2820 Acceptance of Payment Cards

Responsible Official: 
Controller
Chief Information Security Officer
Responsible Office: 
Controller's Office
Information Security, Policy, and Compliance Office
Effective Date: 
December 20, 2013
Revision Date: 
January 14, 2021

Policy Sections

2820.1 Yale ePay Committee

2820.2 Yale Merchants: Application and Registration

2820.3 Yale Merchants: Training Requirements and Documentation

2820.4 Yale Merchants: Ongoing Maintenance and Responsibilities

2820.5 Payment Card Data and Cardholder Data Security

2820.6 Annual Attestation of Compliance

2820.7 Required Action for Theft, Fraud, or Breach

2820.8 Policy Violations

Scope

This policy covers the acceptance and processing of Payment Card payments for University business.  It applies to all Yale individuals and units (i.e., schools, departments, units, or other organizational entities) involved in the acceptance or processing of Payment Card payments for University business.

Policy Statement

Yale individuals and units involved in the acceptance or processing of Payment Card payments for University business must perform their roles in accordance with the requirements of this policy, its related procedures, and the Payment Card Industry Data Security Standard (“PCI-DSS”).

Reason for the Policy

Yale recognizes that accepting and processing Payment Card payments for University business provides important benefits, including improved customer service and increased efficiency.  As such, Yale supports the acceptance and processing of Payment Card payments for many aspects of the University’s business.  Yale also recognizes the critical security and compliance requirements, including PCI-DSS, that accompany the acceptance and processing of Payment Card payments. 

This policy establishes the University’s governance structure applicable to the acceptance and processing of Payment Card payments for University business.  It also establishes the expectations and responsibilities of Yale individuals and units involved in the acceptance or processing of Payment Card payments.

Definitions

The following definitions are applicable throughout this policy and its related procedures and are, in part, a modified subset of the definitions provided in the Payment Card Industry Security Standards Council’s Glossary.

Cardholder Data

At a minimum, cardholder data consists of the full primary account number (a unique Payment Card number that identifies the issuer and the particular cardholder account).  Cardholder data may also appear in the form of the full primary account number plus any of the following: cardholder name, expiration date, and/or service code.

Merchant

Any entity that accepts Payment Cards bearing the logos of any of the five members of the Payment Card Industry Security Standards Council (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services.  Yale Merchants include all employees or other individuals (e.g., students) accepting or processing Payment Card payments on behalf of the Merchant.

Payment Card

Any payment card/device that bears the logo of the founding members of the Payment Card Industry Security Standards Council, which are American Express, Discover Financial Services, JCB International, MasterCard, or Visa, Inc.

Payment Card Industry (“PCI”)

The organizations that store, process, or transmit Cardholder Data, most notably for credit and debit cards.

Payment Card Industry Data Security Standard (“PCI-DSS”)

The set of technical and operational requirements set by the Payment Card Industry Security Standards Council to protect Cardholder Data and reduce Payment Card fraud.

Payment Card Industry Security Standards Council (“PCI SSC”)

A global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.  The PCI SSC administers the PCI-DSS.

Policy Sections

2820.1 Yale ePay Committee

The Yale ePay Committee is a standing committee responsible for oversight of, and compliance with, this policy, its related procedures, and other applicable security and compliance requirements, including PCI-DSS.  The Yale ePay Committee is responsible for the content and upkeep of this policy and its related procedures.  It is responsible for reviewing this policy and its related procedures at least annually and instituting any updates necessary to support continued compliance with the then-current version of PCI-DSS.

The Yale ePay Committee has authority over Yale Merchants, including: the application and registration processes; the ongoing training, maintenance, and compliance requirements; and enforcement mechanisms.  The Yale ePay Committee has primary authority for reviewing and, as appropriate, approving requests to be a Yale Merchant.   

The Yale ePay Committee includes representation from the following units: Controller’s Office; Financial Systems and Solutions; Information Security Office; Information Technology Services; and designated representatives from Yale Merchants.  The Yale ePay Committee is chaired by the eCommerce Manager.  It convenes at least quarterly, unless otherwise determined by the chair.

2820.2 Yale Merchants: Application and Registration

Yale individuals and units interested in accepting Payment Card payments for University business must first apply to be a Yale Merchant by completing an application in accordance with the processes detailed in the Yale ePay Website and Procedure 2820 PR.01 Payment (Credit & Debit) Card.  Only approved Yale Merchants with registered Merchant identification numbers (“MIDs”) or Terminal identification numbers (“TIDs”) may accept Payment Card payments for University business. 

A. Allowable Uses and Limitations

The University generally allows Yale units to accept Payment Card payments for basic transactions for goods and services, primarily of a retail-type and low dollar value.  Examples of generally allowable transactions include, but are not limited to: sales of event tickets and admissions; sales of merchandise; payment of enrollment and activity fees; subscription payments; and payment of patient co-pays.

When a unit opts to accept Payment Card payments, Yale strongly encourages its Merchants to implement a $5,000.00 limit for Payment Cards.  Processing fees associated with acceptance of Payment Card payments can be expensive and Yale Merchants (or their supervisory unit) are responsible for covering them.  Therefore, Yale strongly encourages units to consider alternate payment collection methods whenever possible.  Merchants should process transactions above $5,000.00 via check, wire, or ACH (Note: Yale does not currently allow the use of any other payment forms, such as PayPal or Venmo).

B. Approved Service Providers

Yale Merchants must not contract directly with any supplier/vendor for the provision of Payment Card services.  Merchants must select a Yale-approved service provider, in accordance with the processes detailed in the Yale ePay Website and Procedure 2820 PR.01 Payment (Credit & Debit) Card.

2820.3 Yale Merchants: Training Requirements and Documentation

All Yale individuals who accept or process Payment Card payments for University business on behalf of a Yale Merchant must complete the PCI Compliance Training provided by the University before they are allowed access to Cardholder Data or devices/applications that accept or process Payment Card payments.  All such individuals must then complete this training on an annual basis.

Yale Merchants are responsible for ensuring only properly trained individuals, per the above training requirements, are allowed access to devices/applications the Merchant uses in the acceptance or processing of Payment Card payments.  Yale Merchants must maintain a current list of individuals with access to devices/applications the Merchant uses in the acceptance or processing of Payment Card payments.  Merchants must review this list at least annually, make any necessary adjustments, and maintain appropriate audit logs.  Merchants are responsible for taking appropriate action(s) to eliminate individual access to devices/applications when an individual’s role no longer requires such access (e.g., change in roles, moves to a different unit, leaves Yale).

2820.4 Yale Merchants: Ongoing Maintenance and Responsibilities

Yale Merchants are responsible for complying with several ongoing maintenance activities, as detailed in the Yale ePay Website and Procedure 2820 PR.01 Payment (Credit & Debit) Card.  In addition, Yale Merchants are responsible for adhering to the following principles regarding the acceptance and processing of Payment Card payments:

  • Yale Merchants must use only devices/applications from a Yale-approved service provider. 
  • Yale Merchants must not accept or process Payment Card payments on mobile, wireless, cellular, tablet, or similar devices unless they receive prior authorization pursuant to Special Situations and Exceptions, below.
  • Yale Merchants must use devices/applications used to accept or process Payment Card payments only for accepting or processing Payment Card payments.
  • Yale Merchants, in consultation and coordination with the Yale ePay Committee, are responsible for taking appropriate measures to protect the security of Payment Card and Cardholder Data (see Section 2820.5, below).

2820.5 Payment Card Data and Cardholder Data Security

Yale classifies all Payment Card data and Cardholder Data as High Risk Data within the University’s data classification system (see Policy 1604 Data Classification Policy).  In addition, Yale is subject to the requirements of PCI-DSS.  Therefore, it is important for all devices/applications used to accept or process Payment Card payments to meet certain minimum security criteria.  Yale Merchants and the Yale ePay Committee share responsibility for ensuring these criteria are met across the University.  Specific data security requirements and the associated responsibilities are detailed in the Yale ePay Website and Procedure 2820 PR.01 Payment (Credit & Debit) Card.

Vendors/suppliers providing Payment Card services to Yale must maintain at least Level 1 PCI-DSS compliance and must provide an annual attestation of compliance to the Yale ePay Committee (or designee).

2820.6 Annual Attestation of Compliance

On an annual basis, Yale is required to assess its Merchants’ compliance with PCI-DSS and submit an attestation letter to Yale’s Payment Card processors.  In support of this requirement, each Yale Merchant is subject to an annual assessment by the Yale ePay Committee (or designee).  The details and extent of this assessment depend on the method(s) the Merchant uses to accept or process Payment Card payments.  Detailed information on this process is documented in the Yale ePay Website and Procedure 2820 PR.01 Payment (Credit & Debit) Card.

2820.7 Required Action for Theft, Fraud, or Breach

Merchants must immediately contact the Information Security Office if Payment Card data or Cardholder Data are compromised or potentially compromised (e.g., lost or stolen files with Cardholder Data, electronic loss of data, databases infected with viruses, any other loss or potential loss, theft, or unauthorized access to devices/applications).  To do so, call their 24/7 on-call number:

  • 203-627-4665

See Report an Incident for additional information on reporting this information.  The Information Security Office consults with the Yale ePay Committee, and other individuals or units, as necessary, and implements the incident response procedures of both Yale University and the applicable Payment Card company.

2820.8 Policy Violations

Report violations and suspected violations of this policy to the eCommerce Manager.

Failure to comply with this policy and its related procedures may result in any of the following:

  • Suspension or termination of Payment Card processing privileges for the Merchant;
  • Denial of a request to establish a new MID/TID or device/application;
  • A Merchant charge, or series of Merchant charges, for addressing a data breach associated with the violation; and/or
  • Administrative action as deemed necessary by the University to prevent a recurrence of the violation.

Special Situations and Exceptions

Requests for exceptions to this policy must be approved in advance by the Yale ePay Committee.  The Yale ePay Committee may consult with other offices, officials, and committees, as appropriate.

Yale expects Merchants to utilize only University-approved suppliers/vendors for Payment Card services, and it manages the provision of these services through the established Merchant application processes.  In the exceedingly rare event that the Yale ePay Committee grants an exception for a Merchant to use a different supplier/vendor, the Merchant is responsible for covering all associated incremental costs of using that supplier/vendor.  These associated incremental costs are significant and may include, but are not limited to: contracting costs; fees for annual third-party PCI compliance testing; system maintenance costs; and personnel costs for managing and monitoring the services provided.   

Roles and Responsibilities

eCommerce Manager

  • Chairs, and serves as primary contact for, the Yale ePay Committee.
  • Assesses violations of this policy and, in consultation with the Yale ePay Committee, administers remedial action.
  • Reviews and, as appropriate, approves new service providers and their devices/applications for use with Yale Merchants’ acceptance and processing of Payment Card payments.

Information Security Office

  • Provides 24/7 on-call service for the reporting of compromised or potentially compromised Payment Card data or Cardholder Data.
  • Consults with the Yale ePay Committee, and other individuals or units, as necessary, and implements the incident response procedures of both Yale University and the applicable Payment Card company in cases of actual or suspected theft, fraud, or breach.

Yale ePay Committee

  • Responsible for oversight of, and compliance with, this policy, its related procedures, and other applicable security and compliance requirements, including PCI-DSS.
  • Implements University-level measures to comply with the data security requirements detailed in Section 2820.5, above, and the Yale ePay Website and Procedure 2820 PR.01 Payment (Credit & Debit) Card.
  • Reviews and, as appropriate, approves requests for exceptions to this policy.

Yale Individuals and Units

  • If interested in accepting Payment Card payments for University business, first apply to be a Yale Merchant, per the Yale ePay Website and Procedure 2820 PR.01 Payment (Credit & Debit) Card.
  • Complete the PCI Compliance Training provided by the University before accessing Cardholder Data or any devices/applications that accept or process Payment Card payments, as well as on an annual basis.

Yale Merchants

  • Ensure only properly trained individuals are allowed access to devices/applications the Merchant uses in the acceptance or processing of Payment Card payments.
  • Ensure continued compliance, for both the Yale Merchant itself and its supporting individuals, with the specific responsibilities enumerated in this policy, the Yale ePay Website, and Procedure 2820 PR.01 Payment (Credit & Debit) Card.