Arrow Payments · Tufts University · 2026 Town Hall

PCI & Merchant Services Foundations

Tufts University Town Hall · March 25, 2026 · Slides 1–17
What Is PCI DSS?

Payment Card Industry Data Security Standard

Core Definition

PCI DSS is a global set of data security requirements designed to help merchants securely process credit and debit card payments. The card brands (Visa, MasterCard, American Express, Discover, and JCB) first published it in 2004; since 2006 it has been owned and maintained by the PCI Security Standards Council (PCI SSC), the independent body the brands founded for that purpose.

  • Contains 12 core requirements to standardize cardholder data security
  • Applies to all entities that store, process, or transmit cardholder data
  • Compliance is contractually required to accept payment cards
  • Not specific to any one institution — it applies globally
Who Is Involved at Tufts?

Arrow Payments

Boots on the Ground

Founded by Deborah Jackson in 2005 in Chicago, IL. Arrow specializes in higher education payment processing solutions.

  • Guided completion of SAQs
  • AOC reminders
  • PCI training enrollment & completion reports
  • Vendor implementation & integration
  • Tailored solution recommendations
  • Device troubleshooting

CampusGuard

Qualified Security Assessor

CampusGuard serves as the independent Qualified Security Assessor (QSA) for Tufts.

  • Vendor compliance reviews
  • PCI training course content
  • Vulnerability scanning
  • Annual SAQ review & compliance sign-off
The Continuous Compliance Cycle
1. Assess
Identify and inventory the assets and processes that handle cardholder data. Analyze them for vulnerabilities that could lead to exposure.
2. Remediate
Resolve identified vulnerabilities and establish secure, repeatable business processes.
3. Report
Document the assessment process and the remediation performed. Share compliance reports with your bank and the card brands.
A Campus Is a City
Universities face unique PCI challenges: open networks, complex environments, many locations, thinly stretched staff, budget constraints, silos, and constantly changing scope. Compliance is a 24/7/365 requirement, and scope can change quickly whenever a department adds a device, a vendor, or a new way of taking payments.
What Is Cardholder Data?
Sensitive payment card information is called "Cardholder Data" (CHD)
This is the information found on or derived from a customer's credit or debit card. It is critical to protect — never store, transmit, or display CHD unless absolutely required and properly secured.
Data Element | Description | Protection Required
Primary Account Number (PAN) | The card number printed on the card, 13 to 19 digits (most Visa/MasterCard PANs are 16, Amex 15); the most critical element | Must be protected at all times; when displayed, show at most the first 6 and last 4 digits
Cardholder Name | Name of the card account holder | Must be protected
Expiration Date | Month/year the card expires | Must be protected
Card Verification Value (CVV, also CVC/CID) | 3- or 4-digit security code printed on the card | Never store after authorization
Cardholder Address | Billing address associated with the account | Must be protected
Magnetic Stripe / Chip Data | Full track data read from a swipe or dip | Never store after authorization
Cardholder PIN | Personal Identification Number for debit transactions | Never store
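A practical way to apply this table is to check that PANs have not leaked into places they must never be stored: help-desk tickets, spreadsheets, web-server or application logs. The script below is an added example written for this guide; it is not code from the slides, from Arrow Payments, or from CampusGuard. It finds candidate PANs in text (13 to 19 digits, optionally separated by spaces or dashes), uses the Luhn check to discard order numbers and other long digit strings that are not card numbers, and masks real hits to the first 6 and last 4 digits, which is the most PCI DSS permits to be displayed. The log lines and the card numbers in them are constructed; the card numbers are the public test numbers payment processors publish, not real accounts.

```python
"""Scan text for stored PANs and mask them (added example, not Tufts/Arrow/CampusGuard code)."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit. (Assumed thresholds: PCI DSS
# defines no fixed length; real PANs are 13-19 digits.)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS masking: keep at most the first 6 and last 4 digits, star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _as_pan(match_text: str):
    """Strip separators; return the digit string if it looks like a PAN, else None."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def find_pans(text: str) -> list:
    """Return every Luhn-valid candidate PAN found in text, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = _as_pan(m.group())
        if digits is not None:
            hits.append(digits)
    return hits


def redact(text: str) -> tuple:
    """Return (text with PANs masked, number of PANs masked)."""
    count = 0

    def repl(m):
        nonlocal count
        digits = _as_pan(m.group())
        if digits is None:
            return m.group()     # not a card number, leave it alone
        count += 1
        return mask_pan(digits)

    return PAN_RE.sub(repl, text), count


# Constructed sample log lines. The 16-digit order id fails Luhn and is ignored;
# the Visa and Amex test numbers are flagged and masked.
SAMPLE_LOG = """\
2026-03-25 14:02:11 order=1234567890123456 status=paid
2026-03-25 14:05:40 support note: customer read card 4111 1111 1111 1111 exp 12/28 over the phone
2026-03-25 14:07:02 refund ref 378282246310005 amount=45.00
"""

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    masked, n = redact(SAMPLE_LOG)
    print(f"{n} PAN(s) masked:")
    print(masked)
```

Run it against an export of the system you are worried about. Any hit means cardholder data is being stored outside an approved, PCI DSS-compliant channel and should be reported through the Incident Response Plan rather than quietly deleted; the masked output is safe to paste into a ticket, the raw hit is not. The Luhn filter removes most false positives but not all, so treat hits as leads to verify, not proof.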
Why Protecting CHD Matters

Financial Impact

  • Average cost per stolen record: $245
  • 100,000 records × $245 = $25M+ breach cost
  • 2024 average U.S. data breach cost: $9.36M
  • Fines up to $500,000 per card brand
  • Banking fines, legal fees, federal audit costs

Operational Impact

  • Loss of ability to accept credit cards
  • Cost of forensic investigation & cleanup
  • Consumer notification & protection costs
  • Cost of reissuing affected credit cards
  • Fraudulent charges expense
  • Reputational loss — customer trust is hard to rebuild
Education Is a High-Value Target
The Education/Research sector is one of the most targeted industries. Records compromised in the sector in 2024 rose to nearly 4.3 million (up from roughly 3.5 million in 2022). Per the U.S. Secret Service, 30% of all data theft incidents occur on university campuses.
How Breaches Happen

Non-Compliance with PCI DSS Requirements

Primary Cause

Failing to implement or maintain PCI DSS controls is the most direct path to a breach. Know the requirements that apply to your department and ensure continuous compliance.

Third-Party Vulnerabilities

Vendor Risk

Vendors and service providers with access to your cardholder data environment can introduce risk. Review vendor Attestations of Compliance (AOCs) annually.

Lack of or Inadequate Training

Human Factor

New or untrained employees may not understand how to securely accept payments. Annual PCI training is required for all users who interact with payment systems.

Phishing & Social Engineering

Targeted Attacks

Attackers trick employees into revealing credentials or clicking malicious links. If you receive a suspicious email, ask before acting — never assume it's legitimate.

Weak or Default Passwords

Credential Risk

Reused, default, or weak passwords are a primary cause of breaches; a vendor-default password on a payment terminal or back-office application is effectively a published credential. Use strong, unique passwords and a password manager, change every default before a device or system goes live, and update passwords at least every 90 days.

Non-Compliant Devices or Processes

Process Risk

Entering credit card numbers into a university computer is a PCI violation. Never use non-approved devices or processes. Only use PCI DSS-compliant terminals and systems.

Physical Tampering / Device Theft

Physical Security

Criminals may swap or tamper with payment terminals to steal card data (skimming). Inspect devices regularly for signs of tampering. Lock up devices when not in use and submit tamper logs monthly.

Unauthorized Access to Secure Areas

Access Control

Physical access to systems, servers, or documents containing cardholder data must be restricted and logged. Report any unauthorized access immediately.

Key Takeaway
Most breaches are preventable. Following the PCI DSS requirements, training your team, and staying vigilant about both physical and digital security dramatically reduces risk.
Who Is Responsible?

Treasury

Institutional Oversight
  • Oversees merchant accounts and related policies and procedures
  • Reviews requests for third-party service providers
  • Ensures campus-wide PCI DSS compliance
  • Files annual PCI Attestation with the bank (December)

Account Managers

Departmental Lead

One Account Manager is assigned as the primary PCI contact for each department that accepts credit card payments.

  • Complete annual PCI tasks and self-assessments (SAQs)
  • Maintain a list of departmental users requiring PCI training
  • Oversee device inspections and submit tamper logs
  • Communicate any changes in payment processing to Arrow Payments
  • Ensure security controls are consistently implemented
  • Complete vendor reviews (AOCs)
  • Adhere to Tufts' Incident Response Plan (IRP)

Account Users

Day-to-Day Operations
  • Complete annual PCI training
  • Maintain PCI best practices in day-to-day operations
  • Report any suspicious activity or evidence of device tampering
PCI Is a Team Sport
Anyone who interacts with systems or processes related to credit card payments is part of the compliance team. Compliance is a 24/7/365 requirement. Communicate any change to your payment environment immediately so that compliance stays continuous.
Consequences of Non-Compliance

Financial Penalties

Monetary
  • Legal fees
  • Banking fines (per card stolen)
  • Cost of federal audits
  • Forensic investigation and cleanup costs
  • Fines up to $500,000 per card brand

Operational Consequences

Operational
  • Loss of ability to accept credit card payments
  • Loss of trust from banking institutions and partners
  • Reputational damage with customers
  • Operational disruption during investigation
2026 PCI Project Timeline
March — Initiation
Town Hall
Review PCI Compliance Project for 2026. Establish timelines and due dates. Arrow sends kick-off and SAQ scheduling emails to Account Managers.
April & May — Execution
SAQs
Arrow assists with SAQ completion in CampusGuard Central (CGC). Departmental users are confirmed and PCI training enrollment is verified.
May & June — Execution
Documentation & Site Visits
Compliance documents are reviewed, submitted, and locked. CampusGuard conducts site visits to selected departments.
July & August — Monitoring
Compliance Review
Arrow reviews locked SAQs. CampusGuard completes SAQ and PCI review.
November — Verification
Compliance Verification
Email sent to each merchant to confirm compliance. Written confirmation received from all departments.
December — Closure
File Attestation
Treasury files PCI Attestation with the bank. Merchants maintain best practices year-round.
2026 Project Workflow — Your 4 Steps
1. SAQ Completion in CampusGuard Central (CGC)
Schedule a time with Arrow Payments to complete your SAQ(s). A scheduling link will be provided via email. Arrow ensures all responses are accurate.
2. Documentation
Provide all departmental users and confirm PCI training enrollment. Submit quarterly PCI training reports. Confirm departmental payment policies and the Incident Response Plan (IRP).
3. Site Visits
CampusGuard will visit selected departments to review payment processes and physical security controls in person.
4. Maintain PCI Best Practices Year-Round
Ensure all users complete annual PCI training. Maintain the device inventory and submit tamper logs as requested. Inform Arrow Payments of any payment processing changes.
New to PCI or changed roles?
Email merchants@tufts.edu if you have been newly appointed as an Account Manager or Account Coordinator. CampusGuard Central portal: campusguardcentral.com/login — questions: opsupport@campusguard.com
Key terms covering PCI foundations, cardholder data, breach causes, roles, and the 2026 program.
PCI DSS
Payment Card Industry Data Security Standard — a global set of security requirements created by Visa, MasterCard, Amex, Discover, and JCB to protect cardholder data.
PCI SSC
Payment Card Industry Security Standards Council — the independent body that manages and updates the PCI DSS standards.
Cardholder Data (CHD)
Sensitive payment card information including the PAN, cardholder name, expiration date, CVV, address, magnetic stripe/chip data, and PIN.
PAN
Primary Account Number — the card number printed on the card (13 to 19 digits; 16 for most Visa/MasterCard cards, 15 for Amex). The most critical element of cardholder data.
CVV
Card Verification Value — the 3 or 4-digit security code on a card. Must never be stored after authorization.
SAQ
Self-Assessment Questionnaire — the annual document each merchant completes to attest to their PCI DSS compliance. Completed in the CampusGuard Central portal.
AOC
Attestation of Compliance — a document completed by a vendor or service provider confirming they are PCI DSS compliant. Arrow Payments assists in collecting and reviewing AOCs.
QSA
Qualified Security Assessor — an independent organization certified by the PCI SSC to validate PCI compliance. CampusGuard serves as the QSA for Tufts.
CampusGuard
The QSA firm supporting Tufts University — responsible for vendor compliance reviews, PCI training content, vulnerability scanning, and annual SAQ review and sign-off.
CGC
CampusGuard Central — the online portal where Tufts merchants complete SAQs and manage PCI compliance documentation. Login at campusguardcentral.com/login.
Arrow Payments
The merchant support partner for Tufts — provides boots-on-the-ground assistance with SAQs, training, device troubleshooting, vendor integrations, and compliance support.
Account Manager
The designated primary PCI contact for a department. Responsible for SAQ completion, user lists, training, tamper logs, and compliance adherence.
Tamper Log
A monthly record submitted to confirm that each payment device in the department's inventory has been inspected for tampering or substitution (for example, a changed serial number, a broken seal, or an added overlay or cable). Due before the end of each month.
IRP
Incident Response Plan — Tufts' documented procedure for responding to a payment card data breach or suspected security incident.
ASV
Approved Scanning Vendor — a company certified by the PCI SSC to perform external vulnerability scans of systems in the cardholder data environment. CampusGuard performs ASV scans quarterly.
CDE
Cardholder Data Environment — the people, processes, and technology that store, process, or transmit cardholder data, plus any connected systems.
Treasury
Tufts University Treasury — oversees all merchant accounts, reviews third-party service providers, ensures campus-wide PCI compliance, and files the annual PCI Attestation with the bank.
Phishing
A social engineering attack where criminals impersonate trusted entities via email or message to trick employees into revealing credentials or clicking malicious links.
Skimming
Physical tampering of a payment terminal by criminals to steal card data when a card is swiped or inserted. Devices must be regularly inspected for signs of tampering.
Merchant Account Manager
Each department accepting card payments must designate one primary Merchant Account Manager as the PCI point of contact. Changes must be reported to Arrow Payments.
Arrow Payments · Tufts University 2026 Town Hall · Internal Use Only