As business offices evaluate their processes in the wake of COVID-19 restrictions, changing school policies, and ever-evolving technology priorities, keeping payment compliance top of mind is critical. Maintaining compliance for software applications that process payments is demanding, requiring regular audits and reports as well as knowledgeable staff.

The security of cardholder information is of the highest importance. Schools face a choice: Install a software application on premise and maintain PCI DSS compliance for all payments processed at your school, or partner with a Software as a Service (SaaS) vendor or Application Service Provider (ASP) who maintains the software to meet PCI DSS compliance, reducing the school’s compliance scope.

Historical overview

Payment processing applications are governed primarily by the Payment Card Industry Security Standards Council (PCI SSC), which maintains security policies and procedures based on requirements from the major payment brands, like VISA.

“PCI DSS covers the security of the environments that store, process, or transmit account data,” said Patricia Ellington, IT Manager for Cyber Security at FACTS. “This includes requirements for the security management, policies, procedures, network architecture, secure software design, security awareness training, and other critical protective measures.”

The Payment Application-Data Security Standard (PA-DSS), established in 2008, is derived from the PCI DSS, and details payment application requirements to be PCI DSS compliant (and therefore what a payment application must support to facilitate the school’s PCI DSS compliance). PA-DSS requirements are intended to help software vendors develop secure payment applications that support PCI DSS compliance when installed within their customer’s PCI DSS environment.

“In other words, PA-DSS validated payment applications must facilitate – not prevent – PCI DSS compliance,” Ellington said. “When a school purchases a PA-DSS validated product, they receive a software application and the responsibilities for the infrastructure support and maintenance that will support the application; installing the application in a PCI DSS complaint manner; and maintaining, administering and supporting the application, all within their PCI DSS environment.”

This entails a lot of work for the school. IT staff will use the vendor’s Implementation Guide to install the application on premise in a PCI DSS compliant manner. The PA-DSS software is required to meet applicable PCI DSS requirements, including:

  • Having a process for securely deleting stored cardholder data that exceeds defined retention;
  • Configuring and patching systems supporting the application to meet configuration standards;
  • Implementing file integrity management, anti-virus, and audit logging on the systems that support the application.

Compliance requirements vary depending on the number of transactions processed annually by an institution. A smaller school with a limited number of transactions per year may be able to complete a Self-Assessment Questionnaire (SAQ), a self-validation tool to assess security for cardholder data. Large schools that process high volumes of payment transactions may be required to work with a PCI Qualified Security Assessor (QSA) to complete more in-depth assessments.

“FACTS is PCI DSS Level 1 assessed based on the number of transactions we process annually,” Ellington said.

A PCI DSS assessment can take around two or three months, and will evaluate evidence for compliance with PCI standards that covers an entire year. This validates that their business as usual activity — the activity throughout the year, not just during the evaluation period — supported PCI DSS compliance requirements.

“The PCI QSA annually confirms you are meeting both technical and non-technical requirements throughout the year. In order to accomplish this, the PCI QSA requires evidence, interviews and also some hands-on reviews of devices, files and procedures during the assessment period.” Ellington said.

The PCI QSA is assuring that you meet all PCI DSS requirements.

“Many people are unaware that there are many non-technical requirements that are evaluated, including hiring practices, security awareness training, assigning roles and responsibilities to meet the requirements, maintaining and testing incident response, and creation of policies, standards and processes to support the intent of the requirements,” Ellington said. “There are also many technical requirements, including periodic reviews of firewalls and routers, file integrity monitoring, anti-virus and malware protection, backup and restoration validations, logging activities, meeting retention requirements, timely patching of devices, operating systems and applications, and vulnerability management, including internal and external quarterly scans and annual penetration tests.”

Those are just some of the many technical requirements that will need to be maintained and will be reviewed by the PCI QSA.”

Relieving the burden – a hosted solution

On the other hand, schools that choose vendor-hosted solutions or SaaS software find that they have reduced their compliance scope, since the application software provider is then responsible for ensuring that the hosted environment is secure.

“The PCI SSC does not require that an entity use a PA-DSS validated application. An application with the PA-DSS certification only denotes that the application can be configured to meet PCI DSS requirements,” Ellington explained.

When a client decides to use our PCI DSS validated SaaS solutions, they know that FACTS adheres to industry-leading PCI standards to manage our network, secure our web-based applications, and set policies across our organization. FACTS has its own cyber security group, which works closely with the corporate cyber security group of parent company Nelnet, Inc. Together we employ an array of experts in compliance and security. We are assessed as a Level 1 PCI DSS Service Provider, which means that FACTS is responsible to ensure that:

  • A PCI DSS assessment is completed annually by an external PCI Qualified Security Assessor (PCI QSA)
  • A vulnerability management process is in place that includes regular scans and penetration testing as well as timely patching based on risk:
  • The application is developed, installed, configured and maintained to meet or exceed PCI DSS requirements
  • Security appliances are in place and monitored, and engineering staff are alerted of any anomalies
  • Incident Response, Disaster Recovery, and Business Continuity Plans are in place, tested and validated

“We ensure that PCI compliance is part of our business-as-usual process by monitoring security controls; reviewing hardware and software technologies to ensure they are supported by the vendor and meet security standards; evaluating changes to the environment or the organizational structure; performing periodic reviews and communications to confirm all PCI DSS requirements continue to be in place and personnel are following secure processes; and verifying that appropriate evidence is maintained to assist in the PCI DSS compliance assessment,” Ellington said.

Building trust

While protecting cardholder data is key, schools must take into account the full scope of their compliance responsibilities. This becomes especially important as many institutions are facing tighter budgets. In order to continue to best serve your students and the broader school communities of alumni, sports fans, donors, and neighbors, institutions must be able to provide flexible payment options that are mobile-friendly and secure.

“Knowing that FACTS is taking the above responsibilities provides our customers assurance that we are taking the proper steps to secure the data they have entrusted to us,” Ellington said.