Verizon recently released its Payment Security Report 2020*, the headline finding being that in 2019 only 27.9% of organisations achieved 100% compliance at their interim compliance validation, a percentage that has been in continuous decline since 2016.
Payment Security in the Higher and Further Education Sectors
Nearly 10 years ago, the UK’s higher and further education sectors came together to create a membership organisation called the PCI DSS Special Interest Group (PCI DSS SIG), which supports members as they work together to achieve and maintain compliance. Members also benefit from a comprehensive PCI DSS training and qualification programme, as well as access to member events, resources and knowledge sharing.
Yet in 2019, even with the support of the PCI DSS SIG, far fewer than 100% of members reported achieving compliance even once in the year. Sustaining compliance between validations is harder still, so potentially even fewer higher and further education institutions are protecting payment-related information all of the time. Unsurprisingly, the sector is reported to be a target for cyber crime, and the start of the 2020/21 term saw a spate of indiscriminate and well-publicised cyber-attacks on both universities and colleges.
Effective Security Depends on Long-Term Thinking
A key reason that organisations are struggling to achieve continuous compliance, argues Verizon, is a lack of long-term security thinking. In universities and colleges, responsibility for achieving PCI DSS compliance often sits squarely with the finance team, whereas long-term data security and compliance success requires the combined efforts of multiple roles across the organisation. For that to succeed, senior management needs to ensure that a security culture is embedded at every level of the institution and aligned with PCI DSS compliance and other key organisational requirements.
The Role of Finance Leaders
While strong senior leadership in universities and colleges is required to create and execute a wider information security strategy, threats to payment-related data continue to increase and to reshape the payment security landscape in the meantime.
Finance leaders need to commit to driving forward a payment security initiative that will not only protect payment information and ensure sustained compliance with PCI DSS, but will also influence and impact how information security strategies are formed across the institution.
WPM Payment Security has invested significantly in creating a sector-specific package of resources and support called the WPM Payment Security Management System (PSMS) that will enable higher and further education institutions to drive forward a payment security initiative.
In recognition of the challenges the sector currently faces in addressing payment security, and of the wider implications of COVID-19 for staff resources and budgets, WPM is currently making the PSMS, together with general payment security support and advice, available to the sector free of charge.