

Stanford takes seriously its commitment to respect and protect the privacy of its students, alumni, faculty, and staff, as well as to protect the confidentiality of information important to the Stanford community. Payment card data security is critical, and all merchants are required to be PCI compliant at Stanford.

The University IT PCI Compliance team only supports Stanford University merchants who process payment card transactions by using a Stanford merchant ID. University IT PCI Compliance is not responsible for any personal payment card transactions. For personal payment card issues, please work directly with the financial institution that issued your payment card.

What is Payment Card Industry (PCI) compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a required set of standards for optimizing the security of payment card transactions. A payment card is any type of credit, debit or prepaid card used in a financial transaction. The PCI DSS was developed by the PCI Security Standards Council, an organization founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. The standard applies to all organizations that process cardholder information. As such an organization, Stanford University's compliance with PCI DSS is mandatory.

Do I have to comply?

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all Stanford University departments and organizations (officially known as Stanford Merchants) that accept payment cards for financial transactions. Any third-party vendor engaged by Stanford Merchants to process payment card transactions on their behalf, or who is engaged in payment card financial services on our campus, must also comply with the PCI DSS.

Adhering to the PCI DSS requirements provides critical protective measures to make sure that payment card data is being kept safe throughout every transaction.

How do I comply?

It is your responsibility to read and understand the policies posted on this website.

You must complete the PCI Security and Compliance Awareness training, and you must retake the training on an annual basis to continue to attest to your knowledge and compliance.