1. Purpose

This process provides a method of determining compliance with the published Minimum Security Standards for Merchant Payment Card Processing. It does not apply to departments that choose to use the TXShop or What I Owe (WIO) interfaces for processing credit card activity.

2. Requirements

All requests must address the following items. References to the relevant sections of the Minimum Security Standards are given where applicable. Items that do not apply may be marked as such, with a brief explanation of why.

2.1

2.1.1 Justify why using TXShop or WIO is not in the best interest of the university.
2.1.2 Select a vendor from the approved list of PCI-compliant service providers, or submit a copy of the proposed vendor's Certificate of PCI Compliance validated by an approved scanning vendor. (Reference: §III.10)
2.1.3 Provide technical documentation demonstrating how the credit card processing shall be done, how data will specifically traverse networks, and how any data being processed will be stored. (Reference: §III.5)
2.1.4 Specifically identify any university systems that will be used to store or transmit credit card data. If any such systems are identified, the requestor must also meet the requirements in 2.2 and 2.3 below. (Reference: §III.6)
2.2

2.2.1 Justify why using TXShop or WIO is not in the best interest of the university.
2.2.2 Complete the PCI questionnaire via the Information Security Office's Risk Assessment (ISORA) application. (Reference: §III.10)
2.2.3 Undergo a network vulnerability assessment of the processing systems, to be conducted by the Information Security Office. (Reference: §III.8)
2.2.4 Provide technical documentation demonstrating how the credit card processing shall be done, how data will specifically traverse networks, and how any data being processed will be stored. (Reference: §III.6)

2.3

2.3.1 Justify why using TXShop or WIO is not in the best interest of the university.
2.3.2 Complete the PCI questionnaire via the Information Security Office's Risk Assessment (ISORA) application. (Reference: §III.10)
2.3.3 Undergo a network vulnerability assessment of the processing systems, to be conducted by the Information Security Office. (Reference: §III.8)
2.3.4 Provide technical documentation demonstrating how the credit card processing shall be done, how data will specifically traverse networks, and how any data being processed will be stored. (Reference: §III.6)

3. Review

Submit the above information to the Information Security Office (security@utexas.edu). The Information Security Office shall review the technical planning documents for the proposed exception and will consult with the Office of the Controller as needed.

All granted exceptions must undergo an annual review.
 
The responsible parties for a granted exception must report any significant change made to the excepted application at any time during the year (for example, software or hardware updates, modification of security controls, changes to how card data is stored, or a change in key staff).

In the event the Information Security Office and the Office of the Controller deny an exception request, the decision will be taken to the Executive Compliance Committee for final review.
 

4. References

5. Revision History

Revision History

Version | Date | New | Original
 | 6/21/2013 | Reviewed and fixed broken links | 
 | 6/20/2013 | Converted back to HTML | No changes
Application for Exception from Use of University of Texas at Austin Central Processing Services | 3/3/2011 | Converted web page to PDF | No changes

6. Approvals

Approvals

Name | Role | Members | Date
Chief Information Security Officer | Approval | Cam Beasley | 9/28/2009