Compliance: the C word all universities dread


Written by Richard Marks

Published October 2019


As the mania of Freshers’ Week dies down and students settle into their new schedules, universities continue in their endeavour to provide the best possible student experience.

Whilst the new arrivals grapple with their class timetables, attend sports team fixtures and buy tickets to the best events the Student Union has to offer, university staff, including those within the finance department, are hard at work in the background making it all possible. For example, the core teaching and support services, from dining functions, housing, student gyms and library facilities, are all underpinned by a variety of payment technologies managed by the university finance department.

With one in 10 UK adults and one in six young people choosing to live a largely cashless life in a world of contactless and mobile payments, universities have had to adapt. Where once cash was king, students and their parents require convenience. This means offering a range of different payment options to suit their needs – whether online, face-to-face or over the phone. With the right payment technologies, universities can ensure fees can be processed quickly and revenues aren’t jeopardised – an important consideration when you realise that 32% of people would walk away from a typical purchase if they couldn’t pay by card.

But just as young people favour contactless, older generations such as students’ parents and grandparents may prefer traditional payment options such as the ability to pay via phone – it’s this that presents a compliance concern for universities.

How universities can stay on the right side of compliance

Taking payments over the phone presents particular compliance responsibilities under the Payment Card Industry Data Security Standard (PCI DSS). Organisations must be able to prove they’re compliant or risk the consequences. Specifically, organisations could face additional PCI charges every month, risk having their ability to process card payments withdrawn and, at worst – in the case of a data breach – suffer significant fines and huge reputational damage.

Along with the requirement to follow PCI DSS procedures, the standard also stipulates that the three- or four-digit security code usually printed on the back of a card must not be retained once payment authorisation has been completed. This means that if universities record phone calls for staff training purposes, the recordings could be holding these details without anyone knowing, putting the university in breach.

Additionally, problems can occur when staff write down card details to process later, or when they check card details with the cardholder by repeating them back over the phone for – potentially – an entire office to overhear.

The standard also has a number of other requirements: card data must be encrypted when transmitted across public networks, staff must be individually authenticated, no more than the first six and last four digits of the Primary Account Number (PAN) may be displayed, and the PAN must be rendered unreadable wherever it is stored. To say universities have a lot to consider to avoid falling on the wrong side of the regulations is perhaps an understatement.
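The two controls just described (security code never retained after authorisation; PAN shown as at most first six plus last four and unreadable at rest) are simple enough to put into code. The block below is an added example, not code from the article or from any vendor it mentions: it finds card numbers in free text such as a call-recording transcript using a Luhn check so ordinary numbers are left alone, masks them to first six and last four, and scrubs a post-authorisation payment record by dropping the security code field and replacing the PAN with its masked form plus a keyed hash. The field names (`pan`, `cvv`, `cvv2`, `cvc`, `security_code`), the hashing key and all sample values are constructed for the example.

```python
import hashlib
import hmac
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed field names under which a security code might arrive in a payment record.
CVV_FIELDS = {"cvv", "cvv2", "cvc", "security_code"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so that phone numbers and reference codes are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN as first six + last four digits, the most PCI DSS allows to be displayed."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> str:
    """Mask every Luhn-valid PAN found in free text (a transcript, a ticket note, a log line)."""
    def _sub(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_PATTERN.sub(_sub, text)


def scrub_post_authorisation(record: dict, secret: bytes) -> dict:
    """Prepare a record for storage after authorisation.

    The security code is dropped outright (it must never be kept once the payment
    is authorised) and the PAN is replaced by its masked form plus a keyed SHA-256
    hash, one of the ways of keeping stored PAN unreadable while still allowing
    the same card to be matched across records.
    """
    out = {k: v for k, v in record.items() if k.lower() not in CVV_FIELDS}
    if "pan" in out:
        digits = re.sub(r"\D", "", out.pop("pan"))
        out["pan_masked"] = mask_pan(digits)
        out["pan_hash"] = hmac.new(secret, digits.encode(), hashlib.sha256).hexdigest()
    return out


if __name__ == "__main__":
    # Constructed transcript line: a well-known test card number and an ordinary phone number.
    transcript = "Caller read card 4111 1111 1111 1111, call-back number 01234 567890"
    print(redact_text(transcript))

    # Constructed payment record as it might be captured before authorisation.
    record = {"pan": "4111 1111 1111 1111", "cvv": "123", "amount": "250.00"}
    print(scrub_post_authorisation(record, b"constructed-demo-key-not-for-production"))
```

Run over a transcript line the call-back number is untouched because it is too short and fails the Luhn check, while the card number is reduced to its first six and last four digits; the scrubbed record keeps the amount and the masked PAN but no longer contains the security code or the full PAN.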

The good news is that there are technology solutions that can help universities remove some of this compliance burden, allowing them to simplify their processes and ultimately reduce risk across all communications channels – including when taking phone payments.

The other compliance concerns keeping universities up at night

The PCI DSS isn’t the only regulation universities need to comply with. The General Data Protection Regulation (GDPR), which came into force in May 2018, brings additional – and often complex – compliance responsibilities. As the aim of the regulation is to improve the data privacy of European citizens by changing how organisations store, process and manage customer data, all universities processing payment information and holding student data need to take note. With the Information Commissioner’s Office (ICO) already issuing big fines to well-known brands for breaking the data protection rules, universities need to ensure compliance is high on their agenda.

An upcoming area to be aware of is the requirement for Strong Customer Authentication (SCA) as specified by the EU's second Payment Services Directive (PSD2). Universities taking online payments need to ensure that when students or parents make a payment, the payment is secured by two-factor authentication. This means that in addition to entering a card or account number, the payer must also be authenticated by a device in their possession (e.g. via a mobile phone), by entering a code, or through a fingerprint or facial scan.

The world of transactions is one that is complicated and far-reaching when it comes to compliance. However, there are experts at hand who understand the unique challenges faced by universities and who can support them in meeting their business aims and their compliance responsibilities. With their expertise, universities will be able to put the right processes and systems in place which best serve their needs.

Understanding the next steps

Whether universities need to support additional payment methods or understand how best to avoid non-compliance issues when taking payments over the phone, a full payments MOT is a good place to start. Pay360 by Capita, who offer next-generation payment solutions, can help. See how they’ve helped the University of Hertfordshire modernise its online student experience and how they support other universities and higher education institutions.
