In an era of identity theft and cybercrime, the payment card industry must constantly evolve to stay one step ahead of the bad guys. A key piece of this evolution is the Payment Card Industry Data Security Standard (PCI DSS), which is regularly updated and enforced by the Payment Card Industry Security Standards Council.
Version 3.0 of the standard went into effect on Jan. 1, 2015, but potential security flaws subsequently discovered in SSL and early TLS required an immediate update. PCI DSS 3.1 was introduced on April 15 and became the current effective version as of July 1.
Many organizations at Stanford are authorized to accept payment cards (i.e., credit, debit, and prepaid cards) for financial transactions. These “Stanford Merchants” are required to comply with the latest version of the PCI DSS. Each Stanford Merchant belongs to one of four groups defined by the standard, each with its own set of requirements to fulfill and attest to annually.
Stanford performs a compliance audit/validation with all its merchants each year, and reports the results to the University’s bank. The PCI Compliance Services and Credit Card Merchant Services teams provide guidance and supervision throughout the validation process, and perform the audits.
The University IT Compliance Services team and the Office of the Treasurer will kick off this year’s audit in September. Both offices will work directly with each Stanford Merchant to complete the required process by Oct. 30. Compliance Services will then prepare the required validation documents for Stanford University’s PCI DSS 3.1 compliance and submit them to the Bank by Dec. 12, 2015.
Concurrent with the new standard, University IT released a revised edition of the PCI Security and Compliance Awareness Training module in STARS (AS-1000-WEB). This online course is required for any Stanford University employee or contractor who processes payment card transactions or supports a secure payment card infrastructure.
Questions about PCI compliance and/or the new data security standard may be directed to the University IT Compliance Services team.