Remaining in compliance as a financial service provider, or as an educational institution that performs campus commerce, requires regular audits and reporting as well as experienced, knowledgeable, and credentialed staff. As campus IT and business offices re-evaluate their processes in response to the pandemic changing the way schools operate, educate, and transact, keeping payments compliance top of mind is critical.
Financial and personal data privacy is of the highest importance in higher education. Payment security standards and regulations change continually so that cardholder data and payment systems are never left exposed. Within the current compliance landscape, PayMyTuition keeps data security at the forefront and consistently ensures that the global payments network and technologies the PayMyTuition team has developed keep pace with, and ahead of, any new regulatory changes, giving education partners peace of mind.
The PCI Software Security Framework
The current Payment Application Data Security Standard (PA-DSS) will expire later this year and will be replaced by the PCI Software Security Framework. The new framework does not focus only on on-premises databases and applications: it is made up of the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard, and it is designed to expand in step with how payment technologies have evolved, including faster transactions and the adoption of cloud and mobile technologies. With the innovation and increased speed of the global payments category comes faster, more sophisticated fraud, which these standards need to combat.
The PCI Software Security Framework is built around security objectives such as Secure Software and Data Management and Secure Software Engineering. The goal of the framework is to ensure that security is embedded throughout the software lifecycle while defining how software must protect payment data in the next generation of applications.
PCI-DSS Version 4.0
The PCI SSC is currently working on a second draft of the latest version of the PCI Data Security Standard (PCI DSS), Version 4.0, which is expected to be published later this year and to take full effect in 2024. This version covers the security of the environments that store, process, or transmit account data. It applies to merchants, service providers, and financial institutions, and it sets out the security practices, technologies, and processes those organizations must follow, as well as requirements for developers and vendors that build payment products and solutions.
Feedback from PCI Participating Organizations, a network of organizations affiliated with the payment card industry that includes merchants, banks, processors, hardware and software developers, and point-of-sale vendors, has also been taken into account for Version 4.0 so that the new version of the standard covers all bases.
What does this mean for educational institutions?
There are a few options for educational institutions to remain in compliance with the requirements coming into play with PCI DSS Version 4.0.
Institutions have the option to purchase a PA-DSS validated software application themselves, but in doing so they take on responsibility for the infrastructure support and maintenance needed for the application to meet all PCI DSS requirements, including:
Having a process for securely deleting stored cardholder data that exceeds defined retention
Configuring and patching systems supporting the application to meet configuration standards
Implementing file integrity monitoring, anti-virus, and audit logging on the systems that support the application
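The first item in that list, deleting stored cardholder data once it exceeds the defined retention period and recording that the purge happened, is the kind of process an institution hosting a validated application must build and operate itself. The following is an added example, not PayMyTuition code and not part of the original article; the table layout, the 90-day retention period, and the use of a local SQLite file are all assumptions made for illustration. It stores only a processor token and the last four digits of the PAN (never a full PAN), deletes records older than the retention cutoff with SQLite's `secure_delete` pragma enabled so the freed pages are zeroed rather than merely unlinked, and writes an audit-log entry for each run.

```python
"""Retention purge for stored cardholder data.

Added illustrative example (not PayMyTuition's code). The schema and the
90-day retention period are assumptions; real retention periods come from
the institution's documented data-retention policy.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # assumed retention period for this example


def open_store(path=":memory:"):
    """Open (or create) the store with secure deletion enabled."""
    conn = sqlite3.connect(path)
    # secure_delete makes SQLite overwrite deleted content with zeros instead
    # of only unlinking it, so purged records do not linger in free pages.
    conn.execute("PRAGMA secure_delete = ON")
    conn.execute(
        """
        CREATE TABLE IF NOT EXISTS stored_auth (
            id        INTEGER PRIMARY KEY,
            pan_last4 TEXT    NOT NULL,  -- masked PAN only; full PAN is never stored
            token     TEXT    NOT NULL,  -- processor token standing in for the PAN
            stored_at INTEGER NOT NULL   -- Unix time (UTC) the record was written
        )
        """
    )
    conn.execute(
        """
        CREATE TABLE IF NOT EXISTS audit_log (
            id     INTEGER PRIMARY KEY,
            at     INTEGER NOT NULL,
            event  TEXT    NOT NULL,
            detail TEXT    NOT NULL
        )
        """
    )
    conn.commit()
    return conn


def record_auth(conn, pan_last4, token, stored_at):
    """Store one masked authorization record; stored_at is an aware datetime."""
    conn.execute(
        "INSERT INTO stored_auth (pan_last4, token, stored_at) VALUES (?, ?, ?)",
        (pan_last4, token, int(stored_at.timestamp())),
    )
    conn.commit()


def purge_expired(conn, now=None, retention_days=RETENTION_DAYS):
    """Delete records older than the retention window and log the run.

    Returns the number of records removed.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = int((now - timedelta(days=retention_days)).timestamp())
    cur = conn.execute("DELETE FROM stored_auth WHERE stored_at < ?", (cutoff,))
    removed = cur.rowcount
    # Every purge is evidence for the assessor: who/what ran, when, and how much.
    conn.execute(
        "INSERT INTO audit_log (at, event, detail) VALUES (?, ?, ?)",
        (int(now.timestamp()), "retention_purge",
         f"removed={removed} cutoff={cutoff} retention_days={retention_days}"),
    )
    conn.commit()
    # VACUUM rebuilds the database file so the zeroed pages are released.
    conn.execute("VACUUM")
    return removed


def remaining(conn):
    """Number of records still held in the store."""
    return conn.execute("SELECT COUNT(*) FROM stored_auth").fetchone()[0]


if __name__ == "__main__":
    # Constructed sample data: three records of different ages.
    db = open_store()
    today = datetime(2024, 6, 1, tzinfo=timezone.utc)
    record_auth(db, "4242", "tok_a", today - timedelta(days=200))
    record_auth(db, "1111", "tok_b", today - timedelta(days=91))
    record_auth(db, "2222", "tok_c", today - timedelta(days=10))
    print("removed:", purge_expired(db, now=today))   # 2
    print("remaining:", remaining(db))                # 1
```

Run it as a scheduled job (cron or a systemd timer) against the real store, and keep the `audit_log` table, or its export, under the same change control as the rest of the PCI evidence; the count and cutoff it records are exactly what an assessor will ask to see.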
With a PA-DSS validated product, institutions may need to do more manual work in-house to maintain the necessary level of information security. This requires experienced compliance experts on staff, becomes cumbersome as updates and new requirements emerge, consumes a great deal of school staff time, and in the end is extremely costly for the institution.
The alternative to purchasing a PA-DSS validated product is for schools to work with a third-party provider that maintains Level 1 PCI DSS Service Provider status itself and can relieve the institution of most of the burden of securing payment information. This allows institutions to reallocate resources and save costs, since the application provider is then responsible for ensuring that the hosted environment is secure and up to date with any new requirements.
When an educational institution chooses to work with PayMyTuition, it can be confident that our business adheres to industry-leading PCI standards in managing our network, securing our web-based applications, and setting policies across our organization.
PayMyTuition is currently assessed as a Level 1 PCI DSS Service Provider, which means we maintain the following:
An annual PCI DSS assessment completed by an external PCI Qualified Security Assessor (QSA)
A vulnerability management process is in place that includes regular scans and penetration testing as well as timely patching based on risk
The application is developed, installed, configured, and maintained to meet or exceed PCI-DSS requirements
Security monitoring tooling is in place and monitored, and engineering staff are alerted to any anomalies
Incident response, disaster recovery, and business continuity plans are in place, tested and validated
At PayMyTuition we eliminate the complex challenges that educational institutions experience with traditional ways of processing student payments. Contact a member of our team to find out how we can remove the friction from your international and domestic student payments while saving staff resources, reducing costs, and protecting your institution from compliance-related risk.