1. Purpose
This process provides a method of determining compliance with the published Minimum Security Standards for Merchant Payment Card Processing. It does not apply to departments that choose to use the TXShop or What I Owe (WIO) interfaces for processing credit card activity.
2. Requirements
All requests must address the following items. References to the security standards are given where appropriate. Any item that does not apply may be noted as such, but the note should include a brief explanation of why it does not apply.
# | Requirement | Reference |
---|---|---|
2.1.1 | Justify why using TXShop or WIO is not in the best interest of the university. | |
2.1.2 | Select a vendor from the approved list of PCI compliant service providers, or submit a copy of the proposed vendor's Certificate of PCI Compliance validated by an approved scanning vendor. | §III.10 |
2.1.3 | Provide technical documentation describing how credit card processing will be performed, exactly how data will traverse networks, and how any data being processed will be stored. | §III.5 |
2.1.4 | Specifically identify any university systems that will be used to store or transmit credit card data. If any such systems are identified, requestors must also satisfy the requirements in 2.2 and 2.3 below. | §III.6 |
# | Requirement | Reference |
---|---|---|
2.2.1 | Justify why using TXShop or WIO is not in the best interest of the university. | |
2.2.2 | Complete the PCI questionnaire via the Information Security Office's Risk Assessment (ISORA) application. | §III.10 |
2.2.3 | Undergo a network vulnerability assessment of the processing systems, conducted by the Information Security Office. | §III.8 |
2.2.4 | Provide technical documentation describing how credit card processing will be performed, exactly how data will traverse networks, and how any data being processed will be stored. | §III.6 |
# | Requirement | Reference |
---|---|---|
2.3.1 | Justify why using TXShop or WIO is not in the best interest of the university. | |
2.3.2 | Complete the PCI questionnaire via the Information Security Office's Risk Assessment (ISORA) application. | §III.10 |
2.3.3 | Undergo a network vulnerability assessment of the processing systems, conducted by the Information Security Office. | §III.8 |
2.3.4 | Provide technical documentation describing how credit card processing will be performed, exactly how data will traverse networks, and how any data being processed will be stored. | §III.6 |
3. Review
Submit the above information to the Information Security Office (security@utexas.edu). The Information Security Office shall review the technical planning documents for the proposed exception and will consult with the Office of the Controller as needed.
All granted exceptions must undergo an annual review.
Responsible parties for granted exceptions must report any significant change made to the excepted application at any time during the year (for example, software or hardware updates, modification of security controls, changes to data storage, or a change in key staff).
If the Information Security Office and the Office of the Controller deny an exception request, the decision will be taken to the Executive Compliance Committee for final review.
4. References
5. Revision History
Version | Date | New | Original |
---|---|---|---|
 | 6/21/2013 | Reviewed and fixed broken links | |
 | 6/20/2013 | Converted back to HTML | No changes |
Application for Exception from Use of University of Texas at Austin Central Processing Services | 3/3/2011 | Converted web page to PDF | No changes |
6. Approvals
Name | Role | Members | Date |
---|---|---|---|
Chief Information Security Officer | Approval | Cam Beasley | 9/28/2009 |