RFPs and Needs Assessments for Higher Education

September 29, 2015, Jon Bonham, Director, State and Local Government / Higher Education

In this blog post, I will be discussing RFP best practices for Higher Education Institutions.  Having worked with higher education organizations for a number of years, I’ve noticed some trends that could be useful as you and your department or institution head into another year of projects that may include going out for RFP.
 
Campuses can be diverse, complex entities.  Large or small, trying to comply with Payment Card Industry (PCI) Data Security Standard (DSS) as well as validating compliance with a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC), can be a daunting undertaking.  All the acronyms alone are enough to get frustrated! 
 
A typical campus can collect and process credit card transactions based on many different business needs.  The first questions that come up are the collection of money and how to account for it.  Questions typically include:

  • Where do we reconcile our transactions?
    • to a department’s budget tools
    • by campus treasury to a specific general ledger
  • Can the point-of-acceptance technology (eCommerce, virtual terminal, dial-out terminal) facilitate our business and accounting process?

  • Is there one technology that meets campus treasury, department, and customer demands?

These questions can be even more challenging when considering the various ways that campuses can collect payments.  From brick-and-mortar sales, online ordering, and phone collections, the campus must manage the transactional risks of their credit card technologies and business processes.  They must protect their campus community’s financial information and meet their acquiring bank’s compliance expectations.

Many organizations quickly find that achieving compliance is a tough, and ongoing, process.  After trying SAQs, campus-wide assessments, or going out to bid to see if there’s someone who can do it all for you, you will soon learn that the real exercise is truly understanding your businesses’ needs and the risks involved with each of the potential solutions.
 
For example, a campus might need to store the credit card information for a deposit or recurring billing. This is a very specific business practice; one that campuses are not necessarily used to dealing with from a data security perspective.  There should be real controls in place to protect that information.  Where is it stored; what information is required to be stored; how long should it be stored; does it need to be encrypted?  You must answer these to build a secure environment. 
 
Credit card data that a network stores, processes or transmits is in scope for PCI compliance.  So the FIRST STEP is to define your Cardholder Data Environment (CDE).  The key here is to define the environment as narrowly as possible.  Asking questions like “Does Wi-Fi need to be included? Are firewalls set up to segment parts of the network that process credit cards? Is it a flat network? Are the answers different for each department and entity across the campus?” is a good start in scoping CDE.  These are also important to consider when building an RFP.  Every department may be different, so requesting generic or broad information in an RFP may not get you to a solution that really addresses the needs for the entire campus. 
 
You will also have to understand how you handle Merchant IDs (MIDs) and if each needs its own SAQ.  There could be options for combining MIDs under one SAQ, thus saving the university a lot of money.  Knowing if the CDE is required to have scans or penetration testing will also affect the total cost.  In summary, it might not be as simple as cost X quantity here, but the overall compliance outcome and clear, meaningful pricing will be the result. 
 
You can see that it gets really complicated, really fast.
 
If the scope of effort looks enormous, you may want to consider hiring a Qualified Security Assessor (QSA) to perform a needs assessment before creating a RFP so that you can have a clearly defined CDE; and understand the actual gaps you really need filled.  A needs assessment can also help you identify all the risks of the campus and classify merchants to low, medium and high risk categories.  If you can pinpoint the size of the environment you need to secure and the various levels in which each entity is categorized, you can get a much better cost estimate during the RFP process.  If you just generalize MIDs, number of SAQs, and the level of merchant, you may have more work and more cost than is really required to become compliant.
 
If you are looking to have someone help you meet your compliance mandates, here are some useful questions to include in a Higher Education Compliance RFP:

  1. Is the vendor in good standing on the PCI’s Security Council’s Qualified Security Assessors (QSA) Approved Scanning Vendors (ASV)?  And if applicable, PCI Point-to-Point Encryption program (P2PE) certification lists?
  2. How many clients does the vendor have with complex, multiple merchant and multiple credit card application environments?
  3. Has the vendor been in remediation with the PCI council?
  4. Is the vendor certified by the PCI Security Council to conduct QSA assessments in the United States?
  5. How many QSA’s are on staff?
  6. Will the vendor certify that they will use full time staff and not contractors for their QSA assessments?
  7. What process will you use to determine that the correct SAQ form is being filled out for each entity?
  8. If using an application to collect data, will it print out the forms in the format of the PCI council?
  9. Does the management tool allow for the organization to identify who has access to different assessments and evidence, based on roles and responsibilities?
  10. Does the tool allow you to upload and identify evidence for individual controls?
  11. Does the tool identify non-compliant controls and allow the organization to assign remediation action items?
  12. Does the tool provide access to centrally monitor compliance activities across all campuses / merchants?
  13. Does the tool provide the ability to store evidence and documentation of compliance?
  14. Does the tool flag non-compliant responses to be assigned remediation actions?
  15. Does the QSA firm provide templates such as policies and procedures or data flow diagrams?
  16. Describe the methodology that you plan to use to manage the PCI-DSS program.

Doing this “heavy lifting” scoping on the front end of any RFP will greatly increase your chances of ultimately creating a highly secure PCI environment on your campus.  It will also create a compliance program that you can successfully manage quarter after quarter.  And by sizing the project right, you can stay within budget considerations, all while achieving a high level of compliance and reducing the risk of attacks.  Note: If you are interested in a Higher Ed RFP template that can help you build out your own RFP, please don’t hesitate to ask any of the Coalfire sales team.

Jon Bonham

Author

Jon Bonham — Director, State and Local Government / Higher Education

Recent Posts

Post Topics

Archives

Tags