Education

PCI compliance for education

Take student and donor payment data out of PCI scope. A European PCI DSS Level 1 vault for schools, universities and ed-tech — tokenized cards for tuition, fees, instalments and phone payments, with EU data residency.

SAQ A: Typical PCI scope after tokenization
Instalments: Tuition plans & recurring fees
Phone: Bursar & MOTO out of scope
100% EU: Card data residency

The challenge

Education collects payments from many people

Tuition, application fees, accommodation, campus services, course payments and alumni donations all touch card data — across departments with limited IT security resources.

Many payment points

Online portals, departments, the bursar's office and campus services each handle cards, multiplying PCI scope.

Instalments & recurring

Tuition plans, course fees and memberships need a card you can charge again without storing the PAN.

Phone payments

Finance and admissions staff often take cards by phone, pulling people and systems into scope.

Donations & alumni

Giving campaigns and alumni offices collect cards through multiple channels and one-off drives.

Limited resources

Public institutions rarely have the security staff to run a full SAQ D programme each year.

EU data residency

Students, parents and donors expect card and personal data to stay in the EU under GDPR.

The solution

Finance systems that never see a card number

Hosted fields & SDKs

Payment-portal card inputs send data straight to the vault and return a token — secure online tuition and fees with no PAN on your servers.

Phone & bursar payments

MOTO capture sends the card straight to the vault without displaying or storing it, keeping phone payments out of scope.

Instalments & recurring

Charge stored tokens for tuition plans, course fees and memberships, with no card data in your student systems.

EU custody

Card data is stored only in European data centres under PCI DSS Level 1, with GDPR-aligned residency.

FAQ

Education payments, answered

01 How does tokenization keep a school or university PCI compliant?

Card details for tuition, fees or donations are captured in hosted fields or by phone and sent straight to a PCI DSS Level 1 vault, which returns a token. Your student information system and finance tools only ever hold tokens, so cardholder data never touches your environment and most institutions qualify for SAQ A.

02 Can students pay tuition in instalments?

Yes. A token represents a stored card you can charge again for tuition instalment plans, recurring course fees or memberships — without holding the real card number in your systems.

03 Does it cover phone payments and donations?

Yes. Bursar and alumni-office staff can capture cards through a MOTO flow where the number goes directly to the vault and is never displayed or stored, keeping phone payments and donation campaigns out of PCI scope.

04 Is student and donor card data kept in the EU?

Yes. PCI Proxy stores card data only in European data centres with GDPR-aligned residency — important for institutions handling students, parents and donors across borders.

Take education payments out of PCI scope

Tell us about your tuition, fees and phone flows, and we'll map a tokenization setup that keeps you on SAQ A.