State University of New York

 

Skip to Content

Login   Subscribe   Site Index   Contact Us   Google Translate™

NYS Comptroller

THOMAS P. DiNAPOLI

Taxpayers' Guide to State and Local Audits

State University of New York
Compliance With Payment Card Industry Standards (Follow-Up)


Issued: December 27, 2017
Link to full audit report 2017-F-24
Link to 30-Day Response

Purpose
To determine the extent of implementation of the three recommendations included in our initial audit report, Compliance With Payment Card Industry Standards (2015-S-65).

Background
Our initial audit report, which was issued on June 8, 2016, covering the period August 25, 2015 through March 22, 2016, determined whether selected State University of New York (SUNY) schools are in compliance with Payment Card Industry (PCI) standards and whether SUNY System Administration has provided sufficient guidance to the SUNY schools regarding PCI compliance. We found that although SUNY schools were generally knowledgeable about PCI compliance and the need to protect credit card data from unauthorized access, a range of weaknesses were still identified.  These weaknesses included issues concerning the completeness of systems’ component inventories; network segmentation; the resolution of compliance deficiencies; and the oversight of affiliated SUNY schools organizations.  The three recommendations in our initial audit report addressed the implementation of recommendations made to the various SUNY schools visited and detailed in preliminary reports, the enhancement of compliance and monitoring of PCI compliance at the SUNY schools, and the revision of contract templates by System Administration.

Key Finding
SUNY schools and SUNY System Administration have made significant progress in implementing the recommendations identified in the initial report. Of the three prior audit recommendations, two recommendations have been implemented and one recommendation has been partially implemented.

Key Recommendation
Officials are given 30 days after the issuance of the follow-up review to provide information on any actions that are planned to address the unresolved issues discussed in this review.

Other Related Audit/Report of Interest
State University of New York: Compliance With Payment Card Industry Standards (2015-S-65)


State Government Accountability Contact Information:
Audit Director: Brian Reilly
Phone: (518) 474-3271; Email: StateGovernmentAccountability@osc.state.ny.us
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236