Keeping Student Accounts Secure: Tech Companies Speak Out
In “Password Protected?” (December 2013) author Mark Ward, Sr., PhD, offered valuable tips that readers can take to reduce their vulnerability to cyber criminals. But what about the security of student data collected and maintained by the school meals operation? School Nutrition asked Ward to check in with some leading vendors of school foodservice software on this topic.
Thousands of school nutrition operations in districts large and small have transitioned from paper-based systems to web-based software that allows families to establish and maintain funds in an account for school meals or apply for free and reduced-priced benefits. At the serving line, students are queuing up at the point of sale (POS), flashing bar-coded identity cards or using keypads to enter a PIN (personal identification number) that connects to their accounts.
These software solutions save school nutrition department thousands of labor hours over paper-based processing. A reduced emphasis on cash offers greater safety and security for both students and onsite cashiers. And students who are eligible for free and reduced-priced meals are spared the stigma of a different system than their more economically advantaged peers. Many parents enjoy the convenience of paying for meals with a credit card, while also monitoring their child’s purchases.
But such new payment technologies also mean that reams of personal information are being exchanged through computer networks. To help operators understand the basic issues in keeping their customers’ data secure, School Nutrition spoke to two experts from leading providers of payment solutions to the K-12 market.
Robbie Payne, Senior Vice President for Research and Development
Horizon Software International, Duluth, Georgia
SN: Do most school nutrition operations that use electronic payment systems purchase off-the-shelf software from a payment solutions provider or write their own custom software inhouse?
RP: Computerized POS systems for the school market have been around for at least the 20 years that our company has been in business. Back then, when it was a new idea, you might see school districts try to write their own software. But today that’s rare. Most districts acquire off-the-shelf solutions from commercial providers who specialize in these solutions.
SN: So the trick for school nutrition operators is in evaluating the various payment solutions on the market and their providers?
RP: That’s right. And the data security of these solutions must be a high priority. PII, or personally identifiable data, is by far the largest type of data being stored and exchanged in a K-12 school district. In [actual, onsite] school cafeterias, for example, there are almost no credit card payments; instead, transactions are prepaid and are completed based on each student’s ID.
Typically, districts don’t have one set of student records at the main office and a separate set maintained by the school nutrition program. To create a student record that can be associated with each cafeteria transaction, data is imported from the district’s student information services. That means data is being exchanged between sites.
To be secured, the data must be encrypted. You can think of data existing in two states: data “at rest” when it’s being stored, and data “in motion” when it’s being exchanged between sites. In both states, it must be encrypted. In fact, encryption is needed at three points: when the data is coming in, when it’s being stored and when it’s going out.
SN: What are the biggest threats to data security?
RP: A huge threat is rogue employees. We’ve found that an effective solution is to base employees’ access rights on their group roles. In other words, the cashier won’t have the same access to student data as does the cafeteria manager.
In addition to employee access, risks include general breaches of data—from hackers, from malware and from employees who lose or don’t adequately secure a device such as a laptop, USB drive or external hard drive.
Still, the good news is that the education sector hasn’t been targeted as much (by cyber criminals). The financial services and healthcare industries are the most targeted. One study suggests as much as 20% of these industries’ data may be compromised.
SN: While security at the point of sale is vital, what about security when parents go online and prepay for school meals?
RP: The Payment Card Industry [PCI] Security Standards Council has promulgated strict standards. You should look for a payment solutions provider that is PCI compliant. Level I is the highest level of certification.
SN: Technology advances rapidly. What data security concerns might emerge in the future that school nutrition operators should know about?
RP: Traditionally, you’ve only needed to be concerned about student data within your school district’s own system. But now data are starting to flow beyond your campus walls and move into the cloud. A master student database is being discussed in an effort to personalize learning for each student.
Rosemary Orliss, Senior Marketing Manager
Heartland School Solutions, Tempe, Arizona
SN: What’s the real issue?
RO: Of course, there are isolated incidents of one student using another student’s card, or stealing an ID number, in order to get a free meal. But that’s not so widespread. The greatest potential for vulnerability is the fact that so much student information is now online. So, at the point of sale, you’ve got to associate the right student with the right account. This can be done through PIN numbers, ID cards, keypads—even biometrics, such as a student’s picture or fingerprint as an identifier.
Then, too, most Americans today are comfortable with using credit cards online. If your school nutrition program allows parents to prepay online, that cardholder data also must be kept secure.
SN: To handle these security issues, should school districts consider writing their own custom software inhouse for their unique needs? Or using commercially available off-the-shelf software?
RO: Most districts today are using off-the-shelf solutions. It would be very onerous for a school district to comply with PCI [payment card industry] security standards. At the same time, payment solution providers for the K-12 market are aware of the regulations that schools must follow such as FERPA [Federal Educational Rights and Privacy Act] and COPPA [Children’s Online Privacy Protection Act].
SN: If school nutrition programs are likely to obtain payment solutions from vendors, what questions should they be asking vendors about data security?
RO: How you do maintain data security? What levels of data encryption does your system provide? Are you PCI compliant—and to what level? Do you share data with third parties? What’s your internal data security plan? Who in your company has access to our student data? Do you have a disaster plan to recover lost data? Is your tech support easy to reach?
SN: What data security practices should school nutrition operators ask students and parents to observe?
RO: Tell students and families not to share a meal card or PIN within anyone else. When they create an online account, they should choose a “strong” password—and then protect it against others finding it out. And if they prepay for school meals through a mobile device, rather than a computer, they need to keep access to that device secure. In a word, exercise common sense.
SN: What new data security issues might the future bring?
RO: Online applications for free and reduced-priced meals are becoming more common. There’s been a lot of discussion about the “digital divide.” But people at every income level are gaining access to computers, tablets and smartphones. As families start applying online for reimbursable meals, that means a lot of data—names, birthdates, income—is going to be exchanged via computer networks.