Reminders & new deadline regarding Policy 2820 Acceptance of Credit & Debit Card Payments

May 13, 2020

Below please find several important reminders and information on a key new deadline related to Policy 2820 Acceptance of Credit & Debit Card Payments. This policy governs all Yale University schools and departments that accept and process Payment Card payments, which must be compliant with the Payment Card Industry Data Security Standard (“PCI-DSS”).

Important Reminders:

  • Yale virtual and website merchants. Yale merchants may receive payment card information from purchasers in a secure manner. They may then log-in to the external processing system and manually enter the information. Purchasers must not email their card numbers or use social media to send payment card data.
  • Destruction of paper documents with payment card information. Some Yale merchants receive donations/payments using paper forms. In those cases, donors/purchasers complete forms sent to them with their payment card information and mail them to the Yale merchant. When the forms arrive, the Yale merchant logs into their virtual merchant account and manually enters the payment card information. The Yale merchant must then destroy the paper form.  When disposing of documents containing cardholder data, the Yale merchant must, at a minimum, cross-cut shred the documents prior to disposal. Note: the PCI-DSS does not support shredding with strip cut paper shredders. Alternatively, Yale merchants may securely dispose of documents by placing them in Infoshred bins to which access to the inside of the bin is physically prevented.
  • Merchant Identification Number (“MID”) record maintenance: it is the responsibility of each Yale merchant to inform Yale PCI Administration of the following:
    • Any changes to personnel with access to payment processing devices and services;
    • Any changes to contact information for a merchant or service location;
    • The addition or modification of any payment processing device or method (e.g., retiring a card swipe machine, a new computer is being used to access an administrative page, or adding an e-commerce website); and
      • When new devices or payment methods are added or when devices are no longer in use, notify PCI Administration within 30 days. Please be ready to provide the make, model, and location of each device.

New Deadline - December 31, 2020

Policy 2820 Acceptance of Credit & Debit Card Payments, subsection 2820.5 D., provides that all “Devices used to process payment card transactions may only be used for processing payments.” This is essential for ensuring Yale is in compliance with its obligations under the PCI-DSS.

All Yale merchants accepting payments via payment card must be in compliance with this provision no later than December 31, 2020. Only those merchants with compliant devices will be permitted to continue accepting payments via payment card as of that date. Please note, however, that P2PE devices (i.e., Clover) are not impacted by this requirement.

Any questions about this requirement should be addressed to your appropriate service provider or the ITS Help Desk.