The Urgency of Cyber Security

Kindly contributed by WPM

The Urgency of Cyber Security: Why a Payments Strategy is Part of the Solution

How much of a concern is cyber security in your institution right now?  If not already somewhere at the top, I’m willing to bet it’s racing up the risk register.  And as a Finance Director you will be playing an increasingly important role in promoting cyber security and addressing threats within your institution which could lead to loss and/or destruction of valuable data and personal information. 

But what’s that got to do with a payments strategy I hear you ask? Well there are two key elements to incoming payments: the systems and services through which you accept payments and how you secure payment-related personal information across your university.  Whilst the ‘how’ is almost certainly being handled by your finance team, as Finance Directors it’s absolutely critical that you support your team in defining and understanding the ‘why’.  Why you’re offering the payment methods you do (what are the benefits to your payers and university, as well as what are acceptable costs and risks to both), and why protecting that payment information is important to reduce your institution's cyber security risks and comply with relevant data protection regulations (such as the UK GDPR ‘security’ principle).

7/10 UK Universities Don’t Have a Payments Strategy

In a recent survey of UK university finance team members, 69% reported that they did not have a precise strategy for adding, maintaining or removing a payment method.   If finance teams don’t have an agreed framework within which to make decisions about how they accept payments, operational efficiency and payer experience could be affected, and there is a greatly increased risk that the institution won’t be adequately protecting payment information and processes. 

Security Tops UK and International Payers Concerns

For the last two years WPM has commissioned research with international and UK payers, and we ask them what is most important to them when making tuition fee payments.  Security remains by far the most important consideration for international and UK payers, as it did last year.

Your payers’ trust that their payment information will be secure, so a breach could not only result in large fines and an inability to take card payments, but perhaps more importantly, could result in long term reputational damage.   

The Ripple Effect

WPM regularly commissions research into the payment experiences of international students.  An in-depth interview conducted with an Indian student doing a first year postgraduate course demonstrates the operational and security risks of a poorly planned and executed payments strategy.  COVID meant that this student was late coming into the country and therefore her father had to pay the first instalment from India.  Only one payment method was offered, which didn’t support recurring payments.  Having tried unsuccessfully to pay in this way, the student’s father decided to transfer the money to his daughter’s landlord (who was newly acquainted with them), in order for him to pay the tuition fees on her behalf.  Money hitting a university’s bank account directly from a payer who is no way related to the student is not only a major anti money laundering/KYC red flag, but requires significantly more staff time and effort to investigate and process, significantly impacting upon operational efficiency.

“I Want Them To Feel The Same Pain That I Did”

Both the student and her father were enormously frustrated at how difficult it turned out to be to pay her tuition fees.  As a one year postgraduate student, there was a sense in the interview that this had irreversibly affected her university experience.  Whilst this would clearly be a concern for any university, she had also made the decision to hold back her final payment because, and in her words, she “wanted the university to feel the same pain” (that she did).  And debt recovery is a significant pain for UK universities.  Not only the time and money spent chasing and recovering debt, but also the impact that the debt recovery process and reprisals may have on an already vulnerable and unhappy student.  

Empower Your Team To Take Action

As a Finance Director, your involvement day-to-day in accepting payments and securing payment information will almost certainly be limited.  But finding the time to support and empower your teams to develop and act upon a payments strategy, which incorporates key security obligations and criteria, will reap long term rewards at every level of the institution, and ensure that you are upholding and protecting the trust placed in the institution by your students and payers.

WPM is hosting a ‘Payment Security Overview for Finance Directors’ webinar on Wednesday 23rd June, 9.00 – 12.00.  This will look to provide an overview of "payment security"; covering your contractual and legal obligations around providing secure payment processes; covering DPA 2018/GDPR obligations, PCI DSS compliance requirements, and steps to protect your institution.  Click here to register.