Data Security (PCI DSS)
Does your college or university comply with the payment card industry's (PCI) data security standards (DSS)? To avoid fines and possible service interruptions, our PCI DSS specialists can assess your situation, recommend needed remediation, and help with compliance.

PCI DSS Compliance:  Keep the registrar’s office humming: meet PCI DSS requirements

Can you imagine if your registrar's office could not accept credit and debit card payments for tuition and fees? That could happen if you do not meet and document the Payment Card Industry (PCI) Data Security Standard (DSS) requirements.

PCI DSS compliance is required for all organizations that store, process, or transmit cardholder data, including higher education institutions, hospitals, and retailers. The number of cardholder transactions performed annually determines the process necessary to obtain PCI DSS compliance.

For higher education institutions that process fewer than six million transactions annually, the process starts with selecting and completing the correct self-assessment questionnaire (SAQ). As stated in the SAQ, annual internal vulnerability scanning, quarterly external vulnerability scanning (performed by a PCI approved scanning vendor), and penetration testing are PCI DSS requirements for compliance. See full details below:

Compliance Requirements*

Number of transactions per annum | Self-assessment questionnaire (SAQ) | Network security scan by an ASV | On-site audit by a QSA
More than 6 million              | N/A                                 | Required quarterly              | Required annually
1 to 6 million                   | Required annually                   | Required quarterly              | N/A
20,000 to 1 million              | Required annually                   | Required quarterly              | N/A
All others                       | Required annually                   | Required quarterly              | N/A

*This is Visa, Inc.'s standard

Penalties for PCI DSS non-compliance can be steep

If universities and colleges do not meet PCI DSS requirements, major payment card companies, such as American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., can deny them access to their card payment services.

How can you protect your organization?

Plante Moran is a PCI qualified security assessor (QSA) and a PCI DSS approved scanning vendor (ASV). Our experienced team of technology experts who specialize in higher education can guide you through the PCI DSS requirements. Our technology specialists can help you determine your path to PCI DSS compliance by assessing your current situation. Do you need an on-site assessment, or can you complete a self-assessment questionnaire (SAQ)? If you have to complete an SAQ, our consultants can help determine which version you need, as there are multiple versions of the PCI DSS SAQ.

Once it is decided which version you should use, our technology professionals can also assist you with:

  • The completion of the self-assessment questionnaire 
  • Scoping and performing the annual internal network scans 
  • Scoping and performing the quarterly external network scans 
  • Scoping and performing annual internal and external penetration assessments

Should any deficiencies be detected in the scans, you can depend on our specialists to recommend cost-effective ways to remedy them, thereby mitigating your risk. If needed, a follow-up scan will be performed to satisfy the PCI DSS requirements.

PCI DSS vulnerabilities detected, remediation recommended

Once all facets of the assessment are complete, we will provide you with a management-level report summarizing the total vulnerabilities found, the level of risk for each vulnerability, and your overall PCI DSS compliance status. An in-depth report on the vulnerabilities detected, along with recommendations for remediating each finding, will go to your IT staff.

"We've worked with Plante Moran on a wide variety of consulting projects, including a new ERP system, storage area network, video on demand, and process redesign. Their technology team guided us through these projects, providing technical and business expertise. Their knowledge and professionalism gave us the comfort level we needed to make decisions and move forward. We plan on working with them for many more years and will continue to depend on them as we work with other two-year schools in Ohio to create a shared services environment."

Director of Information Systems & Services
Community College