Relieving the burden of a hosted solution – the impact of PA-DSS.

In Brief:

  • When an institution purchases a PA-DSS validated product, they not only receive the software application, but also take on the responsibility for the infrastructure support and maintenance that will support the application.
  • With a PA-DSS validated product, institutions may need to do more work in-house to maintain the necessary levels of information security.
  • Partnering with a provider who maintains Level 1 PCI-DSS Service Provider can relieve institutions of most of the burden of securing payment information, allowing them to focus their energies on providing students with educational opportunities.

Share

Author: Linda Hansen

With nearly 10 years’ experience in writing proposals, Linda enjoys collaborating with various security and technical staff to provide pertinent answers to clients’ concerns. She joined Nelnet Campus Commerce in 2019, bringing experience in journalism, customer support, and business writing to her role as Proposal Writer. When not answering long lists of questions, Linda can be found reading fiction or playing board games.

View all posts by Linda Hansen

Blog Post

As campus IT and business offices evaluate their processes in the wake of COVID-19 restrictions, changing campus policies, and ever-evolving technology priorities, keeping payments compliance top of mind is critical. Maintaining compliance for software applications that process payments is demanding, requiring regular audits and reports as well as knowledgeable, credentialed staff.

The security of cardholder information is of the highest importance. Institutions face a choice: Install a software application on premise and maintain PCI-DSS compliance for all payments processed on your campus, or partner with a Software as a Service (SaaS) vendor or Application Service Provider (ASP) who maintains the software to PCI-DSS compliance, reducing the institution’s compliance scope.

Historical overview

Payment processing applications are governed primarily by the Payment Card Industry Security Standards Council (PCI SSC), which maintains security policies and procedures based on requirements from the major payment brands, like VISA.

“PCI-DSS covers the security of the environments that store, process, or transmit account data,” said Patricia Ellington, IT Manager for Cyber Security at Nelnet Business Services (NBS). “This includes requirements for the security management, policies, procedures, network architecture, secure software design, security awareness training, and other critical protective measures.”

The Payment Application-Data Security Standard (PA-DSS), established in 2008, is derived from the PCI-DSS, and details payment application requirements to be PCI-DSS compliant (and therefore what a payment application must support to facilitate the school’s PCI DSS compliance). PA-DSS requirements are intended to help software vendors develop secure payment applications that support PCI-DSS compliance when installed within their customer’s PCI-DSS environment.

“In other words, PA-DSS validated payment applications must facilitate – not prevent – PCI-DSS compliance,” Ellington said. “When a school purchases a PA-DSS validated product, they receive a software application and the responsibilities for the infrastructure support and maintenance that will support the application; installing the application in a PCI-DSS complaint manner; and maintaining, administering and supporting the application, all within their PCI-DSS environment.”

This entails a lot of work for the institution. IT staff will use the vendor’s Implementation Guide to install the application on premise in a PCI-DSS compliant manner. The PA-DSS software is required to meet all PCI DSS requirements, including:

  • Having a process for securely deleting stored cardholder data that exceeds defined retention;
  • Configuring and patching systems supporting the application to meet configuration standards;
  • Implementing file integrity management, anti-virus, and audit logging on the systems that support the application.

Compliance requirements vary depending on the number of transactions processed annually by an institution. A smaller institution with a limited number of transactions per year may be able to complete a Self-Assessment Questionnaire (SAQ), a self-validation tool to assess security for cardholder data. Large institutions that process high volumes of payment transactions may be required to work with a PCI Qualified Security Assessor (QSA) to complete more in-depth assessments, with the level of certification depending on the number of annual transactions.

“Nelnet Campus Commerce is PCI Level 1 assessed based on the number of transactions we process annually,” Ellington said.

A PCI-DSS assessment can take around two or three months, and will evaluate evidence for compliance with PCI standards that covers an entire year. This validates that their business as usual activity — the activity throughout the year, not just during the evaluation period — supported PCI-DSS compliance requirements.

“The PCI-QSA annually confirms you are meeting both technical and non-technical requirements throughout the year. In order to accomplish this, the PCI-QSA requires evidence, interviews and also some hands-on reviews of devices, files and procedures during the assessment period.” Ellington said.

The PCI-QSA is assuring that you meet all PCI DSS requirements.

“Many people are unaware that there are many non-technical requirements that are evaluated, including hiring practices, security awareness training, assigning roles and responsibilities to meet the requirements, maintaining and testing incident response, and creation of policies, standards and processes to support the intent of the requirements,” Ellington said. “There are also many technical requirements, including periodic reviews of firewalls and routers, file integrity monitoring, anti-virus and malware protection, backup and restoration validations, logging activities, meeting retention requirements, timely patching of devices, operating systems and applications, and vulnerability management, including internal and external quarterly scans and annual penetration tests.”

Those are just some of the many technical requirements that will need to be maintained and will be reviewed by the PCI-QSA.”

Relieving the burden – a hosted solution

On the other hand, institutions that choose vendor-hosted solutions or SaaS software find that they have reduced their compliance scope, since the application software provider is then responsible for ensuring that the hosted environment is secure.

“The PCI SSC does not require that an entity use a PA-DSS validated application. An application with the PA-DSS certification only denotes that the application can be configured to meet PCI-DSS requirements,” Ellington explained.

When a client decides to use our PCI-DSS validated SaaS solutions, they know that NBS adheres to industry-leading PCI standards to manage our network, secure our web-based applications, and set policies across our organization. NBS has its own cyber security group, which works closely with the corporate cyber security group of parent company Nelnet, Inc. Together we employ an array of experts in compliance and security. We are assessed as a Level 1 PCI-DSS Service Provider, which means that NBS is responsible to ensure that:

  • A PCI DSS assessment is completed annually by an external PCI-Qualified Security Assessor (PCI-QSA)
  • A vulnerability management process is in place that includes regular scans and penetration testing as well as timely patching based on risk:
  • The application is developed, installed, configured and maintained to meet or exceed PCI-DSS requirements
  • Security appliances are in place and monitored, and engineering staff are alerted of any anomalies
  • Incident Response, Disaster Recovery, and Business Continuity Plans are in place, tested and validated

“We ensure that PCI compliance is part of our business as usual process by monitoring security controls; reviewing hardware and software technologies to ensure they are supported by the vendor and meet security standards; evaluating changes to the environment or the organizational structure; performing periodic reviews and communications to confirm all PCI-DSS requirements continue to be in place and personnel are following secure processes; and verifying that appropriate evidence is maintained to assist in the PCI-DSS compliance assessment,” Ellington said.

Building trust

While protecting cardholder data is key, institutions must take into account the full scope of their compliance responsibilities. This becomes especially important as many institutions are facing tighter budgets. In order to continue to best serve your students and the broader school communities of alumni, sports fans, and neighbors, institutions must be able to provide flexible payment options that are mobile-device friendly and secure.

Partnering with a provider who maintains Level 1 PCI-DSS Service Provider can relieve institutions of most of the burden of securing payment information, allowing institutions to focus their energies on providing their students with educational opportunities.

“Knowing that NBS is taking the above responsibilities provides our customers assurance that we are taking the proper steps to secure the data they have entrusted to us,” Ellington said.