Relieving Some of the Burden of Payment Security


As business offices evaluate their processes in the wake of changing school policies and ever-evolving technology priorities, keeping payment compliance top of mind is critical. Maintaining compliance for software applications that process payments is demanding, requiring regular audits and reports as well as knowledgeable staff.

The security of cardholder information is of the highest importance. Schools face a choice: Install a software application on premise and maintain PCI DSS compliance for all payments processed at your school or partner with a Software as a Service (SaaS) vendor or Application Service Provider (ASP) who maintains the software to meet PCI DSS compliance, reducing the school’s compliance scope.

Historical Overview

Payment processing applications are governed primarily by the Payment Card Industry Security Standards Council (PCI SSC), which maintains security policies and procedures based on requirements from the major payment brands, like VISA.

“PCI DSS covers the security of the environments that store, process, or transmit account data,” said the IT Manager for Cyber Security at FACTS. “This includes requirements for the security management, policies, procedures, network architecture, secure software design, security awareness training, and other critical protective measures.”

The Payment Application-Data Security Standard (PA-DSS), established in 2008, is derived from the PCI DSS, and details payment application requirements to be PCI DSS compliant (and therefore what a payment application must support to facilitate the school’s PCI DSS compliance). PA-DSS requirements are intended to help software vendors develop secure payment applications that support PCI DSS compliance when installed within their customer’s PCI DSS environment.

“In other words, PA-DSS validated payment applications must facilitate – not prevent – PCI DSS compliance,” the FACTS IT Manager continued. “When a school purchases a PA-DSS validated product, they receive a software application and the responsibilities for the infrastructure support and maintenance that will support the application; installing the application in a PCI DSS compliant manner; and maintaining, administering, and supporting the application, all within their PCI DSS environment.”

This entails a lot of work for the school. IT staff will use the vendor’s implementation guide to install the application on premise in a PCI DSS compliant manner. The PA-DSS software is required to meet applicable PCI DSS requirements, including:

  • Having a process for securely deleting stored cardholder data that exceeds defined retention

  • Configuring and patching systems supporting the application to meet configuration standards

  • Implementing file integrity management, anti-virus, and audit logging on the systems that support the application

Compliance requirements vary depending on the number of transactions processed annually by an institution. A smaller school with a limited number of transactions per year may be able to complete a Self-Assessment Questionnaire (SAQ), a self-validation tool to assess security for cardholder data. Large schools that process high volumes of payment transactions may be required to work with a PCI Qualified Security Assessor (QSA) to complete more in-depth assessments.

FACTS is PCI DSS Level 1 assessed based on the number of transactions processed annually.

A PCI DSS assessment can take around two or three months and evaluates evidence of compliance with PCI standards covering an entire year. This validates that the assessed entity’s business-as-usual activity — the activity throughout the year, not just during the evaluation period — supported PCI DSS compliance requirements.

The PCI QSA annually confirms you are meeting both technical and non-technical requirements throughout the year. In order to accomplish this, the PCI QSA requires evidence, interviews, and also some hands-on reviews of devices, files, and procedures during the assessment period.

The PCI QSA validates that you meet all PCI DSS requirements.

“Many people are unaware that there are many non-technical requirements that are evaluated, including hiring practices; security awareness training; assigning roles and responsibilities to meet the requirements; maintaining and testing incident response; and creation of policies, standards, and processes to support the intent of the requirements,” the FACTS IT Manager said. “There are also many technical requirements, including periodic reviews of firewalls and routers, file integrity monitoring, anti-virus and malware protection, backup and restoration validations, logging activities, meeting retention requirements, timely patching of devices, operating systems and applications, and vulnerability management – including internal and external quarterly scans and annual penetration tests. Those are just some of the many technical requirements that will need to be maintained and will be reviewed by the PCI QSA.”

Relieving the Burden: A Hosted Solution

On the other hand, schools that choose vendor-hosted solutions or SaaS software find that they have reduced their compliance scope, since the application software provider is then responsible for ensuring that the hosted environment is secure.

“The PCI SSC does not require that an entity use a PA-DSS validated application. An application with the PA-DSS certification only denotes that the application can be configured to meet PCI DSS requirements,” FACTS explained.

When a client decides to use our PCI DSS validated SaaS solutions, they know that FACTS adheres to industry-leading PCI standards to manage our network, secure our web-based applications, and set policies across our organization. FACTS has its own cyber security group, which works closely with the corporate cyber security group of parent company Nelnet, Inc. Together we employ an array of experts in compliance and security. We are assessed as a Level 1 PCI DSS Service Provider, which means FACTS is responsible for ensuring that:

  • A PCI DSS assessment is completed annually by an external PCI Qualified Security Assessor (PCI QSA)

  • A vulnerability management process is in place that includes regular scans and penetration testing as well as timely patching based on risk

  • The application is developed, installed, configured, and maintained to meet or exceed PCI DSS requirements

  • Security appliances are in place and monitored, and engineering staff are alerted of any anomalies

  • Incident Response, Disaster Recovery, and Business Continuity Plans are in place, tested, and validated

FACTS ensures that PCI compliance is part of our business-as-usual process by monitoring security controls, reviewing hardware and software technologies to ensure they are supported by the vendor and meet security standards, evaluating changes to the environment or the organizational structure, performing periodic reviews and communications to confirm all PCI DSS requirements continue to be in place and personnel are following secure processes, and verifying that appropriate evidence is maintained to assist in the PCI DSS compliance assessment.

Building Trust

While protecting cardholder data is key, schools must take into account the full scope of their compliance responsibilities. This becomes especially important as many institutions are facing tighter budgets. In order to continue to best serve your students and the broader school communities of alumni, sports fans, donors, and neighbors, institutions must be able to provide flexible payment options that are mobile-friendly and secure.

Knowing that FACTS is taking on the above responsibilities provides customers assurance that we are taking the proper steps to secure the data they have entrusted to us.