Software Purchase Policy Change

This month, Stanford’s Purchasing Card (PCard) policy will be updated to improve our software purchasing practices and safeguards.

Effective Nov. 13, 2023:

  • PCard users must consult with their local IT team or department administrator before using the PCard to purchase software that is not available through the Software at Stanford website and does not require a contract.  
  • The PCard user must then attest that they consulted with their local IT team or department administrator in the verification process following the purchase. Refer to the Software Purchase Guide for Local IT for information about IT consultation.

This change replaces the current policy that requires PCard users to submit an exception request to the Financial Management Services (FMS) Card Services team before making these software purchases. 

Purchaser guidance

FMS will provide guidance to PCard holders to first search the Software at Stanford website. The site presents a comprehensive selection of licensed software that is already available for use or purchase through several campus providers, including University IT (UIT), Stanford University Libraries, Stanford SmartMart, and the Stanford Bookstore. Software purchasing guidance will also be updated on the Fingate website.

Local IT guidance

Data risk compliance

If the desired software is not found on Software at Stanford, departments must consult with their local IT team or department administrator to conduct a pre-screening risk assessment with regard to use of data. The pre-screening assessment indicates whether the proposed data use results in Low, Moderate, or High Risk to the university.

  • Those that present Low to Moderate Risk may be purchased with a PCard.
  • Those that present High Risk should be submitted as a contract so that a full data risk assessment (DRA) can be conducted by the university Information Security Office and University Privacy Office and legal review conducted by the Campus Procurement Contract Office. For more information about the full DRA process, visit the DRA webpage.

Accessibility compliance

Evaluating accessibility of a software product to ensure compliance with Stanford’s digital accessibility policy is another important consideration. The Office of Digital Accessibility (ODA) recommends requesting a Voluntary Product Accessibility Report (VPAT) from the vendor prior to purchase. The report should include information about how the product conforms with established accessibility standards (e.g., Web Content Accessibility Guidelines 2.0 (WCAG 2.0), Level A and Level AA standard). 

For more details about requesting vendor accessibility documentation, refer to procurement guidance on the ODA website. If you have questions about accessibility or need assistance with evaluations, submit a request to the ODA team.

Other local requirements 

In addition to data risk and accessibility considerations, the local IT team or department administrator should assess compliance with any local business unit requirements or restrictions. For example, some units may altogether prohibit the use of PCards to purchase software. 

Cloud computing services 

This policy change does not apply to Infrastructure-as-a-Service Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure cloud accounts. Stanford does not permit the use of PCards, personal credit card reimbursements, and direct invoicing to pay for cloud services. All cloud computing accounts used for Stanford-related activities should be part of Cardinal Cloud.

Refer to guide for local IT

To prepare for this coming process change, refer to and share the Software Purchase Guide for Local IT with your teams.
