PCI DSS Compliance Vendors Evaluation

For the evaluation and verification of payment card service providers, you must submit an Attestation of Compliance (AOC) using the PCI Security Standards Council (SSC) official form. Submit the document to pcicompliance@stanford.edu or Merchant Services.

Please note the following:

  • The AOC must be valid within the last 12 months.
  • Every vendor must submit the AOC as a service provider, unless an exception is granted by the Treasury Office, the Information Security Office (ISO) and the UIT Compliance Office.
  • If the AOC is not signed by a PCI SSC certified QSA or ISA, the vendor must also submit its current quarter's Approved Scanning Vendor (ASV) report and the current year's penetration test report for its external network.
  • In a 12-month period, the PCI Compliance team will accept a maximum of 3 versions of an AOC from the same vendor for review.
  • If needed at a later stage of the evaluation, the PCI Compliance team might request that the vendor provide a demo of the payment processing workflow through its services.

Note for payment card service providers: according to PCI SSC, all organizations that process, transmit, and/or store payment card information must be compliant with the PCI Security Standard Requirements and Security Assessment Procedures (PCI DSS).