PCI DSS Compliance: Keep the registrar’s office humming: meet PCI DSS requirements
Can you imagine if your registrar's office could not accept credit and debit card payments for tuition and fees? That could happen if you do not meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS compliance is required for all organizations that store, process, or transmit cardholder data, including higher education institutions, hospitals, and retailers. The number of cardholder transactions performed annually determines the process necessary to obtain PCI DSS compliance.
For higher education institutions that transmit fewer than six million transactions annually, the process starts with the proper selection and completion of a self-assessment questionnaire (SAQ). As stated in the SAQ, annual internal vulnerability scanning, quarterly external vulnerability scanning (performed by a PCI-approved scanning vendor, or ASV), and penetration testing are PCI DSS requirements for compliance. See full details below:
Compliance Requirements*

| Number of transactions per annum | Self-assessment questionnaire (SAQ) | Network security scan by an ASV | On-site audit by a QSA |
|---|---|---|---|
| More than 6 million | N/A | Required quarterly | Required annually |
| 1 to 6 million | Required annually | Required quarterly | N/A |
| 20,000 to 1 million | Required annually | Required quarterly | N/A |
| All others | Required annually | Required quarterly | N/A |

*This is Visa, Inc.'s standard
Penalties for PCI DSS non-compliance can be steep
If universities and colleges do not meet PCI DSS requirements, major payment card companies, like American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., can deny them access to their credit services.
How do you protect your organization?
Plante Moran is a PCI qualified security assessor (QSA) and a PCI DSS approved scanning vendor (ASV). Our experienced team of technology experts who specialize in higher education can guide you through the PCI DSS requirements. Our technology specialists can help you map out your path to PCI DSS compliance by assessing your current situation. Do you need an on-site assessment, or can you complete a self-assessment questionnaire (SAQ)? If you have to complete an SAQ, our consultants can help determine which version applies to you, as there are multiple versions of the PCI DSS SAQ.
Once it is decided which version you should use, our technology professionals can also assist you with:
- The completion of the self-assessment questionnaire
- Scoping and performing the annual internal network scans
- Scoping and performing the quarterly external network scans
- Scoping and performing annual internal and external penetration assessments
Should any deficiencies be detected in the scans, you can depend on our specialists to recommend cost-effective ways to remedy them, thereby mitigating your risk. If needed, a follow-up scan will be performed to satisfy the PCI DSS requirements.
PCI DSS vulnerabilities detected; remediation recommended
Once all facets of the assessment are complete, we will provide you with a management-level report that summarizes the total vulnerabilities found, the level of risk for each vulnerability, and your overall PCI DSS compliance status. An in-depth report on the vulnerabilities detected, along with recommendations for remediating each finding, will go to your IT staff.