Compliance with PCI requirements
Due to growing consumer concerns over compromised credit card data, the five major payment card brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa) joined forces to establish a security program for merchants called the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a compliance initiative that dictates security requirements for merchants and service providers for the safe handling of cardholder data.
All departments accepting credit cards should be familiar with the risks, fees, and security requirements involved in being a credit card merchant. Any card (credit, debit, prepaid, stored value, gift or chip) bearing the logo of one of the PCI Security Standards Council's five founding payment brands must be protected as prescribed by the PCI DSS. All Yale merchants must validate their PCI DSS compliance by completing an annual PCI DSS Self Assessment Questionnaire (SAQ). Several versions of the SAQ exist, depending on how a merchant accepts cards; check with the Treasury department if you are unsure which one you need to complete. The university will conduct a quarterly vulnerability scan of the Internet-facing network.
Your department can assist in achieving and maintaining compliance by adhering to the following:
- All systems that process credit cards require approval by Treasury Services and ITS Information Security.
- Departments must contact Treasury Services before entering into any contracts for software and/or equipment related to credit card processing.
- Any server used to process credit cards must be physically located within a secure area managed by ITS.
- All computers which process credit cards must be dedicated for this purpose only. They cannot be used for any other purpose.
- All computers that process credit cards must be desktops (physical or virtual). If you must use a laptop, it cannot have any wireless capability.
- Departments must not store sensitive credit card data such as credit card numbers, card type, expiration date, PIN, and card-validation codes.
- Credit card numbers must not be transmitted in an insecure manner, such as by email, fax, or campus mail.
- The annual self assessment questionnaire must be completed and forwarded to Treasury Services by October 31st of each year. The next self assessment questionnaire is due by October 31, 2009.
When cardholder data is shared with a third-party processor or service provider (e.g., VeriSign or PayPal) on behalf of a Yale department, that third party must also be in compliance with PCI DSS. The Yale department needs to ensure that there is a contractual obligation for the third-party processor/service provider to adhere to the PCI DSS standard and to acknowledge that it is responsible for the security of the cardholder data it possesses. Please contact the Office of the General Counsel or the Treasury department if you are unsure.
All campus merchants are required to handle credit card data in a secure manner, as a breach has significant consequences. Non-compliance could result in Yale being assessed significant fines, suspension of the campus's ability to process credit cards, and/or mandatory on-site credit card audits. Any fines and/or penalties associated with non-compliance and/or confirmed security breaches are defined by each of the payment card brands. Please ensure you follow the Yale procedures. The payment brand programs and related resources are:
- Visa Cardholder Information Security Program (CISP) and Visa International Account Information Security Program (AIS)
- MasterCard Site Data Protection Program (SDP)
- Discover Card Information Security & Compliance (DISC)
- American Express Data Security Operating Policy (DSOP)
- JCB Data Security Program
- PCI Security Standards Council
- PIN Entry Device Program
