

Merchant Services Program

Merchant Services (MS) is the program that manages, supports, and mitigates risk for payments collected digitally and via credit and debit card at Stanford. 

Learn more Merchant Services Program

Device Inspection

At each merchant's discretion, a POS owner/department should develop a schedule and routine for periodically inspecting devices for tampering or substitution.

Learn more about Inspection

Approved Service Providers

The Office of the Treasury (OOT) centrally manages Stanford University’s relationship with its acquiring bank to facilitate processing services that meet department needs and adhere to industry and institutional data security standards. This list is constantly being updated. 

Learn more about VoIP Encryption

Internet Service Model and Policy for Independent Third-Party Vendors at Stanford

Stanford third-party vendors must use a separate network for internet service not connected to Stanford.

Learn more about Internet Service Model and Policy for Independent Third Party Vendors at Stanford

Vendor Payment Capability Assessment Form

Complete this form before your initial meeting with the merchant services operations team. 

View form Vendor Payment Capability Assessment Form

New Third-Party Service Provider Evaluation Checklist

Use this checklist to make sure you have enough information to proceed with the new third-party service provider evaluation. 

View checklist New Third-Party Service Provider Evaluation Checklist

PCI Contractual Language

Refer to the Purchase Order Terms and Conditions, Articles 18 and 19. Terms in any acceptance by a Seller which are in addition to, or not identical with, the following terms will not become a part of any Stanford University Purchase Contract unless Stanford specifically and expressly agrees in writing that such other terms are accepted.

Learn more PCI Contractual Language

PCI Account Password Change Instructions Self-Service Document

Follow the instructions to change the PCI account created by the PCI Compliance Infrastructure team. 

View instructions PCI account password change instructions self-service document

Encrypted Keypad for Virtual Terminal

The SREDKey (secure reading and exchange of data) is an encrypted keypad that ensures all data transactions are protected through secure point-to-point encryption (P2PE), reducing fraud and data compromise risk.

Learn more Encrypted Keypad

Third-Party Security Assurance Form by PCI SSC

Covers Service Correlation to PCI DSS Requirements, Agreements, Policies and Procedures, and Monitoring Compliance Status. 

View document Third-Party Security Assurance Form by PCI SSC

External Resources by PCI SSC

External websites to help you understand PCI Compliance. 

Learn more about Security Resources

PCI by the Numbers

Incorporating compliance into your business-as-usual


Review the following:

  • All security events
  • Logs of system components that store, process, or transmit CHD
  • Logs of critical system components
  • Logs of servers/system components performing security functions


  • Back-up Audit logs
  • Retain audit trail history for 1 Year (minimum of 3 months immediately available)


Perform critical file comparisons


Install critical patches every month


  • Delete stored CHD
  • Test for rogue wireless access points
  • Run internal & external vulnerability scans

3 months

Retain visitor log camera and/or access controls data storage

  • Remove inactive user accounts 90 Days
  • 15 minute system session idle time out
  • 30 minute account lockout
  • 90 days change passwords
  • 4 passwords compare to history
  • 7 characters in password


  • Address new threats/vulnerabilities to public-facing web applications
  • Perform internal and external penetration tests
  • Review service provider compliance status
  • Review and update the information security policy
  • Provide PCI & security training to staff
  • Document acknowledgment of policies/procedures
  • Review & test incident response plan
  • Verify equipment & media inventory
  • Review security of stored media locations
  • Perform risk assessment

Any questions? Submit a HelpSU ticket.