Confidentiality Data Security. Merchant will retain in a secure and confidential manner original or complete and legible copies of each Charge Record, each Credit Voucher required to be provided to Cardholders, and all information required to be submitted in connection with a Card Transaction for at least two (2) years or longer if required by any applicable law, rule, or regulation, or the Operating Rules. Merchant shall render all materials containing Cardholder Account numbers unreadable prior to discarding. Merchant will store Charge Records and all media containing Cardholder names, Cardholder account information, and other personal information, as well as Card imprints (such as sales drafts and credit records, auto rental agreements, and carbons) in an area limited to selected personnel, and when record‐retention requirements have been met, Merchant will destroy the records so that Charge Records are rendered unreadable. If Merchant stores any electronically captured signature of a Cardholder, Merchant may not reproduce such signature except upon the specific request of Bank. Merchant will not:
i. Provide Cardholder Account numbers, personal Cardholder information, or Card Transaction information to anyone except Bank, Card Networks, or Merchant’s agents/Merchant Servicers (but only those who have been approved by Bank as required under this Agreement and are properly registered with the Card Networks) for the purpose of assisting Merchant in completing Card Transactions, or as specifically required by the Operating Rules, or any applicable law, rule, or regulation.
ii. Retain or store Card Magnetic Stripe, CVV, CVV2, CVC2 or CID data (including Track Data) subsequent to Authorization for a Card Transaction.
iii. Sell, purchase, provide, or exchange Card account number information or other Card transaction or Cardholder information to any third party, or to any entity other than Merchant’s authorized agents/Merchant Servicers (but only those who have been approved by Bank as required under this Agreement and are properly registered with the Card Networks), the Bank, the Card Networks, or in response to valid legal process or subpoena.
iv. Release any Cardholder information over the telephone under any circumstances.
Merchant may not, without the express written consent of Bank or Cardholder, or an order from a Court of competent jurisdiction, in the event of its (and Merchant shall ensure, and by contract provide, that Merchant’s agents/Merchant Servicers shall not, in the event of their or Merchant’s) failure, including bankruptcy, insolvency, or other suspension of business operations, sell, transfer, or disclose any materials that contain Cardholder Account numbers, personal Cardholder information, or Card Transaction information to third parties. In the event that Merchant’s (or such an agent’s/Merchant Servicer’s) business fails or ceases to exist, Merchant is required to return (and shall ensure and by contract provide, that such agent/Merchant Servicer shall return) to Bank all such information or provide proof of destruction of this information to Bank.
Merchant confirms that it is, and shall be, in full compliance during the term of this Agreement with all federal, state, and local statutes, rules and regulations (including, without limitation, the information privacy and security requirements of the Gramm Xxxxx Xxxxxx Act and regulations thereunder), as well as all rules and operating regulations, and bylaws of the Card Networks, relating to the establishment and maintenance (pursuant to a comprehensive written information security program, to the extent required by any of such laws, rules, or regulations, or by any such rules, operating regulations, or bylaws of the Card Networks) of appropriate administrative, technical and physical security procedures and safeguards to ensure the security, confidentiality and integrity of Card Transaction and Cardholder information and Merchant shall comply, and shall demonstrate its compliance with, the Visa Cardholder Information Security Program (“CISP”), MasterCard’s Site Data Protection (“SDP”) Program, Discover Information Security Compliance Program (“DISC”), the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA‐DSS), and any other similar requirements contained in the Operating Rules. Merchant may find the details of the CISP program at xxx.xxxx.xxx/xxxx. Merchant may find details of the DISC program at xxxxx://xxx.xxxxxxxxxxxxxxx.xxx/fraudsecurity/disc.html. Merchant may find details of the SDP program at xxxxx://xxx.xxxxxxxxxx.xx/en-us/merchants/safety-security/security-recommendations/site-data-protection-PCI.html. Detailed information about PCI DSS can be found at the PCI DSS Council’s Website: xxx.xxxxxxxxxxxxxxxxxxxx.xxx. The Card Networks may impose restrictions, fines, or prohibit Merchant from participating in Card Acceptance programs if it is determined that Merchant is non‐compliant with any of the applicable data security requirements.
Merchant may be required to comply with an audit to verify compliance with data security requirements and procedures. Merchant is solely responsible for understanding and complying in full with all applicable data security requirements, including, without limitation, PCI‐DSS, PA‐DSS, CISP, SDP, and DISC. Merchant acknowledges that any failure to comply, or to demonstrate compliance, with security requirements may result in the imposition of restrictions on Merchant or the permanent prohibition of Merchant’s participation in Card Acceptance programs by the Card Networks. Without limiting any of Merchant’s obligations or liabilities under other provisions of this Agreement, Merchant hereby agrees to defend, indemnify, and hold harmless Processor and Merchant Bank, including each of their officers, directors, employees, and agents, from any claims, costs, expenses, or losses of any kind arising out of or relating to any actual or suspected data breach or data compromise, including, but not limited to: any fees, fines, or penalties that may be assessed by the Card Networks or any governmental agency; investigation costs; costs of forensic exam or audit; assessments by the Card Networks to reimburse Card Issuers for losses or to assign liability for Card Issuer losses; case management or any other fees assessed by the Card Networks to cover the Card Networks’ investigation or other costs; card replacement fees; all claims and demands of Cardholders, Card Issuers, Card Networks, governmental agencies, or others; and all litigation costs and expenses, including reasonable attorney’s fees, costs, and expert witness fees; and all other costs, expenses, or losses of any kind that are associated with, arise out of, or are related to any actual or suspected data security breach, data compromise, or Merchant’s noncompliance with Card Network data security requirements or data security requirements of any applicable laws, rules, or regulations.
Merchant agrees to promptly pay all of the above amounts to Processor or Merchant Bank, regardless of its belief that it has complied with Card Network data security requirements or any other security precautions and is not responsible for the data breach or compromise, and regardless of any determination by the Card Networks or otherwise that Merchant was or was not the likely source of any loss, disclosure, theft, or compromise of Cardholder data. In addition to the foregoing, in the event of a computer or other data security breach, or suspected computer or other data security breach or data compromise, Merchant agrees to abide by Card Network requirements which may include, without limitation, a forensic network exam by a Qualified Incident Response Assessor (QIRA) and Merchant agrees to cooperate with Processor and Merchant Bank in order to effectively manage the breach response. The defense and indemnity obligation in this Paragraph is in addition to all other defense and indemnity obligations of Merchant under this Agreement and shall survive the termination of this Agreement. with all applicable PIN and PED security requirements, and that any future changes in POS hardware or software will be in compliance with the PA‐DSS and all applicable PIN and PED security requirements. Merchant must notify Bank and receive Bank’s approval prior to engaging, directly or indirectly, any independent contractor or agent, Merchant Servicer in connection with Merchant’s Acceptance of Cards, or the submission of Charges or Credit Vouchers to Bank, or otherwise to assist Merchant in the performance of Merchant’s obligations under this Agreement, and including without limitation any such person or entity who will have access to Cardholder or Card Transaction data. Such third parties may include, but are not limited to, Merchant’s software providers and/or equipment providers. 
Merchant shall provide Merchant Bank and Processor at least sixty (60) days advance written notice of Merchant’s election to use an agent or independent contractor or Merchant Servicer. Merchant Bank and/or Processor may individually approve or deny the use of an agent, independent contractor, or Merchant Servicer in their sole and absolute discretion and at any time. If any such entity is required to be designated a service provider or Merchant Servicer under any applicable Operating Regulation or is otherwise required to certify, register, or act in any fashion pursuant to the Operating Rules, Merchant shall cause such Agent to cooperate with Merchant Bank in completing any steps required for registration and/or certification and/or action. Merchant is solely responsible for any and all applicable fees, costs, expenses, and liabilities associated with such registration and/or certification and/or action. Bank shall in no event be liable to Merchant or any third party for any actions or inactions of any agent, independent contractor, or Merchant Servicer used by Merchant, and Merchant hereby expressly assumes all such liability. Merchant’s agreement with any such third party must contain provisions obligating the third party to comply with all applicable laws, rules, and regulations, CISP, SDP, DISC, PCI‐ DSS, PA‐DSS, PIN, and PED security requirements, all other Card Network requirements pertaining to confidentiality, security and integrity of Cardholder and Card Transaction data, all Operating Rules prohibiting storage of certain Card Transaction data, and all other applicable Operating Rules. Merchant will immediately notify Bank if Merchant decides to use electronic authorization, data capture software, or terminals provided by any entity other than Bank or its authorized designee (“Third Party Terminals”) to process transactions, including leasing a terminal from a third party. 
If Merchant elects to use Third Party Terminals, (i) the third party providing the terminals will be Merchant’s Merchant Servicer in the delivery of Card transactions to Bank; and (ii) Merchant assumes full responsibility and liability for any failure of that third party to comply with the requirements of Bank, the Operating Rules, applicable laws, rules or regulations, and this Agreement. Bank will not be responsible for any losses or additional fees incurred by Merchant as a result of any error by a third party agent or Merchant Servicer or a malfunction in a Third Party Terminal. The use of an agent, Merchant Servicer, or an agent’s or Merchant Servicer’s software application that has connectivity to the Internet poses an increased risk, and Merchant assumes all liability for such increased risks. If Merchant utilizes software or hardware with a connection to the Internet and such hardware or software interacts in any capacity with the provision of services contemplated pursuant to this Agreement, Merchant is solely liable without limitation for any and all consequences of such interaction. Merchant agrees and shall ensure (and by contract shall require) that Merchant’s agents and Merchant Servicers provide the same levels of security as those required of Merchant, and that such agents and Merchant Servicers transmit data in accordance with: (1) the required format(s) of the Card Networks; (2) the Operating Rules; and (3) the requirements of Bank. Merchant must immediately notify Merchant Bank and Processor of any suspected or confirmed loss or theft of materials or records that contain Cardholder Account numbers, Cardholder personal information, or Card Transaction information. 
In the event of a suspected or confirmed loss or theft, Merchant shall provide immediate access to all facilities, systems, procedures, equipment, and documents as may be deemed appropriate by Bank or its designated representatives for inspection, audit, and copying as deemed appropriate by both Merchant Bank and Processor in their individual sole and absolute discretion. Merchant shall be responsible for all costs associated with such inspection, audit, and copying however such costs may occur. Merchant authorizes Bank to release its name and address to any third party whom the Bank determines needs to know such information in order for Bank to perform the Card Program services under this Agreement and who has requested such information. Merchant authorizes Bank to disclose Card Transaction data and other information relating to the Merchant, Guarantor, and each of their Principals (including credit and other financial information obtained under Paragraph 10 of this Agreement), to the Card Networks, current and prospective Card Issuers, current and prospective acquirers or other merchant or sponsor banks, third parties in connection with a potential sale of some or all of Merchant Bank’s or Processor’s merchant portfolio, business, or a merger transaction, regulatory authorities, and other entities to whom Bank or any such entity may be required to provide such information, and to Bank’s and each such entity’s affiliates, agents, subcontractors, and employees, for purposes Bank or such other entities deem necessary in Bank’s or their reasonable discretion, including without limitation, in connection with the performance of their various obligations hereunder or under their other applicable agreements or under the Operating Rules or applicable laws, rules, or regulations. 
Federal regulations enacted pursuant to the USA PATRIOT Act and other applicable laws require financial institutions to verify the identity of every person who seeks to open an account with a financial institution. As a result of Merchant’s status as an account holder with Merchant Bank, Merchant shall provide documentary verification of Merchant’s identity, such as a driver’s license or passport for an individual, and certified copy of organization documents for an entity in a manner acceptable to Bank. Bank reserves the right to verify Merchant’s identity through other non‐documentary methods as Bank deems appropriate in its sole and absolute discretion. Bank may retain a copy of any document it obtains to verify Merchant’s identity with the financial institution. Merchant is responsible for ensuring its Merchant Identification Number (“MID”) is kept confidential. When a change to a Merchant account is required, Merchant shall disclose its MID to the Bank representative as confirmation that the person requesting the change has authority. If the person requesting the change discloses the proper MID, Bank shall assume that person has the proper authority to make the change. Merchant shall be fully liable for any changes to its account after disclosure of the MID. Bank may request from Merchant additional information to further verify Merchant’s identity. is limited, and then only to the extent that this data is required for bona fide purposes and only for the length of time that the data is required for such purposes. The MasterCard Merchant Security Rules and Procedures may be accessed at: xxxxx://xxx.xxxxxxxxxxxx.xxx/xxxx/xxxxxxxxxx/xxxxxxxx-xxxxxxxx-xxxxx-xxx-xxxxxxxxxx.xxx. Merchant will not contact any Cardholder with respect to any matter arising under the Operating Rules, except as required or permitted under the Operating Rules.
Samples: Merchant Card Processing Agreement, Merchant Processing Agreement
Confidentiality Data Security. a. Merchant will retain in a secure and confidential manner original or complete and legible copies of each Charge Record, and each Credit Voucher required to be provided to Cardholders, and all information required to be submitted in connection with a Card Transaction for at least two (2) years or longer if required by any applicable law or the Operating Rules. Merchant shall render all materials containing Cardholder Account numbers unreadable prior to discarding.
b. Merchant will store Charge Records and all media containing Cardholder names, Cardholder account information, and other personal information, as well as Card imprints (such as sales drafts and credit records, auto rental agreements, and carbons) in an area limited to selected personnel, and when record-retention requirements have been met, Merchant will destroy the records so that Charge Records are rendered unreadable. If Merchant stores any electronically captured signature of a Cardholder, Merchant may not reproduce such signature except upon the specific request of Bank.
c. Merchant will not:
i. Provide Cardholder Account numbers, personal Cardholder information or Card Transaction information to anyone except Bank, Card Networks, or Merchant’s agents/Merchant Servicers (but only those who have been approved by Bank as required under this Agreement and are properly registered with the Card Networks) for the purpose of assisting Merchant in completing Card Transactions, or as specifically required by the Operating Rules, or any applicable law, rule, or regulation.
ii. Retain or store Card Magnetic Stripe, CVV, CVV2, CVC2 or CID data (including Track Data) subsequent to Authorization for a Card Transaction.
iii. Sell, purchase, provide or exchange Card account number information or other Card transaction or Cardholder information to any third party, or to any entity other than Merchant’s authorized agents/Merchant Servicers (but only those who have been approved by Bank as required under this Agreement and are properly registered with the Card Networks), the Bank, the Card Networks, or in response to valid legal process or subpoena.
iv. Release any Cardholder information over the telephone under any circumstances.
d. Merchant may not, without the express written consent of Bank or Cardholder, or an order from a Court of competent jurisdiction, in the event of its (and Merchant shall ensure, and by contract provide, that Merchant’s agents/Merchant Servicers shall not, in the event of their or Merchant’s) failure, including bankruptcy, insolvency, or other suspension of business operations, sell, transfer, or disclose any materials that contain Cardholder Account numbers, personal Cardholder information or Card Transaction information to third parties. In the event that Merchant’s (or such an agent’s/Merchant Servicer’s) business fails or ceases to exist, Merchant is required to return (and shall ensure and by contract provide, that such agent/Merchant Servicer shall return) to Bank all such information or provide proof of destruction of this information to Bank.
e. Merchant confirms that it is, and shall be, in full compliance during the term of this Agreement with all federal, state and local statutes, rules and regulations (including without limitation the information privacy and security requirements of the Gramm Xxxxx Xxxxxx Act and regulations thereunder), as well as all rules and operating regulations and bylaws of the Card Networks, relating to the establishment and maintenance (pursuant to a comprehensive written information security program, to the extent required by any of such laws, rules or regulations, or by any such rules, operating regulations or bylaws of the Card Networks) of appropriate administrative, technical and physical security procedures and safeguards to ensure the security, confidentiality and integrity of Card transaction and Cardholder information, and Merchant shall comply, and shall demonstrate its compliance, with the Visa Cardholder Information Security Program (“CISP”), MasterCard’s Site Data Protection (“SDP”) Program, Discover Information Security Compliance Program (“DISC”), the American Express Data Security Operating Policy (“DSOP”), the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS), and any other similar requirements contained in the Rules of the card networks. Merchant may find the details of the Visa CISP program at xxx.xxxx.xxx/xxxx. Merchant may find details of the MasterCard SDP program at xxxx://xxx.xxxxxxxxxx.xxx/us/company/en/whatwedo/site_data_protection.html. Merchant may find details of the Discover DISC program at xxxx://xxx.xxxxxxxxxxxxxxx.xxx/fraudsecurity/disc.html.
Merchant may find details on the American Express DSOP at xxxxx://xxx000.xxxxxxxxxxxxxxx.xxx/merchant/services/en_US/data-security. The Card Networks or Bank, and their respective representatives, may inspect the premises of Merchant or any independent contractor or agent or Merchant Servicer engaged by Merchant for compliance with any of the applicable data security requirements. Merchant may be required to comply with an audit to verify compliance with data security requirements and procedures. Merchant is solely responsible for understanding and complying in full with all applicable data security requirements, including, without limitation, PCI‐DSS, PA‐DSS, CISP, SDP, and DISC. Merchant acknowledges that any failure to comply, or to demonstrate compliance, with security requirements may result in the imposition of restrictions on Merchant or the permanent prohibition of Merchant’s participation in Card acceptance programs by the Card Networks.
Without limitation as to Merchant’s obligations or liabilities hereof, (i) Merchant hereby agrees to indemnify Processor and Merchant Bank, including each of their officers, directors, employees, and agents, and to hold them harmless from any claims, costs, expenses, or losses of any kind arising out of or relating to any actual or suspected data breach or data compromise, including, but not limited to: any fees, fines and penalties that may be assessed by the Card Networks or any governmental agency in regards to PCI DSS or PA DSS or otherwise in regards to data security or any actual or suspected data breaches that may occur, as well as all costs of forensic exam/audit; assessments by the Card Networks to reimburse Card Issuers for losses or to assign liability for Card Issuer losses; case management or any other fees assessed by the Card Networks to cover the Card Networks’ investigation or other costs, card replacement fees, all claims and demands of cardholders, card issuers, Card Networks, governmental agencies, or others, and all litigation costs and expenses including reasonable attorney fees, costs, and expert witness fees; and all other costs of any kind associated with any actual or suspected data security breach or Merchant’s noncompliance with Card Network data security requirements or data security requirements of any applicable law; and (ii) in the event of a computer or other data security breach, or suspected computer or other data security breach, Merchant agrees to abide by Card Network requirements, which may include without limitation a forensic network exam by a PCI Forensic Investigative firm (PFI), and (iii) Merchant agrees to cooperate with Processor and Merchant Bank in order to effectively manage the breach response.
Mandatory Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) and PIN Security Compliance. Without limiting the generality of the foregoing, Merchant understands that the payment card industry requires all merchants to be PCI DSS compliant. Processor and Merchant Bank, in compliance with payment brand mandates, will not board merchants for the Card Program services provided for in this Agreement who are not PCI DSS compliant. In signing this Agreement, Merchant and Merchant’s principals attest to Merchant PCI DSS compliance.
Processor and Merchant Bank also require compliance with the PA-DSS in compliance with industry mandates, and with all applicable Card Network mandates relating to PIN and PIN entry device (PED) security, including without limitation, and as applicable, the applicable Payment Card Industry PCI PIN Security Requirements, PCI PIN-Entry Device Security Requirements, and PCI Encrypting PIN Pad Security Requirements. Merchant agrees that all point-of-sale (POS) and/or terminal hardware and software (make and version) is PA-DSS compliant, and compliant with all applicable PIN and PED security requirements, and that any future changes in POS hardware or software will also be in compliance with the PA-DSS and all applicable PIN and PED security requirements. Merchants processing up to 1 million annual Visa transactions and using third parties for POS application, terminal installation and integration must engage Payment Card Industry (PCI) Qualified Integrator Reseller (QIR) professionals to install, integrate, and support point-of-sale applications and terminal installation and integration.
f. Merchant must notify Bank and receive Bank’s approval prior to engaging, directly or indirectly, any independent contractor or agent or Merchant Servicer in connection with Merchant’s acceptance of Cards or the submission of Charges or Credit Vouchers to Bank, or otherwise to assist Merchant in the performance of Merchant’s obligations under this Agreement, and including without limitation any such person or entity who will have access to Cardholder or card transaction data. Such third parties may include, but are not limited to, Merchant’s software providers and/or equipment providers. Merchant shall provide Merchant Bank and Processor at least sixty (60) days advance written notice of Merchant’s election to use an agent or independent contractor or Merchant Servicer. Merchant Bank and/or Processor may individually approve or deny the use of an agent, independent contractor or Merchant Servicer in their sole and absolute discretion and at any time. If any such entity is required to be designated a service provider or Merchant Servicer under any applicable Operating Regulation or is otherwise required to certify, register, or act in any fashion pursuant to the Operating Rules, Merchant shall cause such Agent to cooperate with Merchant Bank in completing any steps required for registration and/or certification and/or action. Merchant is solely responsible for any and all applicable fees, costs, expenses and liabilities associated with such registration and/or certification and/or action. Bank shall in no event be liable to Merchant or any third party for any actions or inactions of any agent, independent contractor or Merchant Servicer used by Merchant, and Merchant hereby expressly assumes all such liability.
Merchant’s agreement with any such third party must contain provisions obligating the third party to comply with all applicable law, with CISP and SDP and DISC and PCI DSS, PA-DSS, PIN and PED security requirements, and all other Card Network requirements pertaining to confidentiality and security and integrity of Cardholder and Card transaction data, with all Operating rules prohibiting storage of certain Card transaction data, and with all other applicable Operating Rules. Merchant will immediately notify Bank if Merchant decides to use electronic authorization or data capture software or terminals provided by any entity other than Bank or its authorized designee (“Third Party Terminals”) to process transactions, including leasing a terminal from a third party. If Merchant elects to use Third Party Terminals, (i) the third party providing the terminals will be Merchant’s Merchant Servicer in the delivery of Card transactions to Bank; and (ii) Merchant assumes full responsibility and liability for any failure of that third party to comply with the requirements of Bank, the Operating Rules, applicable laws, rules or regulations, or this Agreement. Bank will not be responsible for any losses or additional fees incurred by Merchant as a result of any error by a third-party agent or Merchant Servicer or a malfunction in a Third Party Terminal. The use of an agent or Merchant Servicer or an agent’s or Merchant Servicer’s software application that has connectivity to the Internet poses an increased risk, and Merchant assumes all liability for such increased risks.
If Merchant utilizes software or hardware with a connection to the Internet and such hardware or software interacts in any capacity with the provision of services contemplated pursuant to this Agreement, Merchant is solely liable without limitation for any and all consequences of such interaction.
g. Merchant agrees and shall ensure (and by contract shall require) that Merchant’s agents and Merchant Servicers provide the same levels of security as those required of Merchant, and that such agents and Merchant Servicers transmit data in accordance with: (1) the required format(s) of the Card Networks; (2) the Operating Rules; and (3) the requirements of Bank.
h. Merchant must immediately notify Merchant Bank and Processor of any suspected or confirmed loss or theft of materials or records that contain Cardholder Account numbers or Card Transaction information. In the event of a suspected or confirmed loss or theft, Merchant shall provide immediate access to all facilities, systems, procedures, equipment, and documents as may be deemed appropriate by Bank or its designated representatives for inspection, audit, and copying as deemed appropriate by both Merchant Bank and Processor in their individual sole and absolute discretion. Merchant shall be responsible for all costs associated with such inspection, audit, and copying however such costs may occur.
i. Merchant authorizes Bank to release its name and address to any third party whom the Bank determines needs to know such information in order for Bank to perform the Card Program services under this Agreement and who has requested such information. Merchant authorizes Bank to disclose Card Transaction data and other information relating to the Merchant, Guarantor, Guarantor and each of their Principals (including credit and other financial information obtained under Paragraph 10 of this Agreement)principals, to the Card Networks, current and prospective Card Issuers, current and prospective acquirers or other merchant or sponsor banks, third parties in connection with a potential sale of some or all of Merchant Bank’s or Processor’s merchant portfolio, business, or a merger transactionacquirers, regulatory authorities, and other entities to whom Bank or any such entity may be required to provide such information, information and to Bank’s 's and each such entity’s 's affiliates, agents, subcontractors, subcontractors and employees, for purposes Bank or such other entities deem necessary in Bank’s 's or their reasonable discretion, including without limitation, in connection with the performance of their various obligations hereunder or under their other applicable agreements or under the Operating Rules or applicable laws, rules, or regulations. law.
j. [Intentionally Omitted]
k. Federal regulations enacted pursuant to the USA PATRIOT Act and other applicable laws require financial institutions to verify the identity of every person who seeks to open an account with a financial institution. As a result of Merchant’s status as an account holder with Merchant Bank, Merchant shall provide documentary verification of Merchant’s identity, such as a driver’s license or passport for an individual, and a certified copy of organization documents for an entity, in a manner acceptable to Bank. Bank reserves the right to verify Merchant’s identity through other non‐documentary methods as Bank deems appropriate in its sole and absolute discretion. Bank may retain a copy of any document it obtains to verify Merchant’s identity with the financial institution.
l. Merchant is responsible for ensuring its Merchant Identification Number (“MID”) is kept confidential. When a change to a Merchant account is required, Merchant shall disclose its MID to the Bank representative as confirmation that the person requesting the change has authority. If the person requesting the change discloses the proper MID, Bank shall assume that person has the proper authority to make the change. Merchant shall be fully liable for any changes to its account after disclosure of the MID. Bank may request from Merchant additional information to further verify Merchant’s identity.
m. MasterCard: Merchant must not store in any system or in any manner discretionary card‐read data, CVC2 data, Card Identification Data (CID), PIN data, Address Verification Service (AVS) data, or any other prohibited information as set forth in the MasterCard Merchant Rules Manual, except during the Authorization process for a Transaction, that is, from the time an Authorization request message is transmitted up to the time the Authorization request response message is received. MasterCard permits storage of only the card account number, expiration date, cardholder name, and service code, in a secure environment to which access is limited, and then only to the extent that this data is required for bona fide purposes and only for the length of time that the data is required for such purposes. The MasterCard Merchant Security Rules and Procedures Manual may be accessed at: xxxxx://xxx.xxxxxxxxxxxx.xxx/xxxx/xxxxxxxxxx/xxxxxxxx-xxxxxxxx-xxxxx-xxx-xxxxxxxxxx.xxx.
n. Merchant will not contact any Cardholder with respect to any matter arising under the Operating Rules, except as required or permitted under the Operating Rules.
Appears in 1 contract
Samples: Merchant Card Processing Agreement
Confidentiality Data Security. Merchant will retain in a secure and confidential manner original or complete and legible copies of each Charge Record, each Credit Voucher required to be provided to Cardholders, and all information required to be submitted in connection with a Card Transaction for at least two (2) years or longer if required by any applicable law, rule, or regulation, or the Operating Rules. Merchant shall render all materials containing Cardholder Account numbers unreadable prior to discarding. Merchant will store Charge Records and all media containing Cardholder names, Cardholder account information, and other personal information, as well as Card imprints (such as sales drafts and credit records, auto rental agreements, and carbons) in an area limited to selected personnel, and when record‐retention requirements have been met, Merchant will destroy the records so that Charge Records are rendered unreadable. If Merchant stores any electronically captured signature of a Cardholder, Merchant may not reproduce such signature except upon the specific request of Bank. a. Merchant will not:
i. Provide Cardholder Account numbers, personal Cardholder information, or Card Transaction information to anyone except Bank, Card Networks, or Merchant’s agents/Merchant Servicers (but only those who have been approved by Bank as required under this Agreement and are properly registered with the Card Networks) for the purpose of assisting Merchant in completing Card Transactions, or as specifically required by the Operating Rules, or any applicable law, rule, or regulation.
ii. Retain or store Card Magnetic Stripe, CVV, CVV2, CVC2 or CID data (including Track Data) subsequent to Authorization for a Card Transaction.
iii. Sell, purchase, provide, or exchange Card account number information or other Card transaction or Cardholder information to any third party, or to any entity other than Merchant’s authorized agents/Merchant Servicers (but only those who have been approved by Bank as required under this Agreement and are properly registered with the Card Networks), the Bank, the Card Networks, or in response to valid legal process or subpoena.
iv. Release any Cardholder information over the telephone under any circumstances.
b. Merchant may not, without the express written consent of Bank or Cardholder, or an order from a Court of competent jurisdiction, in the event of its (and Merchant shall ensure, and by contract provide, that Merchant’s agents/Merchant Servicers shall not, in the event of their or Merchant’s) failure, including bankruptcy, insolvency, or other suspension of business operations, sell, transfer, or disclose any materials that contain Cardholder Account numbers, personal Cardholder information, or Card Transaction information to third parties. In the event that Merchant’s (or such an agent’s/Merchant Servicer’s) business fails or ceases to exist, Merchant is required to return (and shall ensure and by contract provide, that such agent/Merchant Servicer shall return) to Bank all such information or provide proof of destruction of this information to Bank.
c. Merchant confirms that it is, and shall be, in full compliance during the term of this Agreement with all federal, state, and local statutes, rules and regulations (including, without limitation, the information privacy and security requirements of the Gramm Xxxxx Xxxxxx Act and regulations thereunder), as well as all rules, operating regulations, and bylaws of the Card Networks, relating to the establishment and maintenance (pursuant to a comprehensive written information security program, to the extent required by any of such laws, rules, or regulations, or by any such rules, operating regulations, or bylaws of the Card Networks) of appropriate administrative, technical and physical security procedures and safeguards to ensure the security, confidentiality and integrity of Card Transaction and Cardholder information, and Merchant shall comply, and shall demonstrate its compliance, with the Visa Cardholder Information Security Program (“CISP”), MasterCard’s Site Data Protection (“SDP”) Program, Discover Information Security Compliance Program (“DISC”), the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA‐DSS), and any other similar requirements contained in the Operating Rules. Merchant may find the details of the CISP program at xxx.xxxx.xxx/xxxx. Merchant may find details of the DISC program at xxxxx://xxx.xxxxxxxxxxxxxxx.xxx/fraudsecurity/disc.html. Merchant may find details of the SDP program at xxxxx://xxx.xxxxxxxxxx.xx/en-us/merchants/safety-security/security-recommendations/site-data-protection-PCI.html. Detailed information about PCI DSS can be found at the PCI DSS Council’s Website: xxx.xxxxxxxxxxxxxxxxxxxx.xxx.
The Card Networks or Bank, and their respective representatives, may impose restrictions or fines, inspect the premises of Merchant, or prohibit Merchant or any independent contractor, agent or Merchant Servicer engaged by Merchant from participating in Card Acceptance programs if it is determined that Merchant is non‐compliant with any of the applicable data security requirements. Merchant may be required to comply with an audit to verify compliance with data security requirements and procedures. Merchant is solely responsible for understanding and complying in full with all applicable data security requirements, including, without limitation, PCI DSS, PA‐DSS, CISP, SDP, and DISC. Merchant acknowledges that any failure to comply, or to demonstrate compliance, with security requirements may result in the imposition of restrictions on Merchant or the permanent prohibition of Merchant’s participation in Card Acceptance programs by the Card Networks. In signing this Agreement, Merchant and Merchant’s principals agree that they are PCI DSS compliant. Without limiting any of Merchant’s obligations or liabilities under other provisions of this Agreement, (i) Merchant hereby agrees to defend, indemnify, and hold harmless Processor and Merchant Bank, including each of their officers, directors, employees, and agents, from any claims, costs, expenses, or losses of any kind arising out of or relating to any actual or suspected data breach or data compromise, including, but not limited to: any fees, fines, or penalties that may be assessed by the Card Networks or any governmental agency; investigation costs; all costs of forensic exam or audit; assessments by the Card Networks to reimburse Card Issuers for losses or to assign liability for Card Issuer losses; case management or any other fees assessed by the Card Networks to cover the Card Networks’ investigation or other costs; card replacement fees; all claims and demands of Cardholders, Card Issuers, Card Networks, governmental agencies, or others; all litigation costs and expenses, including reasonable attorney’s fees, costs, and expert witness fees; and all other costs, expenses, or losses of any kind that are associated with, arise out of, or are related to any actual or suspected data security breach, data compromise, or Merchant’s noncompliance with Card Network data security requirements or data security requirements of any applicable laws, rules, or regulations. Merchant agrees to promptly pay all of the above amounts to Processor or Merchant Bank, regardless of its belief that it has complied with Card Network data security requirements or any other security precautions and is not responsible for the data breach or compromise, and regardless of any determination by the Card Networks or otherwise that Merchant was or was not the likely source of any loss, disclosure, theft, or compromise of Cardholder data. In addition to the foregoing, (ii) in the event of a computer or other data security breach, or suspected computer or other data security breach or data compromise, Merchant agrees to abide by Card Network requirements, which may include, without limitation, a forensic network exam by a Qualified Incident Response Assessor (QIRA), and (iii) Merchant agrees to cooperate with Processor and Merchant Bank in order to effectively manage the breach response. The defense and indemnity obligation for the Card Program services provided for in this Paragraph is in addition to all other defense and indemnity obligations of Merchant under this Agreement and shall survive the termination of this Agreement.
Processor and Merchant Bank also require compliance with the PA‐DSS and with all applicable Card Network mandates relating to PIN entry device (PED) security, including without limitation, as applicable, the Payment Card Industry PCI PIN Security Requirements, PCI PIN‐Entry Device Security Requirements, and PCI Encrypting PIN Pad Security Requirements, and require that any future changes in POS hardware or software will be in compliance with the PA‐DSS and all applicable PIN and PED security requirements.
d. Merchant must notify Bank and receive Bank’s approval prior to engaging, directly or indirectly, any independent contractor, agent or Merchant Servicer in connection with Merchant’s acceptance of Cards or the submission of Charges or Credit Vouchers to Bank, or otherwise to assist Merchant in the performance of Merchant’s obligations under this Agreement, including without limitation any such person or entity who will have access to Cardholder or Card Transaction data. Such third parties may include, but are not limited to, Merchant’s software providers and/or equipment providers. Merchant shall provide Merchant Bank and Processor at least sixty (60) days advance written notice of Merchant’s election to use an agent or independent contractor or Merchant Servicer. Merchant Bank and/or Processor may individually approve or deny the use of an agent, independent contractor, or Merchant Servicer in their sole and absolute discretion and at any time. If any such entity is required to be designated a service provider or Merchant Servicer under any applicable Operating Regulation or is otherwise required to certify, register, or act in any fashion pursuant to the Operating Rules, Merchant shall cause such Agent to cooperate with Merchant Bank in completing any steps required for registration and/or certification and/or action. Merchant is solely responsible for any and all applicable fees, costs, expenses, and liabilities associated with such registration and/or certification and/or action. Bank shall in no event be liable to Merchant or any third party for any actions or inactions of any agent, independent contractor, or Merchant Servicer used by Merchant, and Merchant hereby expressly assumes all such liability.
Merchant’s agreement with any such third party must contain provisions obligating the third party to comply with all applicable laws, rules, and regulations, CISP, SDP, DISC, PCI DSS, PA‐DSS, PIN and PED security requirements, and all other Card Network requirements pertaining to confidentiality, security and integrity of Cardholder and Card Transaction data, with all Operating Rules prohibiting storage of certain Card Transaction data, and with all other applicable Operating Rules. Merchant will immediately notify Bank if Merchant decides to use electronic authorization or data capture software or terminals provided by any entity other than Bank or its authorized designee (“Third Party Terminals”) to process transactions, including leasing a terminal from a third party. If Merchant elects to use Third Party Terminals, (i) the third party providing the terminals will be Merchant’s Merchant Servicer in the delivery of Card transactions to Bank; and (ii) Merchant assumes full responsibility and liability for any failure of that third party to comply with the requirements of Bank, the Operating Rules, applicable laws, rules or regulations, or this Agreement. Bank will not be responsible for any losses or additional fees incurred by Merchant as a result of any error by a third‐party agent or Merchant Servicer or a malfunction in a Third Party Terminal. The use of an agent or Merchant Servicer, or of an agent’s or Merchant Servicer’s software application that has connectivity to the Internet, poses an increased risk, and Merchant assumes all liability for such increased risks.
If Merchant utilizes software or hardware with a connection to the Internet and such hardware or software interacts in any capacity with the provision of services contemplated pursuant to this Agreement, Merchant is solely liable without limitation for any and all consequences of such interaction.
e. Merchant agrees and shall ensure (and by contract shall require) that Merchant’s agents and Merchant Servicers provide the same levels of security as those required of Merchant, and that such agents and Merchant Servicers transmit data in accordance with: (1) the required format(s) of the Card Networks; (2) the Operating Rules; and (3) the requirements of Bank.
f. Merchant must immediately notify Merchant Bank and Processor of any suspected or confirmed loss or theft of materials or records that contain Cardholder Account numbers, Cardholder personal information, or Card Transaction information. In the event of a suspected or confirmed loss or theft, Merchant shall provide immediate access to all facilities, systems, procedures, equipment, and documents as may be deemed appropriate by Bank or its designated representatives for inspection, audit, and copying, as deemed appropriate by both Merchant Bank and Processor in their individual sole and absolute discretion. Merchant shall be responsible for all costs associated with such inspection, audit, and copying, however such costs may occur.
g. Merchant authorizes Bank to release its name and address to any third party whom the Bank determines needs to know such information in order for Bank to perform the Card Program services under this Agreement and who has requested such information. Merchant authorizes Bank to disclose Card Transaction data and other information relating to the Merchant, Guarantor, and each of their Principals (including credit and other financial information obtained under Paragraph 10 of this Agreement) to the Card Networks, current and prospective Card Issuers, current and prospective acquirers or other merchant or sponsor banks, third parties in connection with a potential sale of some or all of Merchant Bank’s or Processor’s merchant portfolio or business or a merger transaction, regulatory authorities, and other entities to whom Bank or any such entity may be required to provide such information, and to Bank’s and each such entity’s affiliates, agents, subcontractors, and employees, for purposes Bank or such other entities deem necessary in Bank’s or their reasonable discretion, including without limitation in connection with the performance of their various obligations hereunder or under their other applicable agreements or under the Operating Rules or applicable laws, rules, or regulations.
h. [Intentionally Omitted]
i. Federal regulations enacted pursuant to the USA PATRIOT Act and other applicable laws require financial institutions to verify the identity of every person who seeks to open an account with a financial institution. As a result of Merchant’s status as an account holder with Merchant Bank, Merchant shall provide documentary verification of Merchant’s identity, such as a driver’s license or passport for an individual, and a certified copy of organization documents for an entity, in a manner acceptable to Bank. Bank reserves the right to verify Merchant’s identity through other non‐documentary methods as Bank deems appropriate in its sole and absolute discretion. Bank may retain a copy of any document it obtains to verify Merchant’s identity with the financial institution.
j. Merchant is responsible for ensuring its Merchant Identification Number (“MID”) is kept confidential. When a change to a Merchant account is required, Merchant shall disclose its MID to the Bank representative as confirmation that the person requesting the change has authority. If the person requesting the change discloses the proper MID, Bank shall assume that person has the proper authority to make the change. Merchant shall be fully liable for any changes to its account after disclosure of the MID. Bank may request from Merchant additional information to further verify Merchant’s identity.
k. MasterCard: Merchant must not store in any system or in any manner discretionary card‐read data, CVC2 data, Card Identification Data (CID), PIN data, Address Verification Service (AVS) data, or any other prohibited information as set forth in the MasterCard Merchant Rules Manual, except during the Authorization process for a Transaction, that is, from the time an Authorization request message is transmitted up to the time the Authorization request response message is received. MasterCard permits storage of only the card account number, expiration date, cardholder name, and service code, in a secure environment to which access is limited, and then only to the extent that this data is required for bona fide purposes and only for the length of time that the data is required for such purposes. The MasterCard Merchant Security Rules and Procedures Manual may be accessed at: xxxxx://xxx.xxxxxxxxxxxx.xxx/xxxx/xxxxxxxxxx/xxxxxxxx-xxxxxxxx-xxxxx-xxx-xxxxxxxxxx.xxx.
l. Merchant will not contact any Cardholder with respect to any matter arising under the Operating Rules, except as required or permitted under the Operating Rules.
Confidentiality Data Security. a. Merchant will retain in a secure and confidential manner original or complete and legible copies of each Charge Record, each Credit Voucher required to be provided to Cardholders, and all information required to be submitted in connection with a Card Transaction for at least two (2) years or longer if required by any applicable law, rule, or regulation, or the Operating Rules. Merchant shall render all materials containing Cardholder Account numbers unreadable prior to discarding.
b. Merchant will store Charge Records and all media containing Cardholder names, Cardholder account information, and other personal information, as well as Card imprints (such as sales drafts and credit records, auto rental agreements, and carbons) in an area limited to selected personnel, and when record‐retention requirements have been met, Merchant will destroy the records so that Charge Records are rendered unreadable. If Merchant stores any electronically captured signature of a Cardholder, Merchant may not reproduce such signature except upon the specific request of Bank.
c. Merchant will not:
i. Provide Cardholder Account numbers, personal Cardholder information, or Card Transaction information to anyone except Bank, Card Networks, or Merchant’s agents/Merchant Servicers (but only those who have been approved by Bank as required under this Agreement and are properly registered with the Card Networks) for the purpose of assisting Merchant in completing Card Transactions, or as specifically required by the Operating Rules, or any applicable law, rule, or regulation.
ii. Retain or store Card Magnetic Stripe, CVV, CVV2, CVC2 or CID data (including Track Data) subsequent to Authorization for a Card Transaction.
iii. Sell, purchase, provide, or exchange Card account number information or other Card transaction or Cardholder information to any third party, or to any entity other than Merchant’s authorized agents/Merchant Servicers (but only those who have been approved by Bank as required under this Agreement and are properly registered with the Card Networks), the Bank, the Card Networks, or in response to valid legal process or subpoena.
iv. Release any Cardholder information over the telephone under any circumstances.
d. Merchant may not, without the express written consent of Bank or Cardholder, or an order from a Court of competent jurisdiction, in the event of its (and Merchant shall ensure, and by contract provide, that Merchant’s agents/Merchant Servicers shall not, in the event of their or Merchant’s) failure, including bankruptcy, insolvency, or other suspension of business operations, sell, transfer, or disclose any materials that contain Cardholder Account numbers, personal Cardholder information, or Card Transaction information to third parties. In the event that Merchant’s (or such an agent’s/Merchant Servicer’s) business fails or ceases to exist, Merchant is required to return (and shall ensure and by contract provide, that such agent/Merchant Servicer shall return) to Bank all such information or provide proof of destruction of this information to Bank.
e. Merchant confirms that it is, and shall be, in full compliance during the term of this Agreement with all federal, state, and local statutes, rules and regulations (including, without limitation, the information privacy and security requirements of the Gramm Xxxxx Xxxxxx Act and regulations thereunder), as well as all rules, operating regulations, and bylaws of the Card Networks, relating to the establishment and maintenance (pursuant to a comprehensive written information security program, to the extent required by any of such laws, rules, or regulations, or by any such rules, operating regulations, or bylaws of the Card Networks) of appropriate administrative, technical and physical security procedures and safeguards to ensure the security, confidentiality and integrity of Card Transaction and Cardholder information, and Merchant shall comply, and shall demonstrate its compliance, with the Visa Cardholder Information Security Program (“CISP”), MasterCard’s Site Data Protection (“SDP”) Program, Discover Information Security Compliance Program (“DISC”), the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA‐DSS), and any other similar requirements contained in the Operating Rules. Merchant may find the details of the CISP program at xxx.xxxx.xxx/xxxx. Merchant may find details of the DISC program at xxxxx://xxx.xxxxxxxxxxxxxxx.xxx/fraudsecurity/disc.html. Merchant may find details of the SDP program at xxxxx://xxx.xxxxxxxxxx.xx/en-us/merchants/safety-security/security-recommendations/site-data-protection-PCI.html. Detailed information about PCI DSS can be found at the PCI DSS Council’s Website: xxx.xxxxxxxxxxxxxxxxxxxx.xxx.
The Card Networks or Bank, and their respective representatives, may impose restrictions or fines, inspect the premises of Merchant, or prohibit Merchant or any independent contractor, agent or Merchant Servicer engaged by Merchant from participating in Card Acceptance programs if it is determined that Merchant is non‐compliant with any of the applicable data security requirements. Merchant may be required to comply with an audit to verify compliance with data security requirements and procedures. Merchant is solely responsible for understanding and complying in full with all applicable data security requirements, including, without limitation, PCI DSS, PA‐DSS, CISP, SDP, and DISC. Merchant acknowledges that any failure to comply, or to demonstrate compliance, with security requirements may result in the imposition of restrictions on Merchant or the permanent prohibition of Merchant’s participation in Card Acceptance programs by the Card Networks. Without limiting any of Merchant’s obligations or liabilities under other provisions of this Agreement,
(i) Merchant hereby agrees to defend, indemnify, and hold harmless Processor and Merchant Bank, including each of their officers, directors, employees, and agents, from any claims, costs, expenses, or losses of any kind arising out of or relating to any actual or suspected data breach or data compromise, including, but not limited to: any fees, fines, or penalties that may be assessed by the Card Networks or any governmental agency; investigation costs; all costs of forensic exam or audit; assessments by the Card Networks to reimburse Card Issuers for losses or to assign liability for Card Issuer losses; case management or any other fees assessed by the Card Networks to cover the Card Networks’ investigation or other costs; card replacement fees; all claims and demands of Cardholders, Card Issuers, Card Networks, governmental agencies, or others; all litigation costs and expenses, including reasonable attorney’s fees, costs, and expert witness fees; and all other costs, expenses, or losses of any kind that are associated with, arise out of, or are related to any actual or suspected data security breach, data compromise, or Merchant’s noncompliance with Card Network data security requirements or data security requirements of any applicable laws, rules, or regulations.
Merchant agrees to promptly pay all of the above amounts to Processor or Merchant Bank, regardless of its belief that it has complied with Card Network data security requirements or any other security precautions and is not responsible for the data breach or compromise, and regardless of any determination by the Card Networks or otherwise that Merchant was or was not the likely source of any loss, disclosure, theft, or compromise of Cardholder data. In addition to the foregoing, (ii) in the event of a computer or other data security breach, or suspected computer or other data security breach or data compromise, Merchant agrees to abide by Card Network requirements, which may include, without limitation, a forensic network exam by a Qualified Incident Response Assessor (QIRA), and (iii) Merchant agrees to cooperate with Processor and Merchant Bank in order to effectively manage the breach response. The defense and indemnity obligation in this Paragraph is in addition to all other defense and indemnity obligations of Merchant under this Agreement and shall survive the termination of this Agreement. Processor and Merchant Bank also require compliance with the PA‐DSS and with all applicable PIN and PED security requirements, and that any future changes in POS hardware or software will be in compliance with the PA‐DSS and all applicable PIN and PED security requirements.
f. Merchant must notify Bank and receive Bank’s 's approval prior to engaging, directly or indirectly, any independent contractor or agent, agent or Merchant Servicer in connection with Merchant’s Acceptance 's acceptance of Cards, Cards or the submission of Charges or Credit Vouchers to Bank, or otherwise to assist Merchant in the performance of Merchant’s obligations under this Agreement, and including without limitation any such person or entity who will have access to Cardholder or Card Transaction card transaction data. Such third parties may include, but are not limited to, Merchant’s software providers and/or equipment providers. Merchant shall provide Merchant Bank and Processor at least sixty (60) days advance written notice of Merchant’s election to use an agent or independent contractor or Merchant Servicer. Merchant Bank and/or Processor may individually approve or deny the use of an agent, independent contractor, contractor or Merchant Servicer in their sole and absolute discretion and at any time. If any such entity is required to be designated a service provider or Merchant Servicer under any applicable Operating Regulation or is otherwise required to certify, register, or act in any fashion pursuant to the Operating Rules, Merchant shall cause such Agent to cooperate with Merchant Bank in completing any steps required for registration and/or certification and/or action. Merchant is solely responsible for any and all applicable fees, costs, expenses, expenses and liabilities associated with such registration and/or certification and/or action. Bank shall in no event be liable to Merchant or any third party for any actions or inactions of any agent, independent contractor, contractor or Merchant Servicer used by Merchant, and Merchant hereby expressly assumes all such liability. 
Merchant’s agreement with any such third party must contain provisions obligating the third party to comply with all applicable laws, rules and regulations, with CISP, SDP, DISC, PCI-DSS, PA-DSS, PIN and PED security requirements, and all other Card Network requirements pertaining to confidentiality, security and integrity of Cardholder and Card Transaction data, with all Operating Rules prohibiting storage of certain Card Transaction data, and with all other applicable Operating Rules. Merchant will immediately notify Bank if Merchant decides to use electronic authorization or data capture software or terminals provided by any entity other than Bank or its authorized designee (“Third Party Terminals”) to process transactions, including leasing a terminal from a third party. If Merchant elects to use Third Party Terminals, (i) the third party providing the terminals will be Merchant’s Merchant Servicer in the delivery of Card transactions to Bank; and (ii) Merchant assumes full responsibility and liability for any failure of that third party to comply with the requirements of Bank, the Operating Rules, applicable laws, rules or regulations, or this Agreement. Bank will not be responsible for any losses or additional fees incurred by Merchant as a result of any error by a third party agent or Merchant Servicer or a malfunction in a Third Party Terminal. The use of an agent or Merchant Servicer, or of an agent’s or Merchant Servicer’s software application that has connectivity to the Internet, poses an increased risk, and Merchant assumes all liability for such increased risks.
If Merchant utilizes software or hardware with a connection to the Internet and such hardware or software interacts in any capacity with the provision of services contemplated pursuant to this Agreement, Merchant is solely liable without limitation for any and all consequences of such interaction.
g. Merchant agrees and shall ensure (and by contract shall require) that Merchant’s agents and Merchant Servicers provide the same levels of security as those required of Merchant, and that such agents and Merchant Servicers transmit data in accordance with: (1) the required format(s) of the Card Networks; (2) the Operating Rules; and (3) the requirements of Bank.
h. Merchant must immediately notify Merchant Bank and Processor of any suspected or confirmed loss or theft of materials or records that contain Cardholder Account numbers, Cardholder personal information, or Card Transaction information. In the event of a suspected or confirmed loss or theft, Merchant shall provide immediate access to all facilities, systems, procedures, equipment, and documents as may be deemed appropriate by Bank or its designated representatives for inspection, audit, and copying, as deemed appropriate by both Merchant Bank and Processor in their individual sole and absolute discretion. Merchant shall be responsible for all costs associated with such inspection, audit, and copying, however such costs may occur.
i. Merchant authorizes Bank to release its name and address to any third party whom the Bank determines needs to know such information in order for Bank to perform the Card Program services under this Agreement and who has requested such information. Merchant authorizes Bank to disclose Card Transaction data and other information relating to the Merchant, Guarantor, and each of their Principals (including credit and other financial information obtained under Paragraph 10 of this Agreement) to the Card Networks, current and prospective Card Issuers, current and prospective acquirers or other merchant or sponsor banks, third parties in connection with a potential sale of some or all of Merchant Bank’s or Processor’s merchant portfolio or business or a merger transaction, regulatory authorities, and other entities to whom Bank or any such entity may be required to provide such information, and to Bank’s and each such entity’s affiliates, agents, subcontractors and employees, for purposes Bank or such other entities deem necessary in Bank’s or their reasonable discretion, including without limitation in connection with the performance of their various obligations hereunder or under their other applicable agreements or under the Operating Rules or applicable laws, rules, or regulations.
j. [Intentionally Omitted]
k. Federal regulations enacted pursuant to the USA PATRIOT Act and other applicable laws require financial institutions to verify the identity of every person who seeks to open an account with a financial institution. As a result of Merchant’s status as an account holder with Merchant Bank, Merchant shall provide documentary verification of Merchant’s identity, such as a driver’s license or passport for an individual and a certified copy of organization documents for an entity, in a manner acceptable to Bank. Bank reserves the right to verify Merchant’s identity through other non-documentary methods as Bank deems appropriate in its sole and absolute discretion. Bank may retain a copy of any document it obtains to verify Merchant’s identity with the financial institution.
l. Merchant is responsible for ensuring its Merchant Identification Number (“MID”) is kept confidential. When a change to a Merchant account is required, Merchant shall disclose its MID to the Bank representative as confirmation that the person requesting the change has authority. If the person requesting the change discloses the proper MID, Bank shall assume that person has the proper authority to make the change. Merchant shall be fully liable for any changes to its account after disclosure of the MID. Bank may request from Merchant additional information to further verify Merchant’s identity.
m. MasterCard: Merchant must not store in any system or in any manner, discretionary card-read data, CVC2 data, Card Identification Data (CID), PIN data, Address Verification Service (AVS) data, or any other prohibited information as set forth in the MasterCard Merchant Rules Manual, except during the Authorization process for a Transaction, that is, from the time an Authorization request message is transmitted and up to the time the Authorization request response message is received. MasterCard permits storage of only the card account number, expiration date, cardholder name, and service code, in a secure environment to which access is limited, and then only to the extent that this data is required for bona fide purposes and only for the length of time that the data is required for such purposes. The MasterCard Merchant Security Rules and Procedures Manual may be accessed at: xxxxx://xxx.xxxxxxxxxxxx.xxx/xxxx/xxxxxxxxxx/xxxxxxxx-xxxxxxxx-xxxxx-xxx-xxxxxxxxxx.xxx or xxxx://xxx.xxxxxxxxxx.xxx/us/merchant/support/rules.html.
n. Merchant will not contact any Cardholder with respect to any matter arising under the Operating Rules, except as required or permitted under the Operating Rules.
Appears in 1 contract
Samples: Merchant Card Processing Agreement