Mitigating Risk and Improving Efficiency with Third Party Vendors

– When is enough… enough?

Paul Aries, RVP, Nelnet Business SolutionsAnn Holland, Associate Dean Business Affairs

Hopkinsville Community College

Agenda

» Introductions» Background» Issues» Solutions» Questions

Kentucky Community & Technical College System (KCTCS)

• State system for 16 community and technical colleges – 67 Campus locations

• 100,000+ students

• 600 credit degree certificate programs

• Hopkinsville Community College– 3755 Students– 2 Campus locations offering courses at 6 sites

About Nelnet Business Solutions• Focused on Higher Education

–Built for education by education• Over 800 college and universities• 30 years combined experience in education• Leading provider of payment plans and campus commerce• On the PCI Standards Council• PCI Level 1 compliant service provider• NACHA compliant service provider• Red Flag compliant service provider• Serving KCTCS since 2002

Higher Education Challenges• Higher education is unique

• Higher education makes up about 15% of the published internet space*

• Higher education networks– Are LARGE and COMPLEX– Traditionally “open” for collaboration– Application security is not a critical part of doing business

* Source: Indiana University

Session ID 0926

Higher Education ChallengesHigher Education Challenges• Many groups, organizations and departments want to

offer credit card and check payments to their customers, but they all have– Different needs– Resource limitations – Lack of payment processing knowledge

• Commerce is complex, risky, and involves many different groups– Who is in charge?– Is there a defined process?

• Reduction in Budgets

Session ID 0926

Invoicing Process•Paper is Expensive

– Printed, folded, sealed, postage

– Paper/folder jams

– Cut/paste international student invoices for emails

– Address issues

– Returned mail

•Email is open source network•Costly to develop•ERP Functionality?

Session ID 0926

Issues with Payment Processing• Payment Card Industry Data Security

Standards (PCI- DSS) came into effect– Compliance was a major concern– Collecting card information on ERP– No centralized control over credit card

processing– Merchant fees– Do not know what departments were doing– Universities are not in the payment processing

business– We are in the business of education, not

payments

Session ID 0926

Refunds

• Timing (compliance)

• Cost for paper checks

• Staffing and manhours– Printed, folded, sealed, postage– Address issues– Returned mail

Challenges in Managing Payment Plans• Labor intensive

– Managing enrollment process– High call volume – questions– Follow-up on missed payments

• Technology/Resources• The costs associated with credit card processing• Compliance with regulations (PCI, NACHA and

Red Flag)

Challenges in Managing Payment Plans

• Low Collections/high receivables– Payment decisions for students

• Poor student services– Long lines & waiting

• Lack of Functionality in ERP system• Changes, Changes, Changes!• Reconciliation• Colleges and Universities are not in the

payment processing business

What are your options?

• Reduce services – not offer services

What are your options?

•Do nothing-suffer along– accept risk•Poor student services•Frustrated staff•Hope there are no problems

What are your options?

•Throw money at it!!!•Increase staffing•Develop technology internally

Solution = Outsource

Advantages of Outsourcing

• Save Money – Programs not available without third party (Convenience fee)

• Generate income– Outsource the work and still generate income

• Increasing affordability & payment flexibility• Reduce workload on staff • Provide better customer service• Utilize Proven Technology • Integration with ERP• Reputation

Advantages of Outsourcing

• What can they do now… what can they do later?– Keeping up with the industry

– Keeping up with compliance

• Transfer Compliance Risk– Present – compliant systems

– Future – vendor will keep up on future regulations

• Red Flag

• PCI

Create a Partnership

Establish a strategic partnership where there is:• A shared risk / reward• An alignment of goals and vision• A defined resolution process• Highly engaged project management and

customer support

Outsourcing Business Processes

Look for:• Functionality• Technology• Ability to deliver• Vision• Service / Support• Cost• References• Accountability

Strategies for ComplianceStrategies for Compliance

Acceptthe risk

Transferthe risk

Avoidthe risk

Mitigatethe risk

Session ID 0926

Avoiding Risk

Do you really need the data?

Eliminate non-compliant systems

Evaluate co-sourcing partnerships

Session ID 0926

Avoidthe risk

PCI-Compliant Service Provider

.EDU

Commerce Server&

Payment Apps

• User sent to PCI-compliant service provider

• Card data managed by service provider

• Consolidated payment processing

• Consolidated reporting

• Centralized management

Transfer of user

Transfer of user

Business App

Business App

Transferring the RiskTransferring the Risk

Session ID 0926

Transferthe risk

Are you Vulnerable?

• Is sensitive data stored securely?– credit card, banking and personal information

• Is sensitive data stored in your ERP?• Do you change vendor supplied passwords?• Do you have defined procedures for accepting

credit card payments? • Do you manage your own direct deposit of

refunds?• Do you complete a Self Assessment

Questionnaire annually?– Who is responsible & do they know what they are looking for?

Session ID 0926

Why Should I Care?Why Should I Care?

• Cost of non-compliance is more expensive than compliance!– $100,000 minimum fine from each card

association– Cost to notify the victims– Cost to replace the cards ($10/card)– Cost for any fraudulent transactions– Forensics from a QSA– Level 1 certification

Session ID 0926

Benefits of Using NBS

• Seamless integration to a schools ERP• Fully hosted solution (ASP)• Ability to deliver additional services beyond

hosted payment screens– eBilling– Payment Plans– Authorized third party access– Student Refunds– Potential to reduce and avoid interchange rates – Cashiering

• Reduction of PCI scope for your institution

• Regulatory Compliance has become more critical, more time consuming, more expensive

• Leverage NACHA compliant ACH processing

• Eliminate paper checks – convert to ACH/Check 21 at point of sale

• Utilize role-based access and security

• Extensive audit trail

• Improve staff efficiency & reduce workload

• Improved Customer Service

Summary

27

Summary

• Higher education IS unique• PCI compliance is NOT optional• You are always one change control away from

being out of compliance• Reduce scope by removing credit card and

banking from your systems• Non-compliance is more expensive than

compliance• Compliance is a journey not a destination• Outsourcing to the right partner can be the way

to go!

Session ID 0926

Thank You!

Paul Aries,Regional Vice President

Nelnet Business Solutionspaul.aries@nelnet.net

800-811-1079

Ann HollandAssociate Dean, Business AffairsHopkinsville Community College

Ann.holland@kctcs.edu(270)707-3724