
Guest Post: Demystifying PCI DSS

Payment Card Industry Data Security Standards (PCI DSS) is a business framework designed to protect cardholder data. Learn about 5 important points for PCI DSS compliance.

Ann Dunaway

SchoolPay CMO & Co-Founder

Today’s schools are suddenly responsible for understanding PCI DSS and often have annual audit requirements. Sounds scary, right? While most public schools would not consider themselves payments experts, they manage enough payments to benefit greatly from acquiring some expertise.

In 2008, SchoolPay (under our corporate name My Payment Network), ASBO International (Association of School Business Officials), and NBOA (National Business Officers Association) conducted a K12 Payments Study. The results were enlightening. The average parent makes 28 payments per child per year directly to their school. Managing 28 payments per child per year across many departments and vendors casts a wide audit scope, increases errors and omissions, and escalates operation costs.



Object Controls 

At the highest level, PCI DSS is concerned with six object controls. “Object controls” logically group related things. PCI DSS comes down to six areas of focus:
  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy
Sounds easy enough, right? Well, each object control has further requirements, and if you peel back every layer you will quickly find that these six controls feed into hundreds of requirements. Any vendor that takes payments on your district’s behalf should be independently audited to prove they adhere to the hundreds of requirements. Please don’t confuse “compliance with PCI DSS” with “independently audited.” If you outsource all your payments, you still have to be compliant. Your service provider needs to be independently audited. 


Five Points that “Make Sense”

We’ve boiled down the principles. These points are by no means intended to be your guideline for maintaining PCI DSS compliance. They merely simplify the topic for a broad introduction to what can be a very big subject.

Point #1:  PCI DSS is about more than Ecommerce.

Many people think PCI DSS is only about Ecommerce. It’s about cardholder data. If you allow in-person credit card payments, PCI DSS impacts those payments as well. 

Best practice: Every human and system location in the district that could come in contact with or leave a record of a 16-digit card number is a threat. Document these and establish a policy for that data interaction.

Point #2:  PCI DSS is not the job of one person or one department.

PCI DSS is equivalent to trusting someone with a secret. How many people does your district trust with this secret?
Best practice: Establish policies and procedures that define the behavior of everyone (staff) and everything (hardware/software) in the district that touch cardholder data.

District Payment Biosphere


Point #3:  You must interact with cardholder data to take payments.

Best practice: Limit your scope.  
  • Reduce the number of people authorized to manage credit card payments.
  • Institute policy for taking card numbers over the phone or in person.
  • Reduce the level of data staff can access (e.g. Costco has a policy that cashiers are not allowed to even key in cardholder account numbers if the magnetic strip fails).
  • Push credit card payments to a secure solution where only the payer interacts with their card number. 

Point #4: PCI DSS is really common sense.

Maybe your common sense is on track, but do you really want to leave something this important up to every staff member’s common sense? Districts prepared to head off security breaches take all human “sense” out of the equation.
Some samples of questionable “common sense” we regularly see in schools:
  • Donation cards that collect a 16-digit credit card number, expiration date and CVV and end up on desks visible to all.
  • A foundation or aftercare worker who keeps a list of cardholder numbers, etc. for payments they re-key every month. We saw one case where the staff member had it taped to the top of their desk so it was “handy.”
  • Employees empowered to take credit card numbers over the phone who then write down full account details and leave those details behind on open desks.


Best Practices:
  • Centralize payment policies across the district – don’t leave it up to every department. 
  • Put as many payments as you can onto a common, secure payment platform.
  • Know the payment credentials for all software vendors offering payment solutions.
    • Ecommerce and payments are not an “add on” feature. It’s a business in and of itself.
    • Make sure any software that collects card numbers is a Level One Independently Audited Provider.

Point #5:  You take more payments than you think.

The number and kind of credit card transactions you manage determine your PCI DSS requirements. Whether you need an independent audit or an “acknowledgement of compliance” depends on your district security policies and the volume of transactions for which your district owns the collection of cardholder data.
Even if your school outsources payments to one or more vendors, you still have annual responsibilities to PCI DSS.  All school business officers should establish an awareness of the guiding principles for protecting cardholder data.

The bottom line with PCI DSS is that while it is a huge business practice, it’s also an important way to operate.  All schools take in millions of dollars in payments annually. PCI DSS is not only good cardholder best practice; it’s also good payment-of-any-kind (cash, paper check) business practice.

For more information about PCI DSS 3.2 (the current version of PCI DSS requirements) go to

