PCI: Contractual Language with Vendors

All potential university merchants must deal with the contracting phase of the software or service acquisition in conjunction with the university controller and the Division of Technology Services. We will assist you in determining the PCI-DSS requirements and in working through the contractual requirements of PCI-DSS. Approved "boilerplate" contract language is below. This is the bare minimum required in all contracts that pertain to processing credit card transactions.


For purposes of the Agreement, the term "cardholder data" refers to the unique identifier assigned by the card issuer that identifies the cardholder's account or other cardholder personal information.

  A. Contractor shall undertake commercially reasonable efforts to at all times comply with the Payment Card Industry Data Security Standard ("PCI-DSS") requirements for cardholder data that are prescribed in the PCI Data Security Standard or otherwise issued by the PCI Security Standards Council, as they may be amended from time to time (collectively, the "PCI-DSS Requirements").

  B. A copy of current PCI-DSS Requirements documentation is available on the PCI Security Standards Council website at https://www.pcisecuritystandards.org .


Article ID: 5119
Mon 4/20/15 4:53 PM
Thu 4/25/19 1:56 PM
