Archives > September 2014 > PCI Compliance & Questions of Security

PCI Compliance & Questions of Security

Colleges and Universities strive for PCI compliance, but are they really secure? The Payment Card Industry Data Security Standard (PCI DSS) has been with us since 2006, and version 3.0 was made effective January 1, 2014.

By: Ron King

Version 3.0 is a watershed moment, as the PCI Security Standards Council has made great strides in stressing that the Standard should help campus merchants "make payment security a part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility."

COMPLIANCE VS. SECURITY
I have been involved with the PCI DSS since its inception (in the early 2000s), and during that time I have seen many colleges and universities treat "compliance" with the DSS as if it were the same thing as achieving "security." Since there are still very public breaches and compromises every year, we have to ask: Is compliance the same as security? Let's agree on the terms "compliance" and "security" first.

Compliance programs merely include controls that a regulatory body considers the minimum requirements to which an organization (e.g., a campus) should adhere, given the risk to the data. Compliance with relevant standards (PCI DSS, HIPAA, FERPA, GLBA, etc.) is important and necessary, and these standards can help colleges and universities develop usable frameworks and policies. However, compliance alone should never be considered the final answer on security, nor should compliance be the measuring stick by which campuses evaluate their security posture. You can pass an audit and still be vulnerable to an attack.

Security can be described rather simply as the implementation of controls to counter or address vulnerabilities or threats to the asset being protected. Bob Russo, general manager of the PCI Security Standards Council, says, "Though a company might be certified as PCI compliant, it's important to remember the compliance certification is just a snapshot in time. You can be in compliance today and totally out of compliance tomorrow, because of a failure to implement some small security measure. This is really about security, not about compliance. These (the PCI controls) are the bare minimum things you should be doing."

A simple example can be seen in your own home. If you install a lock on the front door, you are implementing a control (the lock) to address a vulnerability (an unlocked door) and a threat (that an unauthorized person will enter). The assets being protected include the personal safety of you and your family, your possessions and even your privacy.

Checking off mundane procedures tempts security professionals to become complacent. Complacency creates security gaps. It is incumbent upon an organization to ensure that the security team does not lose sight of the objective and focus. In fact, organizations serious about security make it an enterprise-wide priority. They formalize and enforce corporate security policies, rather than simply seeking to ensure compliance with external standards. They prioritize employee education alongside technology deployment and they build defenses into every layer.

Troy Leach, CTO of PCI SSC, explains that there is a real emphasis in the new standard on the process of making things secure. When it comes to PCI-DSS testing, the testing is now intended to make sure that the process is secure, rather than just making sure a company has a specific security technology in place. "We have incorporated policy and ongoing risk assessment throughout the standard," Leach said. "What that does, especially in large organizations, is it helps to achieve more consistency around process-oriented controls. There is also more of an emphasis on having an ongoing responsibility that extends beyond just the point-in-time when a PCI-DSS audit takes place."

WHY IS THIS SO DIFFICULT FOR HIGHER EDUCATION?
Information security is a particularly difficult task for colleges and universities because unique aspects of higher education make it harder to achieve. The campus environment differs markedly from that of more traditional merchants for a variety of reasons. First, the open nature of the college/university physical and technical environment is distinct. Second, departmental decentralization can inhibit central policy enforcement. Third, colleges and universities operate data-rich information systems, which makes them a natural target. Fourth, intruders are now more sophisticated, often with criminal intent. Fifth, an overloaded IT staff can prevent or delay focus on security measures. Sixth, there are numerous independent payment systems across the campus. Finally, there may be fiscal constraints.

A survey of colleges and universities taken for the 2014 PCI Workshop put on by the Treasury Institute for Higher Education revealed a very interesting phenomenon: prior to the conference, 48% said their campus was compliant, but after three days of training on what being compliant really means, fewer than 10% of the same respondents reported that they were actually in compliance.

BUSINESS AS USUAL
"Version 3.0 will help organizations make payment security part of their business-as-usual (BAU) activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility," the PCI Council says. "Overall updates include specific recommendations for making PCI DSS part of everyday business processes and best practices for maintaining ongoing PCI DSS compliance; guidance from the Navigating PCI DSS Guide built in to the standard; and enhanced testing procedures to clarify the level of validation expected for each requirement."

The PCI SSC is hoping that by building the controls into organizations' BAU, the biggest problem in maintaining compliance will be diminished. Examples of how PCI DSS should be incorporated into BAU activities include, but are not limited to, the following:

• Monitoring security controls to ensure that they are operating effectively and as intended.

• Ensuring that all failures in security controls are detected and responded to in a timely manner.

• Reviewing changes to the environment prior to completion of the change.

• Conducting a formal review of the impact on PCI DSS scope and requirements whenever the organizational structure changes.

• Reviewing and communicating to confirm that the PCI DSS requirements continue to be in place and personnel are following secure processes.

• Reviewing hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet the organization's security requirements, including PCI DSS.

CONCLUSIONS
The PCI DSS is about protecting cardholder data. This can only be achieved if security best practices are applied on a daily basis. Although the PCI DSS is only audited annually, security can only be achieved when the controls are implemented as business as usual. To ensure adherence to the Standard (and therefore certification), organizations need to record evidence of everyday use of the controls that the Standard mandates.

The question that the new standard will help merchants to answer is "Do we have the culture to protect our customers' cardholder data every day and every hour that we're doing business?"

Information security can be challenging, as it requires both consistency and adaptability. That is surely a difficult balance to achieve. However, as breaches continue to take center stage among the boardrooms, media, and regulators, achieving that balance is more important than ever.

About The Author
Ron King

is president and co-founder of CampusGuard, a QSA firm dedicated solely to assisting higher education with PCI compliance and security, as well as the protection of other personally identifiable information. Ron is also the co-chairman of the Treasury Institute for Higher Education's annual PCI Workshop.

PUPN Magazine is a trademark of Flaherty Media, LLC, copyright 2017. PUPN Magazine and all contents are properties of Flaherty Media, LLC.