Information Lockdown: Security & Compliance
Information security and regulatory compliance are perhaps the two most important parts of processing payments on campus, or anywhere, for that matter. In fact, it is a big part of why schools choose to work with third-party payment processors in the first place. At Nelnet, the security of payment information is our primary concern. Here, we provide a high-level overview of what we do to keep sensitive information secure. In later editions of the newsletter, we will go into more detail on how we work to keep all personally identifiable information safe and secure.
Those Six Important Letters
Nelnet is proud to be PCI DSS Level One Validated. PCI compliance is the gold standard for security as it pertains to protecting credit card information. The PCI DSS (Payment Card Industry Data Security Standard) is designed to ensure that all entities storing, processing, or transmitting credit card information do so in a secure environment. Maintaining this designation is one of the most important parts of our business. Being PCI compliant means it is our job to help institutions mitigate and avoid the risks involved in accepting credit cards as a means of payment. Simply stated, PCI compliance is likely the most important business issue you face when it comes to campus commerce, and we help you address it successfully. For comprehensive information on PCI compliance in general, visit the PCI Security Standards Council website. Nelnet Business Solutions appears on page 50 of Visa's Global Registry of PCI DSS Validated Service Providers.
SSAE 16 (Formerly SAS70)
SSAE 16 is an audit standard designed for third-party service organizations (like Nelnet). Organizations use the SSAE 16 results of their service organizations in their own audits, thus avoiding the cost of auditing the service organizations themselves. The SSAE 16 addresses all aspects of the service organization's control environment: policies, procedures, personnel, security, management, and so on. While PCI DSS receives the majority of the attention when it comes to security and compliance, the SSAE 16 audit is also an important part of our security commitment, and one you can be comfortable with when working with Nelnet.
The Red Flags Rule is a rule set forth by the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions (FACT) Act to prevent identity theft. The rule requires creditors and financial institutions of all types (including Nelnet) to have a written program in place describing how the entity identifies, detects, and responds to indicators (red flags) of identity theft. Nelnet is proud to maintain this written program as yet another means of protecting our clients and the confidential information of the students and families you serve. For more information on the Red Flags Rule, visit the FTC webpage covering the topic.
These three compliance items are only part of a long litany of security efforts we undertake every day. In future issues of the newsletter, look for more information on topics like pass-through authentication, encryption, OWASP, alarm monitoring, and more.