Common use of Payment Card Industry Standards Clause in Contracts

Payment Card Industry Standards. [Note: If using this Option, confirm that the services provided by Contractor do not violate or conflict with existing UT System or State of Texas contracts or agreements.] University is required to validate compliance on a periodic basis with applicable Payment Card Industry Data Security Standards (PCI DSS), including Payment Application Data Security Standards (PA DSS), promulgated by the Payment Card Industry Security Standards Council (PCI SSC). The compliance validation process requires University to undergo an assessment of (1) system components used to process, store or transmit cardholder data, and any other components that reside on the same network segment as those system components, as well as (2) related processes used to process, store or transmit cardholder data, (System Components in Scope). Some or all System Components in Scope have been outsourced to Contractor under this Agreement. Contractor will cause its agents and subcontractors to comply with all terms of this Section applicable to Contractor. Contractor will achieve and maintain compliance under the current versions of PCI DSS and PA DSS published on the PCI SSC website for service providers and payment applications. Contractor will provide to University (1) on or before the date this Agreement is signed by University, and (2) within ten (10) days after each anniversary of the date this Agreement is signed by University, a copy of Contractor’s annual attestation of compliance signed by a Qualified Security Assessor (QSA) as described on the PCI SSC website. If Contractor is unable to provide the required attestations of compliance, Contractor will permit University or University’s QSA to assess all System Components in Scope that are hosted or managed by Contractor or by Contractor’s agents or subcontractors. Contractor will create and maintain reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls, and dataflow used to receive, transmit, store and secure cardholder data. The documentation will conform to the most current version of PCI DSS. Contractor will, upon written request by University, make the documentation and the individuals responsible for implementing, maintaining and monitoring System Components in Scope available to (1) QSAs, forensic investigators, consultants and attorneys retained by University to facilitate the validation of University’s PCI DSS compliance, and (2) University’s information technology, information security, audit, compliance and other staff. Contractor will retain the documentation for at least one (1) year after termination of this Agreement.]

Payment Card Industry Standards. [Note: If using this Option, confirm that the services provided by Contractor do not violate or conflict with existing UT System or State of Texas contracts or agreements.] University is required to validate compliance on a periodic basis with applicable Payment SAMPLE Card Industry Data Security Standards (PCI DSS), including Payment Application Data Security Standards (PA DSS), promulgated by the Payment Card Industry Security Standards Council (PCI SSC). The compliance validation process requires University to undergo an assessment of (1) system components used to process, store or transmit cardholder data, and any other components that reside on the same network segment as those system components, as well as (2) related processes used to process, store or transmit cardholder data, (System Components in Scope). Some or all System Components in Scope have been outsourced to Contractor under this Agreement. Contractor will cause its agents and subcontractors to comply with all terms of this Section applicable to Contractor. Contractor will achieve and maintain compliance under the current versions of PCI DSS and PA DSS published on the PCI SSC website for service providers and payment applications. Contractor will provide to University (1) on or before the date this Agreement is signed by University, and (2) within ten (10) days after each anniversary of the date this Agreement is signed by University, a copy of Contractor’s annual attestation of compliance signed by a Qualified Security Assessor (QSA) as described on the PCI SSC website. If Contractor is unable to provide the required attestations of compliance, Contractor will permit University or University’s QSA to assess all System Components in Scope that are hosted or managed by Contractor or by Contractor’s agents or subcontractors. Contractor will create and maintain reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls, and dataflow used to receive, transmit, store and secure cardholder data. The documentation will conform to the most current version of PCI DSS. Contractor will, upon written request by University, make the documentation and the individuals responsible for implementing, maintaining and monitoring System Components in Scope available to (1) QSAs, forensic investigators, consultants and attorneys retained by University to facilitate the validation of University’s PCI DSS compliance, and (2) University’s information technology, information security, audit, compliance and other staff. Contractor will retain the documentation for at least one (1) year after termination of this Agreement.]