2820 Acceptance of Credit & Debit Card Payments

Responsible Official: 
University Controller
Chief Information Security Officer
Responsible Office: 
Office of the Controller
Information Security, Policy and Compliance Office
Effective Date: 
December 20, 2013
Revision Date: 
May 23, 2017

Policy Sections

2820.1 Requesting a New Merchant Identification Number (MID)

2820.2 Service Provider Selection

2820.3 MID Record Maintenance

2820.4 Training Requirements

2820.5 Cardholder Data Security

2820.6 PCI-DSS Annual Attestation of Compliance

2820.7 Required Action for Theft, Fraud or Breach

2820.8 Reconciliation of Payment Card Activity

2820.9 Closing a Merchant Account

2820.10 Policy Review

2820.11 Policy Violations

Scope

This policy covers all Yale University schools and departments that accept and process Payment Card payments.

Policy Statement

Yale University requires that all departments that accept Payment Card payments while conducting University business comply with Payment Card Industry Data Security Standard (PCI-DSS), with this policy and with any related procedures.

Yale PCI Administration (the Office of the Controller; Information Security, Policy and Compliance (ISPC); and Yale Treasury Services) shall lead Yale’s efforts to maintain its compliance with applicable PCI-DSS standards.

It is the responsibility of schools and departments that accept Payment Card payments to follow the policy outlined in the policy sections below.

Departments that fail to comply with this policy may face penalties, restrictions or lose the ability to accept Payment Card payments.

Reason for the Policy

Benefits to the University in Accepting Card Payments:  The University supports the acceptance of credit and debit card payments for goods and services to improve customer service and increase efficiency related to managing the University’s electronic payment process.  All organizations that process Payment Card payments are required to comply with the Payment Card Industry’s Data Security Standard (PCI-DSS) and are required to attest annually to their continued compliance in order to maintain the ability to accept electronic payments. 

This policy outlines the responsibilities of University schools and departments that accept Payment Card payments to ensure Yale’s continued compliance with PCI-DSS and to enable and support the University’s annual attestation process.

Definitions

These definitions are a subset of those provided in the PCI Security and Standards Council’s Glossary (retrieved 11/11/2015).  The complete text of the Glossary and current definitions can be found on the Council’s website: https://www.pcisecuritystandards.org/security_standards/glossary.php.

Cardholder Data - At a minimum, cardholder data consists of the full primary account number (PAN).  Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.

Merchant - For the purposes of the PCI-DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

PAN - Acronym for “primary account number” and also referred to as “account number.”  Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

Payment Cards - For purposes of PCI-DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.

PCI - Acronym for “Payment Card Industry”

PCI DSS - Acronym for “Payment Card Industry Data Security Standard”

POI - Acronym for “Point of Interaction,” the initial point where data is read from a card.  An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction.  The POI may be attended or unattended.  POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions.

POS - Acronym for “point of sale.”  Hardware and/or software used to process payment card transactions at merchant locations.

Yale PCI Administration – The Office of the Controller; Information Security, Policy and Compliance (ISPC); and Yale Treasury Services work in concert to ensure the proper administration of the PCI program at Yale.

Policy Sections

Yale University permits departments to accept Payment Cards in order to facilitate customer transactions, such as the sale of event tickets and admissions, patient co-pays, enrollment and activity fees, sales of merchandise, etc.

Contact Treasury Services if there is a need to establish a new Merchant Account Identification (MID).  Detailed instructions are provided in Procedure 2820 PR.01 Payment (Credit & Debit) Card.

PayPal accounts are not allowed.

Since fees associated with accepting Payment Card payments can be expensive, Treasury Services advises departments to consider alternate payment collection methods including direct debit and lockbox collections.

Departments are prohibited from contracting directly for Payment Card services.  Please contact PCI Administration at 203-432-4474 upon initially identifying a need for Payment Card services.

Only Yale-approved service providers may be used by departments to process Payment Card payments.  A list of Approved Service providers can be found in the “Contacts” section of Procedure 2820 PR.01 Payment (Credit & Debit) Card.

Payment Card payments shall not be processed on mobile or wireless devices, including cell phones and iPads, without receiving prior authorization from Yale PCI Administration.

Only dedicated devices purchased from an approved vendor and which have been approved by Yale PCI Administration Office may be used.

It is the responsibility of each merchant to inform Yale PCI Administration of:

  1. Any changes to personnel with access to payment processing devices and services;
  2. Any changes to contact information for a merchant or service location; or
  3. The addition or modification of any payment processing device or method (e.g. retiring a card swipe machine, a new computer is being used to access an administrative page or adding an e-commerce website).

All University employees that process Payment Cards are required to complete PCI-DSS training provided by the University before they are allowed access to cardholder data, POI or POS systems.  The University and the payment processors will provide updated training material with regularity.

Credit card data is not to be provided to any outside party except as required by the card processor.

On a monthly basis, merchants shall inspect Payment Card processing devices for tampering and malicious substitution.

Access to any application that processes credit card data must be documented and reviewed at least yearly.  When an employee leaves a department, their access must be deleted.  Audit logs are required to be kept at least one year.

Departments shall maintain a list of personnel with access to devices used in the processing of payment card transactions.

2820.5 Cardholder Data Security

A.  Standards for Protecting Data

Payment Card Industry Data Security Standard (“PCI-DSS”) is a set of technical and operational requirements set by the PCI Security Standards Council to protect cardholder data and reduce credit card fraud.  The standards apply to all entities that store, process or transmit cardholder data.  Yale is required to meet these requirements in order to maintain the privilege of processing credit card payments.

B.  Cardholder Data Classification

All cardholder data and other data associated with the processing of payments is classified as 3-Lock Data within Yale’s data classification system (see http://its.yale.edu/secure-computing/security-standards-and-guidance/data-and-application-security/protecting-yales-data/data-and-information-classification-yale-university).

C.  Responsibilities under PCI-DSS

It is the University’s obligation and the responsibility of each employee who processes Payment Card payments to secure cardholder data and maintain the confidentiality of all Payment Card data as required by PCI-DSS.  Only users with a business need to access payment processing systems or cardholder data may do so.

Key to Yale’s current PCI-DSS compliance strategy is not storing PANs: Departments may not scan or store payment card numbers, receive or transmit cardholder data via end user messaging technologies (text message, email, social networking services or instant message) or use API web technology, as all of these practices are considered storage of payment card numbers under PCI-DSS.  If you are required to retain a document containing a full credit card number, it must be redacted.

D.  Device and Network Configuration

  • All devices used in payment processing must comply with the standards outlined in Procedure 2820 PR.01 Payment (Credit & Debit) Card.
  • Networked devices (computers, POS devices, etc.) used in payment processing shall be attached to the Yale PCI Network.  Use of any other Yale network for these devices is not permitted.
  • Card swipe machines must not be networked at this time; all payment processing for these devices is to be completed using a phone line.
  • Tampering with payment devices is prohibited.  Staff shall check these devices regularly to ensure no tampering has occurred.

E.  Specific Procedures for Data Security and Device Configuration

PCI-DSS defines different security standards depending on how a merchant processes payments.  For a specific merchant type, all applicable requirements defined by PCI-DSS shall be met.  In limited circumstances, legal requirements may prevent Yale from complying with some requirements or compensating controls may be used to achieve equivalent security.

A simplified list of requirements is outlined in Procedure 2820 PR.01 Payment (Credit & Debit) Card.

Each merchant is required to undergo an assessment that evaluates the merchant’s compliance with PCI-DSS.  As noted in Procedure 2820 PR.01, Section 5, the nature and extent of the assessment is dependent on how the merchant processes credit cards.  Annually, Yale must assess how well its merchant sites are adhering to PCI-DSS and then submit a letter attesting to its state of compliance with PCI-DSS.  Any standards with which the University is not compliant must be disclosed and a remediation plan formulated. 

For more information: https://www.pcisecuritystandards.org/.

In the event that Cardholder Data are compromised or potentially compromised, immediately contact Yale PCI Administration.  This includes lost or stolen files with Cardholder Data, electronic loss of data, databases infected with viruses, loss of paper documents with Cardholder Data and any other loss or potential loss, theft or unauthorized access to devices or payment processing systems.  Yale PCI Administration will follow Yale and the payment brands’ incident response procedures in handling any incident:

Each department is responsible for reconciling, on a monthly basis, Payment Card activity to the monthly Payment Card statements and to Workday statements.

See Accounting Manual for detailed instructions.

When a Merchant Account is no longer used, departments must contact Yale PCI Administration so the Merchant Account can be closed.

This policy shall be reviewed at least once yearly prior to the close of the fiscal year and updated as necessary to support continued compliance with the then current version of PCI-DSS.

Violations of this policy shall be reported to the Office of the Controller.

Failure to comply with this policy may result in any of the following:

  • Suspension or termination of the Payment Card processing privileges for the department;
  • Denial of a request to establish a new Merchant ID or payment site;
  • A departmental charge or series of departmental charges not to exceed the greater of $500 per instance or one-half (1/2) of the total cost of addressing a data breach associated with the violation; and/or
  • Administrative action as deemed necessary by the University to prevent a reoccurrence of the violation.

Special Situations/Exceptions

Please contact Yale PCI Administration if an exception to this policy is required.

Roles and Responsibilities

Treasury Services – Administrator of the Yale merchant systems; coordinates annual PCI-DSS compliance; contact for requesting new merchant numbers and closing Merchant Accounts.

Information Security, Policy and Compliance – Partner with Treasury Services to complete the annual PCI-DSS compliance attestation process, perform required quarterly scans, and review security of all web sites and point-of-sale systems which are used to process Payment Card payments.

Yale Shared Services – Maintains the database of Merchant Account numbers and associated charging instructions.  Downloads the monthly Payment Card activity from the bank account and records it to the general ledger.

Office of the Controller – Provides oversight of PCI-DSS compliance and partners with ISPC to complete the annual attestation process.  Responsible for evaluating and granting, when applicable, any exceptions to this policy.

Procurement – Negotiates contracts with Payment Card service providers.

ITS Web Services – Assists departments with web design and completes programming to permit Payment Card processing from a website.

Departments – Responsible for ensuring processes within their department are PCI-DSS compliant, cooperating with PCI Administration during their completion of the annual attestation process, and for completing a monthly reconciliation of Payment Card activity.

Individual employees – Responsible for securing Cardholder Data as they are processing it and for redacting any sensitive information before scanning, shredding or disposing.  Individuals must adhere to all policies.