Compliance With Payment Card Industry Standards (Follow-Up)

Issued Date: December 27, 2017
Agency/Authority: State University of New York

Purpose

To determine the extent of implementation of the three recommendations included in our initial audit report, Compliance With Payment Card Industry Standards (2015-S-65).

Background

Our initial audit report, issued on June 8, 2016 and covering the period August 25, 2015 through March 22, 2016, determined whether selected State University of New York (SUNY) schools are in compliance with Payment Card Industry (PCI) standards and whether SUNY System Administration has provided sufficient guidance to the SUNY schools regarding PCI compliance. We found that although SUNY schools were generally knowledgeable about PCI compliance and the need to protect credit card data from unauthorized access, a range of weaknesses was still identified. These weaknesses included issues concerning the completeness of systems' component inventories; network segmentation; the resolution of compliance deficiencies; and the oversight of affiliated SUNY school organizations. The three recommendations in our initial audit report addressed the implementation of recommendations made to the various SUNY schools visited and detailed in preliminary reports, the enhancement of compliance and monitoring of PCI compliance at the SUNY schools, and the revision of contract templates by System Administration.

Key Finding

SUNY schools and SUNY System Administration have made significant progress in implementing the recommendations identified in the initial report. Of the three prior audit recommendations, two recommendations have been implemented and one recommendation has been partially implemented.

Key Recommendation

Officials are given 30 days after the issuance of the follow-up review to provide information on any actions that are planned to address the unresolved issues discussed in this review.

Other Related Audit/Report of Interest

State University of New York: Compliance With Payment Card Industry Standards (2015-S-65)

State Government Accountability Contact Information:
Audit Director: Brian Reilly
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236