
Merchant Services Program

Overview

Merchant Services (MS) oversees the acceptance and processing of payments collected digitally and through credit or debit card transactions at Stanford. The program operates through a collaboration between Financial Management Services’ Office of the Treasurer (OOT) and University IT’s Information Security Office (ISO), both within Business Affairs.

MS supports over 300 department merchants across the university, each with distinct services, internal processes, and business requirements. The program is committed to delivering effective and innovative payment solutions that align with the evolving needs of the Stanford community, while maintaining a strong commitment to security and compliance standards.

[Diagram: hierarchy of the MS Program, consisting of OOT and ISO in support of campus.]

FMS also offers the Card Services program, which is intended to support the use of PCards and TCards. For more information on using these university payment methods, visit the PCards Overview or TCards Overview.

Given the importance of systems, technologies, regulation compliance, policies, and procedures in the Merchant Services infrastructure, a close partnership with UIT continues to be critical to the success of the program. To effectively support campus merchants, the program responsibilities are distributed as follows:

OOT
  • Manage the MS program equipment and key program vendors
  • Manage university level program-wide projects
  • First point of contact for all merchant support requests
  • Perform support ticket triage, assignments, and track support metrics
  • Facilitate program communication and governance
  • Manage expenses and revenue within the program budget
  • Principal responsibility for contracts with payment providers
  • Streamline the number of vendors in the MS ecosystem
  • Guide and support merchants in their vendor evaluation and selection
  • Provide financial reporting and reconciliation support
  • Perform monthly, quarterly, and year-end close activities
  • Oversight for the overall MS training program

ISO
  • Set and enforce policies according to current PCI Data Security Standards (PCI DSS)
  • Organize and certify the yearly PCI DSS attestation
  • Consult with Merchants on remediation for PCI incidents/findings
  • Perform quarterly security scanning
  • Perform regular PCI audits
  • Build and maintain PCI reporting metrics
  • Develop and maintain PCI incident response plan
  • Perform technical vendor assessment as part of the DRA process
  • Build and maintain PCI training content
  • Manage expenses within the program budget
  • Collaborate with CampusGuard, a cybersecurity and compliance services company, to oversee merchant compliance and requirements
  • Manage PCI incidents
  • Maintain website pcicompliance.stanford.edu

A merchant is a person or an organization registered to accept and process card-present, electronic payment card, or digitally transmitted transactions for selling goods and services online or in person. The following are important steps and considerations for merchants when creating and maintaining their account.

New Merchant Accounts and Set up

  • For guidance, provide the MS team with the following details during an initial consulting session:
    • Your role and department background
    • Line of business that you want to take payment for
    • Transaction volume (sales) and frequency
    • Types of payments (ACH, Wire, Credit/Debit Card, other)
    • Payment acceptance channel (Point of Sale, E-commerce, Mail Order/Phone Order, Mobile)
    • Any third-party vendor
  • If a third-party vendor is considered for payment processing, it needs to be fully vetted by:
    • MS for payment capability and financial risk assessment
    • Information Security Office (ISO) for Data Risk Assessment and PCI Compliance
    • Contracts in FMS Procure to Pay to assess contractual terms to ensure compliance with university policy regardless of requisition or purchase order status
    • Note: When considering new vendors, review the criteria and steps for a Third-Party Vendor Evaluation.
  • Submit a support request attaching a copy of the signed merchant application form for MS to review.
    • If approved, allow one to two weeks for MS to set up a merchant account and/or order any equipment.
  • Complete required PCI compliance training and any other equipment/gateway specific training.
  • Perform vendor/payment integration and test a transaction.
  • Launch payment acceptance channel(s).
  • Track/reconcile the revenue and expense.

Existing Merchant Maintenance

  • Contact MS for any changes associated with merchant accounts.
  • Report any card fraud or data breach incidents to ISO immediately.
  • Perform inspections on POS equipment, keep them secure when not in use, and update inventory/inspection logs periodically.
  • Work with the merchant provider's customer support as needed to troubleshoot terminal issues.
  • Promptly respond to any requests for information regarding a chargeback dispute transaction.
  • Provide vendor’s PCI DSS documentation annually, if applicable.
  • Complete PCI compliance attestation self-assessment questionnaires (SAQs) annually.
    • Individuals involved in payment card activities are required to complete PCI compliance training annually.

Assigned Roles in Merchant Account

Merchants must assign the following roles to employees in the organization:

  • Account Owner ensures compliance with all applicable Stanford policies. The Account Owner must be at a director level or higher and must have financial signature authority for the revenue/expense award(s) provided for the merchant account.
  • Department Contact is the secondary contact person after account owner for any inquiries received on a merchant account.
  • Finance Contact performs the monthly reconciliation of their department’s card revenue. They ensure the timely response to any requests and chargeback notices received from the merchant bank.
  • PCI Contact ensures all employees are familiar with the PCI DSS requirements and how they relate to their job functions. They ensure the organization has documented procedures in place for the compliant handling of credit card information.
  • Technical Contact (if applicable) addresses any technical issues specific to the merchant’s online processing requirements.

The Payment Card Industry Data Security Standard (PCI DSS) enforces protection of consumers’ high-risk payment card data by requiring all organizations that process, transmit, and store payment card information to comply with a set of data controls, establish IT and physical security measures, and meet policy requirements in order to mitigate the risk of a security breach, or the loss, theft, or abuse of payment card data.

All Stanford departments that accept card payments, and any third-party service provider accepting payment data on their behalf, must be PCI compliant and complete an annual certification. All staff handling cardholder data are required to complete annual training.

Merchant Services collaborates with the University IT Information Security Office (ISO) to help Stanford department merchants meet their PCI compliance requirements. For all information on PCI DSS, visit pcicompliance.stanford.edu and learn about:

  • Compliance Requirements
  • Vendor Evaluation
  • Annual Training
  • Policies & Resources
  • Incident Response

Stanford merchants are required to maintain compliance with university policies and must review the Administrative Guide prior to processing payments. These policies ensure protection of Stanford's information resources, outline the procedures to be followed when a computer security incident is discovered, provide guidance on proper engagement in unrelated business activities, and ensure that relationships with entities independent of the university are structured correctly.

Additional Resources

  • Visit pcicompliance.stanford.edu to learn about PCI compliance requirements and details to protect the information assets important to Stanford.
  • Electronic storage of cardholder data at Stanford is prohibited except on an approved secure and segmented network. Submit a support request to Merchant Services (MS) for more information.
  • Refer to Merchant Services Privacy Policy to learn more about managing risk and protecting merchant businesses and client information.
  • Unrelated business income is the income from a trade or business activity that is regularly carried on by an exempt organization and that is not substantially related to the performance by the organization of its tax exempt purpose or function. For more information, refer to Resource: Unrelated Business Income.
  • See the Topic Overview: Tax Compliance at Stanford for university tax policy, standards, and best practices.

Last Updated: May 1, 2025