Wednesday, July 29, 2015

Redistribution of Responsibility, Empowering the 99%

PCI compliance in a campus environment is akin to applying PCI to a small village. You are often dealing with a number of departments and schools that may have multiple ways of collecting and processing credit card payments. Too often the responsibility and burden of attesting to and maintaining PCI DSS compliance for a university is given to one poor soul in the Treasury or IT Security group. Not only does this individual have the joy of performing this task alone, they usually have no authority over the groups they are tasked to bring into compliance. This 'prophet in the wilderness' scenario where one individual is preaching PCI to the unrepentant masses is a recipe for failure. To build a successful campus compliance plan, try redistributing the knowledge and responsibility of PCI DSS compliance among the employees and administrators of the various campus entities that have chosen to accept credit card payments.

Before you begin to build such a distributed campus compliance model, you should attempt to get the appropriate authoritative backing. Begin discussing the importance of PCI compliance and cardholder data security with management (VP of Finance, CIO, etc.). Help them to understand the potential cost the institution would face in the event of a breach, or the fines that could be levied by the merchant bank for non-compliance. It will be important to have this executive backing when you begin to work with individual campus merchants.

Once you have gained a sufficient amount of executive backing, spend some time reviewing the PCI DSS requirements that each merchant identified during the discovery phase (see the blog post titled "Understanding Your PCI Scope, a Journey of Discovery") will need to comply with. Determine which of these requirements will be handled centrally (either by central IT, the treasury, or another support group) and which can be delegated to the individual campus merchant. For most institutions, policies are managed centrally while most procedural documentation can be managed by each campus merchant. Institutions with a consolidated central IT group may also manage firewall rules (PCI DSS requirement 1), provide antivirus (requirement 5), perform vulnerability scans (requirement 11), manage data center security (requirement 9), etc. Some institutions will have the treasury manage service provider relationships centrally (requirement 12.8), while others will leave the annual compliance monitoring of service providers to each merchant. Usually the processes and procedures surrounding the securing of physical media, the security of POI devices (requirement 9.9), and ensuring that security awareness training has been properly performed would remain the responsibility of the individual campus merchant. If it makes sense to centralize the deployment of a PCI control, that responsibility could be removed from the campus merchants. For areas where procedures must be tailored to the individual merchant, or where centralization does not provide improved efficiencies, you are better off leaving the responsibility with each campus merchant. By the end you should have a responsibility matrix for each campus merchant that identifies the group that will be responsible for each applicable PCI control. For a good example of such a responsibility matrix, look at the Windows Azure Customer PCI Guide.

Redistributive philosophies are not always popular and may be difficult to pull off, but the benefits are worth the effort. Gaining appropriate administrative support and assigning compliance responsibilities to groups throughout the campus will take a great deal of time and effort, but in the end you will have a sustainable compliance framework that can guide the institution's compliance efforts.