Skip to main content

Compliance Requirements

The Payment Card Industry Security Standards Council (PCI SSC) established the Payment Card Industry Data Security Standards (PCI DSS), current version 3.2.1, to help protect consumers’ high-risk payment card data. The PCI DSS requires all organizations that process, transmit and store payment card information to comply with a set of data controls, establish IT and physical security measures, and meet policy requirements to mitigate the risk of a security breach or the loss, theft, or abuse of payment card data.

The standard applies to all organizations that process cardholder information. As such an organization, Stanford University's compliance with PCI DSS is mandatory.

Any third-party vendor engaged by Stanford merchants to process payment card transactions on their behalf, or that is engaged in payment card financial services on our campus, must also comply with the PCI DSS. 

As a Stanford merchant, you are required to do the following on an annual basis. Compliance is not a one-time requirement that you can complete and forget, so besides the annual requirement, please note you, as a Stanford Merchant must adhere to the PCI DSS requirements and policies on a daily basis. Please see below Compliance Dos & Don'ts, which highlight some of the ways to stay compliant. The University IT Information Security Office (ISO) collaborates with Merchant Services to help Stanford department merchants meet their PCI Compliance requirements.

  • Submit SAQ through our portal
  • Complete PCI compliance training
  • Submit the Vendor's annual compliance documentation
    • AOC SAQ-D signed by QSA
    • Penetration test results* (may not be necessary if AOC SAQ-D is signed by QSA)
    • ASV scan* (may not be necessary if AOC SAQ-D is signed by QSA)
       

The timeline below outlines the tasks that must be completed by merchants, and the university as a whole, in order to satisfy the annual PCI DSS Certification: 

Date/DeadlineTask
May to Mid-JuneAll merchants complete their annual PCI training. 
1st week of SeptemberMS sends an initial announcement email to all merchants.
September to OctoberMS sends reminder emails to merchants for their SAQ completions.
1st week of NovemberAll merchants complete their MID level SAQs in the CampusGuard portal. MS sends warning emails to merchants who missed the deadline.
NovemberMS sends warning emails to merchants who missed the deadline.
1st week of December, MS sends reminder emails to merchants for their SAQ completions.Stanford submits overall Attestation of Compliance (AOC) to acquiring bank and American Express.

 

Adhering to the PCI DSS requirements provides critical protective measures to ensure that payment card data is kept safe throughout every transaction.

PCI DSS has 12 broad requirements and more than 300 sub-requirements. The Council created these requirements to meet six primary control objectives:

GoalsPCI DSS Requirements
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
  1. Protect stored cardholder data.
  2. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
  1. Use and regularly update anti-virus software and programs.
  2. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
  1. Restrict access to cardholder data by business need to know.
  2. Assign a unique ID to each person with computer access.
  3. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes.
Maintain an Information Security Policy
  1. Maintain a policy that addresses information security for all personnel.

Source: PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.2.1

Each merchant must assign a PCI contact person to monitor, document, and manage card acceptance processes and security. There are a few key things you as a merchant should do and not do to ensure you are compliant with PCI’s standards. This shortlist of “Do’s” and “Don'ts” should get you started down the path of PCI compliance.

PCI Compliance: DO’sPCI Compliance: DON’Ts
  • Change the default password on your computer to a complex password.
  • Supervise all visitors (including your regular, part-time or temporary personnel) in areas where credit card information is maintained.
  • Ensure all cardholder data is unreadable (converted by strong encryption into a meaningless character string) during transmission.
  • Handwritten credit card information must be cross-cut shredded immediately after use.
  • Store documents or media-containing cardholder information in a locked drawer or filing cabinet accessible only by PCI-trained and authorized personnel.
  • Complete your merchant account’s annual PCI DSS certification. 
  • Take the required annual PCI awareness training through STARS.
  • Maintain an up-to-date inventory of all credit/debit card processing devices. 
  • Perform periodic inspections to look for tampering or substitution. 
  • Report immediately to your supervisor and Merchant Services if you suspect card information has been lost, stolen, exposed, or otherwise misused; or if your system containing credit card data has been hacked or breached. 
  • Contact Merchant Services if you are making a change to your cardholder data environment or processes.
  • Never physically write down any card information unless you are explicitly required to do so as part of your business processes.
  • Never acquire or disclose any cardholder’s card information without the cardholder’s consent, including but not limited to:
    • Full or partial sections of the sixteen (16) digit card number
    • CVV/CVC security code (three or four-digit validation code on the back of the card or on the front for American Express)
    • PIN (personal identification number)
  • Never transmit or accept any of the above cardholder information via unsecured email, fax, scan, unencrypted VOIP phone device (i.e., Jabber), or by end-user messaging technologies (i.e., Slack). 
  • Never store any sensitive authentication data on a university computer, server, or on paper, including:
    • The card’s storage chip or magnetic stripe
    • The CVV/CVC security code (the three or four-digit validation code on the back of the card or on the front for American Express) post-authorization
  • Never leave unsettled batches in terminals at the end of a business day. Instead, set up auto-settle programming or ensure that batches are settled manually each night.
  • Never share the password to your computer or any computer you access with anyone.
  • Never leave sensitive information unattended on a desk, screen, or in any public area.

 

The SAQ is a validation tool that is primarily used by merchants to demonstrate ongoing compliance with the PCI-DSS to the university’s acquiring bank: WFMS and American Express. The SAQ includes a series of yes-or-no questions for each applicable PCI DSS requirement. There are eight different types of SAQs depending on merchants’ payment processing methods. If you are not sure which SAQ would apply or have any questions when filling out the SAQ, please consult with Merchant Services or PCI compliance for further assistance.

SAQDescription# of Questions
A

E-Commerce channels/MOTO (fully outsourced) - (no electronic cardholder data storage)

  • Fully outsourced all cardholder data processing
  • Merchant website provides an iFrame or URL that redirects a consumer to a third-party payment processor
  • Merchant cannot impact the security of the payment transaction
  • All transactions are self-serve (no staff members enter payment information on behalf of consumers)
22
A-EP

E-Commerce channels (direct post) - (no electronic cardholder data storage)

  • ​Processing of Cardholder data is outsourced
  • Merchant website provides a portion of the payment page or can affect the security of the payment transaction

*Consult with the PCI compliance team if you think you qualify for SAQ A-EP.

191
B

Processes cards via: (no electronic cardholder data storage)

  • Cellular card reader, or stand-alone, dial-out terminal

Not applicable to e-commerce channels.

41
B-IP

Processes cards via: (no electronic cardholder data storage)

  • Internet-based stand-alone, PTS-approved terminal isolated from other devices on the network

Not applicable to e-commerce channels.

82
C

Payment application systems connected to the Internet: (no electronic cardholder data storage)

  • ​Virtual terminal (Not C-VT eligible)
  • IP terminal (Not B-IP eligible)
  • Mobile device (smartphone/tablet) with a card-processing application or swipe device POS with tokenization

Not applicable to e-commerce channels.

160
C-VT

Processes cards: (no electronic cardholder data storage)

  • ​Single transaction at a time via a keyboard into a web-based virtual terminal
  • On an isolated network at one location
  • No swipe device
  • View or handle cardholder data via the Internet

Not applicable to e-commerce channels.

79
P2PE-HW

Point-to-Point Encryption: (Hardware terminals only)

  • Validated PCI P2PE hardware payment terminal solution only

Not applicable to e-commerce channels.

33
D
  • All other SAQ-Eligible Merchants*

*Consult with the PCI compliance team if you think you qualify for SAQ D.

329

View PCI Security Resources