Highway to Hell or Stairway to Heaven…One University's Journey to PCI DSS Compliance
Wendy Tchoursine
University of Saskatchewan
Wendy Tchoursine is a seasoned IT project leader with experience in healthcare and higher education. She is currently the PCI Compliance Program Manager, Information Communications and Technology for the University of Saskatchewan, where she oversees the planning and implementation of PCI projects. Over the past year she has managed the PCI remediation projects which brought the university to compliance with PCI DSS v3.1. She has overseen a variety of IT projects using both conventional and agile project management methodologies. In addition to her BSc in Computer Science from the University of Saskatchewan, she holds PMP, ITIL-F and lean green belt certifications.
Abstract
In the fall of 2014, the University of Saskatchewan undertook to have external auditors perform a formal Payment Card Industry Data Security Standard (PCI DSS) compliance gap analysis of its payment card systems. The gap analysis and compliance report confirmed that the university was not compliant with PCI DSS v2 or v3. The requirement to be compliant with the PCI DSS has been a challenge not only for the U of S but for many Canadian universities, based on the governance and financial models they use and the open-architecture IT networks deployed. Recently, acquiring banks have been demanding proof of PCI DSS compliance from universities.
In April 2016, the U of S successfully met its PCI DSS compliance deadline as demanded by its acquiring bank, but the road to compliance has not been without its trials and tribulations. The usual project challenges were present, such as securing resources, conflicting priorities, and buy-in from senior leaders. Compounding these challenges were significant changes required to the network architecture, implementation and rollout of new technologies including a configuration management system, a password authentication manager, and expansion of vulnerability management scanning, two-factor authentication and information security policies.
Key takeaways will include lessons learned to manage PCI compliance projects at a university.
Authors
Wendy Tchoursine (University of Saskatchewan)
Topic Areas
Data privacy and security, Women in technology, Other
Session
CM2.1 » Data Privacy and Security (10:00 - Tuesday, 21st June, CCIS 1-430)