Key Takeaways
- By July 1, 2010, colleges and universities must comply with a new credit card industry data security standard — the Payment Application Data Security Standard.
- While institutions that perform transactions must comply with the PA-DSS, the standard also provides an independent validation of the design, coding practices, security encryption, and release procedures of payment applications.
- Meeting the new standard enables colleges to protect and serve the financial security and privacy of their students and other constituents.
An important financial services security deadline is looming for colleges and universities across the country. The deadline, which also affects retail stores and online merchants, requires that by July 1, 2010, the software that handles any credit card transaction must meet a new security standard, the Payment Application Data Security Standard (PA-DSS). This standard is the latest requirement in an evolving process begun about five years ago. It was obvious then that too many software applications were touching too much sensitive payment data, specifically the names, account numbers, and related information associated with the private finances of individuals. Whether due to increased exposure from the growing number of retailers, to honest mistakes like a misplaced laptop computer, or to criminal activity by hackers, tales of credit card security breaches were rampant and continue to be common.[1]
Colleges and universities depend on a public perception that personal information held in their databases is safe and secure. Accordingly, institutions should do everything possible to enhance security, especially of sensitive financial information belonging to students, their families, and other constituents.
Three Levels of Standards
The payment card industry’s coordinated data security efforts effectively began in 2004 when five major payment card organizations formed the PCI Security Standards Council "to enhance payment account data security by driving education and awareness of the PCI Security Standards." The standards apply to three levels of systems necessary to support the conduct of electronic financial transactions:
- Manufacturers of payment cards, scanning terminals, and devices used at the point of sale (POS). This level is the PIN Transaction Security Standard (PTS). Universities should only use PIN entry approved by the council.
- Software vendors and others that develop secure payment applications that are sold, distributed, or licensed to third parties. This level is the Payment Application Data Security Standard (PA-DSS).
- Merchants, including colleges, universities, and contractors or vendors who collaborate with colleges or universities, or those entities that conduct financial transactions using POS equipment, instruments, and systems. This level is the Payment Card Industry Data Security Standard (PCI DSS), which spells out specific requirements based on agreed principles.
At the first level, makers and distributors of payment cards, POS "swipe" devices, and similar equipment and peripherals must certify that these devices and tools accept and transmit account and payment information securely. If the acquiring financial institution — usually, the institution’s bank — has approved the device, the device probably meets PTS specifications.
At the second level, the PA-DSS requirements taking effect this July essentially mandate that software vendors, application developers, and integrators not store prohibited data, such as full magnetic stripe, CVV2, or PIN data, and that they ensure their payment applications comply with the PCI DSS.
Regarding the third level, the PCI Security Standards Council says, quite simply, "If you are a merchant who accepts or processes payment cards, you must comply" with the PCI Data Security Standard (PCI DSS). Affected parties specifically include colleges and universities plus any departments, offices, business units, vendors, or contractors who use the institution’s transaction system, ranging from a bursar who accepts a payment card for tuition to the barista in the student union coffee shop.
While the middle level (developers of systems and software that support transactions) faces the July 1 deadline to meet PA-DSS, colleges and universities and other merchants also must verify that the software, applications, and systems they use are listed as certified, either through their acquiring financial institution or by inclusion on a list maintained on the PCI website’s PA-DSS page.
While each of these three standards is mutually exclusive, they are collaboratively inclusive. The merchant’s swipe terminal must comply with PTS if taking a debit transaction using a PIN, as must the software that actually processes the transaction and any components connected to any cardholder data.
A key link in this relationship is the acquiring financial institution, sometimes referred to as the merchant processor. This institution is a bank, another financial institution, or a third-party representative of such institutions that processes and settles a merchant’s daily credit card transactions. This entity separately has a responsibility to verify each participating merchant’s compliance status. However, regardless of whether the acquiring financial institution has taken steps to verify compliance by the merchants, the risks from noncompliance remain with the college or university.
Funnel the Data
The compliance process may seem daunting, especially if there are dozens or even hundreds of transaction points on campus. Indeed, for even one transaction the technology required to comply with the data security standard is quite complicated. A typical institution must facilitate and manage online transaction sessions, authentications, credentials, data exchanges, ERP updates, transaction flows, and workflows in a dynamic, high-volume environment. To maintain data security, the transaction should be locked down from start to finish in a PCI-certified environment. This can be accomplished on any campus through real-time integration of complex systems linking all college or university departments, vendors, contractors, or others who conduct business in or associated with the institution’s name.
A simple strategy helps alleviate the complexity of this process: The best solution is to reduce the number of applications that actually touch the sensitive data that the standards were established to protect. For example, before a student gets to the "pay now" point of an online shopping session, the transaction should shift to a separate, secure payment system where the student enters payment card data that is then authorized, processed, and stored. This might be accomplished on campus or through an external organization. For an introduction to the steps involved, see the PCI Security Standards Council’s quick guide to complying with the PCI DSS.[2]
Five-Point Approach
Minimizing the funnel points at which payment card data is handled requires a comprehensive review process. While involved and perhaps costly, this will pay significant future dividends, including not only simplified future data security compliance but also increased operational efficiency.
To prepare for the PA-DSS deadline of July 1, 2010, colleges can take the following steps:
- Inventory your campus merchants and their payment systems.
- Determine if each payment system is listed on the PCI Council’s website of certified payment applications.
- Contact those vendors whose systems are not listed and ask them for a letter that explains their position on PA-DSS certification.
- Move payment processes to a centralized, PA-DSS certified payment environment.
- Develop a plan to educate all campus merchants about PA-DSS and PCI DSS.
The centralized environment is a key step in this approach. In its simplest terms, this environment is illustrated by the "Pay Now" button for online transactions, or by the point in other campus business applications where the transaction is moved before any payment card data is entered. At this transaction point, the user (online customer) is linked out to a separate, secure payment system where payment information is entered, authorized, processed, and stored. The transaction is thus locked down from start to finish in a PCI-certified environment.
For "cashiering type" transactions, the key is to use PIN Transaction Security (PTS) compliant swipe devices with station software that is PA-DSS certified. In addition, any payment card station should comply with the set-up requirements of the PCI DSS.
Conclusion
Is PA-DSS important? Yes, because it’s a requirement for vendors and integrators whose systems handle payment card information. Beyond being a requirement, though, PA-DSS is an independent validation of the design, coding practices, security encryption, and release procedures of payment applications. It’s another level of assurance that the payment software is certified to industry best practices. Thus, it becomes an important cog in the integrity of the entire information security program of a college or university. Although PA-DSS is in every respect a back-shop function, in its highest respect this standard enables the institution to protect and serve the financial security and privacy of students, parents, alumni, donors, and many other constituents.
1. See the Chronology of Data Breaches, an ongoing database maintained by the Privacy Rights Clearinghouse.
2. See the "PCI Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 1.2," which provides information for merchants and organizations that store, process, or transmit cardholder information.
© 2010 Dan Toughey. The text of this article is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 license.