Six payment security and compliance considerations for higher ed institutions

Secure payment processes are critical in every industry, and especially in education. The large sums, infrequent nature, and emotions involved with paying for higher education can make students and families more vulnerable to fraud in some respects. Many of these same factors make schools targets as well.

When choosing a payment provider, it’s critical to ask informed questions to ensure that your institution and students are protected from all angles – data privacy, data breaches, and compliance – while also providing the best possible payment experience. Robust security and compliance processes will also help avoid costly fines and damage to your school’s reputation.

Here are six security and compliance considerations to keep in mind as you assess the capabilities of your payment services provider.

1. SOC II compliance

Service Organization Control (SOC) II Type 2 is a review of an organization’s internal controls to ensure data remains secure and confidential. An external auditor also evaluates the cybersecurity program to confirm the program has implemented both preventive and detective controls to avoid unauthorized access and disclosure of information. It’s important to determine who has a SOC II (your payment service provider or whoever their vendors are that touch the payment) and what is covered in their SOC audit (security, availability, confidentiality, processing integrity, and privacy). If your payment provider relies on their vendor (for instance, their hosting provider) for SOC II compliance, it will be difficult to know how robust their internal controls actually are.

2. PCI compliance

The Payment Card Industry Data Security Standard (PCI DSS) ensures that all companies that process, store, or transmit credit card information maintain a secure environment to help prevent fraud. PCI DSS v4.0 is now published, and brings significant changes that in all, move compliance from being an audit-driven, one-time event to a continuous process better suited for today’s payment security needs. There are four levels of PCI compliance depending on the number of transactions processed annually, and the scope of the audit varies by level - the lower the level, the more detailed the evaluation. Level 1 compliance is the highest standard, and when your provider has this in place, you can be sure your students’ sensitive payment card information is safeguarded.

3. Data privacy

Regulations change, and it’s important that your payments provider takes necessary steps to stay ahead to ensure compliance. From the General Data Protection Regulation (GDPR) and Personal Information Protection & Electronic Data Act (PIPEDA), to Family Education Rights & Privacy Act (FERPA), data privacy regulations can be complex and vary worldwide. Check to see if your payment providers have a privacy officer dedicated to maintaining privacy standards and find out how they stay on top of these regulations. Failure to comply may not only put you and your students at risk, but also can prove costly.

4. ADA accessibility

Payment providers can use any number of tools to assess American Disabilities Act (ADA) compliance, and the tools all vary in how and what they report on. Consider what tools each provider uses, whether they run manual audits, and how often audits are conducted. Without monthly audits and multiple assessment tools and manual checks, provider compliance may be in jeopardy.

5. Know Your Customer (KYC)

KYC laws prevent money laundering. This is a common challenge with international payments. The compliance team likely oversees this, but there are software tools you can apply in your finance system to flag suspicious payments. Any payment vendor you use should also have this capability.

6. Common tuition payment scams

Where there is money, there is usually some level of fraud. Education payments are no exception. Over the years, we have seen a variety of scams targeting students. Some target international students as bad actors try to take advantage of unsuspecting young adults and their families navigating a variety of new situations in unfamiliar surroundings. But they are not limited to international students. Check out our “Six steps to avoid payment scams” blog post for guidance to help protect students from becoming victims.

Flywire is the Trusted Choice of millions of students and thousands of education institutions, agents and partners worldwide.

First-Class Security & Privacy with Flywire

Flywire is committed to protecting education institutions and their students and families with the highest level of security and privacy standards. We undergo a SOC II review annually and are compliant with all ADA, PCI, KYC and privacy regulations. For more information, visit

See how higher ed IT leaders are tackling security and compliance in our exclusive report