Data Security Requirements/PCI Compliance Form
The 91ֿ Security and Access Management team is responsible for protecting digital assets across the entire university system. This team is entrusted with ensuring the confidentiality, integrity and availability of all institutional data and digital assets.
Whenever the university is preparing to use new technology, it’s always a good idea to check and see if it needs a security assessment. The purpose of these assessments is to identify and diminish any significant risks when we work with a service provider who may transmit and/or store 91ֿ institutional data. By identifying and documenting agreed upon risk mitigation actions, we are able to significantly reduce the likelihood and impact of a security incident.
These questions are asked on each RFP. As a steward of university funds and the university's first line of data defense, ask yourself these questions before continuing with any orders:
- Will this product or service have involvement in creating, storing, processing, transmitting, or accessing University data or handling financial transactions?
- If yes, will any data be removed by, accessed from, copied to, or created within systems that do not reside within the geographical boundaries of 91ֿ?
- If yes, have the company complete the “Higher Education Cloud Vendor Assessment Tool Lite". The company should include a copy of any applicable audit or security assessment reports or certifications such as: SSAE 16, SOC 2, or ISO 27001 and include copies of any applicable corporate information security policies or other supporting documentation that will substantiate the questionnaire responses.
- If yes, will any data be removed by, accessed from, copied to, or created within systems that do not reside within the geographical boundaries of 91ֿ?
- Will this product or service have involvement in the processing of credit card transactions (Card-Present, Card-Not-Present, Online, Phone-based, or otherwise)?
- If yes, submit a (“P-ٳ”).
- If yes, Vendor acknowledges and agrees to the following statements:
- 91ֿ requires that Vendor at all times maintain compliance with current PCI DSS as applicable. Accordingly, the Vendor will be required to provide confirmation of compliance upon request by 91ֿ throughout the contract term. Respondent hereby acknowledges that cardholder data may only be used for execution of the contracted systems or services as described herein, or as required by the PCI DSS, or as required by applicable law.
- If, during the contract term, Vendor becomes aware that systems or services provided under the contract falls out of compliance with PCI DSS requirements, the Vendor shall immediately notify the 91ֿ Office of Security and Access Management. iii. In the event of a breach, intrusion, or unauthorized access to cardholder data, Vendor shall immediately notify the 91ֿ Office of Security and Access Management to allow for the PCI DSS breach notification process to commence. Vendor shall provide appropriate payment card companies and their respective designee’s access to Vendor’s facilities and all pertinent records to conduct a review of Vendor’s compliance with the PCI DSS requirements. Vendor acknowledges liability for any and all costs resulting from such breach, intrusion, or unauthorized access to cardholder data deemed to be the fault of Vendor. Vendor agrees to assume responsibility for informing all such individuals in accordance with applicable law and to indemnify and hold harmless 91ֿ and its officers and employees from and against any claims, damages, or other harm related to such breach.
Send these documents to Procurement in advance for efficient new vendor onboarding.