The University of Texas at Austin
Information Security Office

ISO Policies, Standards, and Guidelines

Application for Exception from Use of University of Texas at Austin Central Processing Services

1. Purpose
2. Requirements
3. Review
4. References
5. Revision History
6. Approvals

Last reviewed: 06/21/2013
Last updated: 06/21/2013

1. Purpose

This process provides a method of determining compliance with the published Minimum Security Standards for Merchant Payment Card Processing. It does not apply to departments that choose to use the TXShop or What I Owe (WIO) interfaces for processing credit card activity.

2. Requirements

All requests must address the following items. References to the security standards have been made when appropriate. Any items that do not apply can be noted as such, but should include a brief explanation.

2.1. Requestors wishing to use any credit card processing services provided by a third-party vendor must demonstrate PCI compliance. Requestors must:

| # | Requirement | Reference |
|---|---|---|
| 2.1.1 | Justify why using TXShop or WIO is not in the best interest of the university. | |
| 2.1.2 | Select a vendor from the approved list of PCI compliant service providers, or submit a copy of the proposed vendor's Certificate of PCI Compliance validated by an approved scanning vendor. | §III.10 |
| 2.1.3 | Provide technical documentation demonstrating how the credit card processing shall be done, how data will specifically traverse networks, and how any data being processed will be stored. | §III.5 |
| 2.1.4 | Specifically identify any university systems that will be used to store or transmit credit card data. If any systems are identified then requestors must also follow 2.2 and 2.3 requirements below. | §III.6 |

2.2. Requestors wishing to use any processing services developed by or operating on university systems and using the university's centralized credit card infrastructure must:

| # | Requirement | Reference |
|---|---|---|
| 2.2.1 | Justify why using TXShop or WIO is not in the best interest of the university. | |
| 2.2.2 | Complete the PCI questionnaire via the Information Security Office's Risk Assessment (ISORA) application. | §III.10 |
| 2.2.3 | Undergo a network vulnerability assessment of the processing systems to be conducted by the Information Security Office. | §III.8 |
| 2.2.4 | Provide technical documentation demonstrating how the credit card processing shall be done, how data will specifically traverse networks, and how any data being processed will be stored. | §III.6 |

2.3. Requestors wishing to use any processing services developed by or operating on university systems and NOT using the university's centralized credit card infrastructure must:

| # | Requirement | Reference |
|---|---|---|
| 2.3.1 | Justify why using TXShop or WIO is not in the best interest of the university. | |
| 2.3.2 | Complete the PCI questionnaire via the Information Security Office's Risk Assessment (ISORA) application. | §III.10 |
| 2.3.3 | Undergo a network vulnerability assessment of the processing systems to be conducted by the Information Security Office. | §III.8 |
| 2.3.4 | Provide technical documentation demonstrating how the credit card processing shall be done, how data will specifically traverse networks, and how any data being processed will be stored. | §III.6 |

3. Review

Submit the above information to the Information Security Office (security@utexas.edu). The Information Security Office shall review the technical planning documents for the proposed exception and will consult with the Office of the Controller, as needed.

All granted exceptions must undergo an annual review.

All responsible parties for granted exception requests must report any significant changes made to the excepted application at any time during the year (for example, software/hardware updates, security control modification, storage modification, change in key staff, etc.).

In the event the Information Security Office and the Office of the Controller deny an exception request, the decision will be taken to the Executive Compliance Committee for final review.

4. References

Minimum Security Standards for Merchant Payment Card Processing

5. Revision History

| Version | Date | New | Original |
|---|---|---|---|
| | 6/21/2013 | Reviewed and fixed broken links | |
| | 6/20/2013 | Converted back to HTML | No changes |
| Application for Exception from Use of University of Texas at Austin Central Processing Services | 3/3/2011 | Converted web page to PDF | No changes |

6. Approvals

| Name | Role | Members | Date |
|---|---|---|---|
| Chief Information Security Officer | Approval | Cam Beasley | 9/28/2009 |

 


