From the September 2008 Issue
On any given day, a typical university is humming with credit and debit card transactions. The athletic department accepts cards from students, faculty, staff members and customers who are not formally part of the school to pay for event tickets and perhaps souvenirs. Still other school entities take plastic for various expenses and contributions, including the alumni association, bookstores, cafeterias, libraries, conference centers, performing arts centers, hospitals, dental clinics and academic departments.
Payment card networks and acquirers treat colleges and universities as small cities containing dozens or even hundreds of merchants, sources say. And acquirers assign individual campus merchants an accompanying variety of merchant codes. As is the case in the off-campus world, those codes reflect what merchants sell and how they sell via Web sites, telephone interactions, point-of-sale terminals and card-imprint devices that capture card information on paper receipts.
Merchants working within higher-education environments face different challenges in complying with the Payment Card Industry Data Security Standard than do their commercial counterparts outside academia, and they also enjoy certain advantages. Most notably, most university merchants are linked to college computer networks that operate in a culture of openness, to exchange both intellectual discourse and practical information.
Such openness frees university information-technology professionals from barriers that inhibit their counterparts in the commercial sector from sharing information with competitors about security problems and how to avoid them. The disadvantage of open, interconnected computer networks is that it is more difficult to keep out those who would cause harm through those connections.
The more individuals who can reach more locations within a computer network, the more likely hackers are to find openings to view data they can steal.
"Schools are uniquely vulnerable with their open, flat (unsegmented) networks," says Walter Conway, founder of Walter Conway Associates LLC, a San Francisco-based consultancy that specializes in university network security. "So PCI compliance is a particular challenge to colleges and universities."
'High Risk' Merchants
Visa Inc. characterizes universities as "high risk" merchants, on the same level as restaurants. Jennifer Fischer, Visa director of enterprise risk and compliance, would not disclose specific statistics that would show differences between commercial merchant payment-data compromises and those at colleges and universities.
But she agrees that large, rambling computer networks increase the vulnerability of campus merchants. "There's a lot of different environments where universities are handling card data, and that doesn't necessarily lend itself to security and protecting that information," Fischer says.
Visa, MasterCard Worldwide, Discover Financial Services, American Express Co. and JCB International Ltd. launched PCI in 2005 to unify many of their individual security requirements for handling payment card data.
The card brands use similar, but not identical, transaction-volume designations to determine how merchants should comply with PCI and validate that compliance. Level 1 merchants accept more than 6 million Visa or MasterCard transactions per year; Level 2 merchants accept 1 million to 6 million card transactions. Level 3 merchants accept between 20,000 and 1 million e-commerce transactions, and Level 4 merchants accept fewer than 20,000 transactions.
Merchants designated Level 1, 2 or 3 must complete quarterly scans of their card-acceptance networks to look for vulnerabilities, while Level 4 merchants only need to conduct the scan once per year. Level 1 merchants must hire third parties to conduct annual on-site security assessments. Levels 2, 3 and 4 need only complete annual self-assessment questionnaires.
Despite some inherent vulnerabilities, campuses still accept fewer card transactions than do commercial mass merchants. So acquirers categorize most of their campus merchants as smaller Level 3 or Level 4 retailers, sources tell Cards&Payments.
Gerry Tilson, vice president of business intelligence at Elavon Global Acquiring Solutions, says even Elavon's largest university customers still do not accept enough transactions to qualify as Level 1 merchants. Elavon is an acquirer and processor owned by U.S. Bancorp.
And large universities sometimes split their businesses, and therefore their transaction volume, between different acquirers. "One unit might go with us, and another unit might go with another acquirer," Tilson says.
But card brands often bump small merchants to Level 1 status, with its accompanying compliance rules, after a data compromise or breach, and universities are no exception. Those merchants must wait several months to again prove they are secure and validate their PCI compliance before the card brand that penalized them allows them to return to the less-onerous Level 3 or 4 designations.
Visa in 2004 found one of the University of Houston's merchants had been compromised and moved that merchant to Level 1 status under Visa's Card Information Security Program, says Mary Dickerson, the school's information-technology manager. CISP is a precursor to PCI that still exists and that Visa employs to enforce merchant compliance with PCI rules.
Dickerson would not disclose which merchant was involved or how the compromise happened. But she says the school learned a lot about the coming PCI requirements from the qualified security assessor it hired to improve security of the compromised merchant and the entire campus.
The University of Houston established a separate, PCI-compliant computer network to handle payment card information. "Anyone using the Internet for payments was going to be part of this separate payment network," Dickerson says.
The university designates as lower risk its merchants that use card-swipe terminals that do not store card data or that outsource their online-payment functions to third parties so transaction data never enter university networks. But the school treats as higher risk those campus merchants that store transaction data or that transact electronically without outsourcing to third-party processors.
The school segments higher-risk merchants from other merchants within its payment gateway. "We've built them a separate bubble all their own," Dickerson says. That bubble helps "narrow the scope" of PCI compliance on campus, so fewer computers and smaller pieces of the campus network have to meet PCI requirements, she says.
Tilson says campus security and ID cards that also are enabled as reloadable prepaid or branded bank debit cards carry additional risk. Universities or third parties must store or have access to payment card information that will enable account reloading, he adds.
For all payments, many universities have set up gateways that segment payment activities and data from other parts of their computer networks, a practice the PCI standard encourages. University treasury or business departments often work with information-technology managers to act as subacquirers overseeing security compliance by campus merchants.
One director of merchant security for a large, multicampus university who requested anonymity says his school's payment systems never have been breached. The university's 200 or so merchants can decide whether they want to sell products and services in a general shopping section of the school's Web site or through their own, individual Web sites that are still part of the school's network. Most merchants transact through the school's payment gateway, but a few, such as event ticketers and bookstores, send shoppers off of the university network to those of third-party vendors to complete card transactions.
However they transact, the security manager is glad the school recognized as early as the late 1990s the importance of keeping card data segmented from other parts of the network. "My boss was pretty vehement about keeping card data off of the server," he says. "We also centralized that service so we could have one system processing credit cards rather than various departments having their own processors."
Many universities with outdated, less-secure payment gateways farm out payment functions to third-party providers. "If their payment gateways haven't been upgraded in a while, they should consider outsourcing them," says David Taylor, a San Francisco-based payment data security consultant who also founded the PCI Knowledgebase, a Web site devoted to sharing card-security information.
Even with centralized payment gateways, decentralized power structures, in which various college departments and offices operate independently from each other, still create a challenge for keeping tabs on who is accepting payments and how.
"What you can have in a university setting is rogue merchants," Taylor says. Rogue merchants can be professors or fraternities that set up their own Web sites within university-network domains to pitch books they write or products they sell as a fund-raiser.
Perhaps those merchants use PayPal to collect payments or, even worse, they piggyback on merchant identification numbers acquirers provide a campus department. Both activities can draw malicious hacks and acquirer fines, Taylor says, noting one university shut down 18 such merchants last year. Many universities ask banks in their states to alert them if they receive transactions carrying university merchant IDs that occur outside the university's official payment gateways, Taylor says.
Even alumni associations, which no university would ban from accepting payments, receive threats from security managers of being fined or blocked from campus payment gateways if they do not follow security rules.
"There are going to be lots of meetings, and it will stop short of [a ban] in many cases," Taylor says.
Disciplining university employees for mishandling data also can be difficult, Conway says. "You can't say, 'do this or you're fired,'" he says. "It's very difficult even to find all the data, and you've got different departments that want to do their own things."
Still, decentralized governing structures can benefit data security if they force a representative from each merchant accepting payments to also accept responsibility for keeping those payments secure, Taylor says.
Many academic security managers have a more-sustainable approach to ongoing data security than do their commercial counterparts, he adds.
"One of the things I like about the educational institutions I've talked to is that in most cases PCI compliance is run out of their treasury departments," Taylor says. "It is much more likely to be managed as a business program, on an operational basis with a renewable budget."
With limited budgets, universities should prioritize which risks to mitigate first. Taylor suggests first securing the merchants that handle the most transactions and the biggest purchase amounts, which often are the alumni associations and athletic departments.
And simple changes can achieve PCI compliance cheaply, Conway says. For example, a small college he advises has an annual telethon fund-raiser. In the past, the school set up a bank of 10 laptops on which student volunteers would enter card numbers, expiration dates and other information about donors to send to a third-party payment processor.
"The students were checking their e-mail and logging in to Facebook between calls," which increased the vulnerability of the payment data on each laptop, Conway says. To keep the laptops secure for the months between annual telethons, the university locked them in a safe.
The solution? Conway suggested the school have students write payment card and donor information on paper forms during telethons. Then the school could lock away the forms and have a university employee enter the data on one secure computer the next day before destroying the paper.
"The IT guys were happy because they got 10 laptops back that they could assign to someone else," Conway adds.
For colleges and universities, limiting and controlling payment card data collection and corralling that data into central, segregated networks are key to improving campus-merchant security.