Payment Card Industry Standards. [Note: If using this Option, contact OGC to confirm that the services provided by Contractor do not violate or conflict with existing UT System or State of Texas contracts or agreements.] University is required to validate compliance on a periodic basis with all applicable Payment Card Industry Data Security Standards (collectively, “PCI DSS”), including Payment Application Data Security Standards (collectively, “PA DSS”), promulgated by the Payment Card Industry Security Standards Council (“PCI SSC”). The compliance validation process requires University to undergo an assessment of (1) all system components used to process, store or transmit cardholder data, and any other components that reside on the same network segment as those system components, as well as (2) all related processes used to process, store or transmit cardholder data, (collectively, “System Components in Scope”). Some or all System Components in Scope have been outsourced to Contractor under this Agreement. Contractor will cause its agents and subcontractors to comply with all terms of this Section applicable to Contractor. Contractor will achieve and maintain compliance under the current versions of PCI DSS and PA DSS published on the PCI SSC website for service providers and payment applications. As evidence of compliance, Contractor will provide to University on or before the Effective Date and within ten (10) days after each anniversary of the Effective Date during the Term of this Agreement, a copy of Contractor’s annual attestation of compliance signed by a Qualified Security Assessor (“QSA”) as more particularly described on the PCI SSC website. If Contractor is unable to provide the required attestations of compliance, Contractor will permit University or University’s QSA to assess all System Components in Scope that are hosted or managed by Contractor or by Contractor’s agents or subcontractors. 
Contractor will create and maintain reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls, and dataflow used to receive, transmit, store and secure cardholder data. The documentation will conform to the most current version of PCI DSS. Contractor will, upon written request by University, make the documentation and the individuals responsible for implementing, maintaining and monitoring System Components in Scope available to (1) QSAs, forensic investigators, consultants and attorneys retained by University to facilitate the validation of University’s PCI DSS compliance, and (2) University’s information technology, information security, audit, compliance and other staff. Contractor will retain the documentation for at least one (1) year after termination of this Agreement.]
Appears in 11 contracts
Samples: Appendix Two Sample Agreement, Sample Agreement, Sample Agreement
Payment Card Industry Standards. [Note: If using this Option, contact OGC to confirm that the services provided by Contractor do not violate or conflict with existing UT System or State of Texas contracts or agreements.] University is required to validate compliance on a periodic basis with all applicable Payment Card Industry Data Security Standards (collectively, “PCI DSS”), including Payment Application Data Security Standards (collectively, “PA DSS”), promulgated by the Payment Card Industry Security Standards Council (“PCI SSC”). The compliance validation process requires University to undergo an assessment of (1) all system components used to process, store or transmit cardholder data, and any other components that reside on the same network segment as those system components, as well as (2) all related processes used to process, store or transmit cardholder data, (collectively, “System Components in Scope”). Some or all System Components in Scope have been outsourced to Contractor under this Agreement. Contractor will cause its agents and subcontractors to comply with all terms of this Section applicable to Contractor. Contractor will achieve and maintain compliance under the current versions of PCI DSS and PA DSS published on the PCI SSC website for service providers and payment applications. As evidence of compliance, Contractor will provide to University on or before the Effective Date and within ten (10) days after each anniversary of the Effective Date during the term of this Agreement, a copy of Contractor’s annual attestation of compliance signed by a Qualified Security Assessor (“QSA”) as more particularly described on the PCI SSC website. If Contractor is unable to provide the required attestations of compliance, Contractor will permit University or University’s QSA to assess all System Components in Scope that are hosted or managed by Contractor or by Contractor’s agents or subcontractors.
Contractor will create and maintain reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls, and dataflow used to receive, transmit, store and secure cardholder data. The documentation will conform to the most current version of PCI DSS. Contractor will, upon written request by University, make the documentation and the individuals responsible for implementing, maintaining and monitoring System Components in Scope available to (1) QSAs, forensic investigators, consultants and attorneys retained by University to facilitate the validation of University’s PCI DSS compliance, and (2) University’s information technology, information security, audit, compliance and other staff. Contractor will retain the documentation for at least one (1) year after termination of this Agreement.]
Appears in 4 contracts
Samples: Vending Machine Services Contract, Vending Machine Services Contract, Vending Machine Services Contract
Payment Card Industry Standards. [Note: If using this Option, contact OGC to confirm that the services provided by Contractor do not violate or conflict with existing UT System or State of Texas contracts or agreements.] University is required to validate compliance on a periodic basis with all applicable Payment Card Industry Data Security Standards (collectively, “PCI DSS”), including Payment Application Data Security Standards (collectively, “PA DSS”), promulgated by the Payment Card Industry Security Standards Council (“PCI SSC”). The compliance validation process requires University to undergo an assessment of (1) all system components used to process, store or transmit cardholder data, and any other components that reside on the same network segment as those system components, as well as (2) all related processes used to process, store or transmit cardholder data, (collectively, “System Components in Scope”). Some or all System Components in Scope have been outsourced to Contractor under this Agreement. Contractor will cause its agents and subcontractors to comply with all terms of this Section applicable to Contractor. Contractor will achieve and maintain compliance under the current versions of PCI DSS and PA DSS published on the PCI SSC website for service providers and payment applications. As evidence of compliance, Contractor will provide to University on or before the Effective Date and within ten (10) days after each anniversary of the Effective Date during the term of this Agreement, a copy of Contractor’s annual attestation of compliance signed by a Qualified Security Assessor (“QSA”) as more particularly described on the PCI SSC website. If Contractor is unable to provide the required attestations of compliance, Contractor will permit University or University’s QSA to assess all System Components in Scope that are hosted or managed by Contractor or by Contractor’s agents or subcontractors.
Contractor will create and maintain reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls, and dataflow used to receive, transmit, store and secure cardholder data. The documentation will conform to the most current version of PCI DSS. Contractor will, upon written request by University, make the documentation and the individuals responsible for implementing, maintaining and monitoring System Components in Scope available to (1) QSAs, forensic investigators, consultants and attorneys retained by University to facilitate the validation of University’s PCI DSS compliance, and (2) University’s information technology, information security, audit, compliance and other staff. Contractor will retain the documentation for at least one (1) year after termination of this Agreement.]
Appears in 3 contracts
Samples: Food Service Agreement, Food Service Agreement, Food Service Agreement
Payment Card Industry Standards. [Note: If using this Option, contact OGC to confirm that the services provided by Contractor do not violate or conflict with existing UT System or State of Texas contracts or agreements.] University is required to validate compliance on a periodic basis with all applicable Payment Card Industry Data Security Standards (collectively, “PCI DSS”), including Payment Application Data Security Standards (collectively, “PA DSS”), promulgated by the Payment Card Industry Security Standards Council (“PCI SSC”). The compliance validation process requires University to undergo an assessment of (1) all system components used to process, store or transmit cardholder data, and any other components that reside on the same network segment as those system components, as well as (2) all related processes used to process, store or transmit cardholder data, (collectively, “System Components in Scope”). Some or all System Components in Scope have been outsourced to Contractor under this Agreement. Contractor will cause its agents and subcontractors to comply with all terms of this Section applicable to Contractor. Contractor will achieve and maintain compliance under the current versions of PCI DSS and PA DSS published on the PCI SSC website for service providers and payment applications. As evidence of compliance, Contractor will provide to University (1) on or before the date this Agreement is signed by University, and (2) within ten (10) days after each anniversary of the date this Agreement is signed by University, a copy of Contractor’s annual attestation of compliance signed by a Qualified Security Assessor (“QSA”) as more particularly described on the PCI SSC website.
If Contractor is unable to provide the required attestations of compliance, Contractor will permit University or University’s QSA to assess all System Components in Scope that are hosted or managed by Contractor or by Contractor’s agents or subcontractors. Contractor will create and maintain reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls, and dataflow used to receive, transmit, store and secure cardholder data. The documentation will conform to the most current version of PCI DSS. Contractor will, upon written request by University, make the documentation and the individuals responsible for implementing, maintaining and monitoring System Components in Scope available to (1) QSAs, forensic investigators, consultants and attorneys retained by University to facilitate the validation of University’s PCI DSS compliance, and (2) University’s information technology, information security, audit, compliance and other staff. Contractor will retain the documentation for at least one (1) year after termination of this Agreement.]
Appears in 2 contracts
Samples: Appendix Two Terms and Conditions, Agreement Between University and Contractor
Payment Card Industry Standards. [Note: If using this Option, contact OGC to confirm that the services provided by Contractor do not violate or conflict with existing UT System or State of Texas contracts or agreements.] University is required to validate compliance on a periodic basis with all applicable Payment Card Industry Data Security Standards (collectively, “PCI DSS”), including Payment Application Data Security Standards (collectively, “PA DSS”), promulgated by the Payment Card Industry Security Standards Council (“PCI SSC”). The compliance validation process requires University to undergo an assessment of (1) all system components used to process, store or transmit cardholder data, and any other components that reside on the same network segment as those system components, as well as (2) all related processes used to process, store or transmit cardholder data, (collectively, “System Components in Scope”). Some or all System Components in Scope have been outsourced to Contractor under this Agreement. Contractor will cause its agents and subcontractors to comply with all terms of this Section applicable to Contractor. Contractor will achieve and maintain compliance under the current versions of PCI DSS and PA DSS published on the PCI SSC website for service providers and payment applications. As evidence of compliance, Contractor will provide to University on or before the Effective Date and within ten (10) days after each anniversary of the Effective Date during the term of this Agreement, a copy of Contractor’s annual attestation of compliance signed by a Qualified Security Assessor (“QSA”) as more particularly described on the PCI SSC website. If Contractor is unable to provide the required attestations of compliance, Contractor will permit University or University’s QSA to assess all System Components in Scope that are hosted or managed by Contractor or by Contractor’s agents or subcontractors.
Contractor will create and maintain reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls, and dataflow used to receive, transmit, store and secure cardholder data. The documentation will conform to the most current version of PCI DSS. Contractor will, upon written request by University, make the documentation and the individuals responsible for implementing, maintaining and monitoring System Components in Scope available to (1) QSAs, forensic investigators, consultants and attorneys retained by University to facilitate the validation of University’s PCI DSS compliance, and (2) University’s information technology, information security, audit, compliance and other staff. Contractor will retain the documentation for at least one (1) year after termination of this Agreement.] [Note: Delete all bracketed ([ ]) and highlighted text before sending this Agreement to Contractor.] University and Contractor have executed and delivered this Agreement to be effective as of the Effective Date. 
UNIVERSITY: CONTRACTOR: THE UNIVERSITY OF TEXAS HEALTH SCIENCE CENTER AT HOUSTON By: By: ___________________________ Name: ______________________________ Name: ________________________ Title: ______________________________ Title: __________________________
[Option (Include if Contractor is a corporation.): Attest: ________________________ Corporate Secretary]
Attach:
EXHIBIT A – Scope of Work
EXHIBIT B – Schedule
EXHIBIT C – Payment for Services
[Option (Include if Agreement relates to or Contractor has access to health information.): EXHIBIT D – HIPAA Business Associate Agreement]
[Option (Include if HUB Subcontracting Plan was prepared in connection with the Work covered by this Agreement.): EXHIBIT E – HUB Subcontracting Plan]
[Option (Include if federal contract provisions are included in this Agreement.): EXHIBIT ___ – Affirmative Action Compliance Program]
[Option: (Include if this Agreement relates to electronic and information resources, including hardware, software or related services.): EXHIBIT ___ – Electronic and Information Resources Environment Specifications]
[Option: (Include if this Agreement relates to electronic and information resources, including hardware, software or related services.): EXHIBIT ___ – Security Characteristics and Functionality of Contractor’s Information Resources]
EXHIBIT A SCOPE OF WORK
[Note: Provide a detailed description and break-down of all tasks Contractor is to perform and technical standards for the tasks, if appropriate.]
EXHIBIT B SCHEDULE
[Note: Describe specific time deadlines and due dates for each phase of the Work and, if appropriate, for the Work as a whole.]
EXHIBIT C PAYMENT FOR SERVICES
SERVICE FEES: [Note: Specify payment model. If the fee is not a stipulated lump sum, include a “not to exceed” fee cap amount.]
Notwithstanding the foregoing, the cumulative amount of Service Fees remitted by University to Contractor will not exceed $_______________ (“Fee Cap”) without the prior written approval of University. In addition, total fees for each Phase of the Work will not exceed the following specified amounts without the prior written approval of University: _________________ _________________ If University submits, in advance, a written request for additional services not contemplated or reasonably inferred by this Agreement, Contractor will be paid for actual hours incurred by Contractor’s personnel directly and solely in support of the additional services at the Rates set forth above. [Note:
Appears in 1 contract
Payment Card Industry Standards. [Note: If using this Option, contact OGC to confirm that the services provided by Contractor do not violate or conflict with existing UT System or State of Texas contracts or agreements.] University is required to validate compliance on a periodic basis with all applicable Payment Card Industry Data Security Standards (collectively, “PCI DSS”), including Payment Application Data Security Standards (collectively, “PA DSS”), promulgated by the Payment Card Industry Security Standards Council (“PCI SSC”). The compliance validation process requires University to undergo an assessment of (1) all system components used to process, store or transmit cardholder data, and any other components that reside on the same network segment as those system components, as well as (2) all related processes used to process, store or transmit cardholder data, (collectively, “System Components in Scope”). Some or all System Components in Scope have been outsourced to Caterer under this Agreement. Caterer will cause its agents and subCaterers to comply with all terms of this Section applicable to Caterer. Caterer will achieve and maintain compliance under the current versions of PCI DSS and PA DSS published on the PCI SSC website for service providers and payment applications. As evidence of compliance, Caterer will provide to University on or before the Effective Date and within ten (10) days after each anniversary of the Effective Date during the term of this Agreement, a copy of Caterer’s annual attestation of compliance signed by a Qualified Security Assessor (“QSA”) as more particularly described on the PCI SSC website.
If Caterer is unable to provide the required attestations of compliance, Caterer will permit University or University’s QSA to assess all System Components in Scope that are hosted or managed by Caterer or by Caterer’s agents or subCaterers. Caterer will create and maintain reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls, and dataflow used to receive, transmit, store and secure cardholder data. The documentation will conform to the most current version of PCI DSS. Caterer will, upon written request by University, make the documentation and the individuals responsible for implementing, maintaining and monitoring System Components in Scope available to (1) QSAs, forensic investigators, consultants and attorneys retained by University to facilitate the validation of University’s PCI DSS compliance, and (2) University’s information technology, information security, audit, compliance and other staff. Caterer will retain the documentation for at least one (1) year after termination of this Agreement.]
Appears in 1 contract
Samples: Food Services Agreement
Payment Card Industry Standards. [Note: If using this Option, contact OGC to confirm that the services provided by Contractor do not violate or conflict with existing UT System or State of Texas contracts or agreements.] University is required to validate compliance on a periodic basis with all applicable Payment Card Industry Data Security Standards (collectively, “PCI DSS”), including Payment Application Data Security Standards (collectively, “PA DSS”), promulgated by the Payment Card Industry Security Standards Council (“PCI SSC”). The compliance validation process requires University to undergo an assessment of (1) all system components used to process, store or transmit cardholder data, and any other components that reside on the same network segment as those system components, as well as (2) all related processes used to process, store or transmit cardholder data, (collectively, “System Components in Scope”). Some or all System Components in Scope have been outsourced to Contractor under this Agreement. Contractor will cause its agents and subcontractors to comply with all terms of this Section applicable to Contractor. Contractor will achieve and maintain compliance under the current versions of PCI DSS and PA DSS published on the PCI SSC website for service providers and payment applications. As evidence of compliance, Contractor will provide to University on or before the Effective Date and within ten (10) days after each anniversary of the Effective Date during the Term of this Agreement, a copy of Contractor’s annual attestation of compliance signed by a Qualified Security Assessor (“QSA”) as more particularly described on the PCI SSC website. If Contractor is unable to provide the required attestations of compliance, Contractor will permit University or University’s QSA to assess all System Components in Scope that are hosted or managed by Contractor or by Contractor’s agents or subcontractors. 
Contractor will create and maintain reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls, and dataflow used to receive, transmit, store and secure cardholder data. The documentation will conform to the most current version of PCI DSS. Contractor will, upon written request by University, make the documentation and the individuals responsible for implementing, maintaining and monitoring System Components in Scope available to (1) QSAs, forensic investigators, consultants and attorneys retained by University to facilitate the validation of University’s PCI DSS compliance, and (2) University’s information technology, information security, audit, compliance and other staff. Contractor will retain the documentation for at least one (1) year after termination of this Agreement.]and
Appears in 1 contract
Payment Card Industry Standards. [Note: If using this Option, contact OGC to confirm that the services provided by Contractor do not violate or conflict with existing UT System or State of Texas contracts or agreements.] University is required to validate compliance on a periodic basis with all applicable Payment Card Industry Data Security Standards (collectively, “PCI DSS”), including Payment Application Data Security Standards (collectively, “PA DSS”), promulgated by the Payment Card Industry Security Standards Council (“PCI SSC”). The compliance validation process requires University to undergo an assessment of (1) all system components used to process, store or transmit cardholder data, and any other components that reside on the same network segment as those system components, as well as (2) all related processes used to process, store or transmit cardholder data, (collectively, “System Components in Scope”). Some or all System Components in Scope have been outsourced to Contractor under this Agreement. Contractor will cause its agents and subcontractors to comply with all terms of this Section applicable to Contractor. Contractor will achieve and maintain compliance under the current versions of PCI DSS and PA DSS published on the PCI SSC website for service providers and payment applications. As evidence of compliance, Contractor will provide to University on or before the Effective Date and within ten (10) days after each anniversary of the Effective Date during the term of this Agreement, a copy of Contractor’s annual attestation of compliance signed by a Qualified Security Assessor (“QSA”) as more particularly described on the PCI SSC website. If Contractor is unable to provide the required attestations of compliance, Contractor will permit University or University’s QSA to assess all System Components in Scope that are hosted or managed by Contractor or by Contractor’s agents or subcontractors.
Contractor will create and maintain reasonably detailed, complete and accurate documentation describing the systems, processes, network segments, security controls, and dataflow used to receive, transmit, store and secure cardholder data. The documentation will conform to the most current version of PCI DSS. Contractor will, upon written request by University, make the documentation and the individuals responsible for implementing, maintaining and monitoring System Components in Scope available to (1) QSAs, forensic investigators, consultants and attorneys retained by University to facilitate the validation of University’s PCI DSS compliance, and (2) University’s information technology, information security, audit, compliance and other staff. Contractor will retain the documentation for at least one (1) year after termination of this Agreement.]
Appears in 1 contract
Samples: Sample Food Service Agreement