Compliance is not a one-time requirement that you can complete and forget. Beyond the annual requirement, you, as a Stanford merchant, must adhere to the PCI DSS requirements and policies on a daily basis. See the Compliance Dos & Don'ts below, which highlight some of the ways to stay compliant. The University IT Information Security Office (ISO) collaborates with Merchant Services (MS) to help Stanford department merchants meet their PCI compliance requirements.
As a Stanford merchant, you are required to do the following on an annual basis:
- Submit SAQ through our portal
- Complete PCI compliance training
- Submit the Vendor's annual compliance documentation:
  - AOC SAQ-D signed by QSA
  - Penetration test results* (may not be necessary if AOC SAQ-D is signed by QSA)
  - ASV scan* (may not be necessary if AOC SAQ-D is signed by QSA)
The timeline below outlines the tasks that must be completed by merchants, and the university as a whole, in order to satisfy the annual PCI DSS Certification:
| Timeframe | Task |
| --- | --- |
| May to Mid-June | All merchants complete their annual PCI training. |
| 1st week of September | MS sends an initial announcement email to all merchants. |
| September to October | MS sends reminder emails to merchants for their SAQ completions. |
| 1st week of November | All merchants complete their MID level SAQs in the CampusGuard portal. MS sends warning emails to merchants who missed the deadline. |
| 1st week of December | MS sends reminder emails to merchants for their SAQ completions. Stanford submits overall Attestation of Compliance (AOC) to acquiring bank and American Express. |