SAS 70, SSAE 16, PCI-DSS
Our College is considering a new vendor to handle e-transcripts and paper transcripts. The vendor says they are PCI-DSS “Level 2” compliant (they accept credit cards from students). The scheme includes an SSL pipe from their servers in the cloud back to our ERP, which transfers data (student records including SSNs, PPI, and PII, but no credit card numbers) out to their servers for processing and mailing the transcripts. The vendor claims that they only temporarily store the data, presumably only long enough to process it, and then they delete it. The vendor has at least 50 colleges currently using their services.
We have had a policy in the past requiring a current SAS 70 or SSAE 16 audit report from vendors we plan on doing business with where we transfer sensitive data to them. This particular vendor says they have chosen not to have a SAS 70 or SSAE 16 audit, and instead they rely on their PCI-DSS Level 2 compliance.
For those who know more than I do about these audit standards, does anyone feel that there is a reason to avoid this vendor due to their choice not to audit with SAS 70 or SSAE 16? Also, I’m unaware whether the vendor has an audit document showing their “compliancy” with PCI-DSS, but if they do, would that carry the same or greater weight than the other audit report standards? Our goal, obviously, is ensuring the safety of our student data.
Any other pointers or tips on what we should be asking for from candidate vendors would be appreciated in helping us understand and make the best choices to protect student data. Especially helpful would be anyone who has a policy statement they are willing to share that lists required criteria or credentials for vendors to ensure data security.
Dean of Information Technology
Cayuga Community College
197 Franklin Street, Auburn, NY, 13021-3099