"Give Us Credit": Evolving Security Standards for Credit Card Information

© 2007 Kathleen Kimball and Jane Drews

EDUCAUSE Review, vol. 42, no. 5 (September/October 2007): 82–83

Consumers, start your plastic. The ubiquitous credit card funds much of our daily lives in 2007. According to a recent study, one in every seven Americans carries ten or more credit cards, and the average number of cards carried by all Americans is four.¹ Colleges and universities, reflecting the societies they serve, are very involved in this business, accepting credit cards for purchases ranging from T-shirts to textbooks to theater tickets to tuition payments. The modern higher education institution accepts credit cards at an ever-increasing volume because to do otherwise risks rendering it noncompetitive. The processing of credit card information, however, can leave consumers at risk if it occurs in an environment that is not adequately secure. This is particularly but not exclusively true of payments that are taken electronically. To help deal with the burgeoning electronic marketplace and the widespread use of plastic in lieu of cash, the credit card industry has issued security standards to which all merchants that process, store, or transmit credit card data must comply. This includes all merchants at colleges and universities that accept credit cards.

Background: PCI-DSS

To deal with the rapidly evolving network threat environment, beginning roughly in 2001 each of the major credit card companies began to develop its own set of security requirements. The most prominent of these were VISA's Cardholder Information Security Program and Mastercard's Site Data Protection Program. Recognizing the difficulty to merchants in attempting to follow multiple standards, in 2004 VISA and Mastercard agreed to follow a common set of security standards to guide compliance efforts. The other major card companies—American Express, Discover, and JCB—soon followed, allowing coherent and comprehensive industry-wide compliance requirements. The common standards, termed the Payment Card Industry Data Security Standards (PCI-DSS), took effect on June 30, 2005. Over time, the PCI-DSS have evolved in response to changes in the overall threat environment and with the formulation of associated best practices. The current version (1.1) is available from the PCI Security Standards Council (https://pcisecuritystandards.org/).

The PCI-DSS consist of six main compliance categories and twelve major requirements, as illustrated in Table 1. Each of the requirements in turn breaks down into extremely detailed measures that must be addressed in order for the merchant to be deemed compliant with the requirement. For example, the requirement to install and maintain a firewall configuration has nine separate sub-elements that must be put in place by the merchant. In addition to the detailed requirements and measures, the PCI-DSS include a four-level, tiered system for identifying merchants based on the volume of transactions processed.

Table 1. PCI-DSS Requirements

The University of Iowa Experience

The level of formal review and reporting for compliance verification varies by merchant level. The difference between compliance and compliance verification has caused confusion in the past and has led at times to the erroneous belief that compliance is voluntary for most colleges and universities. But meeting the standards is not optional. Compliance is mandatory, and substantial fines (up to $500,000 assessed independently by each affected card company) may accrue to a merchant that experiences a breach. The University of Iowa experience illustrates the seriousness with which these requirements are viewed.

Like many other colleges and universities, the University of Iowa initially thought that the PCI-DSS were a "non-issue." All of the merchants fell into the lowest level ("level 4") of compliance. Officials interpreted this to mean that the PCI-DSS were optional and that the institution had time to work toward full compliance. However, in late May 2005, one of the university's merchants experienced a security breach on a computer. In working to resolve the breach, the university discovered that compliance with the PCI-DSS was indeed not optional. Only the compliance reporting requirement is optional for "level 4" merchants, with the schedule determined by the merchant bank.

On learning that every merchant must meet the standards, the campus IT security officer immediately started a project to assess each university merchant's operations and began the laborious process of ensuring and documenting compliance with the security standards. Simply identifying the responsible technical person for each merchant account was a challenge. The initial campus assessment was positive. Although each unit typically had one or more issues that could be improved, they all operated under circumstances consistent with the standards.

The University of Iowa also adopted a Credit Card Handling Policy, which stipulates the annual reporting of PCI-DSS compliance status from each merchant, as well as regular security assessments and mandatory reporting of any processing changes. In addition, the university is working to relocate systems into areas where physical security measures can be optimized.

The University of Iowa learned some painful lessons. For example, it is PCI policy to elevate to "level 1" status any merchant that experiences a security breach. The merchant's operation must immediately undergo an analysis by a certified computer forensics firm, payable by the merchant, with the results to be reported to the university's payment processor and subsequently to the PCI. Any deficiencies that are identified must be immediately rectified, again at the merchant's expense. Subsequently, the merchant must hire a certified firm to perform a PCI-DSS security assessment and produce a (positive) Report on Compliance or "ROC," as well as hire a certified firm to perform regular security scanning of its networked operations. In addition to funding all of these requirements, the merchant is subject to significant fines being assessed by each card company independent of the others. The result at the University of Iowa was that the one automated attack, a minor breach with no data leakage, cost the institution hundreds of thousands of dollars. Although one might conclude that a "minor" security breach should not be reported, a contract term for accepting credit cards is that any security incident be reported within twenty-four hours.

The Penn State Experience

Officials at Penn State, like those at the University of Iowa, initially believed that PCI-DSS compliance was optional. However, with the experience of its peers as background, the university is taking concrete and immediate steps to address formal verification of the compliance level of its 148 merchants statewide. One of the biggest problems is the size of the institution and the distributed nature of command and control. Although each credit card processing unit is responsible for its compliance obligation, the university needs to be able to verify that the many different architectures, systems, and networks across the state are truly fulfilling the compliance requirements. This need for formal accountability led to the initiation of the Information Privacy and Security (IPAS) project in November 2006 (http://ipas.psu.edu).

The university quickly realized that a dedicated project team would be needed. With the sponsorship and support of the chief financial officer, the chief information officer, and the provost, the IPAS team drew staff from distributed units within the university to work with unit contacts to ensure compliance. The IPAS team consists of a project manager, a technical lead engineer, and a technical coordinator—all assigned full-time to the project. They in turn work with unit administrative, technical, and financial contacts, appointed by each budget executive, to examine the unit-level card-processing environments and to recommend and implement any remediation measures that must occur. A mandatory training program on PCI-DSS has been put in place for all the distributed contacts. Ambiron Trustwave (ATW), a security assessor qualified by the card industry, has been engaged to perform the security scans and gap analyses associated with PCI-DSS and to assist the project team in ensuring that analysis and remediation steps are consistent with the expectations of the credit card industry. The experience gained in the first year of the IPAS project will then be leveraged to examine and improve the security of Penn State's internal institutional data.

Summary

If a college or university must take credit cards, the PCI-DSS cannot be avoided. Even though part of a compliance strategy may involve reducing or consolidating the number of merchants that are authorized to take credit cards, it is unlikely that institutions can stop taking credit cards altogether. Given the reliance of consumers on the use of credit cards, and given the firm expectation of compliance by the credit card industry, the need for colleges and universities to examine their card-processing environments and to remediate any deficiencies is immediate—in fact, it is past due.

All higher education institutions that accept credit cards are involved in the PCI-DSS at varying levels, and all must comply. Officials at all affected institutions should be actively discussing the PCI-DSS and evaluating overall compliance; if they are not, it is time to elevate the issue and to begin both external and internal compliance verification and remediation efforts as necessary. If those of us in higher education want the credit card industry to continue to "give us credit," we must demonstrate that we are worthy of that trust.

1. Marilyn Lewis, "1 in 7 Americans," MSN Money, February 14, 2007, http://articles.moneycentral.msn.com/Banking/CreditCardSmarts/1In7AmericansCarries
10CreditCards.aspx?GT1=9113.