Payment data is an asset that is essential for the operation of your institution, but it is also one of the major hidden financial and reputational risks that universities and colleges face.
Payment data, when combined with personal data, is classified as Personally Identifiable Information (PII) and is a highly desirable and lucrative asset for hackers.
Why is the Payment Card Industry Data Security Standard (PCI DSS) Not Enough?
Many institutions now recognise their obligation to protect card payment data and comply with the PCI DSS. Non-compliance with the PCI DSS is penalised by the institution’s acquirer(s), although fines are set at a level that some institutions choose to accept rather than attempting PCI DSS compliance.
If you are processing payment card data, you are obliged to comply with the Payment Card Industry Data Security Standard. The PCI DSS outlines a number of specific technical and organisational measures that the payment card industry considers applicable whenever such data is being processed.
Protecting PII is enshrined within the UK’s Data Protection Act 2018, and in what the Information Commissioner’s Office (ICO) refers to as the GDPR’s “security principle”.
Although compliance with the PCI-DSS is not necessarily equivalent to compliance with the GDPR’s security principle, if you process card data and suffer a personal data breach, the ICO will consider the extent to which you have put in place measures that PCI-DSS requires, particularly if the breach related to a lack of a particular control or process mandated by the standard*.
The consequences of a data breach under those regulations could have much greater repercussions for an institution, both with respect to reputational damage and significant financial loss, whether through fines or increasingly through potential compensation claims.
The Importance of Culture Change
Institutions urgently need to go further in securing their payment data. Most institutions in the UK currently operate within a PCI DSS compliance culture, meaning their main focus is on working towards once-per-year compliance. This is not enough to ensure sustained compliance with PCI DSS and data protection legislation, and it significantly raises the risk of human error or criminal activity resulting in a data compromise or financial loss.
Institutions need to adopt a payment security culture which focuses on implementing a sustainable payment security programme that looks at how the payer and the institution can be protected every single day. It is an essential business-as-usual activity and is only achieved via cross-departmental partnerships, which in turn protect the entire institution.
A Need to Act Now
Institutions still have an opportunity to proactively address this threat. Payment security needs to be owned at a senior level in universities, with senior leaders committed to enshrining a culture of “payment security” rather than “cyclical compliance”. Dedicated resources are needed to set up and drive forward a payment security initiative so that institutions can demonstrate they are meeting and exceeding PCI DSS compliance requirements and protecting their customers’ payment information.
Download WPM Payment Security’s Free White Paper ‘Falling Through the Gaps? The Payment Security Risks Every Senior University Leader Needs to Act on Now’ to read more.
In recognition of the challenges the sector currently faces around successfully addressing payment security, and the wider COVID-19 implications on staff resources and budgets, WPM is currently making the PSMS, as well as general payment security support and advice, available to the sector free of charge.