Topic Overview

Merchant Services Program

Overview

Merchant Services (MS) is the program that manages, supports, and mitigates risk for payments collected digitally and via credit and debit card at Stanford. MS is currently supported through a collaboration between three distinct university groups within Business Affairs: Financial Management Services’ (FMS) Office of the Treasurer (OOT), UIT’s Information Security Office (ISO), and UIT’s Enterprise Technology (ET). MS supports over 200 department merchants across the university, most of whom offer individual products or services, have unique internal processes, and varied business needs. Merchant Services is committed to delivering the best services and solutions to meet the needs of the university while sustaining the highest standards of quality, excellence and compliance.

Merchant Services governance

FMS also offers the Card Services program, which is intended to support PCards and TCards that are used as university payment methods. Department merchants who accept credit and debit cards to collect payments for university goods and services are not part of that program. For more information on purchasing and traveling on behalf of the university, visit PCards Overview or TCards Overview.

Given the importance of systems, technologies, regulatory compliance, policies and procedures in the Merchant Services infrastructure, a close partnership between OOT, ISO and ET continues to be critical to the success of the program. To support merchants, the program responsibilities are distributed as follows:

OOT

  • Manage the MS program equipment and key program vendors
  • Manage university level program-wide projects
  • First point of contact for all merchant support requests
  • Perform support ticket triage, assignments, and track support metrics
  • Facilitate program communication and governance
  • Manage expenses and revenue within the program budget
  • Principal responsibility for contracts with payment providers
  • Streamline the number of vendors in the MS ecosystem
  • Guide and support merchants in their vendor evaluation and selection
  • Provide financial reporting and reconciliation support
  • Perform monthly, quarterly, and year-end close activities
  • Oversight for the overall MS training program


ISO

  • Set and enforce policies according to the current Payment Card Industry Data Security Standard (PCI DSS)
  • Organize and certify the annual PCI DSS attestation of compliance
  • Consult with Merchants on remediation for PCI incidents/findings
  • Perform quarterly security scanning
  • Perform regular PCI audits
  • Build and maintain PCI reporting metrics
  • Develop and maintain PCI incident response plan
  • Perform technical vendor assessment as part of the Data Risk Assessment (DRA) process
  • Build and maintain PCI training content
  • Manage expenses within the program budget
  • Collaborate with CampusGuard, a cybersecurity and compliance services company, to oversee merchant compliance and requirements
  • Manage PCI incidents
  • Collaborate with the ET compliance team to resolve vulnerabilities
  • Maintain website pcicompliance.stanford.edu

ET

  • Maintain existing eCommerce redirect web pages
  • Maintain PCI VPN/remote desktop
  • Maintain the dedicated PCI network and infrastructure
  • Remediate vulnerabilities

A merchant is a person or an organization registered to accept and process card-present, electronic payment card, or digitally transmitted transactions for selling goods and services online or in person. To learn more about accepting and processing credit and debit card or digital payments, please visit: Accepting Credit and Debit Card Payments.

There are important steps and factors merchants must consider when they begin accepting credit/debit card payments through payment platforms, and again while maintaining their account.

New Merchants

  • Set up an initial consulting session with Merchant Services (MS), be prepared to discuss:
    • Your role and department background
    • Line of business that you want to take payment for
    • Transaction volume (sales) and frequency
    • Types of payments (ACH, Wire, Credit/Debit Card, other)
    • Payment acceptance channel (Point of Sale, E-Commerce, Mail Order/Phone Order, Mobile)
    • Any third-party vendor
  • If a third-party vendor is being considered for payment processing, it must be fully vetted by:
    • MS, for payment capability and financial risk assessment
    • The Information Security Office (ISO), for a Data Risk Assessment and PCI DSS compliance review
    • Contracts in FMS Procure to Pay, to assess contractual terms and ensure compliance with university policy regardless of requisition or purchase order status
    • Note: When considering new vendors, review the criteria and steps for a Third-Party Vendor Evaluation.
  • Submit a support request attaching the signed merchant application form for MS to review.
    • If approved, allow one to two weeks for MS to set up a merchant account and/or order any equipment.
  • Take required PCI compliance training and any other equipment/gateway specific training.
  • Perform the vendor/payment integration and run a test transaction end to end before accepting real payments.
  • Go live with accepting payments.
  • Track/reconcile the revenue and expense.

Existing Merchants

  • Contact MS immediately about any changes associated with merchant accounts (for example, a change of contacts, equipment, vendor, or line of business).
  • Report any card fraud or suspected data breach to ISO immediately.
  • Periodically inspect POS terminals for signs of tampering or substitution, keep them secure when not in use, and update the inventory/inspection logs after each inspection.
  • Work with the merchant provider's customer support as needed to troubleshoot terminal issues.
  • Promptly respond to any requests for information regarding a chargeback dispute transaction.
  • Provide the vendor's PCI DSS documentation annually, if applicable.
  • Individuals involved in payment card activities are required to complete PCI compliance training annually.
  • Department merchants are required to complete PCI compliance attestation (Self-Assessment Questionnaires, SAQs) annually.

Assigned Roles in Merchant Account

Merchants must assign the following roles to employees in the organization:

  • Account owners ensure compliance with all applicable Stanford policies. Account owners must be at director level or higher.
  • PCI contacts are expected to ensure that all employees are familiar with the PCI DSS requirements and how they relate to their job functions. They ensure the organization has documented procedures in place for the compliant handling of credit card information.
  • Finance contacts are expected to perform the monthly reconciliation of their department's credit card revenue. They ensure timely responses to any requests and chargeback notices received from the merchant bank.
  • Technical contacts (online merchants) work with Enterprise Technology Compliance to address any technical issues specific to the merchant's online processing requirements.

The Payment Card Industry Data Security Standard (PCI DSS) protects consumers' high-risk payment card data by requiring every organization that processes, transmits or stores payment card information to comply with a set of data controls, establish IT and physical security measures, and meet policy requirements, in order to mitigate the risk of a security breach or the loss, theft or abuse of payment card data.

All Stanford departments that accept card payments, and any third-party service provider accepting payment data on their behalf, must be PCI DSS compliant and complete an annual attestation. All staff handling cardholder data are required to complete annual training.

Merchant Services collaborates with the University IT Information Security Office (ISO) to help Stanford department merchants meet their PCI compliance requirements. For all information on PCI DSS, visit pcicompliance.stanford.edu and learn about:

  • Compliance Requirements
  • Vendor Evaluation
  • Annual Training
  • Policies & Resources
  • Incident Response

Stanford merchants are required to maintain compliance with university policies and must review the Administrative Guide prior to processing payments. These policies ensure the protection of Stanford's information resources, outline the procedures to be followed when a computer security incident is discovered, provide guidance on proper engagement in unrelated business activities, and ensure that relationships with entities independent of the university are structured correctly.

Additional Resources

  • Visit pcicompliance.stanford.edu to learn about PCI compliance requirements and details to protect the information assets important to Stanford.
  • Electronic storage of cardholder data at Stanford is prohibited except on an approved, secured and segmented network (the dedicated PCI network maintained by ET). Submit a support request to Merchant Services (MS) for more information.
  • Refer to Merchant Services Privacy Policy to learn more about managing risk and protecting merchant businesses and client information.
  • Unrelated business income is the income from a trade or business activity that is regularly carried on by an exempt organization and that is not substantially related to the performance by the organization of its tax exempt purpose or function. For more information, refer to Resource: Unrelated Business Income.
  • See the Topic Overview: Tax Compliance at Stanford for university tax policy, standards and best practices.
Last Updated: Jan 31, 2024