Business Office compliance priorities
Credit card payment processing compliance
With dozens of offices on campus accepting credit card payments for various reasons, a great deal of behind-the-scenes activity in the University’s Business Office is necessary to ensure payments are processed safely.
In 2009, the University learned about the need to meet industry standards mandated by credit card companies to avoid credit card theft, and its efforts to meet the standards began in earnest in 2010, said John Cordi, associate vice president for business affairs. “We didn’t know much about the industry standards then but we needed to be Payment Card Industry (PCI) Security Standards Council compliant. PCI’s Data Security Standard (DSS) is mandated by the credit card companies for anyone accepting credit card payments and that’s what we’re complying with.”
“The standards themselves are complex and include IT for the security aspect to segment networks and make sure we have the proper firewalls and that every terminal that processes payments is completely locked down so no other systems can access them,” added Erin Neske, director of finance.
“On the business systems side,” Neske said, “we need to monitor our processes so that numbers are not written down on a random paper somewhere, our front-end staff understand what is compliant and that they are dealing with sensitive data, and how we need to process transactions safely and securely so our customers are safe.”
“It’s difficult because it requires not only functional but technical processes. It takes a lot of collaboration across the Business Office, ITS, and the department processing credit cards,” said Cordi.
Neske developed an annual Web-based training for those involved in credit card transactions through WeComply and has worked to educate people to be aware of compliance requirements. “We’re up to almost 300 employees who are required to be trained annually,” she said. “These are the people who are in the card holder data environment, who have access to the data. P-card holders aren’t required to take this training because they are making payment, not accepting or processing it.”
There are consequences for failing to comply as well. “If there is a breach, the most significant consequence would be the harm to our students. In addition, fines to the campus could go into the hundreds and even millions of dollars range. Campus would also likely suffer negative publicity and loss of reputation,” said Cordi.
“We have an incident response team should a staff person believe there may have been a breach or data has been compromised,” Neske said. “In the case of a breach, we are required to report up to the card brands themselves and they can investigate as they want.”
The University has come a long way since 2010, said Neske. “When we started this, it was all over the place and we accepted credit cards on campus just about any way you could. Now we’re working with all of the departments with tightened-up compliance initiatives, department by department, and now we’re light years ahead of previous years’ attempts.
“We’re really trying to enforce the training and we’ve increased awareness, which is really the foundational component. Departments want to comply, and want to participate,” she added.
The requirements certainly became a priority, said Cordi, noting that an employee hired last year spends about 50 percent of his time on PCI compliance.
For example, the University is required to perform network vulnerability scans on the IT side every quarter, and they actually randomly attempt to attack our system through what is called penetration testing, Neske said.
There is also a self-assessment component to compliance. “To confirm we have validated ourselves, there is a required self-assessment questionnaire so we can self-assess,” said Neske. “Due to our size, each department responds online annually to a questionnaire that it is or is not compliant and if not, what they’re doing to improve and when they will be compliant. Our bank also touches base each year.”
“We’re responsible and our role is to make sure that vendors are also compliant, even those who don’t directly touch credit cards, including adding liability language in contracts,” said Neske.
The Business Office continues to work to create awareness of compliance issues, sending a newsletter every other month to those involved in credit card transactions. A website also provides information: http://www.binghamton.edu/revenue-accounting/pcidss.html
Minority and Women-Owned Business compliance
Over the past five years, purchasing from minority and women-owned businesses (MWBE) has increasingly become a priority in New York State, as well as on SUNY campuses. Under Gov. Andrew Cuomo’s administration, the percentage of purchases to be made from MWBEs that are certified in New York State increased from 20 to 30 percent effective Jan. 1, 2015.
The governor’s goal is to ensure that MWBEs have equal access to contracts and that New York state business stays in New York state, said Matt Schofield, director of procurement. “Our challenge is that there is only 1 percent minority- and 5 percent women-owned businesses in our area, so it’s hard for us based on limited local demographics.”
Binghamton University does meet the mandated percentage, but it’s not easy and involves close attention to detail to do so, said Schofield. “Over the last year or two we have established a position in the Purchasing Office as well as identified someone in Physical Facilities to assist with MWBE procurement,” he said. “We needed the resources to help us reach these goals so we’ve partnered with Physical Facilities and perform extensive research to hit our goals. We’re one of the top SUNY campuses and are doing better than the majority of SUNY schools.”
Five years ago, only 5 to 6 percent of campus purchases were coming from MWBE vendors, but now that it’s at 30 percent, it takes a campus-wide effort, said John Cordi, associate vice president for business affairs. “Bill Panko is our MWBE coordinator, and we appointed him to that position before SUNY mandated it,” Cordi said. “It is a unique area that most people on campus don’t initially think about because they’re just interested in buying a quality product or service to do their job and don’t necessarily focus on who is providing it. We help them identify these certified MWBE vendors.”
Panko and Schofield have placed an emphasis on outreach efforts, both in Albany and at local events, to educate MWBEs on what it takes to become a certified New York state MWBE vendor. “It takes about a year, including a full background check and proof that if it’s a woman-owned business that the woman owns at least 50 percent,” said Schofield. “On April 7, I’m going to the Small Business Development Center to talk to local MWBEs about the process of getting certified and will show them how procurement works with SUNY and how to work with SUNY.”
Local businesses that fit into the MWBE category will benefit by becoming certified, and it will help our local percentage increase as well, said Schofield. “It’s a win-win situation if they’re MWBE certified and local. So we do reach out specifically to local businesses. There are a couple furniture, electrician, plumber and paint suppliers. Most come from the construction area.”
Binghamton is one of the only campuses that actually has two MWBE coordinators, splitting responsibilities with Physical Facilities due to the large number of construction projects. “We’re definitely able to reach our goals and have an understanding of where those businesses are on the construction side as a result,” said Schofield. “SUNY has praised us for splitting it out.”
One example of why Binghamton is successful, Cordi said, is that Schofield worked with Staples and Proftech Office Supplies, a minority-owned reseller of office supplies. Luckily, New York State is finding front-end vendors that take orders and process them, but Staples is still the warehouse and that’s helped us. Ninety-nine percent of our office supplies are through Proftech. There are also a few other New York State contracts that we jump on and get our MWBE credit with the state.
“All of this has taken a lot of effort and we’ve definitely restructured the way we look at purchasing,” said Schofield. “It’s a priority. Anything we purchase at $25,000 or higher ($100,000 for construction), we have to set goals on. We have to see if there’s something at all possible from MWBEs, whether they are the sole vendor, or if they can deliver the product or split it out somehow. Sometimes it’s not feasible, but we always have to try. It becomes more beneficial to us down the road when an MWBE gets a contract.”
“All of this adds time to the procurement process,” Cordi added. “If we can’t identify an MWBE for a purchase, we have to go through a waiver process with the state that can add 30 days to the process.”
“We stress that people plan ahead,” said Schofield.