How to Mitigate Payment Security Risks in Higher Education

Higher education institutions are frequent targets of cyberattacks, mainly due to the large amount of sensitive data they collect and store and the added complexity of their ecosystems. I often describe the combination of things institutions provide as a "mall of services." In addition to higher education, institutions provide dining services, housing and accommodations, gym memberships, donations and endowments, and athletic events. They also support a multitude of campus departments and organizations.

Ensuring robust security to mitigate risks and protect the sensitive data collected as part of all those operations is complex. It should come as no surprise, then, that security is one of the top concerns of the more than two hundred higher education IT leaders recently surveyed by Flywire. In fact, 98 percent of the IT leaders we surveyed expressed an increased need to focus on security and cyber threats to their institution.^Footnote1 Of course, some areas of higher education operations are more vulnerable to security breaches than others. Financial operations is an area with particular and significant risks.

Here are some things higher education IT professionals should be aware of or consider to help reduce payment security risks:

Work toward PCI DSS v4.0 Compliance

Security threats to college and university networks and systems have changed drastically over the last few years. Such threats are constantly evolving and have become far more complex.

In response, the Payment Card Industry Security Standards Council has released Payment Card Industry Data Security Standard (PCI DSS) v4.0. Institutions should be working toward complying with the new standards by March 31, 2024, when the transition period comes to an end.

Key updates include the following:

• Security awareness: PCI v4.0 focuses on security awareness training for hiring and training employees, contractors, and third-party vendors.
• Enhanced validation methods: Ensuring that security controls are up-to-date and effective is critical. PCI v4.0 introduces new validation methods of segmentation controls and requirements for reviewing segmentation.
• Expanded scope: PCI v4.0 includes new requirements for securing emerging technologies, such as cloud computing, virtualization, and mobile payments. It also includes requirements for securing the supply chain and third-party service providers.
• Testing and risk assessment: PCI v4.0 offers a bit more flexibility in testing procedures but requires institutions to implement a formal process for detecting and responding to security incidents. This has shifted to a risk-based approach and compensating controls.

PCI v4.0 also updates many existing requirements to reflect changes in security threats and technology since v3.2.1 was released in 2018.

It's important to note that there is an increased emphasis on gathering evidence of an institution's vendors' PCI compliance under v4.0. Without it, an institution will not be classified as PCI compliant. While v4.0 has only just been released, the standards will continue to evolve to meet the ever-changing security landscape. In fact, Flywire will have a stronger voice, insight, and influence on these standards over the next two years, as the company has recently been appointed to the PCI Security Standards Council Board of Advisors.^Footnote2

Achieving PCI compliance is a significant undertaking, and higher education institutions grapple daily with the question of who the responsibility for PCI lies with. About 92 percent of IT leaders we surveyed believe that they are either solely responsible for the security of payment processes or that they share this responsibility with the finance/business office, and compliance cannot be achieved without effective cross-campus collaboration.^Footnote3

Double-Down on Digitizing Student Financial Processes

Human error is a major contributor to cybersecurity breaches, either as the unintentional consequences of actions taken or not taken. Reducing the opportunity for these errors to occur can also significantly reduce security risks. This is particularly true of payments in higher education, where manual processes and—at certain times of the year—volume make it easier for security breaches to occur, whether through innocent errors or foul play.

While most higher education institutions already encourage their students to pay online using a credit or debit card, finance teams still receive a number of payments via other methods. Both wire transfers and disbursements from 529 plans in particular require an almost entirely manual and time-consuming reconciliation process that can introduce risk.

Ensuring integrated workflows can also reduce manual errors. The IT leaders we surveyed indicated that integrating third-party software with their enterprise resource planning (ERP) and student information systems (SIS) was a top challenge and a major consideration in implementing new functionality.^Footnote4

Using a financial software solution that can offer convenient local and digital payment options while integrating seamlessly into key systems will not only reduce errors, delays, and security breaches, it will also provide a positive student experience—something that 97 percent of IT leaders believe IT departments have a critical role in delivering.^Footnote5

Foster Cross-Departmental Collaboration to Mitigate Security Risks

Educating staff and students on how to reduce security risks is a major part of ensuring high levels of security—and IT departments can't assume this task alone; there has to be cross-departmental collaboration. IT leaders are already experts at collaborating across their institutions, with 33 percent of them indicating that they work most closely with finance leaders (CFO, head of finance, bursars, or financial aid officers).^Footnote6 However, other departments still operate somewhat in silos, and a lack of cooperative thinking can leave institutions open to possible security breaches; therefore, it's important to break down silos when possible.

From billing and planning to payment and collection management, higher education IT leaders have a major opportunity to improve students' financial journey—and security is a massive part of that. To learn more about what IT leaders said, read our latest report An Inside Look at the Changing World of the Higher Ed IT Pro.

Discover how Flywire unifies students' financial journey by combining billing and payments with collection management software to streamline processes.

Notes

1. An Inside Look at the Changing World of the Higher Ed IT Pro, research report, (Boston, MA: Flywire, May 2023). Jump back to footnote 1 in the text.↩
2. "Flywire's Industry Leadership on Display in Election to PCI Board of Advisors," Flywire (website), n.d., accessed July 11, 2023. Jump back to footnote 2 in the text.↩
3. An Inside Look at the Changing World of the Higher Ed IT Pro, May 2023. Jump back to footnote 3 in the text.↩
4. Ibid. Jump back to footnote 4 in the text.↩
5. Ibid. Jump back to footnote 5 in the text.↩
6. Ibid. Jump back to footnote 6 in the text.↩

David King is Chief Technology Officer at Flywire.