A new data security standard is showing promise for protecting payment cardholder

Transcription

1 Data Security Standards Begin to Take Hold By Walter Conway and Dennis Reedy A new data security standard is showing promise for protecting payment cardholder information a large area of data vulnerability for higher education institutions. We reported on the Payment Card Industry (PCI) Data Security Standard (DSS) in the article Straight Talk About Data Security, in the December 2007 issue of Business Officer (to access the article, go to We pointed out that compliance with the standard is required and that it is also good business practice for all colleges and universities taking payment cards. Payment card associations and issuers were pushing to achieve compliance by the end of So how are institutions doing? To find out, we surveyed representatives of colleges and universities, asking them how they are complying with PCI DSS requirements on their campuses. This online, anonymous survey was conducted in April and May of 2008 as part of the Treasury Institute for Higher Education s PCI Workshop. The response rate was high: 74 responses from the 114 attendees representing higher education institutions nationwide. Some schools sent multiple attendees and not all respondents answered each question, so results should be interpreted only broadly. Nevertheless, while they shouldn t be used as a basis for best practices, the results provide a snapshot of current PCI activities at campuses nationwide. Following are the major findings and an analysis of some of the factors related to PCI compliance.

2 Significant Findings We began by analyzing the results from all institutions taken together. To identify significant differences in attendee responses, we then viewed the results through three different lenses: public vs. private institutions; large vs. smaller card programs; and PCIcompliant vs. non-compliant institutions. Some of the more significant findings of these analyses included the following: Roughly half of the institutions surveyed are PCI-compliant today or expect to be within six months. Responsibility for PCI compliance and validation is a team effort, most often led by the finance or treasury office. The information technology (IT) division has a major role to play. Most institutions fund PCI compliance centrally, although individual campus merchants (i.e., departments, auxiliaries) pay for their unique remediation costs. The median number of institution staff dedicated to PCI compliance is.5 full-time equivalents. Compliant institutions, however, and those with more than 100 payment card merchants dedicate one FTE or more to the effort. Slightly more than half of responding institutions have experienced a data breach. About 12 percent of the time, a breach involved losing payment card information. Between 5 and 10 percent of institutions have been fined by a card brand for the breach. Institutions are not satisfied with the support they receive from their acquiring bank or processor. Institutions look to their acquirers for training, support, and

3 knowledgeable answers to their questions,. Too often they report being disappointed by their acquirers unresponsiveness. The following analysis digs deeper into the data behind these findings. Participant Profile Roughly three-fourths of survey respondents represented public institutions, with the remaining one fourth representing either private institutions or associations. The chart that follows shows the breakdown. The distribution of the number of card merchant IDs an indicator of the number of card-accepting locations on campus and, therefore, the size of card program was skewed. Respondents represented quite a few institutions that have 50 or fewer merchants. But, we also saw a few campuses with more than 200 merchant IDs. Using the median value, we found that half of responding institutions had between 51 and 100 merchant IDs on campus. Later we will use this median value to look for differences between larger (more than 100 merchants) and smaller (100 or fewer merchants) card programs. See the following chart for details.

4 One of the more positive findings from the survey was that half of all institutions either were PCI compliant currently or expected to be compliant within six months. The other half of respondents either expected their compliance efforts to take longer or had not yet established a target date. The following table indicates institutions various points on the compliance curve. Elements of PCI Implementation Respondents described various ways to administer the necessary components of PCI compliance. Their answers to the following questions offer some guidance for those working on such a process.

5 Who takes the lead? Half of respondents said that their finance or treasury department had primary responsibility for PCI compliance for the institution, while only about 6 percent indicated that the IT department took the lead. However, a surprisingly large number (44 percent) indicated areas other than finance, treasury, or IT. In their comments, this group explained that no single department in their institution controlled their compliance effort. Rather, it was truly a shared responsibility often involving audit, purchasing, legal, and other areas in addition to finance and IT. Who pays the cost? More than two-thirds (68.5 percent) of respondents said their institution centrally funded PCI compliance. While this is often the case, individual departments accepting payment cards (i.e., merchants) generally pay their own direct costs either for particular remediation or to upgrade systems or services. How many people does it take? We asked each respondent to estimate the number of full-time equivalent staff dedicated to PCI compliance. We chose this approach because often persons working on compliance also have other duties as part of their job. In spite of the difficulty in estimating FTE, nearly every respondent answered the question. The result is the skewed distribution in the following chart.

6 Because the distribution is skewed, we used the median or middle value as a measure of central tendency. Based on the responses, institutions dedicate approximately 1 FTE to PCI compliance. The range of responses, however, was wide, with nearly onefourth of respondents indicating no dedicated resources (possibly misinterpreting the question) and slightly less than one fourth indicating one-half FTE. Nearly 10 percent of respondents had four or more FTE dedicated to PCI compliance. Based on these results, you can expect to allocate about one FTE to PCI compliance at a minimum. If we ignore replies specifying no people assigned to compliance (maybe they have not started yet), the median number increases to 1.5 FTE. What policies are in place? We asked respondents if they had in place the four specific written policies required for PCI compliance: information security; payment card acceptance; PCI compliance; and cardholder data access. We also asked if there was a formal process for adding new campus merchant IDs. The following table details their responses.

7 Most institutions had both an information policy and a payment card acceptance policy in place. Fewer than half of institutions, however, had formal policies with respect to PCI compliance and cardholder-data access. About two-thirds of institutions had a formal policy/process for adding new merchant IDs for campus departments launching or expanding card acceptance. These results are not surprising. Most institutions have had information security policies in place for years; and, since they accept payment cards, we would expect policies stipulating acceptable payment channels and procedures (including adding new merchants). And while all four policies are required for PCI compliance, the last two may be newer to higher education. Since we noted earlier that about half of respondents are or soon will be PCI compliant, we expect roughly the same percentages of institutions to have these final two policies in place as they accomplish compliance. How do you keep informed? A wide variety of PCI information sources are available, and respondents indicated that they used many of them. They also indicated that other valuable resources included their state treasurer, consultants, specialized publications, and other PCI conferences such as the Treasury Institute for Higher Education s workshop.

8 Are acquirers helpful? A particularly knowledgeable source for PCI information should be the institution s card processor or acquirer (note the high response rating). After all, the acquirer is the financial institution that stands between the college or university and its card brands, particularly Visa and MasterCard. Acquirers belong to the payment associations. Institutions expect their acquirers to be informed on everything having to do with PCI. We learned, however, that most institutions are not satisfied with their acquirer s support in achieving PCI compliance. We centered our questions around four particular area of support, ranging from answering questions promptly to providing PCI training. With respondents rating their acquirers on a scale of 1 to 5, in which a 1 meant extremely dissatisfied and a 5 meant

9 extremely satisfied, all but one of the questions rated an average response below 3 ( somewhat satisfied ). The open-ended comments which numbered 22, or more than one-third of respondents expressed a frustration with the lack of support from the institution s acquirer. Highest on the list of frustrations were: finding the right person at the bank to ask about PCI; getting an accurate reply in a timely manner; discovering few PCI training opportunities for merchants; and perceiving a general lack of PCI knowledge on the part of the acquirer s staff. Has there been a data breach? In addition to asking respondents about their institution s experience with data breaches, we asked if any of the breaches included the loss of payment card data, which PCI DSS is designed to protect. We learned that more than half of the 64 respondents who answered this question had suffered a data breach. About one in eight institutions suffered a breach that compromised payment card data. Four institutions reported being fined by a card brand. This data confirms other publicly reported breaches, indicating that such incidents are common in higher education institutions and that a significant number of those

10 breaches involve payment card data. Therefore, the increased interest in and emphasis on PCI compliance by colleges and universities are prudent and justified. Differences Among Institution Segments Having seen the results for all respondents, we were curious to see what variations, if any, existed between different types of institutions. We compared the responses for three separate groupings: private vs. public institutions; larger vs. smaller card programs; and compliant vs. non-compliant institutions. Following are our findings: Public vs. private institutions. The results for public and private institutions were similar, sometimes even identical, on many points. However, three areas of difference between public and private institutions were reported and are illustrated in the following table.

11 Compared to public institutions, private colleges and universities are much more likely (92%) to fund PCI compliance centrally than are institutions as a whole. The private institutions are slightly less likely to be PCI-compliant, and they have suffered fewer breaches with 56 percent reporting no data breach as opposed to only 42 percent of public institutions that can make that claim. Larger vs. smaller card programs. Our objective was to determine any major differences in the PCI-compliance experiences of larger and smaller institutions. Since we cannot identify a particular institution or its response, we used the number of card merchants as a proxy for size. While this approach is not perfect, it does have the advantage of focusing directly on payment card activity. As mentioned earlier, for the purposes of this analysis we defined larger card programs to be those with more than 100 merchant accounts ( merchant IDs ) on campus. Smaller programs are those with 100 or fewer merchant accounts. The results for large and small programs were quite similar overall, but we noted three areas of difference between large and small programs.

12 Institutions with larger merchant programs are much more likely to have a policy in place for new campus merchants, and they have slightly more staff (an additional.5 FTE) devoted to PCI compliance. Only one-third of large programs can claim to have had no security breaches. Yet, while they have had more breaches, larger programs appear to have lost cardholder data (CHD) less often than smaller programs. Compliant vs. non-compliant institutions. We defined compliant to include those respondents who answered that they either were compliant presently or would be within 6 months. Non-compliant institutions were those that planned to take longer or had no firm target date set for compliance. The overwhelming percentage of compliant institutions had payment and security policies in place, since these are required for PCI compliance. Compliant institutions also had more staff devoted to PCI (an additional.5 FTE), a finding that indicates the added resources may be producing results. Most interesting, however, are the differences in security breach statistics. Only about one-fourth of compliant institutions can say they have not had a security breach as opposed to nearly half of all institutions. Similarly the

13 rates for losing cardholder data and being fined are higher. Combining these findings with anecdotal evidence suggests a link between an institution suffering a security breach in the past and it s having a robust PCI compliance effort today. Conclusions While the results of this survey do not represent best practices in PCI DSS compliance, some of the institutions activities offer food for thought for colleges and universities that are working on their own compliance efforts. In particular, the following information may be of value: Most institutions centrally fund PCI compliance, although individual campus merchants pay for their unique remediation costs. Compliance requires staff support. Depending on the size of the payment card volume, institutions devote from.5 to 1 FTE or more to the process. Responsibility for PCI compliance and validation is a team effort most often led by the finance or treasury office. Information technology has a major role to play. As noted, roughly half of the institutions surveyed at the Treasury Institute for Higher Education s workshop are PCI-compliant today or expect to be within six months. Where does your institution fit on this timetable?

14 WALTER CONWAY is president of Walter Conway Associates, LLC, San Francisco, and DENNIS W. REEDY is the managing director of treasury operations for Indiana University, Bloomington. ###