CTO point of view: Less than one year to go before PCI v4.0, are you ready?

David King is CTO at Flywire.

Higher education institutions are frequent targets of cyberattacks because of the large amounts of sensitive data they collect and store and the complexity of their ecosystem. I have always said higher education is like a “mall of services.” An institution provides teaching, dining, housing and hotels, gym memberships, donations and endowments, athletic events, and a multitude of departments and organizations that all want to sell something on campus. Couple this with our mantra in higher education of openness and collaboration, and securing such an expansive network becomes extremely challenging.

The Payment Card Industry Data Security Standard (PCI DSS) was developed, at least in part, with such scenarios in mind. It is a set of security requirements intended to ensure that any organization that accepts, processes, stores, or transmits payment card data maintains a secure environment for that data.

Periodically, the standard must evolve to keep up with the threat landscape. The latest version, PCI DSS version 4.0 (PCI v4.0), was released on March 31, 2022, and it will have a significant impact on higher education institutions that accept card payments for tuition and fees. We are in the transition period from v3.2.1 to v4.0: on March 31, 2024, v3.2.1 is retired and assessments must be performed against v4.0. Note that v4.0 also contains a set of future-dated requirements that are considered best practice until March 31, 2025, after which they become mandatory, so the first deadline is the start of the work rather than the end of it.

We are just one year away. Is your institution making progress and ready to pass v4.0?

Here is one of the hardest parts: as a “mall of services,” an education institution often relies on many third-party vendors. If a vendor that handles your cardholder data is not PCI DSS compliant, that gap becomes your gap. Requirement 12.8 of PCI v4.0 makes you responsible for keeping a list of your third-party service providers, having written agreements with them, performing due diligence before engaging them, monitoring their PCI DSS compliance status at least once every 12 months, and documenting which requirements each provider manages on your behalf. Beyond your own technical work to achieve compliance, are you managing your vendors and confirming that they are PCI v4.0 compliant?

PCI v4.0 Overview

PCI v4.0 contains several updates and changes compared to its predecessor, PCI v3.2.1, which was released in 2018. I believe we can all agree that the threats to our networks and systems have drastically changed and increased in complexity since 2018. The new version is designed to enhance security and promote a proactive approach to threat management. Some of the key updates in PCI v4.0 include:

Security awareness: PCI v4.0 puts more emphasis on a formal security awareness program for employees, contractors, and third-party personnel. The program must be reviewed at least once every 12 months, and the training must cover threats such as phishing and social engineering as well as the acceptable use of the institution's technology.

Enhanced validation methods: Making sure security controls are up to date and effective is critical. PCI v4.0 keeps the requirement to penetration test segmentation controls at least once every 12 months and after any change to them (at least once every six months for service providers), and it adds the customized approach, a new way to validate that a control meets a requirement's stated objective when the prescribed control does not fit your environment.

Expanded scope: PCI v4.0 includes new requirements for securing technologies that were less common when v3.2.1 was written, such as cloud computing, virtualization, and mobile and e-commerce payments. For example, scripts loaded on payment pages must be inventoried and authorized, and payment pages must be monitored for unauthorized changes. It also includes requirements for managing the supply chain and third-party service providers.

Testing and risk assessment: PCI v4.0 offers more flexibility in how controls are implemented and tested, but it requires institutions to justify that flexibility. Targeted risk analyses now determine how often certain periodic controls are performed, compensating controls remain available for documented business or technical constraints, and the incident response plan must cover not only breaches of the cardholder data environment but also card numbers discovered anywhere they are not expected.

In summary, PCI v4.0 introduces several new requirements focused on security awareness, segmentation validation, remote access and multi-factor authentication, incident response, and risk assessment. It also updates many existing requirements to reflect the changes in security threats and technology since v3.2.1 was released in 2018.

Impact on Higher Education

PCI v4.0 presents a significant challenge for higher education institutions because of its expanded scope and increased focus on securing newer technologies. Many higher education institutions rely on third-party service providers for cloud computing, virtualization, and mobile payments, which enlarges the attack surface and the number of parties that must be trusted with cardholder data. PCI v4.0 requires institutions to implement strong security controls of their own and to monitor these providers to confirm that they remain compliant.

In addition, PCI v4.0 emphasizes the importance of security awareness training for all employees. Higher education institutions often have a large and diverse workforce, including students, faculty, and staff, which makes security awareness training a significant undertaking. Institutions must develop comprehensive training programs that address the specific risks and threats facing their organization.

Finally, PCI v4.0 treats security as a continuous process rather than an annual assessment event. Higher education institutions must regularly test their security controls, demonstrate that those controls are operating effectively, and be able to produce that evidence whenever it is requested, not only at assessment time.

Flywire can help

Flywire is a Participating Organization of the PCI Security Standards Council, and we started implementing the new controls as soon as they were released. In fact, we had many of them in place already and are prepared to support you.

PCI v4.0 is a significant update to the PCI DSS standard, and it has a profound impact on higher education institutions. Institutions must implement strong security controls, monitor third-party service providers, and provide comprehensive security awareness training to comply with the new requirements. The increased focus on securing newer technologies and on continuous monitoring and testing makes compliance a continuous effort rather than a one-time project. Ultimately, PCI v4.0 will help higher education institutions protect the cardholder data they handle and strengthen their overall security posture.

Want to learn more?

Whether you need a payments partner or education software to manage the entire student journey for international and domestic students, Flywire has you covered.