Introducing YourYale
The It’s Your Yale website is now home to a new weekly e-newsletter, YourYale, for and about the staff; learn more about what to expect.
Note: this procedure applies to Yale Merchants with Merchant identification numbers (“MIDs”) established prior to 7/1/2020. Procedures for MIDs established on and after 7/1/2020 are currently under construction. For information on establishing new MIDs and other related resources, please visit Yale ePay.
2. Requesting a New Merchant Number
4. Standards Used to Evaluate Merchant Security Compliance
5. Credit Card Receipts and Reports
6. Payment Processing and Reconciliation Standards
7. Closing/Moving a Merchant Number or Retiring Old Equipment
9. Securing Payment Processing Related Devices
11. Credit Card Merchants Reconciliation Guide
This procedure provides instructions for departments that wish to accept credit card payments when conducting University business. This procedure is owned and managed by Yale PCI Administration. There are several different ways that a credit card merchant can process credit card transactions at Yale.
All organizations that process credit card payments are required to comply with the Payment Card Industry’s Data Security Standards (PCI DSS) and are required to attest annually to their continued compliance in order to maintain the ability to accept electronic payments. Therefore, it is important to consider the applicable security standards when selecting the method, a department will use for processing credit card payments. The methods can range from using a stand-alone swipe machine connected by a dedicated phone line, which is the simplest arrangement with the least amount of compliance regulations, to very complex on-line hosted arrangements that obligate very strict data security and compliance requirements on the merchants.
Note: this procedure applies to Yale Merchants with Merchant identification numbers (“MIDs”) established prior to 7/1/2020. Procedures for MIDs established on and after 7/1/2020 are currently under construction. For information on establishing new MIDs and other related resources, please visit Yale ePay.
Departments interested in accepting credit card payments for goods and services must contact Treasury Services for an application form. The following three subsections contain detailed descriptions of the three payment methods currently available to departments at Yale.
Note: Charges and Fees
Charges may vary based on the number of type of payments methods used. The department will assume all costs associated with operating the merchant number including supplies, monthly fees and discount. The cost of a swipe machine is approximately $700 but can be more depending on the selected machine. The fees will be approximately 3% of each transaction. Certain government cards, special processing, internet processing or cards issued by banks in developing nations will incur higher fees.
Internet based merchants have additional charges including a one-time set up fee of approximately $200.00 and $20.00 monthly fee.
Please note that credits cards are to be accepted primarily for retail and low dollar transactions. Due to the high cost of processing credit card payments, Yale PCI Administration suggests all merchants implement a limit of $5,000.00. Transactions above the limit should be sent to Yale in the form of a check, wire, or ACH.
Since fees associated with accepting Payment Card payments can be expensive, Treasury Service advises departments to consider alternate payment collection methods, including direct debit and lockbox collections.
A. Stand Alone Credit Card Swipe Machine Merchants
Using a stand-alone card swipe machine connected to a dedicated phone line is Yale’s preferred method of payment card processing, as it is the most secure and subject to the least complex set of data security standards and compliance regulations. All Yale Medicine merchants must be using stand-alone credit card swipe machines.
Departments requesting a stand-alone credit card swipe machine must use a dedicated phone line for these devices (this may mean you may have to contact Telecom for the installation of a dedicated phone line for the machine). If a department has a dedicated fax line, it may use that line for the stand-alone swipe machine by using a splitter, however, this could delay the processing of payments if the fax line is in use. Allow three weeks for delivery of each swipe machine.
For training on using the swipe machine, call the phone number included in the installation materials. Supplies can be ordered from any office supply store or by calling the customer service number provided with the machine.
B. Virtual and Website Merchants
Virtual/Website Merchant processing is an external service such as PayPal Payflow Pro, CyberSource, Authorize.net, and MyVirtualMerchant.com. When this method is implemented, one or a combination of two processing methods may be used:
The use of secure forms is required (these sites will be have addresses that start with HTTPS and will make use of TLS 1.2 or later). Each vendor has its own set of external payment applications. A department should review all the developer options linked at the bottom of this document and select a choice that meets your department’s needs.
All vendors and products must be PCI DSS compliant and must provide proof of their compliance.
If you choose this method, you will have to be in contact with Yale PCI Administration (information.security@yale.edu) in order to verify the security of your gateway.
If you are using a website, you will also have to comply with Yale PCI Administration standards and complete a Security Planning Assessment (SPA). This will include providing the IP address of your system and the name of a technical contact. Information about completing an SPA can be found on the ITS website on the Security Planning Assessment page.
Examples of this type of merchant:
Online credit card processing:
Customer |
-> |
Fees Apply |
-> |
Fees Apply |
-> |
Yale’s |
-> |
General Accounting |
NOTE: There are additional PCI DSS requirements for Internet-based Merchants. The use of an Application Program Interface (API), which requires Yale to collect and store credit card data prior to transmission, is not permitted.
C. Cash Register Merchants
A department may decide it best suits their business operations to use a cash register with an internet-connected point of sale (POS) system. POS systems are subject to stringent PCI DSS requiring a rigorous compliance program, but are also the most robust payment processing systems. These are primarily used at retail and dining locations around campus. Departments selecting this method of credit card payment processing will need to perform the following:
An example of this type of merchant:
The credit card associations (American Express, MasterCard, Visa and Discover) have established the Payment Card Industry Data Security Standard (PCI-DSS) for all merchants. Compliance with these standards increases consumer confidence, reduces fraud and identity theft, and ensures that the University can continue to accept credit card payments.
All merchants that process credit cards at Yale are required to complete or assist with the completion of the PCI-DSS Self-Assessment Questionnaire (SAQ) on an annual basis and maintain an accurate asset inventory.
Depending on a department’s credit card processing method, different security standards apply, and therefore different SAQ’s must be completed, as follows:
All payment processing vendors and software used by Yale must also be PCI-DSS compliant.
Yale classifies credit card numbers as High Risk Data. PCI-DSS data is not allowed to reside on a local computer, laptop, or smart phone. This High Risk Data is not to be stored in digital format. Yale’s PCI-DSS compliance is dependent on not storing this data digitally.
A. Daily Processing
All credit transactions must be processed promptly and transmitted to the processor daily. This would be commonly referred to as a payment batch.
B. Reconciliation - Recording of Revenue and Expenses
All credit card transactions and fees will be posted to the General Ledger on a monthly basis by General Accounting. The department will provide one designated account for all income activity and one account for all fee activity. The department will be responsible for any Online Journal Entries required to post amounts to other accounts.
C. Departmental Reconciliation
The department will receive a monthly statement of activity from the credit card processor. This statement must be reconciled to the settlement reports from your machine/software/web site and to the monthly Workday statements.
Note: There will be a timing difference for the last one or two days of credit card activity each month. Please see Section 11 of this procedure for more detail.
If you need to arrange for the removal of any swipe machines, cash registers, or deactivation of any POS or user accounts, contact Yale PCI Administration. These devices must be disposed of properly by following Procedure 1610 PR.02 Disposal of Obsolete Computers and Peripherals.
If the equipment is being swapped or traded, it should immediately be sent to Merchant provider.
If the equipment no longer works or for any reason is being retired, please forward the Terminal ID to the Merchant Provider so they can remove it from their list, disable the machine by cutting the cord, then follow Procedure 1610 PR.02 Disposal of Obsolete Computers and Peripherals.
If your department is a seasonal credit card merchant and the account is only used for part of the year, contact Yale PCI Administration and have the merchant account number shut off when not in use. Fees are not charged during the months that the credit card merchant account is shut off. When necessary, contact Yale PCI Administration to reactivate the merchant account number.
For a one-time event, Treasury Services provides a website, to which departments may direct their purchasers/participants.
When using the online process, please email agnes.siniscalchi@yale.edu with the total dollar amount collected, the COA account to be credited, and a COA account for the processing fee.
All cardholder data and other data associated with the processing of payments is classified as High Risk Data within Yale’s data classification system (see, Policy 1604 Data Classification Policy). All systems used to access, create, store, transmit, or receive cardholder data must meet and maintain all Minimum Security Standards for High Risk Data, as well as all other University policies and procedures related to protecting High Risk Data and systems (e.g., Policy 1607 Information Technology Appropriate Use Policy and Policy 1610 Systems and Network Security). Additional requirements for securing payment processing-related devices is outlined below.
A. Notification about Device Changes
Departments are responsible for securing credit card data as well as the device(s) that is being used for processing credit card transactions. Yale PCI Administration shall be notified within 30 days when new devices or payment methods are added or when devices are no longer in use. Please be ready to provide the make, model, and location of each device.
B. Device Inventory
Department shall maintain a list of devices used in the processing of payment card transactions. Yale PCI Administration shall maintain a master list of PCI devices on campus. Physical access to these devices shall be limited, and where appropriate these devices must be physically secured (e.g., via locking devices).
C. Device Tampering
The operator must periodically inspect the device(s) to ensure there is no tempering. The device and office must be locked and secured after hours or when the device is unattended.
D. How Devices May Be Used
Devices used to process payment card transactions may only be used for processing payments. General office productivity activities (word processing, email, desktop publishing, etc.) must be conducted on a separate system to maintain the integrity and security of the payment card processing environment.
E. User Names and Passwords (for Computers and Servers)
F. Firmware and Software Patch Management
Merchants and their IT support providers are responsible for ensuring that applications, system software and device firmware on payment processing devices are kept up-to-date. Within 30 days of a vendor releasing a (1) firmware update (2) operating system patch, or (3) application patch to address a known critical vulnerability*, a merchant shall ensure that any applicable update or patch has been installed on their production devices. Other security patches shall be installed within 90 days.
* A critical vulnerability can be identified by analyzing the following:
1. Determine the potential impact of the vulnerability.
The potential impact of a vulnerability is measured based on the impact its exploitation would have to the confidentiality, integrity, or availability of the technology and/or the data. The potential impact of a vulnerability is high if any of the following are true:
2. Determine the likelihood that the vulnerability will be exploited.
The likelihood that the vulnerability will be exploited can be determined by answering the following questions:
If the answer to two or more of these questions is “yes,” then the likelihood is high.
3. Determine if there are compensating controls to prevent exploitation.
Consider if there are additional protective measures in place that significantly reduce the ease of exploitation or severely limit the accessibility of the vulnerability to a small number of known systems.
If the impact and likelihood are both high, and there are no significant compensating controls, the vulnerability is critical.
G. Antivirus and Antimalware Protection
Where possible, antivirus and antimalware software shall be installed, kept up-to-date and used to monitor system health. Regular, scheduled scans shall be conducted at least monthly. Non-administrative users shall be prevented from disabling antivirus and antimalware software. Administrative users shall request permission from Yale PCI Administration before disabling this software.
H. Log Management (for Computers and Servers)
Additionally, for servers and computers used in the processing of payments, the following logs shall be reviewed daily (other logs shall be reviewed as appropriate) and retained for at least one (1) year:
I. Network Security
Cardholder data transmitted outside of the Yale PCI Network (e.g. across the Internet) must be encrypted using strong encryption (TLS 1.2 or later) unless a documented justification from the payment processor or payment solution vendor exists. Industry best practices shall be used to implement this encryption.
Devices used for payment card processing may only be connected to Yale’s PCI Network and/or wirelessly through Yale Secure. Use of Yale’s other wired or wireless networks is prohibited. The Yale Secure wireless network may be used only with pre-authorized Clover devices from Bank of America Merchant Services to process payment transactions.
J. Remote Access to these Devices
When remote access by a vendor is required, this functionality must remain disabled until the vendor requests access for a specific support purpose or through an automated process defined in the contract with the vendor. Remote access must then be deactivated immediately after the support event is finished. Should a vendor or business partner require remote access, send the request to information.security@yale.edu for approval.
K. Mobile Computing Devices
Only pre-authorized mobile computing devices may be used to process card payments. Unauthorized mobile devices include smartphones such as iPhones and Android OS devices, Square and Clover Go, etc.
L. Computer Configuration Standards (for devices running a desktop or server operating system)
Computers must meet security requirements as defined by Yale PCI Administration to ensure credit card data is properly secured. Yale PCI Administration can provide further guidance on appropriate security measures in this area.
The following steps must be taken to ensure secure processing of payments on Yale servers and endpoints:
M. Sending/Receiving Payment Information Using Email and Text Message is Prohibited
Email shall not be used to send or receive credit card information. If a card number is received via email, delete the card number after processing the transaction, then delete the email.
Similarly, end-user messaging technologies such as text messages, instant messaging or chat services shall not be used to transmit or receive credit card information.
Exception for receipts: It is, however, acceptable to provide a receipt via email or text message if the cardholder consents to receive electronic disclosure. Instances where printing, email or text messaging is not an option, merchants should be prepared to provide a handwritten receipt that conforms to all of the sales receipt requirements.
N. Loss, Theft, or Breach
In the event you believe that cardholder data may have been compromised immediately contact Yale PCI Administration. Compromise includes instances where files with credit card numbers are lost or stolen, electronic losses of data, where devices (servers, endpoints or mobile devices) storing sensitive data may have been compromised by malware or a virus.
A. Network Security
Yale University Information Technology Services shall maintain a firewall (or firewalls) and maintain an appropriate network (or networks), the Yale PCI Network, to protect devices used in payment card processing. Any firewall or network used in payment processing shall be configured to the standards outlined in PCI-DSS. Only devices used in payment processes or in place to maintain the health of these devices and the payment processing network shall be allowed on the Yale PCI Network. Penetration tests shall be conducted at least quarterly to verify the integrity and effectiveness of this segmentation. The Yale PCI Network shall be monitored for unauthorized changes. Strong cryptography and security protocols must be used to transmit sensitive cardholder data.
B. Remote Access Security for Vendors
Outside vendors requiring access to these devices from outside of the Yale network must use remote access technology with the following restrictions:
C. Network Vulnerability and Penetration Testing Scans
In order to ensure system integrity and ensure PCI-DSS compliance, it is necessary for Yale and its security vendors to conduct regular network scans of devices that process Payment Card payments. Yale personnel will contact you concerning any findings generated by a scan — do not respond to inquiries coming directly from outside parties. Merchants shall cooperate with Yale in remediating any vulnerability discovered by a scan. These scans will be conducted at least quarterly as required by PCI-DSS.
On a monthly basis, the Merchant statement, General Ledger statement, and settlement reports from the Swipe Machine/Software/Website should be reconciled against each other to ensure all transactions have been posted and cleared accordingly.
Note: There will be a timing difference for the last one or two days of credit card activity each month.
Reconciliation Steps: