
Hello,

Our College is considering a new vendor to handle e-transcripts and paper transcripts. The vendor says they are PCI-DSS “Level 2” compliant (they accept credit cards from students). The scheme includes an SSL pipe from their servers in the cloud back to our ERP, which transfers data (student records including SSNs, PPI, and PII, but no credit card numbers) out to their servers for processing and mailing the transcripts. The vendor claims that they only temporarily store the data, presumably only long enough to process it, and then they delete it. The vendor has at least 50 colleges that are currently using their services.


We have had a policy in the past requiring a current SAS 70 or SSAE 16 audit report from vendors we plan on doing business with where we transfer sensitive data to them. This particular vendor says they have chosen not to have a SAS 70 or SSAE 16 audit, and instead they rely on their PCI-DSS Level 2 compliance.


For those who know more than I do about these audit standards, does anyone feel that there is a reason to avoid this vendor due to their choice not to audit with SAS 70 or SSAE 16? Also, I’m unaware whether the vendor has an audit document showing their “compliancy” with PCI-DSS, but if they do, would that hold the same weight as (or more than) the other audit report standards? Our goal, obviously, is ensuring the safety of our student data.


Any other pointers or tips on what we should be asking for from candidate vendors would be appreciated in helping us understand and make the best choices to protect student data. Especially helpful would be anyone who has a policy statement they are willing to share that lists required criteria or credentials for vendors to ensure data security.


Many thanks,

- John


John Taylor
Dean of Information Technology

Cayuga Community College
197 Franklin Street, Auburn, NY, 13021-3099
315.294.8520 x2220

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.

Comments

John,
    Backing up a bit, it really depends on what you want. You have to remember that while passing an SSAE 16 audit is a positive step, it only states that the vendor is doing what they say they will do, and it says little if anything about their practices being at a level that would be acceptable to you for protecting your data. So you may want to get a copy of their security policies first to see if they are acceptable, then use the SSAE 16 (or other compliance audit tool) to verify that they are, or were, doing what they claimed at the time of the audit. An extreme example would be that if the vendor states that their policy is to transmit passwords in the clear, and they are doing this, then the audit passes.

Good luck
Barry

On 01/07/2014 02:43 PM, John Taylor wrote:
--
Rice University:  GO OWLS!

Hi,
We follow this, and we put the standard in our RFP processes where possible:


1) Service providers that we share student data with, in advance of the service provision, etc.: a PCI compliance certificate and an SSAE 16 (SOC 1) report will be obtained annually.

2) Service providers that only collect data on our behalf: PCI compliance certificates annually. We will request updated data security documents (SOC 2) as needed, such as when PCI standards or best practices change substantially.

Just about every vendor we work with complains and says "no one else" asks, but when pushed, they come up with the documents.

Theresa