Purpose

To determine whether selected State University of New York (SUNY) schools are in compliance with Payment Card Industry (PCI) standards and whether SUNY System Administration has provided sufficient guidance to the campuses regarding PCI compliance. The audit covers the period August 25, 2015 to March 22, 2016.

Background

The State University of New York (SUNY) is the largest comprehensive university system in the United States, consisting of 64 institutions and about 460,000 enrolled students. SUNY System Administration (System Administration) acts as the governance arm of the SUNY system, and provides the various SUNY schools with centralized services and support. System Administration also defines various policies and procedures that apply to all State-operated SUNY schools. This includes procedures addressing the actions required of all institutions to protect the confidentiality of sensitive data, including complying with industry standards. System Administration also evaluates schools’ system security through the use of internal security-based questionnaires.

All industries that accept credit cards as a method of payment must comply with the Data Security Standards (DSS) established by the PCI Security Standards Council. The PCI DSS is a set of technical and operational requirements designed to protect cardholder data. SUNY schools accept credit cards as a method of payment (e.g., for tuition, housing, and meals), and as such must comply with the PCI DSS to protect against electronic security breaches and theft of payment card data. Entities that do not comply with PCI DSS may be subject to fines and penalties, as well as lose the ability to accept credit card payments.

Key Findings

• SUNY schools were generally knowledgeable about PCI compliance and the need to protect credit card data from unauthorized access; however, we identified areas where system and data controls need to be improved to meet certain compliance standards. Among a range of issues, we identified weaknesses in: the completeness of systems’ component inventories; network segmentation; the resolution of compliance deficiencies; and the oversight of affiliated campus organizations.
• Guidance provided by System Administration could be further developed to help assist SUNY schools with addressing and maintaining compliance with PCI DSS requirements.

Key Recommendations

To SUNY Schools visited:

• Implement the recommendations contained in the detailed preliminary reports.

To System Administration:

• Develop strategies to enhance compliance with PCI DSS and improve monitoring of PCI compliance at all SUNY colleges.
• Revise contract templates for affiliates to address PCI DSS regulations and require affiliates’ compliance.

Other Related Audits/Reports of Interest

Office of Information Technology Services: Security and Effectiveness of Department of Motor Vehicles’ Licensing and Registration Systems (2013-S-58)
State Education Department: Security Over Online Registration Renewal and Teacher Certification (2008-S-154)