Battling the Data Breach Epidemic: Securing Your Campus
Colleges and universities have become a favorite target of cybercriminals because of the sheer volume of student and payment information they handle, and because payment processing happens all over campus, from the ticketing office to the bursar's office to the cafeteria. In addition to endangering students and damaging the reputation of the institution, the financial costs of a data breach can include legal representation, fines, and the expense of notifying impacted individuals. Properly safeguarding all campus payment data while staying compliant with the Payment Card Industry Data Security Standard (PCI DSS) is no simple task. Fortunately, advances in payment technology, such as point-to-point encryption (P2PE), are helping to secure campus data more effectively.
In this web seminar, data security experts from Bluefin Payment Systems and Nelnet Campus Commerce discussed the data breach epidemic in higher ed and ways to better secure any campus.
Daryl Robinson, Director, Product Development & Strategy, Nelnet Campus Commerce
Ruston Miles, Chief of Strategy & Innovation, Bluefin Payment Systems
Daryl Robinson: Nelnet is a $2 billion publicly traded company. We are a payment technology provider serving more than 900 colleges and universities across the United States. Our systems process nearly any type of payment you can think of on campus, and we integrate with all of the major ERP systems. We process tens of millions of payments each year, making us a Level 1 PCI gateway provider. We’ve been validated as a Level 1 processor since the inception of the PCI Standards Council in 2004.
We provide campuses with a number of secure e-commerce solutions, including in-person payments via encrypted card swipe devices to minimize transactional risk. We now are taking that a step further by partnering with Bluefin Payment Systems, a recognized leader in payment security in the higher ed industry. By integrating with Bluefin, we have become the first major payment technology provider in the space to offer PCI Security Council-recognized point-to-point encryption, or P2PE.
Ruston Miles: Data breaches are on the rise. Because hackers have gotten smarter and more advanced, they have been able to automate tens of thousands of attacks all over the internet, which is where most people in sales and workstations are connected. Malware is the culprit in over 50 percent of the breaches. When we get into the point-of-sale payment data, it gets upward of 90 percent. It’s definitely the No. 1 attack vector.
“Malware” is an umbrella term. It includes all sorts of things: viruses, worms, Trojan horses, ransomware, malicious programs—and often it’s all of these things at once. Once the bad guys get it on the system, the software will choose what it will do. It could be RAM scraping the swiped credit card data, logging all the keystrokes, or locking down the system. The software gets in, sits there silently, and scours your network looking for clear text credit card data.
Educational institutions are prime hacker targets. According to Verizon’s Data Breach Investigations Report for 2016, the education sector ranked sixth overall in the U.S. Why? Because there’s so much rich data. A hacker can go into higher ed systems and get not only credit card data, but also a lot of personally identifiable information. They can get health records, history, addresses—all sorts of information that can be used to conduct identity theft.
How do we protect against this? There are two choices that have been used in the industry. The first is called “defending the data.” This includes implementing firewalls, network perimeters, monitoring systems and security staff. This is taking all 335 security requirements from the PCI Data Security Standard and maintaining them 365 days per year. If a vulnerability or exposure happens on any one of those controls on any one of those days, you have a breach. If a hacker gets in, all of that work is down the tubes. The stakes and costs of a breach are very high.
The second approach that we’re starting to see is to “devalue the data.” If the bad guys should get in, all they acquire is encrypted data, so they can’t do anything with it. As data is transmitted through networks, it is encrypted with a unique, high-strength, high-security encryption key for every transaction. So, if you do 1 million transactions this year, there are 1 million NSA-strength keys used. This frustrates hackers. It could take them months to crack just a single key, and how do they come up with a million months to crack a million credit cards? It’s not going to happen. So they move on to the next low-hanging fruit that the university is not encrypting or tokenizing.
This is where PCI’s point-to-point encryption standard, also called P2PE, comes in. PCI’s P2PE standard combines a PCI validated point-of-interaction device, or payment terminal, that encrypts card data at the point of entry. This happens whether the card is swiped, keyed, or dipped. A unique key per transaction protects the card data until it reaches the P2PE solution provider’s secure decryption environment. The solution provider then securely passes the card data back to the merchant’s processor for normal processing.
In 2014 Bluefin became the first company in North America to receive PCI validation for our P2PE solution, and in 2017 we partnered with Nelnet to provide our P2PE solution directly to their clients through the Nelnet Campus Commerce platform.
Is P2PE easy to implement? Very easy. It’s plug and play. The device that we worked on together with Nelnet uses a USB and keyboard emulation, so there are no special drivers required. You just plug it in, turn something on in Nelnet to make sure that it’s allowing the device through, and you’re ready to go.
Daryl Robinson: Together, Nelnet and Bluefin have a combined 35 years' experience in higher education. Bluefin has more than 17,000 merchant relationships, including those in the higher ed space. While Nelnet already offered an end-to-end encryption solution, having a P2PE-validated option for our partners was a logical next step in payment security. The beauty of this partnership is that institutions can continue to use their existing merchant accounts. Institutions don't have to use a new merchant acquirer or new merchant IDs. Their existing MIDs and the payment flow within Nelnet products remain the same. Now, thanks to our partnership with Bluefin, we can offer our clients the P2PE solution that many of them are increasingly interested in.
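To make concrete what "devaluing the data" with a unique key per transaction buys you, as described in the P2PE discussion above, here is an added example written for this page; it is not code from Bluefin, Nelnet, or the PCI P2PE standard. It models three parties: a terminal that derives a fresh AES-256-GCM key for every transaction from a base key it never exports, a decryption environment that is the only holder of base keys, and a RAM scraper of the kind the malware discussion above describes, which searches a buffer for Luhn-valid card numbers. The HMAC-SHA256 key derivation is a standard-library stand-in for the DUKPT key-management scheme validated terminals actually use, and the device IDs, base key, and track data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"regexp"
)

// Envelope is all that crosses the merchant network: ciphertext plus the
// header the decryption environment needs to re-derive this transaction's key.
type Envelope struct {
	DeviceID   string
	Counter    uint32
	Nonce      []byte
	Ciphertext []byte
}

// txnAEAD builds the AES-256-GCM cipher for one transaction from the key
// HMAC-SHA256(baseKey, deviceID || counter), a stdlib-only stand-in for the
// DUKPT-style derivation real P2PE terminals use. The AAD binds the header.
func txnAEAD(baseKey []byte, deviceID string, counter uint32) (cipher.AEAD, []byte) {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	mac := hmac.New(sha256.New, baseKey)
	mac.Write([]byte(deviceID))
	mac.Write(c[:])
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead, append([]byte(deviceID), c[:]...)
}

// Terminal models the point-of-interaction device; its base key stays in the
// device, so the cashier's PC only ever holds envelopes.
type Terminal struct {
	DeviceID string
	baseKey  []byte
	counter  uint32
}

// Encrypt seals swiped, keyed or dipped track data under a key used once.
func (t *Terminal) Encrypt(track []byte) (Envelope, error) {
	t.counter++
	aead, aad := txnAEAD(t.baseKey, t.DeviceID, t.counter)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, track, aad)
	return Envelope{DeviceID: t.DeviceID, Counter: t.counter, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptionEnvironment models the solution provider's HSM-backed zone: the
// only place base keys exist and the only place decryption runs.
type DecryptionEnvironment struct {
	baseKeys map[string][]byte // per-device base keys, never issued to merchants
}

func (d *DecryptionEnvironment) Decrypt(e Envelope) ([]byte, error) {
	baseKey, ok := d.baseKeys[e.DeviceID]
	if !ok {
		return nil, errors.New("unknown device")
	}
	aead, aad := txnAEAD(baseKey, e.DeviceID, e.Counter)
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("envelope tampered with or wrong device key")
	}
	return pt, nil
}

var panRun = regexp.MustCompile(`[0-9]{13,19}`)

// ScrapeForPANs mimics a RAM scraper: digit runs of card-number length that
// pass the Luhn check, over whatever buffer a compromised host can read.
func ScrapeForPANs(buf []byte) []string {
	var found []string
	for _, run := range panRun.FindAll(buf, -1) {
		if luhnOK(run) {
			found = append(found, string(run))
		}
	}
	return found
}

func luhnOK(digits []byte) bool {
	sum := 0
	for i := range digits {
		d := int(digits[len(digits)-1-i] - '0')
		if i%2 == 1 {
			d = d*2/10 + d*2%10 // digit sum of 2d
		}
		sum += d
	}
	return sum%10 == 0
}
```

Run ScrapeForPANs over the cleartext track and it returns the card number; run it over the envelope a P2PE host actually holds and it returns nothing, and it keeps returning nothing no matter how many envelopes are collected, because each one was sealed under a different key. Two caveats a practitioner should keep in mind: the model assumes the base key never leaves the terminal and the decryption environment, which is exactly what the P2PE validation audits (key injection, tamper response, and the decryption zone), and a tampered or foreign envelope is rejected by the GCM tag rather than decrypted to garbage, so the processor never sees a corrupted PAN.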
To learn more about Nelnet Campus Commerce and Bluefin Payment Systems’ partnership, visit CampusCommerce.com/UBWebinar.
To watch this web seminar in its entirety, visit www.universitybusiness.com/ws120517