Compliance with Payment Card Industry requirements
Due to growing consumer concerns over compromised credit card data, the five major credit card associations (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa) joined forces to establish a security program for merchants called the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a compliance initiative that dictates security standards for merchants and service providers for the safe handling of credit card information.
All departments accepting credit cards should be familiar with the risks, fees, and security requirements involved with being a credit card merchant. This means any card (credit, debit, prepaid, stored value, gift or chip) bearing the logo of one of the PCI Security Standards Council’s five founding payment brands must be protected as prescribed by the PCI DSS. All Yale merchants must validate their PCI DSS compliance by completing an annual PCI DSS Self-Assessment Questionnaire (SAQ). Check with the Treasury department if you are unsure which one you need to complete. The university will conduct a quarterly vulnerability scan of the web-facing network.
Credit card handling
- Any collection of credit card and/or debit card data (“Credit Data”), including but not limited to account number, cardholder name, service code, expiration date, security code, access code, personal identification number (PIN), shall be performed only in connection with a purchase transaction for goods and services provided by Yale University or as otherwise approved by Treasury.
- It is the credit card processing manager's (data owner's) responsibility to be aware of any data that may contain credit and/or debit card information and to take the appropriate measures in the collection, management and/or use of that data.
- Credit/Debit Card Data may only be maintained on a Yale University computer maintained in the PCI network, where it must be encrypted. You may not at any point keep a copy of credit card data on a portable media device (iPhones, laptops, etc.).
- Scanned documents going into the Yale FileNet system must have the credit card number redacted (blacked out so nothing other than the last 4 digits are visible). No documents may be scanned in with the complete credit card data visible.
- No method of collection may be employed, including any writing and/or voice recording, unless authorized in writing by the Treasury Office.
- Should any Yale University staff or faculty member come into contact with credit card data in any form (paper, electronic, etc.) without being authorized to handle this data, he or she must securely dispose of the data. If there is a question as to what disposal methods are proper and secure, please consult the Information Assurance and Compliance data disposal website.
- No Credit Data may be provided to any party, including any individual purporting to be the owner of such data, unless that individual presents valid, issued identification (in person, a driver's license; electronically, a NetID).
- All systems that process credit cards require approval by Treasury Services and ITS Information Security.
- Departments must contact Treasury Services before entering into any contracts for software and/or equipment related to credit card processing.
- Any server used to process credit cards must be physically located within a secure area managed by ITS.
- All computers which process credit cards must be dedicated for this purpose only. They cannot be used for any other purpose.
- All computers that process credit cards must use a desktop (physical or virtual). If you must have a laptop, it cannot have any wireless capability.
- Departments must not maintain sensitive credit card data such as credit card numbers, card type, expiration, PIN, and card-validation codes.
- Credit card numbers must not be transmitted in an insecure manner, such as by email, fax, or campus mail.
- The annual self assessment questionnaire must be completed and forwarded to Treasury Services by October 31st of each year. The next self assessment questionnaire is due by October 31, 2010.
You should never accept emails with credit card numbers. Never request credit card information via e-mail – either call the customer or ask them to call you with the information.
- If email is the only option available, then the Information Assurance and Compliance department must be informed of the requirement. Even then, it is permitted only with the University PGP software: the credit card data is placed in a password-protected document, and that document is then encrypted with PGP. To decrypt this data the recipient must use their private PGP key. The recipient must then be called via telephone (no voicemail messages) to relay the password for the compressed encrypted file.
- Should a customer send you credit information via e-mail for an individual purchase, then:
  - Process the credit card information per your procedure.
  - If you want to save the e-mail, send the e-mail to yourself, BUT DELETE THE CREDIT CARD NUMBER and any other card information. You may leave the last 4 digits to help identify the credit card, but delete the remaining numbers.
  - Delete the original e-mails from both your Inbox and your Deleted Items folder as soon as possible.
  - Reply to the customer, making sure you delete the credit card information from the body of your e-mail, and tell them not to send credit card data through e-mail as it is insecure.
Credit card processing through websites
- Never use an Application Programming Interface (API), as this requires Yale to collect the credit card data and then transmit the data for processing. This conflicts with Yale's approach of using offsite credit card transmission, storage, and processing wherever possible.
- Yale does allow Hosted Order Pages (HOP) or Hosted Payment Forms (HPF).
- All vendors used must be PCI compliant and provide proof of such compliance.
Credit card data access breach
- All campus merchants are required to handle credit card data in a secure manner, as a breach has significant consequences. Non-compliance could result in Yale being assessed significant fines, suspension of the campus's ability to process credit cards, and/or on-site credit card audits. Any fines and/or penalties associated with non-compliance and/or confirmed security breaches are defined by each of the payment card brands. Please ensure you follow the Yale procedures.
- When cardholder data is shared with a third-party processor/service provider (e.g., VeriSign or PayPal) on behalf of a Yale department, that provider must also be in compliance with PCI DSS. The Yale department needs to ensure that there is a contractual obligation for the third-party processor/service provider to adhere to the PCI DSS standard and that the third-party processor/service provider is responsible for the security of the cardholder data it possesses. Please contact the Office of the General Counsel or the Treasury department if you are unsure.
Credit card disposal processes
- Credit card numbers will be truncated or purged from all locations when no longer necessary for business, regulatory, or legal purposes, in order to limit the risk and impact of a security breach. This applies even if the card numbers are in hashed or encrypted form.
  - Purge – to eliminate the data by deleting, erasing, wiping, etc.
  - Truncate – to eliminate part of the number. In the case of credit card numbers, the last 4 digits can be retained.
- Each system owner is responsible for ensuring credit card numbers are truncated or purged.
- When deleting an entire electronic file (e.g. Word, Excel, etc.) containing credit card data from a hard drive, use a process that wipes the file location several times (minimum of 3 passes). Consult the Information Assurance and Compliance data disposal website: http://www.yale.edu/its/secure-computing/devices/physical/secure-disposal.html
- System owners are encouraged to set up automated purging processes, otherwise, system owners must set up a reminder to execute the purge process according to the purge frequency for their system.
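The e-mail handling rule above (keep at most the last 4 digits when saving a customer's message) and the "Truncate" definition both come down to the same operation: find anything that looks like a card number and replace all but the last four digits before the text is stored. The following is an added example, not code from Yale or from this policy; it finds digit runs of card-number length, confirms them with the Luhn check that payment card numbers satisfy, and truncates only those, so order numbers and reference numbers in the same message are left alone. The sample e-mail, the hypothetical order and reference numbers, and the test card number 4111 1111 1111 1111 are all constructed for the example.

```python
import re

# Constructed sample e-mail body. 4111 1111 1111 1111 is a well-known
# test number, not a real account; "order 8817" and "Ref no. 2024-12345"
# are hypothetical values that must survive redaction untouched.
SAMPLE_EMAIL = (
    "Hi, please charge my card 4111 1111 1111 1111, exp 12/26, CVV 123 "
    "for order 8817.\nThanks, Pat. Ref no. 2024-12345"
)

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits (so we never match the middle of a longer number).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out plain digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep only the last 4 digits, as the policy's 'Truncate' definition allows."""
    return "X" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> tuple[str, int]:
    """Return (redacted text, number of card numbers truncated)."""
    count = 0

    def replace(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        # Only treat it as a card number if the length and checksum both fit.
        if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
            return raw
        count += 1
        return truncate_pan(digits)

    return PAN_CANDIDATE.sub(replace, text), count


if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE_EMAIL)
    print(f"{n} card number(s) truncated:\n{redacted}")
```

Run it as a script to see the sample message with the card number reduced to `XXXXXXXXXXXX1111`. The Luhn check is what keeps the order and reference numbers intact; without it, any long digit run would be masked. Note that the policy also requires deleting the expiration date and security code, which this example leaves for the person saving the message to remove by hand, since those values have no checksum to recognise them by.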
Audit logs
- Both the web interface and the database of credit card transactions must be exhaustively logged, and the hosts in this configuration must be regularly backed up so that investigations into customer transactions and security incidents can be conducted at any time. Logging will include customer records, logs generated by the operating system and the application, access logs and any manual logs related to the storage and use of the backup tapes.
- Audit logs containing credit card data-related activity (including access via the operating system or a direct DB connection, etc.) are required to be kept for at least 1 year.
Related resources
- Visa Cardholder Information Security Program (CISP) and Visa International Account Information Security Program (AIS)
- MasterCard Data Protection Program (SDP)
- Discover Card Information Security & Compliance (DISC)
- American Express Data Security Operating Policy (DSOP)
- JCB Data Security Program
- PCI Security Standards Council
- PIN Entry Device Program
Related topics
- Personal financial or Social Security information
- FERPA privacy & confidentiality
- Glossary & A-Z index
Related University policies & procedures
- Information Assurance and Compliance data disposal
- Procedure 2820 PR.01 - Credit Card Merchants
- Yale computing security & access policies & procedures
- Policy 1601 - Information Access and Security
- Policy 1602 - Protecting the Security and Confidentiality of Social Security Numbers
- Policy 1610 - Systems and Network Security
- Procedure 1610 - Systems and Network Security
