Main Navigation

Securing payments on a mostly cashless campus

The University of Utah securely processes a multitude of credit card transactions each year.

This article originally appeared on Node 4.

Each year, the University of Utah accepts and processes a multitude of credit card transactions worth millions of dollars. Clinical services in MyChart, parking, tuition, and ticket sales are just some of the digital payments that make the U a custodian to vast sums of restricted data.

As context, here are some recent credit payment processing figures for the university, courtesy of Financial & Business Services (FBS).

Payment processing activity July 2018 – June 2019 (CY) July 2019 – June 2020 (CY) Year-over-year change (%)
Net sales: $415,015,306 $403,499,902 – 2.8
# of transactions: 3,530,348 3,253,636 – 7.8
Avg. transaction amount $120.24 $127.85 + 6.3


To keep this information locked down, the university adheres to strict payment card industry data security standards (PCI DSS) developed by major card issuers, Policy 3-070: Payment Card Acceptance, and the PCI report on compliance (ROC), an annual assessment that confirms the effectiveness of processes and security controls on IT system components connected to environments with cardholder data.

The report is essentially an external audit of payment card systems university business processes that signals to banks that the U is “safe” to accept credit cards for another year. Banks and credit card companies may fine or deny noncompliant organizations the ability to accept credit payments.

“People often think of compliance as a one-and-done, but compliance requires everyone’s involvement and a real culture change to achieve consistently,” said Trevor Long, associate director of UIT’s Governance, Risk & Compliance (GRC) team.

Michael Adair, GRC information security and risk analyst, noted one caveat: Departments, colleges, and organizations must set up a merchant account to process credit cards through FBS — not on their own — for the sake of compliance, but also because various methods for accepting online payments are available. An applicant may, for instance, require a UMarket shopping cart, need to coordinate with University Advancement to accept donations on a website, or choose to use a third-party vendor with certain restrictions (it, too, must be PCI DSS compliant).

Steffany Forrest, associate director of Income Accounting and Student Loan Services in FBS, leads the group in charge of setting up credit-processing accounts.

“If it’s a third-party vendor, the university requires attestation of the company that basically says, yes, they are PCI compliant. That’s the first thing we need to determine before we can move any further,” Forrest said. “Then our department works with the bank to get everything set up so departments can use processing devices for credit card payments.”

Forrest urges potential applicants to start by reviewing the information on FBS’ Payment Card Acceptance and E-Commerce webpage.

One of the university’s goals, Adair said, is to reduce PCI scope. Any IT system that interacts with cardholder data or systems containing it is considered “in scope.” If the scope is narrow, some systems may leave cardholder data insufficiently secured, leading to a greater risk of a security breach. On the other hand, if the scope is too broad, excessive security controls can lead to extra costs and user-unfriendly systems. Scope reduction, Adair said, is the most effective way to meet compliance obligations as efficiently as possible.

Adair said two technologies have taken a big step in that direction —  transparent redirect and point-to-point encryption (P2PE).

“As these solutions have become more popular, with more vendors offering them, we’re getting closer to shrinking [PCI] scope other than in a few places where we need to stay in scope like [over-the-phone credit card] transactions when someone calls in to a customer service agent,” Adair said.

Long said GRC occasionally receives feedback that PCI compliance measures are too prescriptive, while in fact, his team closely follows security best practices. He said, for example, accepted PCI security measures align closely with the top 20 controls from the Center for Internet Security (CIS), a prioritized set of cybersecurity best practices. In fact, CIS documents how their controls map specifically to PCI DSS.

“PCI security is part of a general risk-reduction strategy that the university pursues,” Long said.