Data and payment security are top of mind for IT leaders in higher ed

As higher education institutions expand their use of technology across their operations and curricula, IT leaders are prioritizing cybersecurity to ensure student and faculty information and payment data are protected. But it continues to be a challenge.

That was one of the takeaways from Flywire’s latest research report, “An inside look at the changing world of the higher ed IT pro,” which surveyed over 200 higher ed IT professionals across the United States, Canada, and the United Kingdom.

IT leaders in higher ed are very attuned to the risks their institutions are exposed to from both legacy and new tech. Looking ahead, 98% feel an increased need to focus on security and cyber threats to their institution. It is one of the key challenges IT professionals are dealing with in relation to the technical aspects of their Enterprise Resource Planning (ERP) and Student Information Systems (SIS).

And, they are taking ownership too. 92% say IT is the department most responsible for security of payment processes, or at a minimum, that IT shares the responsibility with finance and/or the business office.

Institutions’ approach to payments can impact security and resources

Nearly a third of the IT leaders surveyed manage their tuition billing, payment plans, and other payments in-house, greatly increasing their institution's scope of responsibility when it comes to security and compliance.

At the same time, nearly 3 in 4 say they outsource some or all of their payment processing to external vendors. While this significantly reduces their payment security scope, it also means higher ed institutions (and their IT leaders) need to pay careful attention to the security capabilities of their third-party vendors.

The latest PCI Data Security Standard (v4.0) incorporates some important changes, including that if one of your vendors is not PCI v4.0 compliant, then neither are you. So it’s essential to ensure your external vendors meet all the requirements.

Some of the biggest changes in PCI DSS 4.0 include:

  • Security awareness – training requirements for hiring and training employees, contractors, and third-party vendors.
  • Enhanced validation methods – new forms of segmentation controls and requirements for reviewing segmentation.
  • Expanded scope – new requirements for securing emerging technologies such as cloud computing, virtualization, and mobile payments as well as the supply chain and third-party service providers.
  • Testing and risk assessment – PCI v4.0 offers more flexibility in testing procedures, but it also requires a formal process for detecting and responding to security incidents: a more risk-based approach with compensating controls.

Seeking security for SIS/ERP

80% of the higher ed IT pros surveyed say legacy tech is holding them back when it comes to meeting current tech needs. In fact, better security is the top reason for those considering migrating to a new ERP system.

When it comes to new technology additions, IT leaders are proactively collaborating with other departments to make sure they are involved in those purchasing decisions from the earliest stages. This collaboration is crucial to ensure that security and compliance requirements are factored into any purchasing decisions that are made.

With Level 1 certification for PCI DSS compliance, Flywire provides the ultimate peace of mind when it comes to security and compliance. From billing and payments to collection management, our Student Financial Software solution helps institutions unify the student financial journey. Flywire has also been appointed to the PCI Security Standards Council Board of Advisors, meaning we are at the forefront of developments in payment security.
