Merchant Services Community of Practice Meetings

February 2023

Pending

January 27, 2022

February 24, 2022

Community of Practice February Meeting

Topic: The Information Security Office (ISO) orchestrates efforts and provides services to protect the information assets that are important to Stanford. ISO consults Merchant Services and has a vital role in supporting the university's payment card industry (PCI) regulatory compliance obligations. This was an opportunity to preview the new PCI Compliance website managed by ISO and share how it guides merchants through the requirements and training.

March 24, 2022

Presentation

Recording

Community of Practice March Meeting

Topic: Third-Party Ecommerce Vendor Usage

• Merchant of Record - Why it Matters
• Definitions and vendor types
• Stanford-approved vendor list
• New vendor evaluation process and feedback

May 26, 2022

PCI Presentation

Stripe Presentation

Recording

Community of Practice May Meeting

• PCI Incidents, presented by T.C. Chen from the Information Security Office
  • Fraudulent activities
  • Incident Response process
  • Prevention
• Demonstration of Stripe basics, presented by Rich Boltizar, MS Program Manager:
  • How it fits into the payments space
  • Why they should choose native Stripe in most situations
  • Payment methods
  • Stripe's off-the-shelf products
  • Ecommerce basics for merchants including the decision points they'll face
  • Third-party vendors

July 28, 2022

Stripe Meeting Presentation

Stripe Meeting Recording

Stripe Reconciliation Tool Guide

Stripe Reconciliation Tool Demo

Community of Practice July Meeting

• Update on Stripe features available
• How to integrate it into existing workflows and design efficient workflows to take advantage of Stripe
• Guided discussion tailored to merchant pre-submitted questions
• Q&A period

August 25, 2022

Recording

Community of Practice August Meeting

Our consulting firm, CampusGuard, covered the new Self-Assessment Questionnaire portal pciportal.stanford.edu

• Decommissioned the old portal from Trustwave/SecureTrust/Sysnet
• Training and SAQs are consolidated into one portal under CampusGuard (not STARS)
• Current SAQ docs for merchants have been migrated
• Only PCI contact identified with access can get into the portal
• If additional contacts need to get access, contact Merchant Services
• For questions on specific SAQ fields, contact the Information Security Office
• Reminder - 2022 PCI compliance validation timeline: September thru November, see Training details

Other:

• Voice over IP (VoIP) survey merchant outreach
• Certain event platform survey due by August 31, 2022
• Do not process manual transactions on Stripe dashboard; use payment links or invoices

September 21, 2022

Recording

September 29, 2022

Recording

Community of Practice September Workshop #1

Topic: CampusGuard demonstration on PCI & SAQ

Reviewed PCI Compliance Training and Self-Assessment Questionnaire requirements. The first workshop focused on the eCommerce payment channel where SAQ A was covered. Timelines for SAQ completion and submission: November 8 for all merchants

Community of Practice September Workshop #2

Topic: CampusGuard demonstration on PCI & SAQ

Reviewed PCI Compliance Training and Self-Assessment Questionnaire requirements. The second workshop focused on in-person/mail order/phone order payment channels where SAQ P2PE (primary), B, and C-VT was covered. Timelines for SAQ completion and submission: November 8 for all merchants.

• Review of the PCI Self-Assessment Questionnaires (SAQs)
  • Who is responsible for completing the SAQ?
  • Which SAQ(s) should be completed?
  • Walk-through of a sample SAQ
    • How to complete the SAQ
    • Detailed guidance on how to accurately review your merchant environments
  • Explanations around the technical requirements 

October 27, 2022

Recording

Presentation

Community of Practice October Meeting

Topic:

• Updates to deposit process for merchants who accept cash and checks
• Additional guidance through Self-Assessment Questionnaires

November 2021

Recording

Presentation

Community of Practice November meeting

Discussion topics: Cybersource migration update, SREDKey deployment overview,  and best practices on virtual/non-POS payment processing.  A cost benefit analysis of SREDKeys will be made available after we know more about how the merchant framework will impact the MS fee.

October 2021

Workshop Recording

Workshop PDF

Community of Practice October 28 Workshop 2

Discussion topics: Review PCI Compliance Training and Self-Assessment Questionnaire requirements. The second workshop focused on in-person/mail order/phone order payment channels where SAQ P2PE A (primary), B, B-IP, C-VT, C are covered.

October 2021

Workshop Recording

Community of Practice October 21 Workshop 1

Discussion topics: Reviewed PCI Compliance Training and Self-Assessment Questionnaire requirements. The first workshop focused on the eCommerce payment channel where SAQ A (primary) and A-EP are covered.

Community of Practice September meeting

Discussion topics: Beginning November 3, we will move to a direct relationship with Cybersource for Payment Gateway services. This replaces the current Cybersource “bundled” relationship through Wells Fargo. As we’ll be using the same products, many changes will be behind the scenes and invisible. There will be no immediate changes to payment processing or technical integrations. Merchants may see some changes to their Cybersource dashboards, and after migration we’ll be exploring additional service options for eCommerce payments.

We also shared the capabilities of Stripe, which Stanford just signed an agreement with, to do invoicing and take payments.

Community of Practice August meeting

In partnership with the Information Security Office (ISO), Merchant Services now has guidance on PCI compliance requirements from the consulting firm, CampusGuard which is a full-service cybersecurity and compliance services company specifically devoted to serving campus-based organizations. With specific focus on Stanford University's PCI compliance program, CampusGuard assists with the oversight of merchant compliance, annual completion of Self-Assessment Questionnaires (SAQs), and tracking of merchant documentation. Certified QSA personnel, Cari King and Katie Johnson, can assist with questions regarding technical requirements, and in the review of new merchant processes, new payment technologies, applications, etc. CampusGuard can also assist with ongoing third-party and vendor management.

July 2021

Community of Practice July meeting

Discussion topics:

• A new service agreement and an infrastructure is being built with Stripe with details to come soon
• A reminder to check point-of-sale devices for charge, for if the battery is fully drained, the risk may result in the device having to be replaced
• MS is finalizing contract negotiations for the payment gateway which will provide better features on back end payment processes and possibly pricing
• We are working to update instructions on Fingate and organize a future roadshow on merchant basics and compliance requirements to support navigating PCI compliance. One of the main goals of the Merchant Services Transformation is to adjust our practices so that PCI compliance is not viewed as the primary purpose of the program. We are working to balance those needs with business requirements wherever possible.

CANCELLED Community of Practice June meeting

May 2021

Community of Practice May meeting

Discussion on how Stripe as a payment processor plays an emerging role that impacts card acceptance on campus. 

Special insights from Rich with Associated Students of Stanford University (ASSU) and Brandy with the Alumni and Development Applications Platform Transition (ADAPT) on how Stripe has worked for them.

April 2021

Community of Practice April meeting

Roundtable/Q&A with the Information Security Office PCI Compliance team, featuring:

• Shawn Kim, Director of Special Programs/Internal Security Assessor
• Tadeu Perillo, Information Security Officer/Internal Security Assessor
• T.C. Chen, Information Security Officer/Internal Security Assessor

Discussion topics:

• Learn ISO’s PCI compliance responsibilities which include setting and enforcing PCI policies, organizing and certifying yearly PCI DSS attestation, performing quarterly security scanning, building and maintaining PCI training content and other PCI compliance matters.
• How to handle credit card information using Voice Over IP (VoIP) technologies and phone equipment requirements 
• How to verify that vendors are PCI compliant
• PCI compliance training requirements for new hires
• Pending changes to PCI DSS 4.0 and impact to the Self Assessment Questionnaire

March 24, 2021

Community of Practice Kick-Off March meeting

Discussion topics:

• Set expectations for meeting format and schedule
• COVID effects on their programs and services
• Brainstorming future topics