Credit Card Data


Why is this Important:
Institutions of higher education may have obligations regarding the use of data under federal, state, or local laws, regulations, or contracts. Generally speaking, an institution cannot discharge such obligations by contracting with a third party to perform functions that use regulated data; the obligation remains with the institution even when the work is outsourced. Clauses that pass the applicable regulatory requirements through to contracting third parties help protect the institution in the event of an unauthorized disclosure or breach. The Payment Card Industry Data Security Standard (PCI DSS), for instance, is a set of information security requirements designed to protect cardholder data and payment card transactions. PCI DSS applies to any entity, whether merchant or service provider, that stores, processes, or transmits cardholder account and/or transaction information. It is not a statute: it attaches contractually, through the institution's agreements with its merchant (acquiring) bank and, through that bank, the card brands, which is why the institution's PCI DSS obligations follow any payment function it outsources.

Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(r); (s)
Appendix 2 NIST Sp. Pub. 800-53, Rev. 2; Control SA-9 (External Information System Services)

Criticality: Category 1, Category 3, and Category 4.

Sample RFP Language:

  1. Does the Proposer conform to and meet the PCI DSS requirements? If yes, provide examples of Proposer practices that can assist with our understanding of how the Proposer meets PCI DSS requirements.
  2. Does the Proposer monitor the PCI DSS requirements and the Proposer's own information security practices to ensure continued compliance? If yes, describe the Proposer's monitoring activities and their frequency.
  3. Would the Proposer be willing to provide a letter of certification or an independent audit report (for example, a current PCI DSS Attestation of Compliance) to attest to meeting the PCI DSS requirements? If no, the Proposer must, as part of its proposal, identify and describe in detail the reasons for the Proposer's objection.


Sample Contract Clauses:

  1. The VENDOR certifies that its Information Technology practices conform to and meet the PCI DSS requirements, as published by the PCI Security Standards Council and required by the major card brands (e.g., Visa and MasterCard). The VENDOR will monitor these PCI DSS requirements and its Information Technology practices, and will notify the University within one (1) week if its practices cease to conform to such requirements. The VENDOR will provide a letter of certification to attest to meeting this requirement.
  2. "Contractor agrees that it may (1) create, (2) receive from or on behalf of University, or (3) have access to, payment card records or record systems containing cardholder data including credit card numbers (collectively, the "Cardholder Data"). Contractor shall comply with the Payment Card Industry Data Security Standard ("PCIDSS") requirements for Cardholder Data that are prescribed by Visa, as they may be amended from time to time (collectively, the "PCIDSS Requirements"). Contractor acknowledges and agrees that Cardholder Data may only be used for assisting in completing a card transaction, for fraud control services, for loyalty programs, or as specifically agreed to by Visa, for purposes of this Agreement or as required by applicable law."



Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).