PCI Compliance

Keeping Credit Card Data Secure - PCI (Payment Card Industry) Compliance

What is it?

As a Merchant Services Provider (MSP) it is Diamond Mind’s responsibility to inform and educate you on your PCI responsibilities. If you are leveraging a third party provider’s servers to process your payments or to host your web site through which credit card information will be transmitted, PCI Compliance will make demands of these system providers as well, as they are acting on your behalf.

Why is it important?

Schools, like other educational institutions, tend to be non-hierarchical, and their IT infrastructure and networks have traditionally grown “organically.” This has left them vulnerable in the area of data security. Data breaches at the University of Notre Dame in 2006 and Iowa State University in 2005 demonstrate why awareness of PCI Compliance is critical to the educational community. Independent schools may also have a heightened concern about a possible breach of credit card data and the resulting doubt cast on the security of students’ personal information.

Is PCI Compliance difficult?

The good news is that, because most independent schools have a relatively low number of annual credit card transactions (below 20,000), they can achieve PCI Compliance and self-validate it through a relatively straightforward process: a self-assessment questionnaire rather than an on-site audit. At this level of transactions there is no need for a third party to validate your compliance, although, depending on how you accept cards, your acquiring bank may still require quarterly external vulnerability scans by an Approved Scanning Vendor.

The PCI Data Security Standard (PCI DSS) groups its requirements under six control objectives. To achieve PCI Compliance, you must:

  • Build and maintain a secure network (this requires more than just having an SSL (Secure Sockets Layer) certificate on your web site)
  • Protect all cardholder data, whether on paper, on PCs, or on your network, with both physical and technical safeguards
  • Maintain a vulnerability management program (keep systems patched and run anti-virus software)
  • Implement strong access control measures
  • Regularly scan, monitor, and test your networks
  • Maintain an information security policy

Why hasn’t your Merchant Account Provider mentioned PCI Compliance?

Most Merchant Account Providers service a spectrum of clients from high risk (hundreds of thousands of transactions per year) to low risk (20,000 or fewer transactions per year), and their energies are primarily focused on the clients with higher liability and risk. As previously mentioned, most schools process fewer transactions, and therefore their liability and risk level are relatively low. If you process with a “generalist” Merchant Account Provider such as a bank, it is more likely focusing its energy on the high-risk customers. The unfortunate result is that independent schools receive less (if any) education regarding PCI Compliance.

Diamond Mind is not a “generalist.” Independent schools are one third of our business – in fact, we have a separate division that works exclusively with independent schools. Throughout our company we ONLY service low-risk clients (fewer than 20,000 transactions per year), so our energies are 100% devoted to educating and working with clients in these specific market niches.

How does Diamond Mind demonstrate commitment to PCI Compliance?

When making selections on how to accept credit cards, we recommend that you acknowledge and balance three key variables: convenience, data security, and cost. Each payment method you select – be it for the annual auction, an online giving form, or tuition – presents options. These options center on the “payment gateway” and on the application you will either buy from a third party (e.g. InfoSnap, Final Site, CamperReg) or develop with your in-house IT staff. Each option carries a different profile of convenience to staff and parents, data security risk, and cost. Diamond Mind staff aim to help you make a wise and appropriate selection for your school by educating you on the options. Explaining the typical methods of online credit card acceptance and assisting your IT staff in determining the approach that fits your school’s willingness to assume risk is a reflection of our commitment to PCI Compliance.

We also provide online access to a complimentary wizard created by ScanAlert – a leading provider of PCI Compliance to Fortune 500 companies nationwide. The complimentary wizard leads you through an interactive self-assessment questionnaire to identify vulnerabilities throughout your network and provide you with suggested fixes to strengthen those areas of weakness. It also provides you with a comprehensive security policy and an appropriate methodology for implementation, before finally creating a downloadable Certificate of PCI Compliance once you’ve met all the standards.

What if there’s a data breach and you’re not PCI Compliant?

The penalties vary depending on the school’s record of good-faith efforts and can be extremely serious if the institution is found to be non-compliant. Schools can be barred from processing credit card transactions, charged higher processing fees, or, in the case of a serious security breach, fined up to $100,000 for each instance of non-compliance.

We believe that data security breaches are a real danger but also largely preventable. Now that the major card brands – Visa, MasterCard, American Express, and Discover – require PCI compliance and have set the standards for us, you have both the obligation and the means to protect your own financial information and, equally importantly, the personal information of your students and their families. Schools only need to invest the time to do so.

For more information on PCI Compliance, explore http://www.PCIStandards.org
To access our PCI Compliance wizard, visit our home page