New Third-Party Service Provider Evaluation
University departments that use or would like to use third-party vendors to process credit/debit card transactions must ensure that each new vendor is fully approved by the Office of the Treasurer (OOT) and the Information Security Office (ISO) PCI Compliance team.
Before considering a new third-party service provider, we recommend that you first check our approved service providers list to see if any of our existing service providers could meet your needs. If you still want to proceed with a new third-party service provider, use this service provider evaluation checklist for evaluation requirements.
Third-party vendors operating at Stanford must provide their own Internet connectivity on a network that is not connected to the Stanford network, unless they use PCI SSC-validated P2PE devices approved by the Stanford Merchant Services team. Even when Merchant Services-approved P2PE devices are used, the service provider (or the Stanford merchant managing that provider) must obtain approval from the Merchant Services team before connecting to the Stanford network.
Third-party service provider evaluation steps
- Submit a support request to the merchant services operations team.
- Schedule a consultation session with the merchant services operations team.
- After the consultation, the merchant services operations team will guide you to submit a Data Risk Assessment (DRA) intake form to the Information Security Office (ISO) and University Privacy Office (UPO).
- The service provider must provide a current Attestation of Compliance (AOC) and Report on Compliance (ROC) for verification of PCI DSS compliance. The AOC should be a Service Provider AOC that covers the specific services Stanford intends to use, not just the provider's corporate network.
- The ISO PCI Compliance team will review your DRA submission. Please note ISO and UPO may request additional details to complete the review.
- Receive approval from ISO/UPO & merchant services operations team.
- Start contract negotiation with the University Contract Office. Note the resources section below for preferred PCI contract language.
- Any new or existing vendor is contractually obligated to maintain PCI DSS compliance and to provide Stanford with its Attestation of Compliance (AOC) annually and upon request. Other documentation may be required, such as, but not limited to, a process flow showing how cardholder data is transmitted and/or a current SOC 1 or SOC 2 report.
- For evaluating a new payment application provider, in addition to the regular third-party service provider evaluation process:
  - If Stanford has to pay a software license fee for the payment application, the solution must be PA-DSS validated, and the company must provide a current Attestation of Validation (AOV) and Report on Validation (ROV). Note that the PCI SSC retired the PA-DSS program in October 2022 and replaced it with the PCI Software Security Framework (Secure Software Standard and Secure SLC); where a vendor's application is validated under that framework instead, the current Secure Software listing and its attestation should be provided in place of the PA-DSS AOV/ROV.
  - It is highly recommended that the company be listed in the Visa Global Registry of Service Providers and/or Mastercard's list of PCI compliant service providers.