Walter T. Conway

1948 – 2013

We've lost a colleague and, more importantly, a dear friend. Walt was unexpectedly diagnosed with advanced pancreatic cancer. While he started treatment immediately, the cancer was aggressive and he was taken from us too quickly by this awful disease.

Donations can be made to the Walter T. Conway, Jr. Fund at Episcopal Community Services, 165 Eighth Street, 3rd Floor, San Francisco, CA 94103, or online at www.ecs-sf.org.

Walt was an inspiration to many of us. This site remains as a tribute to Walt, who had put together resources to help others, sharing his knowledge, expertise and passion for the payment card industry (PCI) and higher education.

If you need any assistance with any of the resources listed or services that Walt had performed for you, the team at 403 Labs is proud to continue Walt's hard work.

PCI Compliance Philosophy

PCI compliance is a business issue, not a technology issue. There is no single technology solution that will make your organization PCI compliant. Because it is a business issue that affects the entire organization, PCI compliance calls for a multidisciplinary team including at least Finance, IT, and likely Internal Audit.

There are two fundamental realities of PCI compliance. First, your costs of card acceptance will go up. This is not a surprise because you have additional work to do, and you may decide to outsource some processes you currently do internally. Therefore, your costs may go up a little or they may go up a lot, but they will go up. Second, you will change the way you take payment cards. It is likely you have cardholder data stored at your organization. While this is permitted under the PCI compliance standard, if you retain cardholder data, you need to protect it. This is where things get expensive, so you may find a better approach is to change your procedures, limit the data you retain and even restrict how you take cards.

While there are no bad questions, there are "right" and "wrong" questions about PCI compliance. Examples of wrong questions are:

Point is that, before you even begin to address these questions, you should take a step back and look at your organization and your payment practices and policies.

Examples of some "right" questions are:

Asking these strategic questions—especially limiting your PCI compliance scope—allows your team to focus on those processes that need to be changed rather than simply dealing with things as they are. Remember the second reality of PCI compliance: you will change the way you take payment cards.

By applying this philosophy, you ask the difficult questions up front and avoid wasting time and effort on areas that may not even apply to the organization and its card acceptance environment.

PCI Compliance Guidance

As you navigate the world of PCI compliance, you will undoubtedly face situations that inspire questions. Here are some thoughts to help you with a few of those situations you may run into along the way.

Your acquirer (bank processor) is pressing you to be PCI compliant NOW.
The original deadline for PCI compliance was December, 2005. In 2007, the card brands focused on getting their larger (Level 1-3) merchants compliant through a series of incentives and penalties. The focus then shifted to Level 4 merchants. There was a series of mandates issued in October, 2007 to address Level 4 merchant compliance. If your processor is pressuring you, it is because they realize the importance of your organization becoming PCI compliant quickly. There are financial and reputational risks to noncompliance. The focus should be on organizing your team, gathering resources and developing an action plan to get your organization compliant.
Your acquirer told you to complete SAQ "D."
Your acquirer may not really understand your internal operations, so they opt for the easiest way out—for them. By conducting a payments analysis and reducing your organization's PCI scope, you can go back to your acquirer and make a case for filing one of the shorter SAQs. This step alone can save weeks or even months of effort. Before you can take this step you will need a comprehensive payments analysis, sometimes accompanied by changes to your card acceptance practices.
You have a vendor offering a "free" consultant.
What's not to like about "free?" Keep in mind that the consultant still works for the vendor and that is where their loyalty lies. Remember the line in the movie, The Godfather: "This is business, not personal." It's like that with vendor consultants—this is business. Assume that when they look at you what they see is their next paycheck, or new boat, or mortgage payment, or braces for the kids. It may sound blunt, but consider it. Sometimes "free" can be very, very expensive.
You know more about PCI than some of the QSAs you speak to.
Many organizations leap to hire a Qualified Security Assessor (QSA) as a first step and they are disappointed. This may not be the best way to start. First, not all QSAs are created equal: while some have excellent credentials with IT and audit experience, others are new to PCI and the card business. A better way to start may be to talk to a PCI expert you can trust who will give you straight answers. Focus on limiting PCI scope and minimizing your compliance effort. Then, if there are detailed technical issues, retaining a QSA at that point can be a great idea. Hiring one at the start can actually lead to a missed opportunity to focus and reduce your compliance effort from the beginning.
You are talking to a QSA, but either they don't understand the card business or they are new to your industry.
In 2007, the PCI Security Standards Council (PCI SSC) trained and certified over 1,500 new QSAs. While all of them went through the same training and passed a test, some bring more experience, knowledge and expertise than others. You should have high expectations and they should be met. Interview carefully not just the firm but also the specific individuals to be assigned to your organization before making a decision. You may also wish to retain another industry or compliance expert to provide any missing knowledge.

Making the Business Case for PCI Compliance

PCI compliance is a business issue, not a technology issue. Here are some items that you may find useful in making your own business case for compliance. You may find these resources useful in your own work.

Five Myths About the Payment Card Industry Data Security Standard

Government Finance Officers Association
Walt Conway dispels five common myths surrounding PCI compliance. These five myths can waste valuable time and resources or, more seriously, leave an organization vulnerable to a security breach.


Straight Talk About Data Security

NACUBO Business Officer
Walt Conway and Dennis Reedy discuss if you accept payment cards on campus, you need to comply with a standard designed for safe handling of sensitive consumer information. Indiana University's compliance plans offer some guidance.


Cards at School: Why Banks View Campuses as High Risk Customers

AFP Exchange
Walt Conway and Dennis W. Reedy discuss accepting credit and debit cards is a fact of life at campuses nationwide. Hand-in-hand with card acceptance comes the responsibility to safeguard and protect all transaction and consumer data. The Payment Card Industry Data Security Standard (PCI DSS) was created to help ensure the safe handling of sensitive consumer payment information

Five Strategies to Achieve PCI Compliance

AFP Exchange
Walt Conway and Dennis Reedy's follow up describing five strategies for achieving PCI compliance. The higher education environment provides a microcosm of payment card realities. These "best practices" can work in many industries.


College Door Ajar for Online Criminals

Los Angeles Times
A Los Angeles Times article citing a number of higher education security breaches.


Fending Off Digital Thieves

Roanoke Times reposted to seclists.org
A Roanoke Times article quoting Walt Conway on higher education data security.

The State of Higher Education: PCI in Schools

Secure Payments
Walt Conway offers lessons and approaches for the complex nature of PCI compliance environments within higher education institutions.


Business Case Presentation

Treasury Institute for Higher Education
Making a business case for PCI compliance from the Treasury Institute PCI workshop.


PCI in Higher Education

Treasury Institute for Higher Education
A look at PCI compliance within the higher education space.

Industry Resources

You can learn more about ecommerce and organizations that offer professional education or other resources by visiting the sites below.

Visa Security Resources
Visa's website has a comprehensive set of merchant information.

Professional Development Group II
Professional Development Group provides professional education for treasury and finance staff.

Treasury Institute for Higher Education
The Treasury Institute promotes best practices in schools and universities.

PCI Security Standards Council
The PCI Security Standards Council owns and maintains the PCI Data Security Standard (PCI DSS).

NACUBO PCI Blog
When NACUBO became a participating member of the PCI Security Standards Council, it created a partnership with the Treasury Institute for Higher Education. One result of that partnership is that the Institute has created a PCI Blog just for Education.

StorefrontBacktalk
Articles with a QSA's—and a merchant's—perspective on PCI.