Am I a Service Provider?
Am I a Service Provider?
PCI compliance is no easy feat.
PCI compliance is no easy feat. It’s even more complex for universities that have multiple units responsible for accepting and processing payments. Some institutions turn to third party service providers (TPSPs) to help manage these units, which may include dining facilities or fundraising campaigns. These TPSPs may have their own merchant accounts to process payments, but many also leverage the university’s computers or networks.
Getting the Scoop on “In-Scope”
What many universities don’t realize is that this sharing of computers and networks may make the university responsible for PCI compliance—even where those vendors are operating under their own merchant accounts. A university may use a TPSP to manage (store, process, transmit) cardholder data on its behalf or to handle the cardholder data environment (CDE), but this does not unburden the university from owning PCI compliance and ensuring that cardholder data and environment are secure.
Unfortunately, many higher ed institutions are not aware of this and believe that using a TPSP effectively transfers the risk and PCI scope to that party. It does not.
Minimizing Risk Across the Board
The good news is that the Third-Party Security Assurance Special Interest Group of the PCI Security Standards Council has provided guidance on best practices for universities to create and implement third-party assurance programs that keep all parties secure and compliant. These due diligence measures can help universities ensure that their risk is minimized and that the data and systems entrusted to TPSPs remain compliant.
In summary, here are the top considerations for merchants who opt to work with TPSPs:
Vetting & Due Diligence
Universities should carefully vet prospective TPSPs, considering skills, experience, areas of expertise— and run a risk assessment. Due diligence research may include tasks like consulting with the acquirer, reviewing participating payment card brand listings and websites, and asking the TPSP to submit relevant PCI DSS validation documentation (SAQ, AOC, data flow, etc.).
If the TPSP meets the university’s requirements up to this stage, a risk assessment of the TPSP should be performed. This includes looking at the TPSPs internal and external auditing process, whether or not it does periodic vulnerability scans, if the TPSP has ever had a data breach, if the TPSP utilizes PCI validated point-to-point encryption (P2PE), and whether or not it has policies on the transmission, storage, and processing of sensitive data. This is not a comprehensive list of due diligence and risk factors; however, it can be a good starting point.
Engagement & Setting Expectations
If the TPSP passes a risk assessment, the next step is to build a responsibility matrix between your university and the TPSP for agreement between both parties before proceeding with engagement. It’s important that the university has a clear understanding of the TPSP’s PCI compliance status and can determine an agreed-upon manner in which the TPSP will sufficiently safeguard the university’s cardholder data. Establishing written agreements and policies and procedures help clarify which PCI requirements fall under the university and which the TPSP will need to meet. Both parties should also identify primary points of contact as well as backup points of contact in case of emergencies.
TPSP Monitoring Programs for Continued Engagement
Developing a TPSP monitoring program is essential to ensure that the university is always aware of the TPSP’s PCI compliance status. This is especially helpful for universities that are engaged with TPSPs that offer a range of services; some services may be in scope while others are not. It can be helpful to establish a review results template in order to make sure no checks are missed. Universities should also consider how periodic results will be reviewed internally—and who will be involved in the review process. Finally, it is beneficial to keep these results on file for a three-year rolling period, per the official PCI guidance.
We Cut to the Chase
The Arrow Payments team is made up of PCI compliance experts. We’ve helped universities secure payments across departments and systems using the best hardware, software, and best practices. The end result? They have the most secure, efficient, PCI-compliant and cost-effective payments solutions available.
Are you looking for help streamlining and securing your campus’ payments? Reach out to one of our experts today.