With 85% of UK higher ed institutions having experienced a cyber security attack or breach in the last year and half of institutions reporting that they have been experiencing breaches at least weekly (Cyber Security Breaches Survey 2023, Dept for Sciences, innovation and Technology), it’s clear that security - cyber, data and payment - is a key concern for the sector.
At the 12th annual Payment Security Conference in Manchester, UK, we brought together nearly 90 finance, IT and security professionals from UK higher education institutions, to hear the latest payment security insights.
Of course, PCI DSS v4.0 was the key topic of the event. Coming into force in March 2024, the updated standard firmly reflects the significant developments in the threat landscape since v3.2.1 was released in 2018. Our speakers and panel members also shared their insights and practical tips to progressing payment security and achieving PCI compliance, as insights on the wider threat landscape.
Here are the key takeaways:
Cross-campus collaboration and senior IT/CISO lead is critical to success.
While having one person with oversight of payment security will help prevent gaps in the payment security environment, that person needs to be great at collaboration. Several sessions highlighted that building relationships across campus - educating and engaging stakeholders - to create a cross-functional team focused on payment security will be the most effective way to mitigate payment security risks.
A recent Flywire report found that 92% of higher education IT leaders across Canada, UK and the United Kingdom said that IT was the department most responsible for the security of payment processes or that they share the responsibility with finance/the business office. However, almost all the speakers from UK institutions said that a key barrier to payment security was a lack of IT/Security buy-in as well as the fact that payment security was not considered as important (or as significant a risk) as cyber or data security. Payment security instead falls on an already overworked Finance role, with a lack of support, authority or resource to effect change, there was limited progress with payment security and PCI compliance.
By contrast, a universal success factor among institutions that had successfully achieved PCI compliance or are making significant progress, is that they had the support, buy-in (and in some cases resource) from IT, or having successfully linked it fell within the remit of their Chief Information Security Officer (CISO). Often this was because payment security had been successfully linked to data or cyber security). Once this was the case, those universities saw real traction in their payment security program. In a move that many with responsibility for payment security will welcome, the PCI SSC has formally assigned responsibility for payment security to an organisation’s CISO, in v4.0 Requirement 12.1.4.
Don’t skimp on scoping. And descope where possible.
Universities tend to have complex payment environments featuring many, varied, income streams, including fundraising, cafes/bars, libraries, parking, shops as well as tuition fees, accommodation payments, and more. The PCI scope for higher education institutions is significant, far broader than almost any other sector.
While it can seem onerous, taking the time and effort to fully scope the payment methods used across the university, discovering where they are used as well as the volume and value of those payments, is the critical first step in any PCI journey. In the words of one panel member “it’s amazing how payment methods hide under rocks, and only come to light during scoping”. And good cross-campus relationships will facilitate conversations that will make the scoping process much easier.
Once the PCI scope is defined, a university’s compliance footprint can be reduced by “descoping,” which can be achieved through the outsourcing and use of accredited technologies. Use of a third-party service provider (TPSP) can help reduce scope and for those third parties that act as a Merchant of Record, PCI scope can be reduced even further. PCI DSS v4.0 has much more emphasis on validating PCI compliance of TPSPs, so it is important that all third parties in scope for your assessment provide evidence to demonstrate compliance with PCI DSS as a minimum.
If, during scoping, e-commerce applications presenting significant payment security risks were identified, the advice from our panellists was to to outsource those applications to a SaaS (Software as a Service) TPSP.
Not only is scoping an essential exercise for PCI - identifying risk across the campus - it is also a means of collecting information that might never have come to light otherwise. For instance, as Kevin Doar from the University of Washington explained, during their scoping exercise it was discovered that multiple departments were using the same vendor but under separate contracts and with different pricing agreements. Armed with this knowledge, the university was able to consolidate those contracts, and negotiate better pricing, thereby saving the university (and each department) money.
Additionally, lack of resources is one of the key issues universities face. This, in turn, hinders the effective implementation of payment security. The evidence gathered for PCI scope can be put to good use as the basis for a robust business case for additional payment security resources as they pertain to support or staff.
Ensuring PCI compliance from third-party providers is critical.
PCI DSS v4.0 has an increased focus on validating the PCI compliance of TPSPs.
When investing in new payment technologies, it is important to consider the impact on scope because this could result in an increase in compliance activities for the institution. This may prove challenging as most institutions are looking to reduce their scope, not increase it.
It’s also important to have robust procurement policies and procedures in place to ensure new vendors are screened against payment security requirements. Universities are unique in that they have multiple income areas, each with their own (usually devolved) budgets for payment technology. This means that departments could feasibly source their own payment vendors, perhaps without considering relevant payment security issues. If procurement processes include requirements around payment security and demonstrating PCI compliance, potential vendors can be screened, centrally by the payment security lead, at the outset. This way unsuitable vendors can be discounted immediately and any risk they pose can be avoided.
It’s not just new vendors that will need to provide evidence of PCI compliance. The compliance status of existing vendors will need to be regularly assessed as well. As a service provider Flywire is mandated to implement robust security controls and undergoes annual certification with PCI DSS (level 1) and SOC II to ensure the security of our solution and your customers' transactions. In addition, Flywire handles customer data securely and in compliance with all applicable laws, including, but not limited to, GDPR, PIPEDA, FERPA, GLBA and other data protection laws. Not only that but, having been recently appointed to the PCI SSC board of advisors, Flywire will be at the forefront of payment security standards going forward.
Yet to look at v.4.0? Time is of the essence.
PCI DSS v3.2.1 will be retired on 31 March 2024, so institutions will need to be compliant with v4.0 by that date. Although most of the new requirements (53 that are applicable for all entities) have been future dated to 31 March 2025, there are 11 additional requirements for service providers and 13 requirements for v4.0 assessments that are applicable immediately.
So, do not delay. Look at the new standard requirements and use a gap analysis to assess where time and effort should be focused. And do not underestimate the time and resources required to do this, it will inevitably be more intensive than predicted.
Want to Learn More?
- Read the guidance column in the PCI DSS documentation, use the glossary and the FAQs available on the PCI SSC website.
- Check out our recent report "An inside look at the changing world of the higher ed IT pro"