One Step Ahead: Minimizing Risk Associated with Software Purchases on Procurement Cards

Another tip in a series provided by the Offices of Information Systems & Computing and Audit, Compliance & Privacy

Making software purchases using the Penn Purchasing Card (PCard) can be challenging from an information security perspective since a purchase made with a PCard does not offer the same contractual protections found in a Purchase Order.  In many instances, the online procurement process when the payment made is via a credit card also entails accepting the supplier’s standard terms and conditions (i.e. a click-through action is required), which often protects the supplier more than it does the organization purchasing the software solution.   

Here are a few examples of contract terms from software providers that necessitate further examination before they are accepted by a buyer at Penn:

  • The supplier has the right to use and/or publicly share data entered into the system;
  • Users of the system are automatically signed up for either the supplier’s or the supplier’s partners promotional marketing;
  • Suppliers may change or remove functionality (and all the data contained or configured within that functionality) at any time; and
  • The supplier establishes its maximum liability at the cost of the software. This means that in the event of a breach that leaks sensitive Penn data, the software company is only liable for the annual cost that the University paid for the license.

Leveraging available resources at Penn to better understand the complexities of software suppliers’ terms and conditions is especially important when the data shared with the supplier is considered Medium or High risk as indicated on the chart from the Office of Audit, Compliance and Privacy:

Such resources include:

Contact Purchasing Services at if you have questions about interpretation and management of click-through contract language in an agreement before using a PCard to make the software purchase.

For additional tips, see the One Step Ahead link on the Information Security website: