Common use of Data Security and Privacy Clause in Contracts

Data Security and Privacy. 4.1 Merchant will retain in a secure and confidential manner, in accordance with the Operating Rules, original or complete and legible copies of each Charge Record, and each Credit Voucher required to be provided to Cardholders, for at least two (2) years or longer if required by law or the Operating Rules. Merchant shall render any materials containing Cardholder Account numbers unreadable prior to discarding. Merchant will store Charge Records in an area limited to selected personnel, and when record-retention requirements have been met, Merchant will destroy the records so that Charge Records are rendered unreadable. Merchant confirms that it is, and shall be, in full compliance during the term of this Agreement with all federal, state and local statutes, rules and regulations (including without limitation the information privacy and security requirements of the Gramm Xxxxx Xxxxxx Act and regulations thereunder), as well as all Operating Rules, regulations and bylaws of the Card Networks and the Security Standards. Merchant will have in place and comply with at all times during the term of this Agreement a comprehensive written information security program that is designed to ensure the security, confidentiality and integrity of Transaction and Cardholder information, and includes a procedure (i) for periodic review to identify new and emerging threats and vulnerabilities and (ii) to take appropriate measures to remediate and remove such threats and vulnerabilities, all in accordance with the Security Standards. The Card Networks or Provider, and their respective representatives, may inspect the premises of Merchant or any independent contractor or agent or Merchant Servicer engaged by Merchant for compliance with security requirements. Merchant acknowledges that any failure to comply with security requirements, or to demonstrate compliance, may result in the imposition of restrictions on Merchant or the permanent prohibition of Merchant's participation in Card Programs by the Card Networks. Without limitation as to Merchant's obligations or liabilities under other provisions hereof, Merchant hereby agrees to indemnify Processor and Merchant Bank, including their officers, directors, employees, and agents, and to hold them harmless from any fines, assessments, fees and/or penalties that may be assessed by the Card Networks or any governmental agency in regards to PCI-DSS or PA-DSS or otherwise in regards to data security or any actual or suspected data breaches that may occur, as well as all costs of forensic exam/audit, card replacement fees, all claims and demands of Cardholders, Card Issuers, Card Networks, governmental agencies, or other third parties, and all litigation costs and expenses including reasonable attorney's fees, and all other costs of any kind, associated with any actual or suspected data security breach or noncompliance with Card Network data security requirements or data security requirements of applicable law; and (b) in the event of a computer or other data security breach, or suspected computer or other data security breach, Merchant agrees to abide by Card Network requirements which may include without limitation a forensic network exam by a Qualified Incident Response Assessor (QIRA); and (c) Merchant agrees to cooperate with Processor and Merchant Bank in order to effectively manage breach response. Without limiting the generality of the foregoing, Merchant understands that the payment card industry has required all merchants to be PCI DSS compliant. Processor and Merchant Bank, in compliance with Card Network mandates, will not board merchants for the Services provided for in this Agreement that are not PCI DSScompliant. Merchant and Merchant's principals hereby covenant that they are, and will continue for the duration of the Term to be, PCI DSS compliant. Processor and Merchant Bank also require compliance with the PA- DSS standards in accordance with industry mandates, and with all applicable Card Network mandates relating to PIN and PIN entry device (PED) security, including without limitation, and as applicable, the applicable Payment Card Industry PCI PIN Security Requirements, PCI PIN- Entry Device Security Requirements, and PCI Encrypting PIN Pad Security Requirements. Merchant covenants that all point-of- sale (POS) and/or terminal hardware and software (make and version) that Merchant will use to submit Transactions during the Term is PA- DSS compliant, and compliant with all applicable PIN and PED security requirements, and that any future changes in Merchant’s POS hardware or software will be in compliance with the PA-DSS and all applicable PIN and PED security requirements. 4.2 Merchant must notify Provider and receive Provider’s prior approval of its use of any Merchant Servicer and, to the extent required by each Card Network, all Merchant Servicers must be (i) compliant with all Security Standards applicable to Merchant Servicers; and (ii) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant agrees to exercise due diligence to ensure that all Merchant Servicers, and any other agents, business partners, contractors, or subcontractors with access to Merchant's Card Information, maintain compliance with the Security Standards. To the extent required by each Card Network, all Payment Applications or software involved in processing, storing, receiving, or transmitting of Card Information, shall be (a) compliant with all Security Standards applicable to such Payment Applications or software; and (b) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant will be bound to the acts and omissions of Merchant Servicer and will be responsible for the compliance of such Merchant Servicer with all applicable laws, regulations and Operating Rules. Provider shall in no event be liable to Merchant or any third party for any actions or inactions of any Merchant Servicer used by Merchant, and Merchant hereby expressly assumes all such liability. 4.3 Merchant will immediately notify Provider if Merchant decides to use electronic authorization or data capture software or terminals provided by any entity other than Provider or its authorized designee ("Third Party Terminals") to process Transactions, including leasing a terminal from a third party. If Merchant elects to use Third Party Terminals, (i) the third party providing the terminals will be Merchant's Merchant Servicer in the delivery of Transactions to Provider; and (ii) Merchant assumes full responsibility and liability for any failure of that third party to comply with the requirements of Provider, the Operating Rules, applicable laws, rules or regulations, or this Agreement. Provider will not be responsible for any losses or additional fees incurred by Merchant as a result of any error by a third-party agent or Merchant Servicer or a malfunction in a Third-Party Terminal. 4.4 Merchant must immediately notify Merchant Bank and Processor of any suspected or confirmed loss or theft of materials or records that contain Cardholder Account numbers or Transaction information. In the event of a suspected or confirmed loss or theft Merchant shall provide immediate access to all facilities, systems, procedures, equipment, and documents as may be deemed appropriate by Provider or its designated representatives for inspection, audit, and copying as deemed appropriate by both Merchant Bank and Processor in their individual sole discretion. Merchant shall be responsible for all costs associated with such inspection, audit, and copying however such costs may occur. 4.5 Merchant must, at all times, comply with the PCI-DSS and Operating Rules requirements regarding the storage of Cardholder and Transaction data, including all restrictions on the types of data that Merchant may store. Such restrictions include, but are not limited to, prohibition on Merchant’s storage or retention of Card magnetic stripe, CVV, CVV2, CVC2, CID or any other data classified by PCI-DSS as “Sensitive Authentication Data”. 4.6 Merchant has and will maintain a comprehensive privacy program that is reasonably designed to address privacy risks related to Merchant and Merchant customer information, including personally identifiable information (“PII”), and to protect the privacy of PII. This program shall include appropriate privacy controls and procedures, including but not limited to: 4.6.1 the designation of an employee or employees to coordinate and be responsible for the privacy program; 4.6.2 the identification of reasonably foreseeable, material risks, both internal and external, that could result in Merchant’s unauthorized collection, use, or disclosure of PII, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to employee training and management; 4.6.3 the design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of those privacy controls and procedures; and 4.6.4 the evaluation and adjustment of Merchant’s privacy program in light of any circumstances that Merchant knows or has reason to know may have a material impact on the effectiveness of its privacy program. 4.7 Processor acknowledges that it is responsible for the security of Card information that it transmits on behalf of Merchant in connection with the Services while such Card information is in Processor’s possession.

Data Security and Privacy. 4.1 Merchant will retain in a secure and confidential manner, in accordance with the Operating Rules, original or complete and legible copies of each Charge Record, and each Credit Voucher required to be provided to Cardholders, for at least two (2) years or longer if required by law or the Operating Rules. Merchant shall render any materials containing Cardholder Account numbers unreadable prior to discarding. Merchant will store Charge Records in an area limited to selected personnel, and when record-retention requirements have been met, Merchant Xxxxxxxx will destroy the records so that Charge Records are rendered unreadable. Merchant confirms that it is, and shall be, in full compliance during the term of this Agreement with all federal, state and local statutes, rules and regulations (including without limitation the information privacy and security requirements of the Gramm Xxxxx Xxxxxx Act and regulations thereunder), as well as all Operating Rules, regulations and bylaws of the Card Networks and the Security Standards. Merchant will have in place and comply with at all times during the term of this Agreement a comprehensive written information security program that is designed to ensure the security, confidentiality and integrity of Transaction and Cardholder information, and includes a procedure (i) for periodic review to identify new and emerging threats and vulnerabilities and (ii) to take appropriate measures to remediate and remove such threats and vulnerabilities, all in accordance with the Security Standards. The Card Networks or Provider, and their respective representatives, may inspect the premises of Merchant or any independent contractor or agent or Merchant Servicer engaged by Merchant for compliance with security requirements. Merchant acknowledges that any failure to comply with security requirements, or to demonstrate compliance, may result in the imposition of restrictions on Merchant or the permanent prohibition of Merchant's participation in Card Programs by the Card Networks. Without limitation as to Merchant's obligations or liabilities under other provisions hereof, Merchant hereby agrees to indemnify Processor and Merchant Bank, including their officers, directors, employees, and agents, and to hold them harmless from any fines, assessments, fees and/or penalties that may be assessed by the Card Networks or any governmental agency in regards to PCI-DSS or PA-DSS or otherwise in regards to data security or any actual or suspected data breaches that may occur, as well as all costs of forensic exam/audit, card replacement fees, all claims and demands of Cardholders, Card Issuers, Card Networks, governmental agencies, or other third parties, and all litigation costs and expenses including reasonable attorney's fees, and all other costs of any kind, associated with any actual or suspected data security breach or noncompliance with Card Network data security requirements or data security requirements of applicable law; and (b) in the event of a computer or other data security breach, or suspected computer or other data security breach, Merchant agrees to abide by Card Network requirements which may include without limitation a forensic network exam by a Qualified Incident Response Assessor (QIRA); and (c) Merchant Xxxxxxxx agrees to cooperate with Processor and Merchant Bank in order to effectively manage breach response. Without limiting the generality of the foregoing, Merchant Xxxxxxxx understands that the payment card industry has required all merchants to be PCI DSS compliant. Processor and Merchant Bank, in compliance with Card Network mandates, will not board merchants for the Services provided for in this Agreement that are not PCI DSScompliant. Merchant and MerchantXxxxxxxx's principals hereby covenant that they are, and will continue for the duration of the Term to be, PCI DSS compliant. Processor and Merchant Bank also require compliance with the PA- DSS standards in accordance with industry mandates, and with all applicable Card Network mandates relating to PIN and PIN entry device (PED) security, including without limitation, and as applicable, the applicable Payment Card Industry PCI PIN Security Requirements, PCI PIN- Entry Device Security Requirements, and PCI Encrypting PIN Pad Security Requirements. Merchant covenants that all point-of- sale (POS) and/or terminal hardware and software (make and version) that Merchant will use to submit Transactions during the Term is PA- DSS compliant, and compliant with all applicable PIN and PED security requirements, and that any future changes in Merchant’s POS hardware or software will be in compliance with the PA-DSS and all applicable PIN and PED security requirements. 4.2 Merchant must notify Provider and receive Provider’s prior approval of its use of any Merchant Servicer and, to the extent required by each Card Network, all Merchant Servicers must be (i) compliant with all Security Standards applicable to Merchant Servicers; and (ii) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant Xxxxxxxx agrees to exercise due diligence to ensure that all Merchant Servicers, and any other agents, business partners, contractors, or subcontractors with access to Merchant's Card Information, maintain compliance with the Security Standards. To the extent required by each Card Network, all Payment Applications or software involved in processing, storing, receiving, or transmitting of Card Information, shall be (a) compliant with all Security Standards applicable to such Payment Applications or software; and (b) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant will be bound to the acts and omissions of Merchant Servicer and will be responsible for the compliance of such Merchant Servicer with all applicable laws, regulations and Operating Rules. Provider shall in no event be liable to Merchant or any third party for any actions or inactions of any Merchant Servicer used by Merchant, and Merchant hereby expressly assumes all such liability. 4.3 Merchant will immediately notify Provider if Merchant Xxxxxxxx decides to use electronic authorization or data capture software or terminals provided by any entity other than Provider or its authorized designee ("Third Party Terminals") to process Transactions, including leasing a terminal from a third party. If Merchant elects to use Third Party Terminals, (i) the third party providing the terminals will be Merchant's Merchant Servicer in the delivery of Transactions to Provider; and (ii) Merchant assumes full responsibility and liability for any failure of that third party to comply with the requirements of Provider, the Operating Rules, applicable laws, rules or regulations, or this Agreement. Provider will not be responsible for any losses or additional fees incurred by Merchant as a result of any error by a third-party agent or Merchant Servicer or a malfunction in a Third-Party Terminal. 4.4 Merchant must immediately notify Merchant Bank and Processor of any suspected or confirmed loss or theft of materials or records that contain Cardholder Account numbers or Transaction information. In the event of a suspected or confirmed loss or theft Merchant shall provide immediate access to all facilities, systems, procedures, equipment, and documents as may be deemed appropriate by Provider or its designated representatives for inspection, audit, and copying as deemed appropriate by both Merchant Bank and Processor in their individual sole discretion. Merchant shall be responsible for all costs associated with such inspection, audit, and copying however such costs may occur. 4.5 Merchant must, at all times, comply with the PCI-DSS and Operating Rules requirements regarding the storage of Cardholder and Transaction data, including all restrictions on the types of data that Merchant may store. Such restrictions include, but are not limited to, prohibition on Merchant’s storage or retention of Card magnetic stripe, CVV, CVV2, CVC2, CID or any other data classified by PCI-DSS as “Sensitive Authentication Data”. 4.6 Merchant has and will maintain a comprehensive privacy program that is reasonably designed to address privacy risks related to Merchant and Merchant customer information, including personally identifiable information (“PII”), and to protect the privacy of PII. This program shall include appropriate privacy controls and procedures, including but not limited to: 4.6.1 the designation of an employee or employees to coordinate and be responsible for the privacy program; 4.6.2 the identification of reasonably foreseeable, material risks, both internal and external, that could result in Merchant’s unauthorized collection, use, or disclosure of PII, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to employee training and management; 4.6.3 the design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of those privacy controls and procedures; and 4.6.4 the evaluation and adjustment of Merchant’s privacy program in light of any circumstances that Merchant knows or has reason to know may have a material impact on the effectiveness of its privacy program. 4.7 Processor acknowledges that it is responsible for the security of Card information that it transmits on behalf of Merchant in connection with the Services while such Card information is in Processor’s possession.

Data Security and Privacy. 4.1 Merchant will retain in a secure and confidential manner, in accordance with the Operating Rules, original or complete and legible copies of each Charge Record, and each Credit Voucher required to be provided to Cardholders, for at least two (2) years or longer if required by law or the Operating Rules. Merchant shall render any materials containing Cardholder Account numbers unreadable prior to discarding. Merchant will store Charge Records in an area limited to selected personnel, and when record-retention requirements have been met, Merchant Xxxxxxxx will destroy the records so that Charge Records are rendered unreadable. Merchant confirms that it is, and shall be, in full compliance during the term of this Agreement with all federal, state and local statutes, rules and regulations (including without limitation the information privacy and security requirements of the Gramm Xxxxx Xxxxxx Act and regulations thereunder), as well as all Operating Rules, regulations and bylaws of the Card Networks and the Security Standards. Merchant will have in place and comply with at all times during the term of this Agreement a comprehensive written information security program that is designed to ensure the security, confidentiality and integrity of Transaction and Cardholder information, and includes a procedure (i) for periodic review to identify new and emerging threats and vulnerabilities and (ii) to take appropriate measures to remediate and remove such threats and vulnerabilities, all in accordance with the Security Standards. The Card Networks or Provider, and their respective representatives, may inspect the premises of Merchant or any independent contractor or agent or Merchant Servicer engaged by Merchant for compliance with security requirements. Merchant acknowledges that any failure to comply with security requirements, or to demonstrate compliance, may result in the imposition of restrictions on Merchant or the permanent prohibition of Merchant's participation in Card Programs by the Card Networks. Without limitation as to Merchant's obligations or liabilities under other provisions hereof, Merchant hereby agrees to indemnify Processor and Merchant Bank, including their officers, directors, employees, and agents, and to hold them harmless from any fines, assessments, fees and/or penalties that may be assessed by the Card Networks or any governmental agency in regards to PCI-DSS or PA-DSS or otherwise in regards to data security or any actual or suspected data breaches that may occur, as well as all costs of forensic exam/audit, card replacement fees, all claims and demands of Cardholders, Card Issuers, Card Networks, governmental agencies, or other third parties, and all litigation costs and expenses including reasonable attorney's fees, and all other costs of any kind, associated with any actual or suspected data security breach or noncompliance with Card Network data security requirements or data security requirements of applicable law; and (b) in the event of a computer or other data security breach, or suspected computer or other data security breach, Merchant Xxxxxxxx agrees to abide by Card Network requirements which may include without limitation a forensic network exam by a Qualified Incident Response Assessor (QIRA); and (c) Merchant Xxxxxxxx agrees to cooperate with Processor and Merchant Bank in order to effectively manage breach response. Without limiting the generality of the foregoing, Merchant Xxxxxxxx understands that the payment card industry has required all merchants to be PCI DSS compliant. Processor and Merchant Bank, in compliance with Card Network mandates, will not board merchants for the Services provided for in this Agreement that are not PCI DSScompliant. Merchant and MerchantXxxxxxxx's principals hereby covenant that they are, and will continue for the duration of the Term to be, PCI DSS compliant. Processor and Merchant Bank also require compliance with the PA- DSS standards in accordance with industry mandates, and with all applicable Card Network mandates relating to PIN and PIN entry device (PED) security, including without limitation, and as applicable, the applicable Payment Card Industry PCI PIN Security Requirements, PCI PIN- Entry Device Security Requirements, and PCI Encrypting PIN Pad Security Requirements. Merchant covenants that all point-of- sale (POS) and/or terminal hardware and software (make and version) that Merchant will use to submit Transactions during the Term is PA- DSS compliant, and compliant with all applicable PIN and PED security requirements, and that any future changes in Merchant’s POS hardware or software will be in compliance with the PA-DSS and all applicable PIN and PED security requirements. 4.2 Merchant must notify Provider and receive Provider’s prior approval of its use of any Merchant Servicer and, to the extent required by each Card Network, all Merchant Servicers must be (i) compliant with all Security Standards applicable to Merchant Servicers; and (ii) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant Xxxxxxxx agrees to exercise due diligence to ensure that all Merchant Servicers, and any other agents, business partners, contractors, or subcontractors with access to Merchant's Card Information, maintain compliance with the Security Standards. To the extent required by each Card Network, all Payment Applications or software involved in processing, storing, receiving, or transmitting of Card Information, shall be (a) compliant with all Security Standards applicable to such Payment Applications or software; and (b) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant will be bound to the acts and omissions of Merchant Servicer and will be responsible for the compliance of such Merchant Servicer with all applicable laws, regulations and Operating Rules. Provider shall in no event be liable to Merchant or any third party for any actions or inactions of any Merchant Servicer used by Merchant, and Merchant hereby expressly assumes all such liability. 4.3 Merchant will immediately notify Provider if Merchant Xxxxxxxx decides to use electronic authorization or data capture software or terminals provided by any entity other than Provider or its authorized designee ("Third Party Terminals") to process Transactions, including leasing a terminal from a third party. If Merchant elects to use Third Party Terminals, (i) the third party providing the terminals will be Merchant's Merchant Servicer in the delivery of Transactions to Provider; and (ii) Merchant assumes full responsibility and liability for any failure of that third party to comply with the requirements of Provider, the Operating Rules, applicable laws, rules or regulations, or this Agreement. Provider will not be responsible for any losses or additional fees incurred by Merchant Xxxxxxxx as a result of any error by a third-party agent or Merchant Servicer or a malfunction in a Third-Party Terminal. 4.4 Merchant must immediately notify Merchant Bank and Processor of any suspected or confirmed loss or theft of materials or records that contain Cardholder Account numbers or Transaction information. In the event of a suspected or confirmed loss or theft Merchant shall provide immediate access to all facilities, systems, procedures, equipment, and documents as may be deemed appropriate by Provider or its designated representatives for inspection, audit, and copying as deemed appropriate by both Merchant Bank and Processor in their individual sole discretion. Merchant shall be responsible for all costs associated with such inspection, audit, and copying however such costs may occur. 4.5 Merchant must, at all times, comply with the PCI-DSS and Operating Rules requirements regarding the storage of Cardholder and Transaction data, including all restrictions on the types of data that Merchant may store. Such restrictions include, but are not limited to, prohibition on Merchant’s storage or retention of Card magnetic stripe, CVV, CVV2, CVC2, CID or any other data classified by PCI-DSS as “Sensitive Authentication Data”. 4.6 Merchant has and will maintain a comprehensive privacy program that is reasonably designed to address privacy risks related to Merchant and Merchant customer information, including personally identifiable information (“PII”), and to protect the privacy of PII. This program shall include appropriate privacy controls and procedures, including but not limited to: 4.6.1 the designation of an employee or employees to coordinate and be responsible for the privacy program; 4.6.2 the identification of reasonably foreseeable, material risks, both internal and external, that could result in Merchant’s unauthorized collection, use, or disclosure of PII, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to employee training and management; 4.6.3 the design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of those privacy controls and procedures; and 4.6.4 the evaluation and adjustment of Merchant’s privacy program in light of any circumstances that Merchant Xxxxxxxx knows or has reason to know may have a material impact on the effectiveness of its privacy program. 4.7 Processor acknowledges that it is responsible for the security of Card information that it transmits on behalf of Merchant in connection with the Services while such Card information is in Processor’s possession.

Data Security and Privacy. 4.1 Merchant will retain in a secure and confidential manner, in accordance with the Operating Rules, original or complete and legible copies of each Charge Record, and each Credit Voucher required to be provided to Cardholders, for at least two (2) years or longer if required by law or the Operating Rules. Merchant shall render any materials containing Cardholder Account numbers unreadable prior to discarding. Merchant will store Charge Records in an area limited to selected personnel, and when record-retention requirements have been met, Merchant Xxxxxxxx will destroy the records so that Charge Records are rendered unreadable. Merchant confirms that it is, and shall be, in full compliance during the term of this Agreement with all federal, state and local statutes, rules and regulations (including without limitation the information privacy and security requirements of the Gramm Xxxxx Xxxxxx Act and regulations thereunder), as well as all Operating Rules, regulations and bylaws of the Card Networks and the Security Standards. Merchant will have in place and comply with at all times during the term of this Agreement a comprehensive written information security program that is designed to ensure the security, confidentiality and integrity of Transaction and Cardholder information, and includes a procedure (i) for periodic review to identify new and emerging threats and vulnerabilities and (ii) to take appropriate measures to remediate and remove such threats and vulnerabilities, all in accordance with the Security Standards. The Card Networks or Provider, and their respective representatives, may inspect the premises of Merchant or any independent contractor or agent or Merchant Servicer engaged by Merchant for compliance with security requirements. Merchant acknowledges that any failure to comply with security requirements, or to demonstrate compliance, may result in the imposition of restrictions on Merchant or the permanent prohibition of Merchant's participation in Card Programs by the Card Networks. Without limitation as to Merchant's obligations or liabilities under other provisions hereof, Merchant hereby agrees to indemnify Processor and Merchant Bank, including their officers, directors, employees, and agents, and to hold them harmless from any fines, assessments, fees and/or penalties that may be assessed by the Card Networks or any governmental agency in regards to PCI-DSS or PA-DSS or otherwise in regards to data security or any actual or suspected data breaches that may occur, as well as all costs of forensic exam/audit, card replacement fees, all claims and demands of Cardholders, Card Issuers, Card Networks, governmental agencies, or other third parties, and all litigation costs and expenses including reasonable attorney's fees, and all other costs of any kind, associated with any actual or suspected data security breach or noncompliance with Card Network data security requirements or data security requirements of applicable law; and (b) in the event of a computer or other data security breach, or suspected computer or other data security breach, Merchant Xxxxxxxx agrees to abide by Card Network requirements which may include without limitation a forensic network exam by a Qualified Incident Response Assessor (QIRA); and (c) Merchant agrees to cooperate with Processor and Merchant Bank in order to effectively manage breach response. Without limiting the generality of the foregoing, Merchant Xxxxxxxx understands that the payment card industry has required all merchants to be PCI DSS compliant. Processor and Merchant Bank, in compliance with Card Network mandates, will not board merchants for the Services provided for in this Agreement that are not PCI DSScompliantDSS compliant. Merchant and MerchantXxxxxxxx's principals hereby covenant that they are, and will continue for the duration of the Term to be, PCI DSS compliant. Processor and Merchant Bank also require compliance with the PA- DSS standards in accordance with industry mandates, and with all applicable Card Network mandates relating to PIN and PIN entry device (PED) security, including without limitation, and as applicable, the applicable Payment Card Industry PCI PIN Security Requirements, PCI PIN- Entry Device Security Requirements, and PCI Encrypting PIN Pad Security Requirements. Merchant covenants that all point-of- sale (POS) and/or terminal hardware and software (make and version) that Merchant will use to submit Transactions during the Term is PA- DSS compliant, and compliant with all applicable PIN and PED security requirements, and that any future changes in Merchant’s POS hardware or software will be in compliance with the PA-DSS and all applicable PIN and PED security requirements. 4.2 Merchant must notify Provider and receive Provider’s prior approval of its use of any Merchant Servicer and, to the extent required by each Card Network, all Merchant Servicers must be (i) compliant with all Security Standards applicable to Merchant Servicers; and (ii) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant Xxxxxxxx agrees to exercise due diligence to ensure that all Merchant Servicers, and any other agents, business partners, contractors, or subcontractors with access to Merchant's Card Information, maintain compliance with the Security Standards. To the extent required by each Card Network, all Payment Applications or software involved in processing, storing, receiving, or transmitting of Card Information, shall be (a) compliant with all Security Standards applicable to such Payment Applications or software; and (b) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant will be bound to the acts and omissions of Merchant Servicer and will be responsible for the compliance of such Merchant Servicer with all applicable laws, regulations and Operating Rules. Provider shall in no event be liable to Merchant or any third party for any actions or inactions of any Merchant Servicer used by Merchant, and Merchant hereby expressly assumes all such liability. 4.3 Merchant will immediately notify Provider if Merchant Xxxxxxxx decides to use electronic authorization or data capture software or terminals provided by any entity other than Provider or its authorized designee ("Third Party Terminals") to process Transactions, including leasing a terminal from a third party. If Merchant elects to use Third Party Terminals, (i) the third party providing the terminals will be Merchant's Merchant Servicer in the delivery of Transactions to Provider; and (ii) Merchant assumes full responsibility and liability for any failure of that third party to comply with the requirements of Provider, the Operating Rules, applicable laws, rules or regulations, or this Agreement. Provider will not be responsible for any losses or additional fees incurred by Merchant Xxxxxxxx as a result of any error by a third-party agent or Merchant Servicer or a malfunction in a Third-Party Terminal. 4.4 Merchant must immediately notify Merchant Bank and Processor of any suspected or confirmed loss or theft of materials or records that contain Cardholder Account numbers or Transaction information. In the event of a suspected or confirmed loss or theft Merchant shall provide immediate access to all facilities, systems, procedures, equipment, and documents as may be deemed appropriate by Provider or its designated representatives for inspection, audit, and copying as deemed appropriate by both Merchant Bank and Processor in their individual sole discretion. Merchant shall be responsible for all costs associated with such inspection, audit, and copying however such costs may occur. 4.5 Merchant must, at all times, comply with the PCI-DSS and Operating Rules requirements regarding the storage of Cardholder and Transaction data, including all restrictions on the types of data that Merchant may store. Such restrictions include, but are not limited to, prohibition on Merchant’s storage or retention of Card magnetic stripe, CVV, CVV2, CVC2, CID or any other data classified by PCI-DSS as “Sensitive Authentication Data”. 4.6 Merchant has and will maintain a comprehensive privacy program that is reasonably designed to address privacy risks related to Merchant and Merchant customer information, including personally identifiable information (“PII”), and to protect the privacy of PII. This program shall includes and will include appropriate privacy controls and procedures, including but not limited to: 4.6.1 the designation of an employee or employees to coordinate and be responsible for the privacy program; 4.6.2 the identification of reasonably foreseeable, material risks, both internal and external, that could result in Merchant’s unauthorized collection, use, or disclosure of PII, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to employee training and management; 4.6.3 the design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of those privacy controls and procedures; and 4.6.4 the evaluation and adjustment of Merchant’s privacy program in light of any circumstances that Merchant Xxxxxxxx knows or has reason to know may have a material impact on the effectiveness of its privacy program. 4.7 Processor acknowledges that it is responsible for the security of Card information that it transmits on behalf of Merchant in connection with the Services while such Card information is in Processor’s possession.

Data Security and Privacy. 4.1 Merchant will retain in a secure and confidential manner, in accordance with the Operating Rules, original or complete and legible copies of each Charge Record, and each Credit Voucher required to be provided to Cardholders, for at least two (2) years or longer if required by law or the Operating Rules. Merchant shall render any materials containing Cardholder Account numbers unreadable prior to discarding. Merchant will store Charge Records in an area limited to selected personnel, and when record-retention requirements have been met, Merchant will destroy the records so that Charge Records are rendered unreadable. . 4.2 Merchant confirms that it is, and shall be, in full compliance during the term of this Agreement with all federal, state and local statutes, rules and regulations (including without limitation the information privacy and security requirements of the Gramm Xxxxx Xxxxxx Act and regulations thereunder), as well as all Operating Rules, regulations and bylaws of the Card Networks and the Security Standards. Merchant will have in place and comply with at all times during the term of this Agreement a comprehensive written information security program that is designed to ensure the security, confidentiality and integrity of Transaction and Cardholder information, and includes a procedure (i) for periodic review to identify new and emerging threats and vulnerabilities and (ii) to take appropriate measures to remediate and remove such threats and vulnerabilities, all in accordance with the Security Standards. The Card Networks or Provider, and their respective representatives, may inspect the premises of Merchant or any independent contractor or agent or Merchant Servicer engaged by Merchant for compliance with security requirements. Merchant acknowledges that any failure to comply with security requirements, or to demonstrate compliance, may result in the imposition of restrictions on Merchant or the permanent prohibition of Merchant's participation in Card Programs by the Card Networks. Without limitation as to Merchant's obligations or liabilities under other provisions hereof, , (a) Merchant hereby agrees to indemnify Processor and Merchant Bank, including their officers, directors, employees, and agents, and to hold them harmless from any fines, assessments, fees and/or fines and penalties that may be assessed by the Card Networks or any governmental agency in regards to PCI-DSS or PA-DSS or otherwise in regards to data security or any actual or suspected data breaches that may occur, as well as all costs of forensic exam/audit, card replacement fees, all claims and demands of Cardholders, Card Issuers, Card Networks, governmental agencies, or other third parties, and all litigation costs and expenses including reasonable attorney's fees, and all other costs of any kind, associated with any actual or suspected data security breach or noncompliance with Card Network data security requirements or data security requirements of applicable law; and and (b) in the event of a computer or other data security breach, or suspected computer or other data security breach, Merchant agrees to abide by Card Network requirements which may include without limitation a forensic network exam by a Qualified Incident Response Assessor (QIRA); and (c) Merchant agrees to cooperate with Processor and Merchant Bank in order to effectively manage breach response. Without limiting the generality of the foregoing, Merchant understands that the payment card industry has required all merchants to be PCI DSS compliant. Processor and Merchant Bank, in compliance with Card Network mandates, will not board merchants for the Services provided for in this Agreement that are not PCI DSScompliantDSS compliant. Merchant and Merchant's principals hereby covenant that they are, and will continue for the duration of the Term to be, PCI DSS compliant. Processor and Merchant Bank also require compliance with the PA- DSS standards in accordance with industry mandates, and with all applicable Card Network mandates relating to PIN and PIN entry device (PED) security, including without limitation, and as applicable, the applicable Payment Card Industry PCI PIN Security Requirements, PCI PIN- Entry Device Security Requirements, and PCI Encrypting PIN Pad Security Requirements. Merchant covenants that all point-of- sale (POS) and/or terminal hardware and software (make and version) that Merchant will use to submit Transactions during the Term is PA- PA-DSS compliant, and compliant with all applicable PIN and PED security requirements, and that any future changes in Merchant’s POS hardware or software will be in compliance with the PA-DSS and all applicable PIN and PED security requirements. 4.2 4.3 Merchant must notify Provider and receive Provider’s prior approval of its use of any Merchant Servicer and, to the extent required by each Card Network, all Merchant Servicers must be be (i) compliant with all Security Standards applicable to Merchant Servicers; and (ii) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant agrees to exercise due diligence to ensure that all Merchant Servicers, and any other agents, business partners, contractors, or subcontractors with access to Merchant's Card Information, maintain compliance with the Security Standards. To the extent required by each Card Network, all Payment Applications or software involved in processing, storing, receiving, or transmitting of Card Information, shall be (a) compliant with all Security Standards applicable to such Payment Applications or software; and (b) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant will be bound to the acts and omissions of Merchant Servicer and will be responsible for the compliance of such Merchant Servicer with all applicable laws, regulations and Operating Rules. Provider shall in no event be liable to Merchant or any third party for any actions or inactions of any Merchant Servicer used by Merchant, and Merchant hereby expressly assumes all such liability. 4.3 4.4 Merchant will immediately notify Provider if Merchant decides to use electronic authorization or data capture software or terminals provided by any entity other than Provider or its authorized designee ("Third Party Terminals") to process Transactions, including leasing a terminal from a third party. If Merchant elects to use Third Party Terminals, (i) the third party providing the terminals will be Merchant's Merchant Servicer in the delivery of Transactions to Provider; and (ii) Merchant assumes full responsibility and liability for any failure of that third party to comply with the requirements of Provider, the Operating Rules, applicable laws, rules or regulations, or this Agreement. Provider will not be responsible for any losses or additional fees incurred by Merchant as a result of any error by a third-third party agent or Merchant Servicer or a malfunction in a Third-Third Party Terminal. 4.4 4.5 Merchant must immediately notify Merchant Bank and Processor of any suspected or confirmed loss or theft of materials or records that contain Cardholder Account numbers or Transaction information. In the event of a suspected or confirmed loss or theft Merchant shall provide immediate access to all facilities, systems, procedures, equipment, and documents as may be deemed appropriate by Provider or its designated representatives for inspection, audit, and copying as deemed appropriate by both Merchant Bank and Processor in their individual sole discretion. Merchant shall be responsible for all costs associated with such inspection, audit, and copying however such costs may occur. 4.5 4.6 Merchant must, at all times, comply with the PCI-DSS and Operating Rules requirements regarding the storage of Cardholder and Transaction data, including all restrictions on the types of data that Merchant may store. Such restrictions include, but are not limited to, prohibition on Merchant’s storage or retention of Card magnetic stripe, CVV, CVV2, CVC2, CID or any other data classified by PCI-DSS as “Sensitive Authentication Data”. 4.6 4.7 Merchant has and will maintain a comprehensive privacy program that is reasonably designed to address privacy risks related to Merchant and Merchant customer information, including personally identifiable information (“PII”), and to protect the privacy of PII. This program shall includes and will include appropriate privacy controls and procedures, including but not limited to: 4.6.1 4.7.1 the designation of an employee or employees to coordinate and be responsible for the privacy program; 4.6.2 4.7.2 the identification of reasonably foreseeable, material risks, both internal and external, that could result in Merchant’s unauthorized collection, use, or disclosure of PII, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to employee training and management; 4.6.3 4.7.3 the design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of those privacy controls and procedures; and 4.6.4 4.7.4 the evaluation and adjustment of Merchant’s privacy program in light of any circumstances that Merchant knows or has reason to know may have a material impact on the effectiveness of its privacy program. 4.7 4.8 Processor acknowledges that it is responsible for the security of Card information that it transmits on behalf of Merchant in connection with the Services while such Card information is in Processor’s possession.

Data Security and Privacy. 4.1 Merchant will retain in a secure and confidential manner, in accordance with the Operating Rules, original or complete and legible copies of each Charge Record, and each Credit Voucher required to be provided to Cardholders, for at least two (2) years or longer if required by law or the Operating Rules. Merchant shall render any materials containing Cardholder Account numbers unreadable prior to discarding. Merchant will store Charge Records in an area limited to selected personnel, and when record-retention requirements have been met, Merchant will destroy the records so that Charge Records are rendered unreadable. Merchant confirms that it is, and shall be, in full compliance during the term of this Agreement with all federal, state and local statutes, rules and regulations (including without limitation the information privacy and security requirements of the Gramm Xxxxx Xxxxxx Act and regulations thereunder), as well as all Operating Rules, regulations and bylaws of the Card Networks and the Security Standards. Merchant will have in place and comply with at all times during the term of this Agreement a comprehensive written information security program that is designed to ensure the security, confidentiality and integrity of Transaction and Cardholder information, and includes a procedure (i) for periodic review to identify new and emerging threats and vulnerabilities and (ii) to take appropriate measures to remediate and remove such threats and vulnerabilities, all in accordance with the Security Standards. The Card Networks or Provider, and their respective representatives, may inspect the premises of Merchant or any independent contractor or agent or Merchant Servicer engaged by Merchant for compliance with security requirements. Merchant acknowledges that any failure to comply with security requirements, or to demonstrate compliance, may result in the imposition of restrictions on Merchant or the permanent prohibition of Merchant's participation in Card Programs by the Card Networks. Without limitation as to Merchant's obligations or liabilities under other provisions hereof, Merchant hereby agrees to indemnify Processor and Merchant Bank, including their officers, directors, employees, and agents, and to hold them harmless from any fines, assessments, fees and/or penalties that may be assessed by the Card Networks or any governmental agency in regards to PCI-DSS or PA-DSS or otherwise in regards to data security or any actual or suspected data breaches that may occur, as well as all costs of forensic exam/audit, card replacement fees, all claims and demands of Cardholders, Card Issuers, Card Networks, governmental agencies, or other third parties, and all litigation costs and expenses including reasonable attorney's fees, and all other costs of any kind, associated with any actual or suspected data security breach or noncompliance with Card Network data security requirements or data security requirements of applicable law; and (b) in the event of a computer or other data security breach, or suspected computer or other data security breach, Merchant agrees to abide by Card Network requirements which may include without limitation a forensic network exam by a Qualified Incident Response Assessor (QIRA); and (c) Merchant agrees to cooperate with Processor and Merchant Bank in order to effectively manage breach response. Without limiting the generality of the foregoing, Merchant understands that the payment card industry has required all merchants to be PCI DSS compliant. Processor and Merchant Bank, in compliance with Card Network mandates, will not board merchants for the Services provided for in this Agreement that are not PCI DSScompliantDSS compliant. Merchant and Merchant's principals hereby covenant that they are, and will continue for the duration of the Term to be, PCI DSS compliant. Processor and Merchant Bank also require compliance with the PA- DSS standards in accordance with industry mandates, and with all applicable Card Network mandates relating to PIN and PIN entry device (PED) security, including without limitation, and as applicable, the applicable Payment Card Industry PCI PIN Security Requirements, PCI PIN- Entry Device Security Requirements, and PCI Encrypting PIN Pad Security Requirements. Merchant covenants that all point-of- sale (POS) and/or terminal hardware and software (make and version) that Merchant will use to submit Transactions during the Term is PA- DSS compliant, and compliant with all applicable PIN and PED security requirements, and that any future changes in Merchant’s POS hardware or software will be in compliance with the PA-DSS and all applicable PIN and PED security requirements. 4.2 Merchant must notify Provider and receive Provider’s prior approval of its use of any Merchant Servicer and, to the extent required by each Card Network, all Merchant Servicers must be (i) compliant with all Security Standards applicable to Merchant Servicers; and (ii) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant agrees to exercise due diligence to ensure that all Merchant Servicers, and any other agents, business partners, contractors, or subcontractors with access to Merchant's Card Information, maintain compliance with the Security Standards. To the extent required by each Card Network, all Payment Applications or software involved in processing, storing, receiving, or transmitting of Card Information, shall be (a) compliant with all Security Standards applicable to such Payment Applications or software; and (b) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant will be bound to the acts and omissions of Merchant Servicer and will be responsible for the compliance of such Merchant Servicer with all applicable laws, regulations and Operating Rules. Provider shall in no event be liable to Merchant or any third party for any actions or inactions of any Merchant Servicer used by Merchant, and Merchant hereby expressly assumes all such liability. 4.3 Merchant will immediately notify Provider if Merchant decides to use electronic authorization or data capture software or terminals provided by any entity other than Provider or its authorized designee ("Third Party Terminals") to process Transactions, including leasing a terminal from a third party. If Merchant elects to use Third Party Terminals, (i) the third party providing the terminals will be Merchant's Merchant Servicer in the delivery of Transactions to Provider; and (ii) Merchant assumes full responsibility and liability for any failure of that third party to comply with the requirements of Provider, the Operating Rules, applicable laws, rules or regulations, or this Agreement. Provider will not be responsible for any losses or additional fees incurred by Merchant as a result of any error by a third-party agent or Merchant Servicer or a malfunction in a Third-Party Terminal. 4.4 Merchant must immediately notify Merchant Bank and Processor of any suspected or confirmed loss or theft of materials or records that contain Cardholder Account numbers or Transaction information. In the event of a suspected or confirmed loss or theft Merchant shall provide immediate access to all facilities, systems, procedures, equipment, and documents as may be deemed appropriate by Provider or its designated representatives for inspection, audit, and copying as deemed appropriate by both Merchant Bank and Processor in their individual sole discretion. Merchant shall be responsible for all costs associated with such inspection, audit, and copying however such costs may occur. 4.5 Merchant must, at all times, comply with the PCI-DSS and Operating Rules requirements regarding the storage of Cardholder and Transaction data, including all restrictions on the types of data that Merchant may store. Such restrictions include, but are not limited to, prohibition on Merchant’s storage or retention of Card magnetic stripe, CVV, CVV2, CVC2, CID or any other data classified by PCI-DSS as “Sensitive Authentication Data”. 4.6 Merchant has and will maintain a comprehensive privacy program that is reasonably designed to address privacy risks related to Merchant and Merchant customer information, including personally identifiable information (“PII”), and to protect the privacy of PII. This program shall includes and will include appropriate privacy controls and procedures, including but not limited to: 4.6.1 the designation of an employee or employees to coordinate and be responsible for the privacy program; 4.6.2 the identification of reasonably foreseeable, material risks, both internal and external, that could result in Merchant’s unauthorized collection, use, or disclosure of PII, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to employee training and management; 4.6.3 the design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of those privacy controls and procedures; and 4.6.4 the evaluation and adjustment of Merchant’s privacy program in light of any circumstances that Merchant knows or has reason to know may have a material impact on the effectiveness of its privacy program. 4.7 Processor acknowledges that it is responsible for the security of Card information that it transmits on behalf of Merchant in connection with the Services while such Card information is in Processor’s possession.

Data Security and Privacy. 4.1 Merchant will retain in a secure and confidential manner, in accordance with the Operating Rules, original or complete and legible copies of each Charge Record, and each Credit Voucher required to be provided to Cardholders, for at least two (2) years or longer if required by law or the Operating Rules. Merchant shall render any materials containing Cardholder Account numbers unreadable prior to discarding. Merchant will store Charge Records in an area limited to selected personnel, and when record-retention requirements have been met, Merchant Xxxxxxxx will destroy the records so that Charge Records are rendered unreadable. Merchant confirms that it is, and shall be, in full compliance during the term of this Agreement with all federal, state and local statutes, rules and regulations (including without limitation the information privacy and security requirements of the Gramm Xxxxx Xxxxxx Act and regulations thereunder), as well as all Operating Rules, regulations and bylaws of the Card Networks and the Security Standards. Merchant will have in place and comply with at all times during the term of this Agreement a comprehensive written information security program that is designed to ensure the security, confidentiality and integrity of Transaction and Cardholder information, and includes a procedure (i) for periodic review to identify new and emerging threats and vulnerabilities and (ii) to take appropriate measures to remediate and remove such threats and vulnerabilities, all in accordance with the Security Standards. The Card Networks or Provider, and their respective representatives, may inspect the premises of Merchant or any independent contractor or agent or Merchant Servicer engaged by Merchant for compliance with security requirements. Merchant acknowledges that any failure to comply with security requirements, or to demonstrate compliance, may result in the imposition of restrictions on Merchant or the permanent prohibition of Merchant's participation in Card Programs by the Card Networks. Without limitation as to Merchant's obligations or liabilities under other provisions hereof, Merchant hereby agrees to indemnify Processor and Merchant Bank, including their officers, directors, employees, and agents, and to hold them harmless from any fines, assessments, fees and/or penalties that may be assessed by the Card Networks or any governmental agency in regards to PCI-DSS or PA-DSS or otherwise in regards to data security or any actual or suspected data breaches that may occur, as well as all costs of forensic exam/audit, card replacement fees, all claims and demands of Cardholders, Card Issuers, Card Networks, governmental agencies, or other third parties, and all litigation costs and expenses including reasonable attorney's fees, and all other costs of any kind, associated with any actual or suspected data security breach or noncompliance with Card Network data security requirements or data security requirements of applicable law; and (b) in the event of a computer or other data security breach, or suspected computer or other data security breach, Merchant Xxxxxxxx agrees to abide by Card Network requirements which may include without limitation a forensic network exam by a Qualified Incident Response Assessor (QIRA); and (c) Merchant agrees to cooperate with Processor and Merchant Bank in order to effectively manage breach response. Without limiting the generality of the foregoing, Merchant Xxxxxxxx understands that the payment card industry has required all merchants to be PCI DSS compliant. Processor and Merchant Bank, in compliance with Card Network mandates, will not board merchants for the Services provided for in this Agreement that are not PCI DSScompliant. Merchant and MerchantXxxxxxxx's principals hereby covenant that they are, and will continue for the duration of the Term to be, PCI DSS compliant. Processor and Merchant Bank also require compliance with the PA- DSS standards in accordance with industry mandates, and with all applicable Card Network mandates relating to PIN and PIN entry device (PED) security, including without limitation, and as applicable, the applicable Payment Card Industry PCI PIN Security Requirements, PCI PIN- Entry Device Security Requirements, and PCI Encrypting PIN Pad Security Requirements. Merchant covenants that all point-of- sale (POS) and/or terminal hardware and software (make and version) that Merchant will use to submit Transactions during the Term is PA- DSS compliant, and compliant with all applicable PIN and PED security requirements, and that any future changes in Merchant’s POS hardware or software will be in compliance with the PA-DSS and all applicable PIN and PED security requirements. 4.2 Merchant must notify Provider and receive Provider’s prior approval of its use of any Merchant Servicer and, to the extent required by each Card Network, all Merchant Servicers must be (i) compliant with all Security Standards applicable to Merchant Servicers; and (ii) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant Xxxxxxxx agrees to exercise due diligence to ensure that all Merchant Servicers, and any other agents, business partners, contractors, or subcontractors with access to Merchant's Card Information, maintain compliance with the Security Standards. To the extent required by each Card Network, all Payment Applications or software involved in processing, storing, receiving, or transmitting of Card Information, shall be (a) compliant with all Security Standards applicable to such Payment Applications or software; and (b) registered with and/or recognized by such Card Network(s) as being so compliant. Merchant will be bound to the acts and omissions of Merchant Servicer and will be responsible for the compliance of such Merchant Servicer with all applicable laws, regulations and Operating Rules. Provider shall in no event be liable to Merchant or any third party for any actions or inactions of any Merchant Servicer used by Merchant, and Merchant hereby expressly assumes all such liability. 4.3 Merchant will immediately notify Provider if Merchant Xxxxxxxx decides to use electronic authorization or data capture software or terminals provided by any entity other than Provider or its authorized designee ("Third Party Terminals") to process Transactions, including leasing a terminal from a third party. If Merchant elects to use Third Party Terminals, (i) the third party providing the terminals will be Merchant's Merchant Servicer in the delivery of Transactions to Provider; and (ii) Merchant assumes full responsibility and liability for any failure of that third party to comply with the requirements of Provider, the Operating Rules, applicable laws, rules or regulations, or this Agreement. Provider will not be responsible for any losses or additional fees incurred by Merchant Xxxxxxxx as a result of any error by a third-party agent or Merchant Servicer or a malfunction in a Third-Party Terminal. 4.4 Merchant must immediately notify Merchant Bank and Processor of any suspected or confirmed loss or theft of materials or records that contain Cardholder Account numbers or Transaction information. In the event of a suspected or confirmed loss or theft Merchant shall provide immediate access to all facilities, systems, procedures, equipment, and documents as may be deemed appropriate by Provider or its designated representatives for inspection, audit, and copying as deemed appropriate by both Merchant Bank and Processor in their individual sole discretion. Merchant shall be responsible for all costs associated with such inspection, audit, and copying however such costs may occur. 4.5 Merchant must, at all times, comply with the PCI-DSS and Operating Rules requirements regarding the storage of Cardholder and Transaction data, including all restrictions on the types of data that Merchant may store. Such restrictions include, but are not limited to, prohibition on Merchant’s storage or retention of Card magnetic stripe, CVV, CVV2, CVC2, CID or any other data classified by PCI-DSS as “Sensitive Authentication Data”. 4.6 Merchant has and will maintain a comprehensive privacy program that is reasonably designed to address privacy risks related to Merchant and Merchant customer information, including personally identifiable information (“PII”), and to protect the privacy of PII. This program shall includes and will include appropriate privacy controls and procedures, including but not limited to: 4.6.1 the designation of an employee or employees to coordinate and be responsible for the privacy program; 4.6.2 the identification of reasonably foreseeable, material risks, both internal and external, that could result in Merchant’s unauthorized collection, use, or disclosure of PII, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to employee training and management; 4.6.3 the design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, and regular testing or monitoring of the effectiveness of those privacy controls and procedures; and 4.6.4 the evaluation and adjustment of Merchant’s privacy program in light of any circumstances that Merchant Xxxxxxxx knows or has reason to know may have a material impact on the effectiveness of its privacy program. 4.7 Processor acknowledges that it is responsible for the security of Card information that it transmits on behalf of Merchant in connection with the Services while such Card information is in Processor’s possession.