E-Commerce Merchants

To be able to accept credit card payments on your website, and bearing in mind that credit card data is “high risk” data, you will need the following:

E-commerce Website

Connects the merchant’s web-based store with the acquirer (or its processor), card networks and card issuers. Specifically, your website will need to incorporate the following components:

• SSL Certificate: Secure Socket Layers (SSL) are services that encrypt data communicated online to provide security against unauthorized use. The SSL is identified by the “s” in the “https” at the beginning of the URL of a SSL-protected webpage and often colors the URL bar.
• Online Store/Shopping Cart: Software that collects and organizes online customers’ list of items for purchase. Once the customer is ready to check out, the shopping cart calculates the order total and presents the customer with a payment information form to complete the transaction. The shopping cart can be provided by third party vendors or be custom-built by website developers.
• Payment Gateway: Technology that connects a merchant's online store/shopping cart with its acquirer (or processor) and transmits the transaction information and authorization for each customer purchase.

E-Commerce Merchant Account

Establishing a merchant account is the mechanism that enables merchants to accept credit and debit cards for payment. It is provided by the university’s acquiring bank Wells Fargo. It links all of the above mentioned components into an integrated system. For more information, refer to Topic Overview: Merchant Account Life Cycle.

The university encourages departments to use CyberSource payment gateway. By using CyberSource's Secure Acceptance Web/Mobile implementation, the customer enters their cardholder information onto a secure order page hosted by CyberSource. In this way, no credit card data is stored upon or transmitted through any of Stanford's UIT systems or servers.

If merchants choose another third party provided payment gateway, they will need to ensure that first the gateway is fully approved by Merchant Services (MS) and is compatible with Wells Fargo’s processor - First Data.

CyberSource can also be integrated with other third-party, vendor-provided applications if the vendors offer integration capability. Timelines, pricing and fees are dependent upon vendor and integration requirements. E-commerce merchants that connect to CyberSource are responsible for monitoring/maintaining that connection. All connections must be fully documented and that documentation must be submitted to MS prior to the merchant's web store going live with processing the live transactions.

The following CyberSource features are available to merchants:

• CyberSource Secure Acceptance Web/Mobile: Used to enable your web store to accept card and check payments by customers entering their own information into a secure order page hosted by Cybersource.
• Recurring Billing/Customer Profiles: Enables you to create customer profiles that are stored on CyberSource’s secure servers. A customer profile is a set of information about a customer that you store in the CyberSource database for future billing.
• Secure Storage: Customer payment information is securely stored for each transaction.

Note: Not all features may be applicable to your web store.

E-commerce merchants who use CyberSource can contact them directly via the Customer Support Center. The support center allows live chat, submit a ticket, and call for phone support. 

Any significant changes to current processes planned by currently active e-commerce merchants must be reviewed and approved by MS prior to implementation. Such changes include (but are not limited to):

• Departmental website
• Application software
• Products or services for sale
• Anticipated transaction volume
• Departmental contacts responsible for the e-commerce 

Stanford-managed Stripe accounts offer ecommerce products for merchants to choose from that do not rely on a third-party ISV or the development of a custom implementation. These core payment methods have wide applicability to that Stanford merchant community. See the Stripe Payment Solutions page for more information on:

• Stripe payment methods
• Native Stripe solutions available for merchants
• Basic Stripe setup for merchants: products, coupons, etc.
• Creating and using Payment Links
• Using Invoicing
• Stripe integrations
• Integrating Stripe into workflows

CardinalPay is a single-source solution for managing Stanford-managed Stripe accounts, offering front-end payment acceptance and back-end account management. Merchant Services offers consulting services to Stanford merchants. See the Resource: CardinalPay page for more information.

Please submit a support request for help integrating Stripe with your business needs.

While it is perfectly acceptable or encouraged for customers to make online payments from their personal devices, merchants must not allow customers to enter their credit card information on any university owned device (computer, tablet, laptop).

If merchants have the need to manually enter card information into an e-commerce site on behalf of the customer, entries must be made through an approved secure channel. This may include a dedicated PCI workstation or at a regular workstation connected with the approved point-to-point-encryption (P2PE), secure reading and exchange of data (SRED) key. Contact the Merchant Services team for more information.

In order to comply with Visa and MasterCard regulations, certain terms and conditions must be presented on university websites and/or mobile apps. These include:

• Name of business unit listed on your merchant ID or payment processing account
• Contact information such as mailing address, phone number and/or email address
• Clear and prominent display of the merchant outlet’s country of operation, appearing:
  • On the same screen view as the checkout screen that presents the final transaction amount
  • Within the sequence of webpages the cardholder will access during the checkout process
• Disclosure of return, refund and cancellation policies on the sequence pages before final checkout and include a “click to accept” button, checkbox or other acknowledgement.

• Work with MS for all your e-commerce needs
• Allow plenty of time to establish your Merchant ID and e-commerce implementation (minimum 1 to 3 months depending on the solution)
• Inform MS of changes to staff and access roles so that payment maintenance of gateway users can be properly managed
• Do not conduct e-commerce at Stanford without an official Merchant ID unless exception approval is obtained
• Review the third-party service providers who are centrally supported and acceptable for deployment on campus. For new vendors, learn more about the criteria and steps for a Third-Party Vendor Evaluation. Do not use unapproved e-commerce vendors.