Universities and colleges have a legal and moral obligation to protect personal data, and that obligation extends to the data they collect and process as part of taking payments. Where card payments are involved, institutions are also obliged (contractually, through their agreements with acquiring banks and the card brands) to comply with the Payment Card Industry Data Security Standard (PCI DSS).
Many institutions are struggling to move beyond ‘point-in-time compliance’ to a ‘security first’ approach. Things are changing, however, and an increasing number of institutions recognise the need for a centrally managed payment security programme with buy-in and participation from stakeholders across Finance, IT, Internal Audit and Information Governance. The key driver for information security and governance is risk: institutions need to ask themselves whether they are adequately managing the risks around payment security, and therefore protecting their payers and themselves from data compromise, financial loss and potentially significant reputational damage.
What Is Payment Security?
Payment Security encompasses the processes, procedures, technical controls and physical security measures that should be in place to protect the personal information (including card data) collected during payment processes. The aim is a ‘security first’ approach: meeting the legal obligations of GDPR and the contractual obligations of PCI DSS, and then taking further prudent steps that go beyond those minimum requirements.
How Does Payment Security Fit With PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a detailed set of controls, first published in 2004, with which every merchant that stores, processes or transmits cardholder data must comply. Its requirements are grouped under six goals:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management programme
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
However, a PCI DSS assessment is a ‘point-in-time’ measure: it shows that the controls were in place on the day they were assessed, not that they are still in place a month later. To ensure that payment card data is robustly protected, payment security needs to be embedded throughout your institution as a “business as usual” activity and integrated into your existing information security processes and procedures.
Killer Questions All Senior IT, Information Governance & Finance Professionals Should Be Asking Themselves
Consider some of the questions below to understand what kind of payment security risks your institution might be facing:
- How many payment transactions are you taking each year?
- What payment channels are you using?
- What payment methods are you accepting?
- Do you know what needs to be protected within the current landscape?
- Are you looking to de-scope your payment environment (reducing the number of systems, networks and people that touch card data, for example by routing card handling through a compliant third-party provider), or to secure everything as it currently is?
- Do you have a documented, robust and repeatable methodology for scoping?
- Are payment types, systems and ownership documented for all payment locations?
How Do I Start To Address Payment Security?
If you’re struggling to find answers to the above questions, then there is a risk that you aren’t meeting your obligations to protect payment data, which is a highly desirable asset for criminals and fraudsters.
The risks around payment data are exacerbated by the fact that many universities don’t have a solid grasp of their current payment landscape, don’t have a strategy for how they plan to accept payments going forward, and don’t know what secure payment processing actually looks like in their environment.
WPM can help you to develop a Payments Strategy, providing a framework within which to make decisions about adding, maintaining or removing a payment method. This will make it easier for you to scope and manage what WPM calls the Payment Data Environment (“PDE”): every system, network, process and person that handles payment data, including but not limited to the cardholder data environment defined by PCI DSS. It will also help ensure your income collection solution is secure and fit for purpose, now and in the future.
How Can WPM Help Me Address Payment Security?
WPM provides institutions with the knowledge, tools and support they need to implement a comprehensive and sustainable Payment Security programme, ensuring a holistic approach to PCI DSS, and wider data protection requirements.
We have developed a comprehensive and robust toolkit to enable our clients to tackle Payment Security in a more efficient and sustainable way.
WPM Payment Security is also a PCI DSS Qualified Security Assessor (QSA) Company.