No one likes to think they could be vulnerable to a data breach; however, according to Verizon's most recent Data Breach Investigations Report (DBIR), the education sector reported a total of 99 breaches in the prior 12 months. If your organization accepts credit card payments and stores considerable amounts of data, you have to deal with a wide array of security issues that fall outside your core operations. From selecting payment technologies to infrastructure hardening, monitoring, auditing and more, the process can be costly and time-consuming. There is clearly a lot of room for improvement, but who has the time or staff to tackle what seems to be a daunting task?
While it may be tempting to hand the whole mess over to someone else, it is not possible to completely transfer the responsibility for security to a third party. A common balanced solution is to shift sensitive data, such as credit cards, to service providers who specialize in implementing security controls across a range of institutions, leaving you to focus on the core purpose of your organization – providing that great housing experience. In this article, we explore some areas to consider when choosing partners to reduce your compliance requirements.
The first step in any security and compliance exercise is to get expert advice. Data security, privacy, and PCI DSS are complex fields, with a mix of technical, regulatory and process-related concerns. Housing management operations are similarly complex and regulated, so a comprehensive strategy is likely to require people with a range of skills. Before choosing a partner company, ask yourself the following questions:
Understanding risk is the starting point for any strategy that involves sharing data with partner companies. Potential fines for PCI DSS breaches are well established, but data on what fines are imposed in practice is reasonably sparse – the most prevalent figures put non-compliance fines at between $5,000 and $100,000 per month, depending on the size of the institution. Consider also the risk of losing data other than credit cards. According to the Ponemon Institute, the average cost of a breach in education is US $155 per record breached. Multiply that by the number of entries in your database, and you have a high-level estimate of what a data breach could cost. The education industry average is US $4.77 million. When selecting partners, the importance of doing your due diligence can't be overstated.
When looking at software, it is preferable to engage companies that have a strong security program and host on Platform as a Service (PaaS) from a reputable provider, such as Azure or AWS. By confirming that the hosting is done on PaaS, you remove most of the physical and infrastructure risks associated with the software, as the major cloud providers are among the most secure and compliant organizations. This lets you evaluate potential suppliers by the security controls they implement directly, rather than having to guess at what risks sit in their supply chain.
In the education industry, 52% of data breaches in 2019 involved hacking, with web applications being the leading vector, making this a primary area to move to a secure partner. Recent cyber-attacks have focused directly on portal payment pages. Attackers inject malicious script capable of stealing cardholder information in unencrypted form as the customer enters it into the page. As ominous as this sounds, there are a range of defences available against these attacks. It is critical that your service provider is familiar with them and able to apply them.
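One concrete due-diligence check for the payment-page skimming described above, added here as an example (it is not code from the article or from StarRez): it parses a checkout page's HTML and flags the script conditions an injected skimmer relies on, namely scripts from hosts outside an allowlist, external scripts without Subresource Integrity, and inline script blocks. The allowed hosts, page host and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (constructed): only these hosts may serve script on the payment page.
ALLOWED_SCRIPT_HOSTS = {"pay.example.edu", "cdn.example-psp.com"}

class _ScriptCollector(HTMLParser):
    """Collect each <script> tag's attributes and flag ones with an inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append(dict(attrs))
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts[-1]["inline"] = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def audit_payment_page(html, page_host="pay.example.edu", allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (finding, detail) pairs for script tags that weaken the page's
    resistance to an injected skimmer: scripts from unapproved origins, external
    scripts without Subresource Integrity, and inline script blocks."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        src = s.get("src")
        if src is None:
            if s.get("inline"):
                findings.append(("inline-script", s.get("id") or "<no id>"))
            continue
        host = urlparse(src).hostname or page_host  # relative src = same origin
        if host not in allowed:
            findings.append(("unapproved-host", src))
        if not s.get("integrity"):
            findings.append(("missing-sri", src))
    return findings

# Constructed sample: approved script with SRI, third-party script without SRI,
# and an inline block (the shape a checkout page has after a skimmer is injected).
SAMPLE_PAGE = """<html><body>
<script src="https://cdn.example-psp.com/checkout.js" integrity="sha384-placeholder"></script>
<script src="https://static.example-analytics.net/t.js"></script>
<script id="cfg">window.cfg = {};</script>
</body></html>"""
```

Run `audit_payment_page(SAMPLE_PAGE)` to see the two third-party findings and the inline block reported; a clean page with only allowlisted, SRI-protected scripts returns an empty list.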
Most institutions have data sovereignty requirements and cannot store data outside their country. This shouldn’t be an issue as cloud providers are now present in most parts of the world, allowing your services to be hosted in the same region. What you will need to determine is where your data is backed up to, and whether there are any failover capabilities in the event that your primary service is affected by an outage.
If you accept payments via a bursar’s office or another physical payment scenario, you will need to safeguard your credit card equipment from interference, such as credit card skimmers. This is an area where it is a good idea to get expert advice to set up processes and controls to protect the equipment and configure it in a secure manner.
Additionally, depending on which payment providers are available to you, you may want to implement the PCI standard for Point-to-Point Encryption (P2PE). P2PE encrypts the card data from the terminal where the payment is accepted, all the way through to the bank, so that none of the intermediary systems have access to it.
Now that you have assessed your risk, it’s time to choose the right partners. As we described above, due diligence on potential partners is extremely important, as is setting up the partnership. There are several steps involved in ensuring a partnership supports your overall compliance objectives:
Both parties need to understand what their responsibilities will be under the contract. An SLA should be in place, and there should be expectations set around incident response, disaster recovery and specific security controls, such as frequency of vulnerability updates, etc. As part of this, appropriate levels of cybersecurity insurance should be established, in the event of a breach.
Consider where your institution operates to understand your privacy responsibilities. Depending on your area you may be required to be compliant with a range of privacy laws, such as GDPR, FERPA, PIPEDA, CaCPA, etc. The partners you choose to work with should be familiar with these laws and be able to demonstrate how they will enable you to comply with them. Be sure to set these expectations regarding how compliance will be achieved up front.
What standards of compliance are necessary for your potential partners? Think about the nature of your suppliers and where they operate. Here are a few common compliance requirements that may apply.
A final note on compliance is that while it drives positive practices in security, you should always ask to see recent vulnerability scans and penetration test reports from potential partners – this is the evidence that shows compliance is working.
What happens next? Assuming everything looks great in the beginning, how do you know your data will continue to be secure? Contracts with partners should allow for an audit to ensure good practices are being maintained with your data. This will become essential in the event of a breach, allowing you to directly investigate what may have occurred at a vendor.
Once you have transferred as much risk as makes sense for your organization, you will still be responsible for some compliance requirements. These will generally revolve around training and maintaining secure practices. Often this training can be provided by the organizations that also assess PCI security.
The complexity of technology solutions is increasing at a rapid rate, and many of the new laws we are seeing are an attempt to keep up with the risks they introduce. It is possible to run a secure system entirely within your operation, but this takes dedicated staffing with specific skills and resources. By looking at the tools required to operate your business, and choosing secure partners for sensitive components, you can feel confident that your organization’s data is protected.
StarRez is certified with PCI DSS as a Level 1 service provider. We are committed to meeting and exceeding data security protection standards.
To learn more about how StarRez keeps your data safe and our PCI certification, contact Rafe Hart at dpo AT starrez.com.