Supporting PCI Compliance

Many business offices at Stanford are authorized to accept payment cards (i.e., credit, debit, and prepaid cards) in payment for services and products. These “Stanford Merchants”, like any business that accepts such cards, are required to comply with the Payment Card Industry Data Security Standard (PCI DSS) — a set of standards developed by the PCI Security Standards Council for optimizing the security of payment card transactions. Stanford is a participating organization in the Council.

The PCI Compliance Services team provides consulting and technical services to help Stanford Merchants achieve compliance. The team built and maintains a dedicated PCI infrastructure for processing payment card transactions, updating it regularly to meet evolving security and PCI DSS requirements and supporting Stanford Merchants’ business needs. 

The PCI DSS requires an annual audit and validation of compliance, which is reported to the University’s bank. PCI Compliance Services worked with Stanford Merchants to achieve Stanford’s first documented and validated PCI DSS v2.0 compliance this past March. The team couldn’t rest on those laurels, however; the PCI Council released Version 3.0 of the data security standard in late 2013, and merchants are required to be in compliance with the new standard by the end of December 2015. 

The PCI Compliance Services team is currently testing a new infrastructure to support the PCI DSS v3.0 requirements. Upgrades of the current Stanford Merchants who operate in the PCI Infrastructure into this new secure zone are being planned. Planning is also underway to migrate other merchants into the new zone. Meanwhile, the team is preparing for the next PCI compliance validation deadline for all Stanford Merchants, which is December 15, 2014.  

PCI Compliance Services is also working to support Stanford’s CyberSource users. Stanford Merchants who process payment card data via ecommerce sites use the Wells Fargo Payment Gateway powered by CyberSource. To enhance payment card processing security, CyberSource mandated a migration of sites to use its new improved Secure Acceptance method. PCI Compliance Services has worked to help communicate this migration and assist merchants in meeting the migration deadline of September 30, 2014.

In September, to help Stanford Merchants and the University community understand PCI policies and processes, University IT launched a new PCI Security and Awareness Training course and published a PCI compliance website. To learn more about PCI compliance, see pcicompliance.stanford.edu.