PCI DSS: Round the Clock Compliance

If you accept payment cards, your organization is responsible for ensuring specific processes have been implemented and all requirements from the Payment Card Industry Data Security Standard (PCI DSS) are met. Although merchants are only required to attest compliance annually, PCI compliance should never be considered a “check the box” activity for your organization.

​When you consider the complex environments of campus-based organizations, trying to manage multiple merchants with different payment channels across different locations, it is easy to understand how difficult year-round compliance can be. Risks and threats to payment card security are constantly evolving, as are the methods in which merchants are accepting and processing payment cards. It only takes one staff member taking a payment from a donor on their home computer to throw your organization out of compliance, so it is important to continuously monitor merchant processes.

​With all of the other obligations and priorities on campus, especially right now due to the significant impact of COVID-19, many departments are trying to accomplish more work with less staff and limited funding. PCI team members are often pulled in different directions, and it can be easy to lose focus as resources are assigned to other projects and priorities. To successfully monitor and maintain ongoing PCI compliance, there must be an active, coordinated effort to prioritize tasks, assign responsibilities across departments, and utilize your vendors and partners as much as possible to augment services and responsibilities.

We reached out to a few of our customers and asked them to share how they have been able to keep PCI compliance a focus as teams and merchants have moved to remote working environments.

​Drexel University – Pepe Riera, Sr. Information Security Analyst, Office of the CISO shared:

​Keeping up with security and compliance takes a village. The Drexel University PCI team is formed by Pepe Riera from the Information Security team, Tom Weir from the Financial Systems department in IT, the Deputy Associate Treasurer Peter Keyes, and our experts from Campusguard.

​We address PCI DSS with two separate programs: PCI Compliance and PCI Optimization. With PCI Compliance, we evaluate the current state of our credit card processes and attest compliance through Self-Assessment Questionnaires. With PCI Optimization, we find ways to reduce our scope: through policy, forbidding the storage of credit card data across the organization; implementing P2PE solutions for all our POS; consolidating or closing unnecessary merchant accounts; and centralizing our processes to a single credit card processor and acquirer (TouchNet and Heartland).

​To keep the business running during the pandemic while maintaining PCI compliance, we worked with our merchants to move POS operations online. Consequently, we also had to delay annual attestation of credit card devices until the reopening of our campus.

​As part of our security and compliance initiatives during the pandemic, we advised community members whose operations moved online about best security practices. We also worked with law enforcement, regulators, REN-ISAC, EDUCAUSE, and other partners to address major cyber threats. We co-led with Office of the General Counsel, Privacy, and Risk Management our major cybersecurity and privacy incident responses, including a handful of Zoom bombings. We operated core security services -scans, log inspection, certificate generation, etc., without disruption.

​Tufts University – Allison Zwaschka, Merchant Services Administrator within the Finance Division shared:

When it comes to the Tufts PCI group, it is a mix of staff comprised of Information Security within IT and Treasury in Finance. I primarily manage the PCI annual program and compliance project using a project management tool, where we keep each task, assigned responsible person and other relevant details.

For example, during a recent test of the Incident Response Plan we discovered quite a few places to improve. After the test, I asked everyone to send me their feedback, so I could make a master document listing the findings and relevant details since everyone took notes based on their different perspectives. From there, I assigned each finding or task to specific people given their department role and saved the document in a shared folder so tasks could be updated as necessary. With the move to remote work, we did lose some of that inter-office communication, so having the document in a central, shared location allowed us to collaborate more effectively and ensure each individual task was being completed on time.

​At the request of those involved, I set weekly PCI team meetings to track progress and triage questions in relation to the Incident Response Plan. Our team is small, therefore we each have a wide reach across the university operations. I found that maintaining a document that tracks tasks and assignments helps us quickly communicate what needs to be done and by whom. This saves all of us time. Having a clear and organized plan allows our group to tackle this project efficiently and thoroughly. A timeline is also helpful because even when we do not meet the deadlines it helps keep us accountable and on track.

While PCI compliance is consistently maintained when efforts are continuous, there are certain requirements that need to occur on a more defined schedule. Refer to the table below for the high level tasks and objectives necessary for managing your PCI compliance efforts throughout the year.

PCI Compliance Program Tasks:

DAILY

• Review security logs.

WEEKLY

• File Integrity Monitoring – Change-detection comparisons against baseline.

MONTHLY

• Install critical security patches.
• Review physical security – ensure processes are in place for device inspections (and logging those inspections!)

QUARTERLY

• Identify and document all the areas that accept payment cards in any capacity.
• Confirm complete inventory of all systems, processes, and people that store, process, or access cardholder data.
• Engage with your merchants. Make periodic unannounced visits to the merchants on campus to verify various payment processes in place, ensure applicable documentation is up to date, current device inspection logs, etc.
• Update documentation as processes change. Dedicate a shared, central location for collecting and storing all documentation and evidence necessary for attesting compliance and provide access to responsible team members. This way you aren’t scrambling to gather all of the necessary policies, logs, scan reports, etc. when your attestation date rolls around.
• Review potential new vendors and ensure their processes are compliant.
• Make sure appropriate security controls have been applied against each system that interacts with cardholder data.
• Ensure access control logs for sensitive areas/visitor logs contain the most recent 3 months.
• Identify the quarterly vulnerability scanning schedule (external and internal).
• Test for the presence of wireless access points.

ANNUALLY

• Perform a formal risk assessment or gap analysis annually to identify any changes in process and the amount of effort needed to maintain compliance. Having this documented assessment can also help secure executive-level support with a commitment to the necessary budget and resources.
• Ensure all third-party service providers are known and documented, track their compliance status, and request required/up-to-date documentation.
• Review vendor and remote access accounts, and verify that all permissions are up to date and the appropriate levels of privileges have been assigned. Remove access if it is not required and disable or delete accounts not in use.
• Review organizational security policies.
• Have staff review and acknowledge payment card policy and procedures.
• Create your security awareness training program or review and update as needed to reflect latest trends and risks. Determine the date for annual training, as well as a plan for ongoing training activities and reminders.
• Review firewall inbound and outbound network rules as applicable.
• Perform any required annual penetration and/or segmentation tests. Remediate all findings and re-test as necessary.
• Review your incident response plan. Schedule a tabletop exercise to test the plan and ensure all individuals know their responsibilities in the event of a suspected breach or compromise.
• Work with merchants to identify the appropriate SAQ assignment for their area and work with them to complete their individual SAQs.
• Attest compliance and submit necessary documentation to the Acquirer.

​​If you accept payment cards, your organization is responsible for ensuring specific processes have been implemented and all requirements from the Payment Card Industry Data Security Standard (PCI DSS) are met. Although merchants are only required to attest compliance annually, PCI compliance should never be considered a “check the box” activity for your organization.

​When you consider the complex environments of campus-based organizations, trying to manage multiple merchants with different payment channels across different locations, it is easy to understand how difficult year-round compliance can be. Risks and threats to payment card security are constantly evolving, as are the methods in which merchants are accepting and processing payment cards. It only takes one staff member taking a payment from a donor on their home computer to throw your organization out of compliance, so it is important to continuously monitor merchant processes.
​
With all of the other obligations and priorities on campus, especially right now due to the significant impact of COVID-19, many departments are trying to accomplish more work with less staff and limited funding. PCI team members are often pulled in different directions, and it can be easy to lose focus as resources are assigned to other projects and priorities. To successfully monitor and maintain ongoing PCI compliance, there must be an active, coordinated effort to prioritize tasks, assign responsibilities across departments, and utilize your vendors and partners as much as possible to augment services and responsibilities.

We reached out to a few of our customers and asked them to share how they have been able to keep PCI compliance a focus as teams and merchants have moved to remote working environments.
​
Drexel University – Pepe Riera, Sr. Information Security Analyst, Office of the CISO shared:

Keeping up with security and compliance takes a village. The Drexel University PCI team is formed by Pepe Riera from the Information Security team, Tom Weir from the Financial Systems department in IT, the Deputy Associate Treasurer Peter Keyes, and our experts from Campusguard.
​
We address PCI DSS with two separate programs: PCI Compliance and PCI Optimization. With PCI Compliance, we evaluate the current state of our credit card processes and attest compliance through Self-Assessment Questionnaires. With PCI Optimization, we find ways to reduce our scope: through policy, forbidding the storage of credit card data across the organization; implementing P2PE solutions for all our POS; consolidating or closing unnecessary merchant accounts; and centralizing our processes to a single credit card processor and acquirer (TouchNet and Heartland).
​
To keep the business running during the pandemic while maintaining PCI compliance, we worked with our merchants to move POS operations online. Consequently, we also had to delay annual attestation of credit card devices until the reopening of our campus.
​
As part of our security and compliance initiatives during the pandemic, we advised community members whose operations moved online about best security practices. We also worked with law enforcement, regulators, REN-ISAC, EDUCAUSE, and other partners to address major cyber threats. We co-led with Office of the General Counsel, Privacy, and Risk Management our major cybersecurity and privacy incident responses, including a handful of Zoom bombings. We operated core security services -scans, log inspection, certificate generation, etc., without disruption.

Tufts University – Allison Zwaschka, Merchant Services Administrator within the Finance Division shared:

When it comes to the Tufts PCI group, it is a mix of staff comprised of Information Security within IT and Treasury in Finance. I primarily manage the PCI annual program and compliance project using a project management tool, where we keep each task, assigned responsible person and other relevant details.

For example, during a recent test of the Incident Response Plan we discovered quite a few places to improve. After the test, I asked everyone to send me their feedback, so I could make a master document listing the findings and relevant details since everyone took notes based on their different perspectives. From there, I assigned each finding or task to specific people given their department role and saved the document in a shared folder so tasks could be updated as necessary. With the move to remote work, we did lose some of that inter-office communication, so having the document in a central, shared location allowed us to collaborate more effectively and ensure each individual task was being completed on time.
​
At the request of those involved, I set weekly PCI team meetings to track progress and triage questions in relation to the Incident Response Plan. Our team is small, therefore we each have a wide reach across the university operations. I found that maintaining a document that tracks tasks and assignments helps us quickly communicate what needs to be done and by whom. This saves all of us time. Having a clear and organized plan allows our group to tackle this project efficiently and thoroughly. A timeline is also helpful because even when we do not meet the deadlines it helps keep us accountable and on track.

While PCI compliance is consistently maintained when efforts are continuous, there are certain requirements that need to occur on a more defined schedule. Refer to the table below for the high level tasks and objectives necessary for managing your PCI compliance efforts throughout the year.
​​
For more guidance on how to manage your PCI compliance program on an ongoing basis, please reach out to us. If your team does not have the internal resources to effectively monitor and manage merchant processes, we can also share details about CampusGuard’s Premiere Partner Services.
​
Some additional guidance from the CampusGuard Customer Relationship Management team:
​
[Johnson]: The PCI program should not rely solely on technology, but must include people and processes, along with the supporting policies and procedures. PCI compliance is a shared responsibility across campus, and is led by a dedicated team who are ensuring tasks are met on an ongoing basis. Especially now, with so many organizations struggling with reduced budgets and staff furloughs, we see PCI Team responsibilities shift away from the task of maintaining compliance; time and resources are not as available to work on the ongoing tasks of monitoring merchants, updating procedures, reviewing vendor compliance, etc. It only takes one department deciding to implement a non-compliant third-party solution to create a potential opportunity for compromise, so locking in on alternative methods for success (project management software, online team collaboration tools, and compliance tracking tools like the CampusGuard portal merchant SAQ portal, etc.) becomes critical.