In this presentation that was featured in an EDUCAUSE Symposium, we share how Stanford approached PCI DSS challenges and developed a sustainable, lower‑risk, lower‑scope compliance program.
We explore how Stanford tackled PCI challenges and what worked (and what didn’t) in a real-world campus environment. We also cover practical ways to shrink your organization’s PCI scope and make compliance less overwhelming, and provide clear recommendations to build stronger governance and simplify processes.
Key Takeaways:
- Reducing PCI Scope Is the Most Effective Risk Reduction
Modern tools like P2PE and vendor‑hosted e-commerce dramatically reduce compliance burden by removing the institution from storing/processing cardholder data. - Central Governance Is Critical
Clear roles shared between ISO and Merchant Services ensure consistent oversight and reduce decentralization challenges. - Continuous Improvement Matters
PCI DSS evolves often; institutions must maintain adaptable governance, vendor management processes, training, and documentation practices.
Speakers:
Shawn Kim
Director of Cybersecurity Governance, Risk, and Compliance, Information Security Office at Stanford University
David Gundrum
QSA, CISSP
Security Advisor at CampusGuard
Katie Johnson
PCIP
Manager of Operations Support at CampusGuard
