Stanford merchants are responsible for assigning employees the appropriate roles to ensure the department is compliant with university policy and Payment Card Industry Data Security Standards (PCI DSS). For more information on PCI DSS, refer to Topic Overview: Annual PCI Compliance Requirements.
Stanford merchants are required to maintain compliance with university policy and must review the Administrative Guide prior to processing payments. This ensures protection of Stanford's information resources, outlines procedures to be followed when a computer security incident is discovered, provides guidance on proper engagement in unrelated business activities and ensures relationships with entities independent of the university are structured correctly.
- 1.4.1: Academic and Business Relationships with Third Parties
- 1.5.3: Unrelated Business Activity
- 6.3.1: Information Security
- 6.6.1: Incident Response
- 3.4.2: Card and Payment Account Acceptance and Processing
- Visit pcicompliance.stanford.edu to learn about PCI compliance requirements.
- Unrelated business income is the income from a trade or business activity that is regularly carried on by an exempt organization and that is not substantially related to the performance by the organization of its tax exempt purpose or function. For more information, refer to Resource: Unrelated Business Income. Refer to Topic Overview: Tax Compliance at Stanford for university tax policy, standards and best practices.
- Review the Internal Audit Services for more details on how Internal Audit follows the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing promulgated by The Institute of Internal Auditors.
- Review University IT’s (UIT) Information Security for details on protecting the information assets important to Stanford.
- Electronic storage of cardholder data at Stanford is prohibited except on an approved secure and segregated network. Contact Merchant Services (MS) for more information.
- Fulfilling Orders for Goods or Services: Merchants are responsible for providing the product or service that is being purchased. For online, mail, phone or fax orders this includes shipping and producing items available for download. Merchants are responsible for resolving any customer inquiries or challenges.
- Manage Online Stores: If merchants are selling goods or services online, they are responsible for building and maintaining their site. Enterprise Technology Compliance collaborates with merchants to integrate the connection from their website to the Wells Fargo/CyberSource Gateway's Secure Acceptance web solution. All other aspects of building and maintaining an e-commerce store are the merchant’s responsibility.
- Training: Stanford affiliates processing payment card transactions or supporting a secure payment card infrastructure must complete the PCI Security and Compliance Awareness training course in STARS prior to working with credit card information. Submit a Support Request to MS for a direct link to enroll in the course.
Assigned Roles and Responsibilities
Merchants need to assign the roles and responsibilities below to employees in the organization.
- Account owners ensure compliance with all applicable Stanford policies. Account owners must be director level or higher.
- PCI contacts are expected to ensure all employees are familiar with the PCI DSS requirements and how they relate to their job function. They ensure the organization has documented procedures in place for the compliant handling of credit card information.
- Finance contacts are expected to perform the monthly reconciliation of their department’s credit card revenue. They ensure timely responses to any information requests and chargeback requests received from the merchant bank.
- Technical contacts (online merchants) work with Enterprise Technology Compliance to integrate the merchant website with the Wells Fargo Payment Gateway. They are expected to address any technical issues specific to the merchant’s online processing requirements.
Merchants must also designate one or more individuals to assist with the following responsibilities:
- Ensure all individuals who process, transmit, store or dispose of cardholder data comply with university policy and have reviewed the Administrative Guide Memos prior to processing payments. For policy details, refer to Topic Overview: Annual PCI Compliance Requirements.
- Promptly inform Merchant Services when business processes need to change or are updated.
- Confirm that third-party service providers or other contractors fulfill contractual obligations to protect cardholder data and obtain vendors’ annual PCI compliance documents.
- Complete the required annual Payment Card Industry (PCI) compliance attestation through the SecureTrust portal on time.
- Work with the merchant provider's customer support as needed to troubleshoot terminal issues.
- Promptly respond to any requests for information regarding a chargeback dispute transaction.