PCI DSS: Round the Clock Compliance
10 July 2020
If you accept payment cards, your organization is responsible for ensuring specific processes have been implemented and all requirements from the Payment Card Industry Data Security Standard (PCI DSS) are met. Although merchants are only required to attest compliance annually, PCI compliance should never be considered a “check the box” activity for your organization.
When you consider the complex environments of campus-based organizations, trying to manage multiple merchants with different payment channels across different locations, it is easy to understand how difficult year-round compliance can be. Risks and threats to payment card security are constantly evolving, as are the methods by which merchants accept and process payment cards. It only takes one staff member taking a payment from a donor on their home computer to throw your organization out of compliance, so it is important to continuously monitor merchant processes.
With all of the other obligations and priorities on campus, especially right now due to the significant impact of COVID-19, many departments are trying to accomplish more work with less staff and limited funding. PCI team members are often pulled in different directions, and it can be easy to lose focus as resources are assigned to other projects and priorities. To successfully monitor and maintain ongoing PCI compliance, there must be an active, coordinated effort to prioritize tasks, assign responsibilities across departments, and utilize your vendors and partners as much as possible to augment services and responsibilities.
We reached out to a few of our customers and asked them to share how they have been able to keep PCI compliance a focus as teams and merchants have moved to remote working environments.
Drexel University - Pepe Riera, Sr. Information Security Analyst, Office of the CISO shared:
Keeping up with security and compliance takes a village. The Drexel University PCI team is formed by Pepe Riera from the Information Security team, Tom Weir from the Financial Systems department in IT, the Deputy Associate Treasurer Peter Keyes, and our experts from CampusGuard.
We address PCI DSS with two separate programs: PCI Compliance and PCI Optimization. With PCI Compliance, we evaluate the current state of our credit card processes and attest compliance through Self-Assessment Questionnaires. With PCI Optimization, we find ways to reduce our scope: through policy, forbidding the storage of credit card data across the organization; implementing P2PE solutions for all our POS; consolidating or closing unnecessary merchant accounts; and centralizing our processes to a single credit card processor and acquirer (TouchNet and Heartland).
To keep the business running during the pandemic while maintaining PCI compliance, we worked with our merchants to move POS operations online. Consequently, we also had to delay annual attestation of credit card devices until the reopening of our campus.
As part of our security and compliance initiatives during the pandemic, we advised community members whose operations moved online about best security practices. We also worked with law enforcement, regulators, REN-ISAC, EDUCAUSE, and other partners to address major cyber threats. We co-led with the Office of the General Counsel, Privacy, and Risk Management our major cybersecurity and privacy incident responses, including a handful of Zoom bombings. We operated core security services (scans, log inspection, certificate generation, etc.) without disruption.
Tufts University - Allison Zwaschka, Merchant Services Administrator within the Finance Division shared:
When it comes to the Tufts PCI group, it is a mix of staff composed of Information Security within IT and Treasury in Finance. I primarily manage the PCI annual program and compliance project using a project management tool, where we keep each task, the assigned responsible person, and other relevant details.
For example, during a recent test of the Incident Response Plan we discovered quite a few places to improve. After the test, I asked everyone to send me their feedback, so I could make a master document listing the findings and relevant details since everyone took notes based on their different perspectives. From there, I assigned each finding or task to specific people given their department role and saved the document in a shared folder so tasks could be updated as necessary. With the move to remote work, we did lose some of that inter-office communication, so having the document in a central, shared location allowed us to collaborate more effectively and ensure each individual task was being completed on time.
At the request of those involved, I set weekly PCI team meetings to track progress and triage questions in relation to the Incident Response Plan. Our team is small; therefore, we each have a wide reach across the university operations. I found that maintaining a document that tracks tasks and assignments helps us quickly communicate what needs to be done and by whom. This saves all of us time. Having a clear and organized plan allows our group to tackle this project efficiently and thoroughly. A timeline is also helpful because, even when we do not meet the deadlines, it helps keep us accountable and on track.
While PCI compliance is consistently maintained when efforts are continuous, certain requirements need to occur on a more defined schedule. Refer to the table below for the high-level tasks and objectives necessary for managing your PCI compliance efforts throughout the year.
PCI Compliance Program Tasks
For more guidance on how to manage your PCI compliance program on an ongoing basis, request CampusGuard’s detailed “Business as Usual” PCI Project Plan from your dedicated Customer Advocate Team. If your team does not have the internal resources to effectively monitor and manage merchant processes, we can also share details about CampusGuard’s Premiere Partner Services.
Some additional guidance from the CampusGuard Customer Relationship Management team:
[Johnson]: The PCI program should not rely solely on technology, but must include people and processes, along with the supporting policies and procedures. PCI compliance is a shared responsibility across campus, and is led by a dedicated team who ensure tasks are met on an ongoing basis. Especially now, with so many organizations struggling with reduced budgets and staff furloughs, we see PCI Team responsibilities shift away from the task of maintaining compliance; time and resources are not as available to work on the ongoing tasks of monitoring merchants, updating procedures, reviewing vendor compliance, etc. It only takes one department deciding to implement a non-compliant third-party solution to create a potential opportunity for compromise, so locking in on alternative methods for success (project management software, online team collaboration tools, and compliance tracking tools like the CampusGuard merchant SAQ portal, etc.) becomes critical.