Rutgers Shares PCI DSS Compliance, Security Insights
How can higher education institutions maintain Payment Card Industry Data Security Standard (PCI DSS) while mitigating new risks to security? This is a question with heightened relevance; in fact, “the security aspect of it is more important than ever” amid COVID-19-induced changes to payment process, according to Tatiana Miller, CPA, manager of E-commerce and Receivables. This inquiry guided the focus of Miller’s presentation at the Treasury Institute for Higher Education’s 2022 PCI DSS workshop, “Managing Risk: Digital Payments, Cards, and Beyond.”
In an interactive session with Christie McCloskey, senior vice president of PNC’s Public Finance Treasury Management Division, and Jim Mullane, vice president and product lead within PNC’s Corporate & Investment Banking Division, Miller tackled strategies that have helped Rutgers University to nimbly follow PCI DSS standards while adapting to an evolving payment landscape that is now relying on digital means to an increasing and unprecedented degree.
“We were so focused on checks and a lot of other in-person activity because we were in the office, and then suddenly everyone was remote, and we really needed to figure out how to get paid for some of the services that the university provides, and that’s where we’ve seen an uptick in electronic payment activity,” Miller attested.
The transition from physical payment methods like checks to digital options dovetails with the need for awareness of PCI DSS compliance protocols and measures that support credit card data security. For the past three years, University Treasury has devoted its focus to these two parts of electronic payment processing for central receivables through its PCI DSS compliance program. The initiative has been so transformative that, in the time leading up to the 2022 PCI DSS workshop, PNC approached Miller and University Treasury’s associate vice president and associate treasurer at that time to speak about the insights that derived from this endeavor.
“They felt like it would really resonate with the other university representatives in attendance because the need for more electronic payment offerings, central oversight for payments and receivables, and PCI compliance is something that they’ve been hearing from many of their clients; a lot of universities are focusing on electronic payments and data security,” Miller said.
At the workshop, Miller took attendees through the various stages of Rutgers’ PCI compliance program. It began with an internal audit aimed at reviewing the university’s practices around PCI compliance and just how closely major departments with a high volume of credit card transactions were following PCI DSS standards. University Treasury also reviewed the equipment used to process credit card transactions for digital purchase-driven areas like athletics, recreation, and dining.
The audit identified aspects that “definitely needed improvement, both from the perspective of central treasury oversight, as well as from the standpoint of what our departments were doing and how they were interacting with credit card data, securing that data, and so on and so forth,” Miller said.
From there, University Treasury staff, including Miller, engaged a third-party consultant dedicated to PCI DSS compliance. Their collaboration with the consultant led to the establishment of a portal, where all the university’s data is now organized for all merchants, defined as anyone who accepts credit cards at Rutgers. The portal is used to house each merchant’s Self-Assessment Questionnaire (SAQ), a resource used to support PCI DSS compliance. Merchants use the portal to confirm their PCI compliance on an annual basis, track their equipment, and store their department’s PCI procedures. This gives Treasury oversight into the stages of completion of all SAQs, providing a pathway for follow-up with merchants as needed.
The team also worked in collaboration with the Office of Information Technology’s Information Protection and Security department to develop a formal annual PCI training program. “We’re supposed to train our university population that handles credit cards on an annual basis,” Miller said. “It’s a mandatory requirement for PCI DSS, and we weren’t really doing that; we were kind of training them once when we set them up, and then not again.”
The advent of the portal and the annual training program is the result of University Treasury’s interplay not only with the third-party consultant, but also with the University Finance and Administration (UFA) Project Management Office and the Office of Information Security. By embodying University Finance and Administration’s guiding principles, including accountability, support and collaboration, and strategic alignment, the departments worked together to bring about a better infrastructure to support PCI DSS compliance while reducing the risk for credit card data compromise.
“We’ve come a long way in the past three years,” Miller reflected. The progress that University Treasury and Rutgers at large have made in upgrading and streamlining collections and receivables in this PCI DSS context provided the content for Miller’s presentation, underscoring Rutgers’ status as a leader in the higher education arena. And in a testament to one of UFA’s key values, support and collaboration, Rutgers, University Treasury, and Miller can be expected to continue bolstering the related processes at the university and beyond, while taking cues from what colleagues at other institutions in this space are doing.
“The meeting led to a lot of great contacts to reach out to about some of these things, because it’s really such a small population that even knows what PCI DSS is,” Miller concluded. “So, to have some of these peers that I’ve been able to make contact with and have as a resource to reach out to is going to be extremely helpful for me as I work on some of the changes that we are going to implement.”