Payment card service providers, please note that according to PCI SSC, all of the organizations that process, transmit, and/or store payment card information must be PCI Security Standard Requirements and Security Assessment Procedures (PCI DSS) compliant.
Third-Party Service Providers
New Third-Party Service Provider Evaluation
University departments that use or would like to use third-party vendors to process credit/debit card transactions must ensure that each new vendor is fully approved by the Office of the Treasurer (OOT) and the Information Security Office (ISO) PCI Compliance team.
Before considering a new third-party service provider, we recommend that you first check our approved service providers list to see if any of our existing service providers could meet your needs. If you still want to proceed with a new third-party service provider, use this service provider evaluation checklist for evaluation requirements.
Stanford third-party vendors must use a separate network for Internet Service not connected to Stanford unless they are using PCI SSC validated P2PE devices approved by the Stanford Merchant Services Team. Please note the Service provider or the Stanford Merchant managing the service provider must obtain approval from the Merchant Services team even if they are using the Merchant Services approved P2PE devices to use the Stanford network.
Third-party service provider evaluation steps
- Submit a support request to the merchant services operations team.
- Schedule a consultation session with the merchant services operations team.
- Be sure to complete the Vendor Payment Capability Assessment Form before your meeting.
- After the consultation, the merchant services operations team will guide you to submit a Data Risk Assessment (DRA) to the Information Security Office (ISO) and University Privacy Office (UPO).
- The service provider must provide a current Attestation of Compliance (AOC) and Report on Compliance (ROC) for verification of PCI DSS compliance.
- The ISO PCI Compliance team will review your DRA submission. Please note ISO and UPO may request additional details to complete the review.
- Receive approval from ISO/UPO & merchant services operations team.
- Start contract negotiation with the University Contract Office. Note the resources section below for preferred PCI contract language.
Important notes
- Any new or existing vendor is contractually obligated to maintain their PCI DSS compliance, and provide Stanford with the service provider’s Attestation of Compliance (AOC) annually and upon request. Other documentation may be required such as, but not limited to, a process flow of how data is transmitted and or a current SOX1 or SOX2 report.
- For evaluating a new payment application provider, in addition to the regular third-party service provider evaluation process:
- If Stanford has to pay a software license fee for the payment application, then the solution needs to be PA-DSS compliant. The company must provide a current Attestation of Validation (AOV) and Report on Validation (ROV).
- It is highly recommended that the company be listed in the Visa Global Registry of Service Providers and/or the MasterCard PCI Compliant Service Providers.
Process Flow Chart
See below for the service provider evaluation and Data Risk Assessment (DRA) process.
- Submit a help ticket
- Initial consultation with the MS Operations Team
- Start DRA process with ISO
- Receive approval form ISO and MS Operations Team
- Contract Negotiation
Click image to enlarge
- Submit data risk assessment pre-screening questionnaire*
- Complete step 1-4 of the DRA intake form (Requestor)
- Vendor completes the "third party form" of the DRA intake form
- Complete step 5 of the DRA intake form to submit the form (Requestor)
- ISO/UPO reviews the form & generates a report**
*Emailed reposonse will indicate if additional steps (Step 2-5) are required
**ISO or UPO may request additional details to complete review
Click image to enlarge
Resources
Approved service provider list
The Office of the Treasury (OOT) centrally manages Stanford University’s relationship with its acquiring bank to facilitate processing services that meet department needs and adhere to industry and institutional data security standards. This list is constantly being updated.
New third-party service provider evaluation checklist
Use this checklist to make sure you have enough information to proceed with the new third-party service provider evaluation.
Internet service model and policy
Stanford third-party vendors must use a separate network for internet service not connected to Stanford.
