Objective

To determine the extent of implementation of the three recommendations included in our initial audit report, Compliance With Payment Card Industry Standards (Report 2018-S-61).

About the Program

The City University of New York (CUNY) – the nation’s largest urban public university – comprises 25 colleges located throughout New York City’s five boroughs. As of April 2021, CUNY offers 1,400 academic programs, 200 majors leading to associate and baccalaureate degrees, and 800 graduate degree programs to over a half million students in a single integrated system. CUNY’s Central Office is responsible for issuing various CUNY-wide policies in areas such as academic affairs, legal and compliance issues, facility management, and IT security, including credit card payment processing.

All industries that accept credit cards as a method of payment must comply with the Data Security Standards (DSS) established by the Payment Card Industry (PCI) Security Standards Council. The PCI DSS is a comprehensive set of technical and operational requirements designed to protect cardholder data.

Our initial audit report, issued on December 13, 2019, examined whether CUNY complied with PCI DSS. The audit covered the period November 7, 2018 through May 2, 2019. We found that CUNY had fallen short in providing CUNY colleges with sufficient guidance and direction needed to ensure campus-wide compliance. We identified areas where system and data controls need to be improved to meet compliance standards at all four of the colleges we sampled. Furthermore, Central Office did not oversee colleges’ PCI compliance, and instead relied on each college to self-monitor. As a result, Central Office had no knowledge of the compliance status of any of its colleges – and thus no assurance that the relevant data is properly protected campus-wide. Our initial audit contained three recommendations to CUNY to develop strategies to enhance compliance with PCI DSS, update CUNY-developed Guidelines to reflect issues pointed out in the report, and implement recommendations made in a preliminary report issued to CUNY.

Key Finding

CUNY officials have made progress in addressing the audit findings identified in the initial audit report. Of the initial report’s three audit recommendations, two have been implemented and one has been partially implemented.

Key Recommendation

Officials are given 30 days after the issuance of the follow-up report to provide information on any actions that are planned to address the unresolved issues discussed in this report.