Merchant Services Transformation Project
The Merchant Services (MS) Program manages, supports, and mitigates risk for payments collected digitally and via credit card at Stanford. MS is currently supported through a collaboration between three distinct university groups within Business Affairs: Financial Management Services’ (FMS) Office of the Treasurer (OOT), UIT’s Information Security Office (ISO), and UIT’s Enterprise Technology (ET). MS supports over 200 department merchants across the university, most of whom offer individual products or services, have unique internal processes, and varied business needs. (updated 8/30/23)
Merchant Services is committed to delivering the best services and solutions to meet the needs of the university while meeting the highest standards of quality, excellence and compliance. Over the past several years, in addition to the rapidly changing payment receipt landscape, the costs to run the MS program have risen significantly faster than revenue. Through new technologies and security features, MS is seeking to both reverse that trend to avoid additional downstream costs or burden on merchants, and to improve services to merchants and their customers. To better evaluate and implement the program transformation, MS embarked on a multi-year initiative with three major phases.
Phases and Status
This phase focused on reviewing the program as it stood, then automating and streamlining processes, for example, new technologies and workflow changes were adopted. The results of this phase included:
During this phase, an external consultant (Glenbrook Partners) embarked on a multi-month project to evaluate Stanford’s payment ecosystem and deliver a series of strategic recommendations, cost/benefit analysis and proposed timelines for changes.
The Merchant Services Strategic Advisory Committee considered Glenbrook’s proposals and recommended proceeding with three unique workstreams to enhance and improve the program, which would comprise Phase III of the initiative. The initiative was approved by and is funded through the University's Systems Governance Group (SGG).
The three workstreams in Phase II were launched and are comprised of:
Learn more about the status of this current phase below.
Phase III: Activities and Accomplishments
Phases I and II were about exploration, strategy, & planning and Phase III is about action.
In terms of the current Phase, there have already been numerous accomplishments, including:
The internal structure of the program was changed in order to:
- Re-align the focus to business support, consulting and partnership
- Re-calibrate the approach to PCI compliance and risk mitigation
- Retire the previous Merchant Services firstname.lastname@example.org mailbox and utilize Stanford Services & Support to provide transparency of the request process, minimize email and expedite fulfillment
- Hire an Operations Manager to enhance support of day-to-day operations
- Partner with Rich Boltizar of Boltizar Consulting LLC based in Idaho by providing services as Program Manager/Business Architect for Merchant Services to drive forward the various initiatives of the Transformation Project.
The Merchant Services Community of Practice (CoP) was established in 2021 as a platform to discuss operational experiences, share best practices and provide training on new services. Past topics include:
- PCI compliance training workshop and Self-Assessment Questionnaires for ecommerce and in-person/phone order payment channels
- Guidance on PCI compliance requirements from the consulting firm, CampusGuard, a full-service cybersecurity and compliance services company specifically devoted to serving campus-based organizations
- How Stripe as a payment processor has played an emerging role that impacts card acceptance on campus
Payment Gateway Discovery
Upon completion of the Gateway discovery, two vendors were selected: FreedomPay for transactions received at the Point-of-Sale, including expanded equipment offerings, and Cybersource (direct) for eCommerce, replacing our current relationship with Cybersource managed through Wells Fargo. Merchant Services has moved to a direct relationship with Cybersource for payment gateway services. This new arrangement should result in more streamlined support and services. This replaces the current Cybersource “bundled” relationship through Wells Fargo. As we’ll be using the same gateway, this transition will be behind the scenes and invisible to merchants. There will be no major impact to payment processing or technical integrations. Merchant Services will be in direct contact with merchant groups affected to discuss in more detail. For more information, see ECommerce Merchants.
Merchants can purchase Point-to-Point Encrypted (P2PE) keypads (aka: SREDKeys) for processing transactions via Cybersource virtual terminals. One device can be used by various people or across multiple accounts. SREDKeys will be configured for Stanford’s environment as a whole, so they can be shared within units. Benefits include improving device security, enhancing payment security, reducing PCI DSS scope, lowering cost associated with PCI infrastructure, and increasing work efficiency. For more guidance, see Point of Sale Merchants.
Stanford signed an Enterprise-wide agreement with Stripe, and as a result we have implemented Stripe's products and features for eCommerce. Stanford signed an Enterprise-wide agreement with Stripe, and as a result we have implemented Stripe's products and features for eCommerce.
Compliance Content Consolidation
UIT’s Information Security Office launched the new PCI Compliance website. This serves as a central information hub that provides clear guidance for merchants around PCI compliance requirements, while improving and modernizing the user experience with updated content. This has allowed ISO and MS to update and consolidate the standards for optimizing the security of payment card transactions and make it easier for merchants to find the information they need.
Event Management Transition
Cvent, a new third-party event management platform managed by UIT, was rolled out in July 2023 for Certain platform event users. Certain has sunsetted on October 25, 2023. For more information, see the Stanford Transitioning from Certain to Cvent for Events Management news page.
For merchants who used Certain for payment collection only, the CardinalPay platform can be an alternative.
Launched CardinalPay's Back-End Accounting Automation
Merchant Services launched the first part of CardinalPay, an Oracle accounting automation tool, for all transactions processed only by Stanford-owned and managed Stripe accounts effective on October 1, 2023. Oracle will automatically generate daily iJournals to book all transaction activities for Stanford-managed Stripe accounts. Rather than seeing one net deposit to a PTA per batched payout, each transaction’s revenue and fees will appear separately on the GL with a significantly expanded level of detail in the description field. Benefits include:
- Offers a simple and flexible revenue collection solution with diverse payment options
- Improves customer confidence through trusted Stanford branding and Stanford.edu domain
- Automates accounting posting to Oracle for all Stripe-related grossed-up financial data
- Integration of Authority Manager simplifies management of access to merchant functionality
- Reduces PCI compliance scope by replacing existing custom standalone payment pages
- Centralizes the management of a large number of Stanford-owned Stripe merchant accounts
- Provides high level reporting capabilities to query transaction activities across all accounts
Front-End Solutions Redesign
In November 2023, Merchant Services will offer a front-end solution through CardinalPay which can provide support for merchant department ecommerce websites. In partnership with each merchant, a plan can be built for each, checked and adjusted with the assigned technical resources, and implemented within a timeframe that works with the merchant's business needs. Benefits include:
- Stanford-approved ecommerce solution
- Dedicated hosted merchant payment page(s) for each defined payment stream with substantial "no code" customization options
- Customers interface with individual Stripe merchant accounts through a centrally managed portal with emailed receipt issuance
- Minimized PCI scope through open network operation (no network segmentation required)
- Revenue can be routed to unique PTAs based on the payment type used
Learn More and Join the Community
- Learn about Accepting Credit and Debit Card Payments for products and services.
- Visit the Community of Practice meeting Resource page to learn more about past topics and register for upcoming monthly discussions.
- Join the Slack channel at #Merchant-Community-Forum for timely topics in between meetings.
- To learn more and stay up to date on all things Merchant Services, subscribe to the newsletter and view past news on Fingate.