Compliance With Payment Card Industry Standards

Issued Date: December 13, 2019
Agency/Authority: City University of New York

Objectives

To determine whether the City University of New York (CUNY) has provided sufficient guidance to the CUNY colleges regarding Payment Card Industry (PCI) compliance and whether selected CUNY colleges are in compliance with PCI standards. Our audit scope covered the period November 7, 2018 through May 2, 2019.

About the Program

CUNY – the nation’s largest urban public university – comprises 25 colleges located throughout New York City’s five boroughs. As of January 2019, CUNY offered 1,400 academic programs, 200 majors leading to associate and baccalaureate degrees, and 800 graduate degree programs to over a half-million students in a single integrated system. CUNY Central Office is responsible for issuing various CUNY-wide policies in areas such as academic affairs, legal and compliance issues, facility management, and IT security, including credit card payment processing.

All industries that accept credit cards as a method of payment must comply with the Data Security Standards (DSS) established by the PCI Security Standards Council. The PCI DSS is a set of technical and operational requirements designed to protect cardholder data. Entities that do not comply with PCI DSS may be subject to fines and penalties and may lose the ability to accept credit card payments. CUNY colleges accept credit cards as a method of payment (e.g., donations, events) and, as such, must comply with the PCI DSS to protect against electronic security breaches and theft of payment card data.

Key Findings

While Central Office recognizes the importance of PCI DSS compliance and is committed to maintaining strong internal controls, it has not provided its colleges with sufficient guidance and direction for addressing and maintaining compliance with PCI DSS requirements.

  • The four CUNY colleges we visited were significantly unfamiliar with the PCI DSS requirements, with how to comply with them, and with the need to protect credit card data from unauthorized access.
  • We identified areas where system and data controls need to be improved to meet compliance standards.

Key Recommendations

To Central Office:

  • Develop strategies to enhance compliance with PCI DSS and improve monitoring of PCI compliance at all CUNY colleges.

To the CUNY Colleges Visited:

  • Implement the recommendations detailed during the audit for strengthening technical controls over cardholder data.

State Government Accountability Contact Information:
Audit Director: Brian Reilly
Phone: (518) 474-3271; Email: [email protected]
Address: Office of the State Comptroller; Division of State Government Accountability; 110 State Street, 11th Floor; Albany, NY 12236