strategy that involves sharing data with partner companies. That non-compliance with PCI DSS can be fined is well established (the card brands levy fines through your acquiring bank), but data on what fines are imposed in practice is reasonably sparse – the most commonly cited figures are between $5,000 and $100,000 per month, depending on the size of the institution. Consider also the risk of losing data other than credit cards. According to the Ponemon Institute, the average cost of a breach in Education is $166 per record breached. Multiply that by the number of entries in your database and you have a high-level estimate of what a data breach could cost. When selecting partners, the importance of doing your due diligence can’t be overstated.
How do you manage software?
When looking at software, it is preferable to engage companies that have a strong security program and host on Platform as a Service (PaaS) or Functions as a Service (FaaS) from a reputable provider, such as Azure or AWS. When hosting is done on PaaS or FaaS, the physical and infrastructure risks (data centers, hardware, hypervisors, operating system patching) are carried by the cloud provider, which holds its own PCI DSS attestation for the services it operates. The supplier remains responsible for everything above that line: its application code, its configuration of the cloud services, and its handling of your data. This lets you evaluate potential suppliers by the security controls they implement directly, rather than having to guess at what risks are hidden in their supply chain.
In the education industry, 26% of data breaches in 2017 involved hacking web applications, making this a primary area to move to a secure partner. Recent cyber-attacks have focused directly on portal payment pages. Attackers inject malicious JavaScript into the page, often through a compromised third-party script, and that code copies cardholder data out of the payment form as the customer types it in – before the browser encrypts it with TLS, so the connection being “secure” does not help. This sounds ominous and it is, but don’t worry, there is a range of defenses available against these attacks. It is critical that your service provider is familiar with them and able to apply them.
Where is your resulting data stored?
Most institutions have data sovereignty requirements and cannot store data outside their country. This shouldn’t be an issue, as cloud providers are now present in most parts of the world, allowing your services to be hosted in the same region. What you will need to determine is where your data is backed up to and where any failover capacity runs in the event that your primary service is affected by an outage – backup and failover regions must satisfy the same residency requirements as the primary one.
How do you manage security for physical infrastructure?
If you accept payments via a bursar’s office or another physical payment scenario, you will need to safeguard your credit card equipment from interference, such as credit card skimmers. PCI DSS itself requires that card-reading devices be inventoried, periodically inspected for tampering or substitution, and that staff be trained to spot suspicious behaviour around them (Requirement 9.9 in PCI DSS v3.2). This is an area where it is a good idea to get expert advice to set up those processes and controls, and to configure the equipment in a secure manner.
Additionally, depending on what payment providers you have available to use, you may want to adopt a validated PCI Point-to-Point Encryption (P2PE) solution. With P2PE the card data is encrypted inside the terminal where the payment is accepted and decrypted only in the solution provider’s secure decryption environment, so none of the intermediary systems – your network, point-of-sale software and workstations – ever see cleartext card data. That substantially reduces your PCI DSS scope, and merchants using a validated solution can qualify for the much shorter SAQ P2PE self-assessment.
Choosing the right compliance partners
Now that you have assessed your risk, it’s time to choose the right partners. As we described above, due diligence on potential partners is extremely important, as is setting up the partnership. There are several steps involved in ensuring a partnership supports your overall compliance objectives:
Step 1: Define security responsibilities
Both parties need to understand what their responsibilities will be under the contract. An SLA should be in place, and there should be expectations set around incident response (including how quickly you are notified of a breach affecting your data), disaster recovery, and specific security controls such as patching cadence. As part of this, appropriate levels of cybersecurity insurance should be established in the event of a breach.
Step 2: Define Privacy responsibilities
Consider where your institution operates to understand your privacy responsibilities. Depending on your jurisdiction you may be required to comply with a range of privacy laws, such as GDPR, FERPA, PIPEDA, CCPA, etc. The partners you choose to work with should be familiar with these laws and be able to demonstrate how they will enable you to comply with them. Be sure to set expectations about how compliance will be achieved up front.
Step 3: Establish Compliance requirements
What standards of compliance are necessary for your potential partners? Think about the nature of your suppliers and where they operate. Here are a few common compliance requirements that may apply.
- PCI DSS applies to anyone who stores, processes or transmits cardholder data, which covers most institutions. Ask a service provider for its current Attestation of Compliance (AOC) and check that the services you will use are listed in scope.
- NIST frameworks (for example NIST SP 800-53 or the Cybersecurity Framework) and SOC 2 reports are US-centric; NIST is typically required of public institutions and SOC 2 may be requested on a case-by-case basis. Equivalent assurance can usually be provided by similar programs from other jurisdictions, such as ISO/IEC 27001 certification or a COBIT 5 assessment.
- If you handle specific types of data, you may require compliance with additional laws, such as HIPAA for health data.
A final note on compliance is that while it drives positive practices in security, you should always ask to see recent vulnerability scans and penetration test reports from potential partners – this is the evidence that shows compliance is working.
Step 4: Maintain your right of audit
What happens next? Assuming everything looks great in the beginning, how do you know your data will continue to be secure? Contracts with partners should allow for an audit to ensure good practices are being maintained with your data.
Addressing the remaining compliance risks
Once you have transferred as much risk as makes sense for your organization, you will still be responsible for some compliance requirements. These will generally revolve around training and maintaining secure practices. Often this training can be provided by the organizations that also assess PCI security.
The complexity of technology solutions is increasing at a rapid rate, and many of the new laws we are seeing are an attempt to keep up with the risks they introduce. It is possible to run a secure system entirely within your operation, but this takes dedicated staffing with specific skills and resources. By looking at the tools required to operate your business, and choosing secure partners for sensitive components, you can feel confident that your organization’s data is protected.
StarRez is certified with PCI DSS as a Level 1 service provider. We are committed to meeting and exceeding data security protection standards.
For more information
To learn more about how StarRez keeps your data safe and our PCI certification, contact Rafe Hart at dpo AT starrez.com.
You will find more helpful resources on our blog page More StarRez Insights