Episode 407: Understanding the New PCI Standards for Higher Ed

08/02/22 • 21 min

FOCUS

The latest version of the Payment Card Industry Data Security Standard (PCI DSS) was recently released, and higher ed institutions should start preparing to comply. Adherence to PCI DSS 4.0 will require colleges and universities to update how they manage PCI compliance campuswide. To outline the major points of the new standard and how to approach compliance, the FOCUS podcast invited Walid Barakat to share his expertise on the subject. Barakat is the senior vice president of IT governance, risk, and compliance at Global Payments, where he and his team are responsible for PCI compliance, merchant compliance, IT risk, and cloud business.

What is PCI DSS 4.0?
Like past versions, PCI DSS 4.0 is a set of payment security requirements for organizations (merchants) that process, store, or transmit payment card data. Merchants partner with an assessor who evaluates the maturity of their security program and advises on ways to strengthen it. PCI DSS 4.0 is a complete rewrite of the existing 3.2.1 standard, created with feedback from the PCI community. Requirements have been restructured so that each one states the intent behind it and how it is validated. With this fresh look at the standard, the goal of PCI DSS 4.0 is to make security a continuous, year-round process rather than a point-in-time exercise.

“There are some new requirements to really drive best practices, recommendations, and enhanced accountability for organizations to maintain compliance year-round,” said Barakat. “Not just when it's time for the assessment, or working directly with an assessor.”

What institutions can expect
The latest version of the standard includes clearer requirements, more testing guidance, and the option for institutions to work with an assessor to tailor the validation approach to their environment (the customized approach). The new standard places greater ownership on merchants, encouraging campuses to review their security posture and verify for themselves how each control is being met.

When it comes to the timing of PCI DSS 4.0 implementation, institutions are offered a multi-phase transition. PCI DSS 3.2.1 is retired on March 31, 2024, after which assessments must be against 4.0; the requirements that apply immediately at that point are a small set focused on defining roles and responsibilities and on overall risk posture. This sets institutions up for the remaining, future-dated requirements, which are considered best practice until they become mandatory on March 31, 2025.

Institutions will need to reduce their exposure, and multi-factor authentication (MFA) is one of the key controls for doing so. Ensuring that MFA, network segmentation (firewalls), and other appropriate security controls are properly in place and documented narrows the environment that is in scope for the PCI assessment and shrinks the attack surface, lowering overall security risk.

The PCI Security Standards Council has made PCI DSS 4.0 publicly available, so anyone visiting the Council's website can download the standard itself, review the summary of changes from 3.2.1, and read the supporting documents and FAQs the Council has published.

The importance of assessors and ISAs
Barakat suggests two ways for institutions to approach PCI DSS 4.0 and move toward compliance. The first is to take advantage of the time between now and 2024 to partner with an assessor, understand the current security posture, and take the assessor's guidance into consideration. The assessor will be able to show institutions where controls need additional emphasis and maturity.

The second approach is training current staff members to become Internal Security Assessors (ISAs). With an ISA, institutions have someone who already knows the ins and outs of their systems trained through the PCI Council's program to understand the standard, the overall PCI process, and what is needed for a Report on Compliance. The Council is also offering free PCI DSS 4.0 transition training to all ISAs, making the move to the new standard easier.

Final advice
Barakat's final advice to colleges and universities is to define roles and responsibilities among staff and make sure everyone understands how their daily tasks contribute to compliance. He also advises institutions to maintain good documentation, which streamlines assessments. A transparent relationship with the assessor, and listening to their guidance throughout the year rather than only at assessment time, are also key. Find additional resources on PCI DSS 4.0 here.

Looking for tips on how to build a strong PCI foundation? Download TouchNet’s PCI Explained eBook for an introduction to payment card terminology, how payments are processed, and best practices in building resources and processes vital to streamlining PCI compliance.

Special Guest: Walid Barakat.

Previous Episode

Episode 406: Streamlining Payments for Campuswide Compliance with College of Charleston

Institutions are always on the search for solutions to streamline payments and ease the processes of accounts receivable and reconciliation for student and administrative use. David Katz, treasurer of the College of Charleston, found the solution in consolidating all payment systems under one platform, TouchNet, which he shared on the latest episode of the FOCUS podcast. Discover key insights from Katz on the adoption of a platform approach, which resulted in more efficient processes, unified payments, and simplified PCI compliance.

Integrated Solutions Provide a Better Experience

The College of Charleston has long worked with TouchNet to provide solutions for various types of payments. To aid with international payments, the college uses TouchNet partner TransferMate to streamline reconciliation of payments made in foreign currencies. Before this integration, payments could be difficult to process because of language barriers and naming conventions. With TransferMate, payments automatically post into the general ledger with all the required information needed to apply payments to the correct student accounts.

Katz’s team also uses TouchNet’s PayPath, saving the college almost $1 million in merchant fees since 2010. With the money saved, the institution has been able to maintain lower tuition, helping students afford their education. PayPath also makes the online payment process easier for students—all they need to do is a single sign on, pay, then when the payment is posted they’re done for that billing cycle.

TouchNet's payment solutions also made it easy for the College of Charleston to offer six different payment plans with installments spread across the semester. These plans allow for better customer service and shorter wait times for students needing support, since they now have an entire semester to reach out. The addition of required autopayments has drastically reduced end-of-semester accounts receivable and write-offs over the three-year period since implementation.

TouchNet’s solutions have greatly eased the pressures of the College of Charleston’s accounts receivable and reconciliation by creating more automated and seamless payment processes.

The Platform Approach Adoption Process

While the College of Charleston has seen great success with adopting a platform approach, the adoption process didn’t happen overnight and is constantly being improved. The success was dependent on adapting existing systems to work with TouchNet and vice versa; rather than deciding how they wanted each solution to work on its own. Additionally, Katz believes the key to campuswide adoption is listening to staff, which is why he takes time to reexamine solutions with different departments to see what works and what needs to be adjusted.

“It all comes down to solving the needs on campus [by] listening to what people need, listening to what the problems are, and trying to come up with solutions. And when you work with everybody on the campus and not just force something upon them, you really get a widespread adoption over a period of time,” said Katz.

Vetting solutions for functionality and providing in-depth training are integral to making the adoption process successful. The college takes a "train the trainer" approach: a few people are trained first, and they then train others and maintain a procedures and policies manual, which is updated yearly.

PCI Compliance

During TouchNet solution training, Katz makes sure to bring departments together for PCI compliance workshops. Every higher education institution that accepts card payments must follow the PCI standards, which help keep online payments and account information secure.

At these workshops, staff are trained on how to make compliance easier and how to provide good customer service. Consistent training and clearly communicated policies have changed the way PCI compliance is approached campuswide. A big part of simplifying PCI compliance is giving staff recognition and ownership of their training. Katz found that when his team reinforced the good being done by staff who kept up with training and new policies, those staff took more pride in their training and in protecting the college.

Final advice

Katz’s final advice to other institutions hoping to consolidate their payments under one platform is to continue training as many people as possible on new processes and PCI compliance. He also advises institutions to set their credit card close times as close to midnight as possible for reconciliation, because it’s much easier to work with a midnight-to-midnight schedule across different time zones. Finally, test and map out solutions through their entire processes to understand how every moving piece will affect the other.

Special Guest: David Katz.

Next Episode

Episode 408: Modernizing Payments with Canberra Institute of Technology

Karl Caig, director of corporate services at the Canberra Institute of Technology (CIT), joined the FOCUS podcast to share his experience with the Ellucian Payment Center by TouchNet. At CIT, Caig is responsible for maintaining key systems and processes that support operations and student management. His next goal is to reposition the institution by focusing on flexible education and training delivery, and to completely overhaul current student systems and interfaces.

This is why Caig turned to Ellucian Payment Center by TouchNet, which has provided tremendous improvement in processes, staff experience and student experience since implementation. Read along to learn more about CIT’s journey with the Ellucian Payment Center and Caig’s advice for other institutions.

Why the Ellucian Payment Center by TouchNet was the perfect fit

The Canberra Institute of Technology is a dual-sector institute, serving students across technical trades, community college programs, apprenticeships, and bachelor programs. Each of the programs CIT offers is regulated by a different level of the Australian government, with different students making their payments to, and receiving concessions from, different entities. Previous payment systems were overly complicated and slow because funding came from different buckets and communication between levels of government could be inefficient. As a result, payments had to be handled and calculated manually.

Caig knew that this was not a sustainable system, especially with a new strategic plan to expand into the online environment and the need for a fully digital enrollment process. The institution was already using Ellucian Banner for student information management, and any new solution needed to work with existing systems and fit the strategic plan for the institution.

“We really had to make sure that as a government entity that the government was happy with our requirements, that whatever solution we had was a secure solution that obviously worked well with the Australian payment environment,” said Caig.

Luckily, the Ellucian Payment Center by TouchNet was the perfect fit to help CIT modernize their payment system and get the institution ready for its online future. This solution integrated seamlessly with the existing Ellucian Banner and opened up opportunities for new efficiencies on campus.

How CIT has benefited from TouchNet

Since implementation, the Ellucian Payment Center by TouchNet has modernized CIT's payment system, improving both staff and student experiences. Tracking student payments is now easier, and Caig can see in real time who has and has not paid on time. His team can then direct students to the payment portal digitally, rather than spending weeks getting them up to date on payments. This has drastically reduced the institution's credit risk and increased the number of students who pay their bills on time.

Delivery of student refunds has gone from a week-long process to an almost instantaneous refund under this solution. Students no longer have to wait to receive refunds through a government banking system; they are now issued directly through the Ellucian Payment Center.

Automated payments have also freed up staff, who can now devote time to customer service and help students navigate payment options. CIT is now able to offer more flexible payment options for interested students.

During the pandemic, CIT was able to fully transition their learning and enrollment processes online, which Caig believes wouldn’t have been possible without the implementation of TouchNet’s solution. Also, the pandemic gave CIT a needed nudge to make these modern solutions the norm, because there was no other option.

TouchNet's solutions have also allowed CIT to stay on top of cybersecurity and PCI compliance with high confidence. TouchNet handles CIT's payments and card data in accordance with the PCI standards, so card data stays out of the institution's own systems and staff are spared the tedious work of managing that environment themselves.

Advice for other institutions

As campuses begin to look towards modernizing payments, Caig advises them to model their online payment systems after what students are already using in the marketplace. Students want the ability to make seamless and painless payments that they can manage anytime, anywhere. It has to be quick, easy, and straightforward. Look to the future state and see what’s out there that people already use, because there are solutions that exist that can do that for institutions, like what TouchNet has to offer.

Special Guest: Karl Caig.
