Perhaps one of the biggest challenges that the higher education sector faces today is the threat of a data breach. According to Verizon’s 2016 Data Breach Investigations Report (DBIR), the education sector ranked sixth overall in the U.S. for the total number of reported “security incidents” in 2015.
With large quantities of student and faculty information on hand, complicated information systems and distributed environments spread across departments, higher education institutions are a lucrative target for hackers. In fact, education’s cost per record comes in at a staggering $300, second only to the most breached industry, healthcare, at $363 per record.
In 2016, there were 1,093 reported data breaches, a 40% increase over the 2015 data breach number of 781. Data breaches commonly occur at the point of sale (POS), where payment data is collected. Malware is the most common cause of a POS breach, and like most industries, higher education has experienced an increase in malware breaches, accounting for 35% of incidents in 2015, up from 26% in 2015.
Verizon's DBIR states that there are five malware attacks every second, or 170 million each year. As data breach statistics continue to rise, securing card payment data and maintaining PCI compliance becomes both more important and more challenging for higher education.
Treasury Institute PCI DSS Workshop
The continuing rise in data breaches in the higher education sector will certainly be top of mind at next week's Treasury Institute for Higher Education's PCI DSS Workshop, held April 23-26, 2017 in Orlando. The workshop is geared toward business and financial professionals within the higher education sector who are responsible for PCI DSS compliance, and explores the various PCI compliance challenges facing higher education institutions. The goal of the event is to create a deeper understanding of PCI and how institutions can achieve and maintain compliance, as well as to offer the opportunity to network with peers facing the same challenges.
General Session – The State of Data Breaches in Education
Treasury’s Wednesday General Session, appropriately titled The State of Data Breaches in Education, offers an in-depth look into malware, data breaches and how educational institutions can protect themselves from fraud.
The session includes Middlebury College’s Jane Aube, Loan Programs and Compliance Specialist, Student Financial Services, and Ruston Miles, CPP, PCIP, Chief Innovation Officer, SVP, of Bluefin Payment Systems. The session provides a detailed overview and case study on PCI-Validated Point-to-Point Encryption (P2PE) and its role in devaluing card data, securing network systems, and reducing PCI compliance scope. Specifically, the session will discuss:
- The current state of payment security, including 2016 breach numbers
- How malware operates to steal card data
- The role of EMV, Tokenization and P2PE
- The origin of PCI-validated P2PE and how it differs from non-validated solutions
- PCI-validated P2PE scope reduction and cost benefits
- Use cases for PCI-validated P2PE in the educational setting
- Industry Case Study: Middlebury College’s Implementation of PCI-validated P2PE
P2PE – Why it Works
Bluefin and Middlebury's session will take a deep dive into PCI-validated Point-to-Point Encryption, detailing how and why it works. PCI-validated P2PE, which differs from end-to-end encryption, is a payment security solution that encrypts cardholder data inside the card-reading device at the moment the card is swiped, so that the data never exists in clear text on the POS or the merchant network where malware could capture it.
In 2011, the PCI SSC introduced PCI-validated P2PE as the solution that prevents clear-text card data from entering the POS while reducing PCI scope. The “gold standard” of P2PE products, PCI-validated P2PE can only be offered as a validated P2PE solution by companies that have been audited and approved by PCI.
In March 2014, Bluefin Payment Systems became the first North American company to receive PCI validation for a P2PE solution. Bluefin's PCI-validated P2PE solution encrypts cardholder data at the point of interaction (POI) in a PCI-approved P2PE device, preventing clear-text cardholder data from ever being present in a merchant's or enterprise's systems or network, where it could be accessed in the event of a data breach.
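As an added illustration (not Bluefin's code and not the PCI SSC's specification), the following Python model shows the data flow described above: the card reader encrypts the PAN before it reaches the POS, the merchant's system stores and forwards only ciphertext plus the truncated PAN, and only the solution provider's decryption environment can recover the card data. The HMAC-SHA256 counter-mode keystream, the device id, the key and the test PAN are constructed stand-ins for the DUKPT-based TDES/AES schemes and hardware key storage that real P2PE devices use.

```python
"""Constructed model of the PCI-validated P2PE data flow (added example,
not Bluefin's code). HMAC-SHA256 in counter mode stands in for the
DUKPT/TDES/AES encryption performed inside a real secure card reader."""
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style XOR: keystream block i = HMAC-SHA256(key, nonce || i).
    XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


class PoiDevice:
    """Point-of-interaction device. The key exists only here (in tamper-
    resistant hardware on a real device) and in the decryption environment;
    the merchant never holds it."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def read_card(self, pan: str, expiry: str) -> dict:
        """Encrypt card data before it leaves the reader. Only ciphertext and
        non-sensitive fields are handed to the POS software."""
        nonce = secrets.token_bytes(16)
        ciphertext = _keystream_xor(self._key, nonce, f"{pan}|{expiry}".encode())
        return {
            "device_id": self.device_id,
            "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(),
            "last4": pan[-4:],  # truncated PAN may be stored in the clear
        }


class MerchantPos:
    """The merchant's POS and network. It logs and forwards the blob but has
    no key, so a compromise here yields no usable card data."""

    def __init__(self):
        self.log = []  # everything the merchant environment ever sees

    def process(self, blob: dict) -> dict:
        self.log.append(json.dumps(blob))
        return blob


class DecryptionEnvironment:
    """The P2PE solution provider's decryption environment, keyed per device."""

    def __init__(self):
        self._keys = {}

    def register_device(self, device_id: str, key: bytes) -> None:
        self._keys[device_id] = key  # key injection happens out of band

    def decrypt(self, blob: dict) -> tuple:
        key = self._keys[blob["device_id"]]  # KeyError for an unknown device
        plain = _keystream_xor(key, bytes.fromhex(blob["nonce"]),
                               bytes.fromhex(blob["ciphertext"]))
        pan, expiry = plain.decode().split("|")
        return pan, expiry


def run_transaction(pan: str = "4111111111111111", expiry: str = "1225") -> dict:
    """One end-to-end transaction with a constructed key and a test PAN.
    Returns the facts an assessor would check for scope reduction."""
    key = secrets.token_bytes(32)
    device = PoiDevice("POI-0001", key)
    decryptor = DecryptionEnvironment()
    decryptor.register_device(device.device_id, key)
    pos = MerchantPos()

    blob = pos.process(device.read_card(pan, expiry))
    recovered = decryptor.decrypt(blob)
    return {
        "merchant_saw_pan": any(pan in line for line in pos.log),
        "merchant_saw_last4": blob["last4"] == pan[-4:],
        "decryptor_recovered": recovered == (pan, expiry),
    }


if __name__ == "__main__":
    print(run_transaction())
```

The scope-reduction argument rests on `merchant_saw_pan` being false: a memory scraper on the POS would capture only `nonce`, `ciphertext` and `last4`, none of which is cardholder data in the PCI DSS sense. Note that this is what distinguishes validated P2PE from "end-to-end" products where the POS application itself holds a key or sees the PAN, even briefly, before encrypting.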
P2PE – Middlebury’s Perspective
The final portion of Bluefin and Middlebury’s general session will serve as a live case study, offering Middlebury’s perspective on the importance of PCI-validated P2PE and the benefits the institution has seen from adopting the solution.
Jane Aube will be asked the following questions, giving educational professionals a first-hand account of Middlebury's P2PE experience.
- What made Middlebury become interested in implementing a P2PE solution?
- Why did you see it as important to choose a P2PE solution that was PCI-validated?
- What challenges – technology or adoption – did you have to overcome to implement P2PE?
- In adopting a P2PE solution, what were some of the considerations in terms of Finance and IT?
- What are your thoughts on the increasing number of card data breaches in higher education?
Jane Aube's answers will help educational professionals to better understand how PCI-validated P2PE solutions can be successfully implemented, as well as the results Middlebury has seen since its adoption.