
30. Evaluation Policy for Payment Systems and Service Vendors


Overview

In accordance with Payment Card Industry Data Security Standard (PCI DSS) requirements, Stanford University has established a formal policy and supporting procedures for the evaluation of payment systems and service vendors. This policy is to be implemented immediately. It will be reviewed annually to ensure that it remains adequate and relevant to Stanford University’s needs and goals.

Policy

Stanford University will ensure that the use of payment systems and service vendors adheres to and complies with the Payment Card Industry Data Security Standard (PCI DSS) initiatives (PCI DSS Requirements and Security Assessment Procedures).

Payment system and service vendors include application system and service providers, as well as any external consulting services that involve PCI DSS compliance.

30.1 Vendor evaluation for individual merchant department

For the evaluation and verification of payment card service providers, the following documents must be submitted to pcicompliance@stanford.edu or Merchant Services.

An Attestation of Compliance (AOC) must be submitted using the PCI Security Standards Council (SSC) official form. Please note the following:

  • The AOC must be no more than twelve months old.
  • Every vendor must submit the AOC as a service provider, unless an exception is granted by the Treasury Office, ISO, and the UIT Compliance Office.
  • If the AOC is not signed by a PCI SSC certified QSA or ISA, the vendor must also submit its current quarter's Approved Scanning Vendor (ASV) scan report and the current year's external network penetration test report.
  • In any twelve-month period, the PCI Compliance team will accept at most three versions of an AOC from the same vendor for review.

If needed at a later stage of the evaluation, the PCI Compliance team may request that the vendor demonstrate the payment processing workflow through its services.

30.2 Vendor and consulting services evaluation for Merchant Services

Before Merchant Services starts the discovery process with a vendor, Merchant Services will contact UIT-PCI Compliance Services for the assessments described in 30.2.1, 30.2.2 and 30.2.3 below. No business engagement or formal purchase order may be entered into with any prospective payment system or service vendor until these assessments have been completed and satisfied.

  • 30.2.1 Assessment of the vendor's PCI DSS compliance (see 30.1 for the required documents).
  • 30.2.2 Initial assessment of the vendor's ability to meet the Stanford Minimum Security Standard.
  • 30.2.3 Assessment of the feasibility of integrating the vendor's systems with Stanford's PCI infrastructure, and of the vendor's ability to meet the compliance and security requirements of PCI DSS and the Stanford Minimum Security Standard.

Subsequently, as part of the Data Risk Assessment (DRA), the Information Security Office (ISO) and the University Privacy Office (UPO) evaluate projects against all applicable security and privacy laws and regulations as well as University policy. For DRA details, please refer to the Data Risk Assessment FAQs.

Note: Payment card service providers, please note that according to the PCI SSC, every organization that processes, transmits, and/or stores payment card information must be compliant with the PCI DSS (PCI DSS Requirements and Security Assessment Procedures).

Responsibility for Policy Maintenance

UIT’s PCI Compliance service is responsible for keeping this policy current as needed for compliance with the Payment Card Industry Data Security Standard (PCI DSS) initiatives.