PCI-DSS and Other Standards Make Securing University Networks More Complicated, Leave them Vulnerable
By Joe Bush, CardNotPresent.com
A 2014 survey of higher education IT professionals by the SANS Institute revealed how concerned colleges and universities are about data breaches, and how well equipped they are to guard against them. Their concern is well placed: institutions of higher learning gather ever larger amounts of data about their alumni, staff, students and students' parents.
The SANS Institute, a private company that provides information security training and certification, got responses from 300 analysts, administrators and senior-level managers on questions about the challenge of balancing the openness of a naturally collaborative educational culture against the need to protect sensitive data.
While higher education institutions are easy to overlook as cyberattack targets, the EDUCAUSE Center for Analysis and Research (ECAR) counted 562 reported breaches at 324 unique institutions between 2005 and April 25, 2014, most of them involving either unintended disclosure of sensitive information or hacking and malware.
The non-profit Open Security Foundation found that 35 percent of all breaches take place in higher education, and that half of those breaches are internal. The sheer number of users and touch points in environments that encourage academic freedom and the use of personal devices is best illustrated by an example from the SANS survey: “a population of 46,000 individuals on a network each having five devices (some personal, some institution issued) creates 230,000 potential breach points.”
Strained resources and understaffing sit together at the top of the survey respondents’ list of concerns, followed by compliance, not only with PCI standards but with the other regulations that require data to be protected. One written specifically for higher education, the Family Educational Rights and Privacy Act (FERPA), was cited by 75 percent of survey participants as the most important regulation they must adhere to. PCI DSS was next, at 71 percent.
New PCI Standard, New Responsibilities
PCI DSS 3.0 is the newest set of updates to the PCI standards—the first in three years—and could add strain to these put-upon IT staffs. It addresses password requirements, underlines the importance of provider compliance, and helps businesses integrate compliance best practices with minimal daily process disturbance.
While creativity is a plus for IT professionals hampered by scarce resources, one consequence of improvisation is that few institutions report having formal security systems and practices in place. Just 45 percent of responding institutions have formal risk assessment and remediation policies, and among organizations with fewer than 2,000 employees only 31 percent do.
The respondents ranked their worries as follows: administrative systems that handle student and financial records (70 percent), followed by web applications that deal with student financial and financial aid records, and faculty and staff computers, each cited by 64 percent. Sixty percent chose the vulnerability of faculty and staff mobile devices as a top concern.
Three quarters of the respondents are vigilant about personally identifiable information (PII), with 76 percent having institutional policies restricting access to PII and 71 percent avoiding storage of PII.
To the extent he’s allowed, Gil Salazar, a senior information security analyst at the University of Arizona, gives a view into how one institution grapples with protecting financial data.
“We follow all the standard PCI rules,” says Salazar. “We’re governed by the PCI standards. We make sure we’re assessed every year, to make sure we’re following all the proper safeguards.”
He says the handful of campus entities that deal with credit card payments are required to comply with PCI DSS through the top three Self-Assessment Questionnaires, or SAQs. SAQ A, SAQ B and SAQ C-VT are for merchants that don’t store credit card information, whether they are 100 percent card-not-present or some percentage less than that, such as bookstores or student union restaurants. SAQ D is for merchants that have Internet payment terminals and store card information.
“We wish everybody would be a SAQ A if possible, and we try to minimize the amount of SAQ C, and we definitely don’t want any SAQ D,” says Salazar. “The university campus would be for the most part a SAQ A or B, meaning they don’t really touch the credit cards at all. When payments are asked for, you get kicked off to a trusted third party who’s PCI approved and enter the credit card data there. It takes place on a whole different server. We don’t touch it on our servers, it’s not stored on our servers.
“If someone would break into one of our servers, they shouldn’t find any credit card data.”
Salazar says using a third party (UA’s primary gateway is CyberSource) is a matter of security, simplicity and specialty.
“We’re not a bank, credit cards is just another part of our business, we don’t want to spend the man hours running a credit card industry business,” he says. “We don’t have to put in the special servers and put all those different controls in place. It’s working; we haven’t had any breaches.”
Third-Party Provider? You’re Still Responsible
Arizona’s use of a third party to process its online transactions is a strategy many institutions of higher learning follow to lessen the security burden of accepting payments. But an important part of the new PCI DSS 3.0 requirements is a set of strict guidelines about the responsibility merchants, in this case colleges and universities, bear for the third parties they use to process payments.
Troy Leach, chief technology officer of the PCI Security Standards Council, has called third-party security a “weak point” for organizations. Simply handing off the function to a third party does not absolve institutions of the responsibility to secure data. In fact, according to PCI-SSC, “ultimate responsibility for compliance resides with the entity, regardless of how specific responsibilities may be allocated between an entity and its [third-party provider].”
Even after hiring a third-party payment provider, institutions must meet the new requirements, which include careful due diligence before signing a contract; understanding how the third party’s services map to the individual PCI DSS requirements; specific, detailed written agreements between the school and the payment provider that spell out which party is responsible for each requirement; and ongoing monitoring of the third party’s compliance status.
Educating Users in Addition to Students
For internal safety, Salazar says education of users is important because, “We have all the safeguards in place, but you can’t safeguard against losing a password or someone giving it out.”
He says UA has replaced the use of social security numbers with student ID numbers and recently instituted two-factor authentication.
“We try to educate the students as much as possible and everybody affiliated with us,” Salazar says. “We do a lot of awareness campaigns, talking to them about phishing and protecting their password.”