Lessons in higher ed payment security: Six tips from the University of Washington to help institutions achieve PCI DSS compliance

With more than 60,000 graduate and undergraduate students across three campuses, plus four hospitals, 35 primary care locations and off-campus science labs, the University of Washington has had to overcome significant payment security challenges stemming from a decentralized campus and an equally decentralized approach to decision making.

The first step in their PCI journey was an internal audit of PCI DSS compliance by the University’s Internal Audit Office in 2017. Beyond compliance gaps, the audit uncovered significant payment security risks that needed to be addressed, including:

  • Payment sites and channels developed in-house without IT or Finance input.
  • A general lack of awareness of, or compliance with, PCI DSS and payment security, coupled with few support resources.
  • Requests to third-party service providers for evidence of PCI compliance that went unanswered.
  • Payment terminals of varying ages and compliance levels in use across campus.
  • Contracts for services and equipment signed without University procurement involvement.
  • Multiple (sometimes 10+) contracts with the same payment card vendor.

The lack of coordination and transparency, the resulting inefficiencies and the overall risk exposure in such a high-volume, complex payment environment were alarming.

As a result, a new department, Office of Merchant Services (OMS), was created to overhaul payment security and address PCI compliance across campus. Here are the steps the University took to turn things around:

Step 1: Changing the payment culture

To meet the University’s compliance and security goals, the Merchant Services team developed a unique strategy: consolidate and centralize the school’s payment options as much as possible to provide the operational and political power required to achieve their mission. The University’s President signed off on an updated administrative policy statement that gave OMS full authority to manage the payment card environment across the entire campus.

To accomplish its goals, the OMS team was determined to change the way people involved with payments at the University thought about security and compliance by:

  • Setting up a Help Desk for all payment card related requests: to provide staff with the support they needed to deliver immediate value.
  • Publishing regular PCI digests: to educate staff on the purpose and importance of compliance, including explanations about different types of merchants and payment methods as well as the unique variables/requirements for each.
  • Making weekly visits to different University payment sites: to lend support and help ensure devices and processes were in order.
  • Holding third-party service providers and vendors accountable: to emphasize the importance of PCI DSS requirements and to work only with organizations that can demonstrate compliance.

Changing practices is challenging for everyone involved, particularly across a large institution, but the OMS team has been making steady progress.

Step 2: Scaling to align with compliance needs

As the payment culture changed and recognition of the importance of security and compliance took hold, the demands on the OMS team escalated quickly.

To help expand the internal team and the resources they could provide, OMS worked with the administration to implement internal merchant fees. These per-transaction/volume internal fees were enough to fund a new centralized e-commerce solution and manager, an assistant director to support policy and compliance, and the services of a Qualified Security Assessor (QSA).

All these changes enhanced payment support across the University and reinforced the expertise and value-add provided by the OMS team. It also opened the door for the team to pursue its strategy to implement additional best practices, including:

  • Taking full control of the card payment environment
  • Taking the University’s networks out of PCI scope by requiring chip/tap terminals that belong to a point-to-point encryption (P2PE) solution, so card data is encrypted inside the terminal before it touches any campus network (only a PCI SSC-listed P2PE solution earns this scope reduction)
  • Banning the storage of primary account numbers (PANs) unless a tokenized online solution was used
  • Centralizing payment vendor agreements, such as the one with Flywire

As these changes were occurring, the University’s tuition platform was nearing end of life. OMS used this opportunity to move the University’s tuition payments over to the new e-commerce platform, further consolidating and centralizing payment activity.

Step 3: Maintaining a centralized, streamlined payments environment - UW Office of Merchant Services today

As a result of these changes, and by complying with the PCI standards, the University of Washington has become far more secure. It is also well positioned to comply with PCI DSS v4.0, which replaces v3.2.1 when the older version is retired in March 2024 (a subset of v4.0’s future-dated requirements only become mandatory in March 2025).

At the same time, by consolidating vendors and service contracts, the institution, via OMS, has been able to negotiate more favorable agreements and simplify contract management.

With six full-time employees and a third-party management group, OMS now secures roughly six million card transactions per year, processed through five major payment card platforms covering eCommerce, events, cafeteria point of sale, stand-alone point of sale and a Learning Management System.

Six tips for achieving PCI compliance: lessons learned from the UW payment security journey

  1. Ensure authority:
    The diverse and decentralized nature of higher education environments makes it almost impossible to create consistency and discipline around payment processes. Without the authority to set and enforce rules and requirements, PCI compliance cannot be governed effectively.

  2. Scale across campus:
    To be successful, you must be able to work with a wide variety of constituents across campus. It takes a village: meeting their differing needs requires Finance, IT and the CISO to be aligned.

  3. Centralize and consolidate:
    It is much easier to manage compliance if you manage all of the payment platforms. The fewer systems there are to manage, the less risk. Consolidate where it makes sense for the institution; the same applies to vendor contracts.

  4. Reduce your PCI scope:
    Consolidating systems is one way. Taking networks out of scope with P2PE and modern eCommerce platforms is another. Leveraging third-party service providers also shifts much of the day-to-day compliance work to them, but it does not transfer responsibility: PCI DSS (Requirement 12.8) still expects the merchant to keep a list of its service providers, hold written agreements with them and monitor their compliance status at least annually. Validate their PCI credentials: ask for a current Attestation of Compliance and a matrix of which requirements they cover and which remain yours.

  5. Create the business case for more resources:
    Take stock of what managing PCI compliance costs in both staff time and money, weigh that against the risk and cost of non-compliance, and plan accordingly.

  6. Get to know PCI DSS:
    The more you know about the PCI standards and their requirements, the better prepared your institution will be to improve payment security.

How Flywire can help with Payment Security

As a third-party service provider, Flywire is required to implement robust security controls and undergoes annual PCI DSS Level 1 service provider validation and SOC 2 examination to ensure the security of our solutions and payment transactions. As a Participating Organization of the PCI Security Standards Council, we started implementing the new controls as soon as PCI DSS v4.0 was released; in fact, many were already in place.

Flywire is committed to our customers’ success and handles data securely and in compliance with all applicable laws, including, but not limited to, GDPR, PIPEDA, FERPA and GLBA. Having recently been appointed to the PCI SSC Board of Advisors, Flywire will also be at the forefront of payment security standards going forward.