Teamwork Drives PCI DSS Success at SDSU

Case Study PCI DSS

October 6, 2025

Introduction

Achieving PCI DSS compliance requires more than technical expertise—it takes true collaboration. Since 2021, the San Diego State University (SDSU) PCI DSS Compliance team has worked hand-in-hand with CampusGuard, uniting representation from Information Technology, Risk and Compliance, the Bursar’s Office, CampusGuard QSA support, and a dedicated PCI DSS Program Manager.

Together, the teams created a highly collaborative environment where each group contributed its unique expertise, ensuring steady progress and shared success.

The Challenge

SDSU recognized the need to strengthen and streamline its PCI DSS compliance program ahead of PCI DSS v4.0. With a significant number of merchant locations across multiple auxiliaries, many of which had not been recently reviewed, the University faced the complex task of understanding its full cardholder data environment.

Most members of the PCI Working Group balanced compliance alongside other demanding roles, leaving limited bandwidth to lead a comprehensive program reset and rollout.

SDSU sought a partner who could provide program management expertise, QSA guidance, and structured support to build a sustainable and campus-wide compliance framework.

The Approach

SDSU partnered with CampusGuard to conduct a thorough review and establish a program-wide structure. Merchant surveys were deployed across all auxiliaries to document payment channels, technologies, and third-party service providers in use.

CampusGuard reviewed existing documentation, identified improvement opportunities, and led efforts to develop a complete merchant inventory, technology register, and third-party vendor list (including AOCs and responsibility matrices).

To build consistency, standardized departmental procedure templates were created, and a cadence for PCI DSS awareness training was established.

With support from CampusGuard Program Manager Laura Allison and San Diego State University’s Director of Risk and Compliance, Chris Clements, SDSU achieved 100% training completion.

In collaboration with CampusGuard QSA Pete Campbell, CampusGuard led merchant-focused SAQ workshops to ensure SAQ accuracy and completeness.

The PCI DSS Compliance team also helped facilitate the adoption of Point-to-Point Encryption (P2PE) solutions, reducing the PCI DSS scope of high-risk merchant areas. Together, SDSU and CampusGuard established a strong foundation for compliance and long-term program maturity.

“With more than 70 merchants spread across multiple departments, ensuring PCI compliance is no small feat,” said Ricardo Fitipaldi, Chief Information Security Officer at SDSU. “CampusGuard provided the expertise and structure we needed to align all of our units under one secure standard.”

The Results

In less than a year, CampusGuard and SDSU transformed SDSU’s PCI DSS program into a centralized, structured, and sustainable initiative.

The University now maintains updated merchant-level documentation, a university-wide PCI DSS policy, and a formal PCI DSS Incident Response Plan.

All employees handling cardholder data receive PCI DSS awareness training annually, as part of new hire onboarding, and when assuming new responsibilities.

“CampusGuard has been a true partner in helping us navigate the complexities of PCI compliance,” said Christopher Clements, Director of Risk and Compliance at SDSU. “Their guidance allowed us to streamline processes across a very diverse set of merchants.”

Technology improvements reduced the scope of two SAQ D environments, quarterly ASV scanning is now in place, and by December 2025, all merchant locations were successfully attested as compliant, captured for the first time in a single university-wide SAQ.

This accomplishment was made possible through close collaboration between SDSU stakeholders and CampusGuard’s program management and QSA teams.

“This collaboration has given us peace of mind that our students, faculty, and staff can trust their transactions are protected at every point of sale,” Ricardo said.

Going Forward

SDSU now has a strong compliance framework in place, with clear documentation, annual timelines, and established processes that will support ongoing compliance and program maturity.

Campus-wide awareness of PCI DSS has grown significantly, and merchant areas now have a stronger understanding of the importance of compliance and their role in maintaining it.

“The result is a stronger security posture that not only meets compliance requirements but also reinforces SDSU’s commitment to safeguarding the campus community,” Chris said.

Looking ahead, SDSU plans to continue working with CampusGuard to further enhance its PCI DSS compliance program.

Contact us if you have questions or need assistance with your PCI DSS program.

About the Author

CampusGuard Marketing
