Keeping security a priority while relieving the compliance burden

Keeping payment compliance top of mind is critical as businesses evolve with modern technologies, changing school policies, and an ever-changing world. Although maintaining this compliance for cloud-based software is incredibly important, it can also feel demanding at times. Regular audits and reports, as well as a highly knowledgeable staff, are all essential to keep payment security prioritized at a school.

So how can schools keep the security of the cardholder and their information as a top priority without burdening themselves with endless work?  Schools have a choice here: install a software application on site and maintain PCI DSS compliance for all payments processed or partner with an SaaS vendor or ASP who maintains the software to meet that PCI DSS compliance for you, reducing compliance scope. Do you know which choice you’ve made?

What is PCI DSS compliance? 

Payment processing applications are governed primarily by the Payment Card Industry Security Standards Council (PCI SSC), which maintains security policies and procedures based on requirements from major payment brands like VISA.

PCI DSS covers:

  • The security of the environments that store, process, or transmit account data
  • Requirements for the security management, policies, procedures, network architecture, secure software design, security awareness training, and other critical protective measures

The Payment Application-Data Security Standard (PA-DSS) is derived from the PCI DSS and details payment application requirements to be PCI DSS compliant.

When a school purchases a PA-DSS validated product, they receive not only the software application, but also the responsibilities for:

  • The infrastructure support and maintenance that will support the application
  • The installation of the application in a PCI DSS compliant manner
  • The maintenance, administration, and support of the application within a PCI DSS environment

These responsibilities are a lot of work for a school. IT staff will have to use a vendor implementation guide to install the application on-site in a PCI DSS compliant manner. The PA-DSS software is required to meet the applicable PCI DSS requirements, which include:

  • Having a process for securely deleting stored cardholder data that exceeds defined retention
  • Configuring and patching systems supporting the application to meet configuration standards
  • Implementing file integrity management, anti-virus, and audit logging on the systems that support the application


Compliance requirements vary depending on the number of transactions processed annually by your school. A smaller school with fewer transactions per year may be able to complete a Self-Assessment Questionnaire (SAQ) to assess security for cardholder data, but a larger school that processes a high volume of payment transactions may be required to work with a PCI Qualified Security Assessor to complete a more in-depth assessment.

How to relieve the compliance burden at your school

Looking for an alternative? One way to reduce this compliance scope is to choose a vendor-hosted solution or SaaS software solution for your school. With these solutions, the application software provider is responsible for ensuring the hosted environment is secure, greatly reducing the burden on the school.

When a school decides to use FACTS’ PCI DSS validated SaaS solutions, they can feel confident knowing that we adhere to industry-leading PCI standards to manage our network, secure our cloud-based applications, and set strong policies across our organization. We even have our own cyber security group, which works closely with the corporate cybersecurity group of our parent company Nelnet, Inc. Together, we have an array of experts in compliance and security.

FACTS is assessed as a Level 1 PCI DSS Service Provider, which means that we are responsible to ensure that:

  • A PCI DSS assessment is completed annually by an external PCI Qualified Security Assessor (PCI QSA)
  • A vulnerability management process is in place that includes regular scans and penetration testing as well as timely patching based on risk
  • The application is developed, installed, configured, and maintained to meet or exceed PCI DSS requirements
  • Security appliances are in place and monitored, and engineering staff are alerted of any anomalies
  • Incident response, disaster recovery, and business continuity plans are in place, tested, and validated

We ensure that PCI compliance is part of our standard process in a number of ways, including:

  • Monitoring security controls
  • Reviewing hardware and software technologies to ensure they are supported by the vendor and meet security standards
  • Evaluating changes to the environment or the organizational structure
  • Performing periodic reviews and communications to confirm all PCI DSS requirements continue to be in place and personnel are following secure processes
  • Verifying that appropriate evidence is maintained to assist in the PCI DSS compliance assessment

Trust between school and vendor

While protecting cardholder data is key, schools must consider the full scope of their compliance responsibilities. To best serve school constituents, including students, alumni, donors, and other stakeholders, schools must be able to provide flexible payment options that are both mobile-friendly and fully secure.

Schools can rest assured that FACTS has taken the appropriate steps to secure the data they’ve entrusted to us, and in doing so, are committed to relieving their institutional compliance burden.