With HE institutions and students facing increasing risks at every point along the student journey, the need for robust defence through compliance with PCI DSS, GDPR, POCA, and Cyber Essentials is more critical than ever. Given the large number of payments taken across campus and across borders, developing a robust defence to payment risks is no easy task. It takes dedicated time, cross-campus collaboration, and senior leadership buy-in, not to mention a clear understanding of the issues, the solutions available, and a strong incident response plan.
These were the core messages heard by over 80 attendees at Flywire's 13th annual Payment Security and Compliance conference in Manchester last week. Read on for more details.
1. Achieving PCI DSS compliance is challenging—collaboration and dedicated time are critical success factors.
With 230+ requirements across the 12 principal requirements, achieving PCI DSS compliance is a daunting and challenging task that “takes hard work,” John Bloomfield, Standards Development Manager at PCI Security Standards Council, acknowledged. He also emphasised the importance of thoroughly understanding the requirements, particularly the new ones released in v.4.0 that are either already in force or will be from March 2025.
Louise O’Neill, Head of Finance Business Systems at Coventry University, recognised that the PCI requirements seem overwhelming at first glance but she, along with Sarah Tose, Head of Finance MKU & Strategic Projects at Cranfield University, and Iain Waite, Head of Finance Operations at the University of Lincoln, had some tips for the audience:
- Make IT your friends: While this can be a challenge, O’Neill recommended seeking buy-in and cooperation from key teams, particularly IT/Digital Services because, as Flywire Consultant Jo Brewin expressed, “when the IT team gets it and they get on board, things move really quickly.”
- Form a dedicated payment security project team headed by a tenacious project manager: Waite advocated appointing a tenacious team leader to lead a dedicated PCI project team. He, O’Neill, and Tose attributed their PCI compliance success to the division of responsibilities amongst team members who were, critically, held accountable for action. They recommended that the team include a member of senior leadership, someone with the power to remove roadblocks as necessary, and that weekly PCI project team meetings be held to carve out the time needed to progress PCI.
- Align PCI DSS with ISO 27001 or other strategic projects: Universities have often already done some of the legwork necessary for PCI DSS compliance as part of other strategic projects, for instance ISO 27001, an international information security standard. Not only can existing, relevant evidence or documentation be mapped across, but alignment can also help raise the profile of payment security within the organisation's risk management strategy.
Ultimately, O’Neill, Tose, and Waite agreed that they are now reaping the rewards of their hard work. As O’Neill remarked, “working towards v.4.0.1 compliance doesn’t seem so daunting now I’ve got my head around sharing the workload.”
2. Correctly defining the Cardholder Data Environment (CDE) scope is critical; descoping is the “proven way forward to compliance.”
According to Flywire’s Lead Security Consultant, David Neild, the first crucial step towards PCI DSS compliance—scoping the CDE—is often done incorrectly, leading many universities to exclude people, processes and technology from scope and complete the wrong SAQs.
Scoping CDEs in higher education is particularly challenging due to the complexity of the institutions. Cranfield’s Tose said that one of her biggest challenges was "digging through layers of a multi-faceted institution," a challenge shared by many in the room. Coventry University’s O’Neill added that "non-compliant processes were crawling out of the woodwork," and extensive fieldwork was necessary to identify not only the vulnerabilities but also the teams and people responsible for the processes behind them.
The panelists were adamant that seeking support was critical, whether from an internal project team or from external sources. Flywire offers a Payment Security Management System (PSMS), which provides a robust framework for PCI compliance. As PSMS clients, O’Neill, Tose, and Waite found the support they received from Flywire consultants invaluable, particularly during scoping and the next stage, descoping. Descoping, according to Neild, "is the proven way forward to achieving compliance": simplifying payment processes and adopting secure technologies reduces the number of requirements that remain in scope.
According to UCISA, most UK universities host at least one of their key systems on-site, potentially bringing those systems and the networks they sit on within PCI scope. Network segmentation can help to reduce scope, but it can usually only go so far. Neild advocated for universities to "utilise tech and consider moving to a SaaS-first approach," outsourcing vital systems to PCI-compliant Third Party Service Providers (TPSPs). He also suggested using a TPSP that can act as Merchant of Record (MoR) to help descope universities’ IT systems, transferring the risk and significantly reducing the PCI implementation and audit burden on university staff. However, it is important to note that this approach is only effective if universities comply with PCI DSS v.4.0 Requirement 12.8: they must have undertaken robust due diligence on their TPSP, sought clarity on the lines of responsibility, and obtained appropriate evidence of the TPSP’s PCI compliance.
As one such TPSP, Flywire undergoes external audits for SOC 1, SOC 2, and PCI DSS, holds third-party attestations of compliance, and maintains many other security measures such as penetration testing, as detailed by Senior Risk Manager William Raun in his overview of Flywire’s risk and security framework. What’s more, as a PCI SSC Participating Organisation and member of the Board of Advisors, Flywire is helping to shape PCI DSS and improve payment security across the globe.
3. Consider a risk-based approach to protect institutions and students from fraud and money laundering risks.
Universities are easy targets for criminals looking to exploit vulnerable systems or people. With the cost of public sector fraud estimated at £50bn and three-quarters of students having been targeted, it’s clear that fraud and money laundering are real problems for the sector, stated Flywire Consultant Bridget Walker.
While the higher education sector is not yet regulated, Walker explained, it’s important to be aware of any elements of university operations that will require compliance with anti-money laundering (AML) regulations. She said that adopting a risk-based approach, and following money laundering regulations despite being unregulated, would deliver protection for the university and its students, to whom the university has a duty of care. She also highlighted that regulation could be coming: the All Party Parliamentary Group had recommended broadening the scope of the Money Laundering Regulations to include universities in its Economic Crime Manifesto II, published in April 2024.
Flywire Consultant Jo Brewin recommended that universities have a clearly documented payment process, detailing how the university will accept payment and any documentation requirements, and that this be communicated consistently to all students and to all internal and external stakeholders (e.g. agents). Brewin also recommended that universities have high-level, robust and proportionate AML policies in place to address potential risks throughout the payment process lifecycle. These should be supported by procedures that can be easily amended as risks and regulations change, and should include these key elements:
- No cash payments and no bank account details available to payers
- Student due diligence (ID and payer relationships), including periodic ID review
- Source of funds information
- Red flags
- Reporting procedures and appointment of a Money Laundering Reporting Officer (MLRO)
- Regular AML training for staff
She highlighted the importance of stakeholder engagement, including the Change team, when implementing new services. This ensures that AML and fraud are addressed at the earliest stages of new projects that would be affected, such as the implementation of a new payment system. Brewin also stressed the importance of using a Trusted Third Party or Merchant of Record (MoR) to help mitigate institutional risk, and that due diligence on them must be undertaken on a regular basis. Anyone interested in joining the AML Special Interest Group, which meets quarterly (online) to share knowledge and experiences, should contact their Relationship Manager.
In her frighteningly informative session, Dr Nicola Harding from charitable organisation We Fight Fraud, emphasised the importance of student education in the fight against criminal activity on campus. According to her research, 3 in 5 students have been approached by criminals—to be a “money mule” or have been a victim of fraud—before they’ve even reached university, making them far more vulnerable to exploitation than they think they are. To combat this, We Fight Fraud has produced resources, free to universities, to support the duty of care universities have to educate their students and keep them safe. By doing this, universities also help mitigate the risks they, as an organisation, face.
4. A robust incident response plan is critical to mitigating the impact of inevitable attacks.
Compliance with PCI DSS, ISO 27001, and GDPR requires incident response plans to be in place and tested. Doing so can have a big impact, as demonstrated by two examples shared at the conference:
- A large UK university’s systems were accessed by an unauthorised party via a phishing attack. Once the breach was identified, the university’s incident response plan was activated. As Neild noted, “They’d prepared, had a playbook, and had done incident response testing so they were able to respond efficiently and effectively,” allowing them to keep many systems online during what could have been a devastating attack.
- In 2018, British Airways (BA) suffered a significant data breach when its systems were modified to harvest card details as customers entered them. Initially, BA faced a £183 million fine. However, because their response was swift, robust, and effective, the fine was reduced to just £20 million, which highlights how significant incident response can be as a mitigating factor in official investigations.
Having an effective incident response plan in place strengthens a university’s overall security posture and, importantly, ensures the institution can minimise the operational, reputational, and financial effects of an attack. Prioritising risk management—proactively addressing risks and maintaining solid risk management practices—will increase resilience, and it will also mean students and their families feel their institution is trustworthy.