Data Security Requirements. 3.1 The PCI Security Standards Council (“PCI SSC”) was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa, Inc. All five founders agreed to incorporate PCI Data Security Standards (“PCI DSS”) as the technical requirements of each of their data security compliance programs. The PCI SSC is responsible for the Payment Application Data Security Standard (“PA-DSS”) and PIN Transaction Security Requirements for PIN-Entry Devices (“PED”). PCI DSS applies to any Merchant or Merchant Servicer that stores, processes or transmits Cardholder information. All eligible Merchants, regardless of size, must comply with these standards. Following are standards that, at a minimum, Merchant must comply with:
(a) Install and maintain a firewall configuration to protect Cardholder data.
(b) Do not use vendor-supplied defaults for system passwords and other security parameters.
(c) Protect stored Cardholder data.
(d) Encrypt transmission of Cardholder data across open, public networks.
(e) Use and regularly update anti-virus software or programs.
(f) Develop and maintain secure systems and applications.
(g) Restrict access to Cardholder data by business need-to-know.
(h) Assign a unique ID to each person with computer access.
(i) Restrict physical access to Cardholder data.
(j) Track and monitor all access to network resources and Cardholder data.
(k) Regularly test security systems and processes.
(l) Maintain a policy that addresses information security for all personnel.
Revised 111113 More information, including the complete PCI DSS specifications, can be found at: xxx.xxxxxxxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxxxxxxx providers.vpa_agreement.php Each of the Card Schemes has requirements based on PCI DSS that define a standard of due care and enforcement for protecting sensitive information.
Merchant must meet the compliance validation requirements defined by the Card Schemes available at: xxx.xxxx.xxx/xxxx xxx.xxxxxxxxxx.xxx/xxx xxx.xxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxxx/xxxx.xxxx xxx.xxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxx In cases where payment application software is used as a part of Authorization or settlement of Cardholder data, Merchant must use a PA-DSS compliant payment application or have current proof of PCI DSS compliance validation. The List of Validated Payment Applications may be found at: xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/approvedcompanies providers/vpaagreement.php In cases where PIN-based debit Transactions are processed, Merchant must use a compliant PIN Entry Device (“PED”). The List of PCI SSC Approved PIN Transaction Security Devices may be found at: xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/security_standards/ped/pedapprovallist.html. Transactions should be Triple Data Encryption Standard (TDES) protected. In addition, Merchant must immediately notify HPS of its use of any agent or Merchant Servicer that will have any access to Cardholder data and provide the full name and business address of such agent or Merchant Servicer and change thereto. The Card Schemes or HPS may levy fines, suspend or terminate services, or impose other restrictions if it is determined that Merchant is not compliant with applicable security standards. Merchant is responsible for all fines and fees assessed by any Card Scheme in connection with violation of data security standards and will indemnify and hold harmless HPS from and against any and all damages suffered as a result of such noncompliance. 3.2 A Card Scheme may require Merchant to conduct an independent forensics review due to its data security procedures. Upon notice of such request, Merchant shall provide, at its sole cost and expense, through an approved forensic review process, information as may be required by the Card Scheme.
Appears in 1 contract
Samples: Merchant Processing Agreement
Data Security Requirements. 3.1 The PCI Security Standards Council (“PCI SSC”) was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa, Inc. All five founders agreed to incorporate the PCI Data Security Standards (“PCI DSS”) as the technical requirements of each of their data security compliance programs. The PCI SSC is responsible for the Payment Application Data Security Standard (“PA-DSS”) and PIN Transaction Security Requirements for PIN-Entry Devices (“PED”). PCI DSS applies to any Merchant or Merchant Servicer that stores, processes or transmits Cardholder information. All eligible Merchants, regardless of size, must comply with these standards. Following are standards that, at a minimum, Merchant must comply with:
(a) Install and maintain a firewall configuration to protect Cardholder data.
(b) Do not use vendor-supplied defaults for system passwords and other security parameters.
(c) Protect stored Cardholder data.
(d) Encrypt transmission of Cardholder data across open, public networks.
(e) Use and regularly update anti-virus software or programs.
(f) Develop and maintain secure systems and applications.
(g) Restrict access to Cardholder data by business need-to-know.
(h) Assign a unique ID to each person with computer access.
(i) Restrict physical access to Cardholder data.
(j) Track and monitor all access to network resources and Cardholder data.
(k) Regularly test security systems and processes.
(l) Maintain a policy that addresses information security for all personnel.
Revised 111113 More information, including the complete PCI DSS specifications, can be found at: xxx.xxxxxxxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxxxxxxx providers.vpa_agreement.php xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx Each of the Card Schemes has requirements based on PCI DSS that define a standard of due care and enforcement for protecting sensitive information. Merchant must meet the compliance validation requirements defined by the Card Schemes available at: xxx.xxxx.xxx/xxxx xxx.xxxxxxxxxx.xxx/xxx xxx.xxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxxx/xxxx.xxxx xxx.xxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxx - For American Express Direct merchants only In cases where payment application software is used as a part of Authorization or settlement of Cardholder data, Merchant must use a PA-DSS compliant payment application or have current proof of PCI DSS compliance validation. The List of Validated Payment Applications may be found at: xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/approvedcompanies providers/vpaagreement.php xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/approved_companies_providers/vpa_agreement.php In cases where PIN-based debit Transactions are processed, Merchant must use a compliant PIN Entry Device (“PED”). The List of PCI SSC Approved PIN Transaction Security Devices may be found at: xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/security_standards/ped/pedapprovallist.html. xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/assessors_and_solutions/vpa_agreement Transactions must comply with the Triple Data Encryption Standard (TDES) and any successor technologies or standards connected therewith. In addition, Merchant must immediately notify HPS of its use of any agent or Merchant Servicer that will have any access to Cardholder data and provide the full name and business address of such agent or Merchant Servicer and any changes thereto.
The Card Schemes or HPS may levy fines, suspend or terminate services, or impose other restrictions if it is determined that Merchant is not compliant with applicable security standards. Merchant is responsible for all fines and fees assessed by any Card Scheme in connection with violation of data security standards and will indemnify and hold harmless HPS from and against any and all damages suffered as a result of such noncompliance.
3.2 A Card Scheme may require Merchant, by notice to either HPS, Member Sponsor Bank or Merchant, to conduct an independent forensics review due to its data security procedures and/or Transaction activities. Upon notice of such request from either a Card Scheme or HPS, Merchant, at its sole cost and expense, shall retain the requisite forensics services and provide, through the requisite forensic review process, information as may be required by the Card Scheme. If Merchant fails to retain the requisite forensics services, HPS may retain such forensics services on Merchant’s behalf, and Merchant shall remain responsible for payment and/or reimbursement to HPS of all cost and expense associated with such forensics services. In addition, Merchant shall be solely responsible for the cost and expense associated with any changes to its systems or other remediation required by the Card Scheme as a result of the forensic review process.
3.3 Merchant agrees that it will not introduce into HPS’s or Member Sponsor Bank’s system any virus, “time bomb,” or any other contaminant, including but not limited to, codes, commands, or instructions that could damage or disable HPS’s or Member Sponsor Bank’s system or property.
Appears in 1 contract
Samples: Product and Services Agreement
Data Security Requirements. 3.1 The PCI Security Standards Council (“PCI SSC”) was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa, Inc. All five founders agreed to incorporate the PCI Data Security Standards (“PCI DSS”) as the technical requirements of each of their data security compliance programs. The PCI SSC is responsible for the Payment Application Data Security Standard (“PA-DSS”) and PIN Transaction Security Requirements for PIN-Entry Devices (“PED”). PCI DSS applies to any Merchant or Merchant Servicer that stores, processes or transmits Cardholder information. All eligible Merchants, regardless of size, must comply with these standards. Following are standards that, at a minimum, Merchant must comply with:
(a) Install and maintain a firewall configuration to protect Cardholder data.
(b) Do not use vendor-supplied defaults for system passwords and other security parameters.
(c) Protect stored Cardholder data.
(d) Encrypt transmission of Cardholder data across open, public networks.
(e) Use and regularly update anti-virus software or programs.
(f) Develop and maintain secure systems and applications.
(g) Restrict access to Cardholder data by business need-to-know.
(h) Assign a unique ID to each person with computer access.
(i) Restrict physical access to Cardholder data.
(j) Track and monitor all access to network resources and Cardholder data.
(k) Regularly test security systems and processes.
(l) Maintain a policy that addresses information security for all personnel.
Revised 111113 More information, including the complete PCI DSS specifications, can be found at: xxx.xxxxxxxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxxxxxxx providers.vpa_agreement.php xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx Each of the Card Schemes has requirements based on PCI DSS that define a standard of due care and enforcement for protecting sensitive information. Merchant must meet the compliance validation requirements defined by the Card Schemes available at: xxx.xxxx.xxx/xxxx xxx.xxxxxxxxxx.xxx/xxx xxx.xxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxxx/xxxx.xxxx xxx.xxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxx - For American Express Direct merchants only In cases where payment application software is used as a part of Authorization or settlement of Cardholder data, Merchant must use a PA-DSS compliant payment application or have current proof of PCI DSS compliance validation. The List of Validated Payment Applications may be found at: xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/approvedcompanies providers/vpaagreement.php xxxxx://xx.xxxxxxxxxxxxxxxxxxxx.xxx/assessors_and_solutions/payment_applications?agree=true In cases where PIN-based debit Transactions are processed, Merchant must use a compliant PIN Entry Device (“PED”). The List of PCI SSC Approved PIN Transaction Security Devices may be found at: xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/security_standards/ped/pedapprovallist.html. xxxxx://xxxxxxxx.xxxxxxxxxxxxxxxxxxxx.xxx/assessors_and_solutions/pin_transaction_devices?agree=true Transactions must comply with the Triple Data Encryption Standard (TDES) and any successor technologies or standards connected therewith. In addition, Merchant must immediately notify HPS of its use of any agent or Merchant Servicer that will have any access to Cardholder data and provide the full name and business address of such agent or Merchant Servicer and any changes thereto.
The Card Schemes or HPS may levy fines, suspend or terminate services, or impose other restrictions if it is determined that Merchant is not compliant with applicable security standards. Merchant is responsible for all fines and fees assessed by any Card Scheme in connection with violation of data security standards and will indemnify and hold harmless HPS from and against any and all damages suffered as a result of such noncompliance.
3.2 A Card Scheme may require Merchant, by notice to either HPS, Member Sponsor Bank or Merchant, to conduct an independent forensics review due to its data security procedures and/or Transaction activities. Upon notice of such request from either a Card Scheme or HPS, Merchant, at its sole cost and expense, shall retain the requisite forensics services and provide, through the requisite forensic review process, information as may be required by the Card Scheme. If Xxxxxxxx fails to retain the requisite forensics services, HPS may retain such forensics services on Merchant’s behalf, and Merchant shall remain responsible for payment and/or reimbursement to HPS of all cost and expense associated with such forensics services. In addition, Merchant shall be solely responsible for the cost and expense associated with any changes to its systems or other remediation required by the Card Scheme as a result of the forensic review process.
3.3 Merchant agrees that it will not introduce into HPS’s or Member Sponsor Bank’s system any virus, “time bomb,” or any other contaminant, including but not limited to, codes, commands, or instructions that could damage or disable HPS’s or Member Sponsor Bank’s system or property.
3.4 Merchant must keep all systems and media containing account, cardholder or transaction information (physical or electronic, including but not limited to account numbers, card imprints, and terminal identification numbers) secure and prevent access by or disclosure to anyone other than Merchant’s authorized personnel. Merchant must destroy, in a manner that will render the data unreadable, all such media that Merchant no longer deems necessary or appropriate to store (except for Sales Drafts maintained in accordance with this Agreement, applicable law, or Rules). Merchant must also ensure proper destruction of Cardholder, Transaction or system information (physical or electronic, including but not limited to account numbers, card imprints, and terminal identification numbers) prior to selling, storing, or disposing of any terminal.
Appears in 1 contract
Samples: Product and Services Agreement
Data Security Requirements. 3.1 The PCI Security Standards Council (“PCI SSC”) was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa, Inc. All five founders agreed to incorporate PCI Data Security Standards (“PCI DSS”) as the technical requirements of each of their data security compliance programs. The PCI SSC is responsible for the Payment Application Data Security Standard (“PA-DSS”) and PIN Transaction Security Requirements for PIN-Entry Devices (“PED”). PCI DSS applies to any Merchant or Merchant Servicer that stores, processes or transmits Cardholder information. All eligible Merchants, regardless of size, must comply with these standards. Following are standards that, at a minimum, Merchant must comply with:
(a) Install and maintain a firewall configuration to protect Cardholder data.
(b) Do not use vendor-supplied defaults for system passwords and other security parameters.
(c) Protect stored Cardholder data.
(d) Encrypt transmission of Cardholder data across open, public networks.
(e) Use and regularly update anti-virus software or programs.
(f) Develop and maintain secure systems and applications.
(g) Restrict access to Cardholder data by business need-to-know.
(h) Assign a unique ID to each person with computer access.
(i) Restrict physical access to Cardholder data.
(j) Track and monitor all access to network resources and Cardholder data.
(k) Regularly test security systems and processes.
(l) Maintain a policy that addresses information security for all personnel.
Revised 111113 More information, including the complete PCI DSS specifications, can be found at: xxx.xxxxxxxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxxxxxxx providers.vpa_agreement.php xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/approved_companies_providers/vpa_agreement.php Each of the Card Schemes has requirements based on PCI DSS that define a standard of due care and enforcement for protecting sensitive information. Merchant must meet the compliance validation requirements defined by the Card Schemes available at: xxx.xxxx.xxx/xxxx xxx.xxxxxxxxxx.xxx/xxx xxx.xxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxxx/xxxx.xxxx xxx.xxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxx - For American Express Direct Merchants Only In cases where payment application software is used as a part of Authorization or settlement of Cardholder data, Merchant must use a PA-DSS compliant payment application or have current proof of PCI DSS compliance validation. The List of Validated Payment Applications may be found at: xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/approvedcompanies providers/vpaagreement.php xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/approved_companies_providers/vpa_agreement.php In cases where PIN-based debit Transactions are processed, Merchant must use a compliant PIN Entry Device (“PED”). The List of PCI SSC Approved PIN Transaction Security Devices may be found at: xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/security_standards/ped/pedapprovallist.html. xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/security_standards/ped/pedapprovallist.html Transactions should be Triple Data Encryption Standard (TDES) protected. In addition, Merchant must immediately notify HPS of its use of any agent or Merchant Servicer that will have any access to Cardholder data and provide the full name and business address of such agent or Merchant Servicer and change thereto.
The Card Schemes or HPS may levy fines, suspend or terminate services, or impose other restrictions if it is determined that Merchant is not compliant with applicable security standards. Merchant is responsible for all fines and fees assessed by any Card Scheme in connection with violation of data security standards and will indemnify and hold harmless HPS from and against any and all damages suffered as a result of such noncompliance.
3.2 A Card Scheme may require Merchant to conduct an independent forensics review due to its data security procedures. Upon notice of such request, Merchant shall provide, at its sole cost and expense, through an approved forensic review process, information as may be required by the Card Scheme.
Appears in 1 contract
Samples: Merchant Processing Agreement
Data Security Requirements. 3.1 The PCI Security Standards Council (“PCI SSC”) was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa, Inc. All five founders agreed to incorporate PCI Data Security Standards (“PCI DSS”) as the technical requirements of each of their data security compliance programs. The PCI SSC is responsible for the Payment Application Data Security Standard (“PA-DSS”) and PIN Transaction Security Requirements for PIN-Entry Devices (“PED”). PCI DSS applies to Heartland and to any Merchant or Merchant Servicer that stores, processes or transmits Cardholder information. Heartland acknowledges that it has an obligation to comply with PCI DSS for Cardholder information it possesses. All eligible Merchants, regardless of size, must comply with these standards. Following are standards that, at a minimum, Merchant must comply with:
(a) Install and maintain a firewall configuration to protect Cardholder data.
(b) Do not use vendor-supplied defaults for system passwords and other security parameters.
(c) Protect stored Cardholder data.
(d) Encrypt transmission of Cardholder data across open, public networks.
(e) Use and regularly update anti-virus software or programs.
(f) Develop and maintain secure systems and applications.
(g) Restrict access to Cardholder data by business need-to-know.
(h) Assign a unique ID to each person with computer access.
(i) Restrict physical access to Cardholder data.
(j) Track and monitor all access to network resources and Cardholder data.
(k) Regularly test security systems and processes.
(l) Maintain a policy that addresses information security for all personnel.
Revised 111113 More information, including the complete PCI DSS specifications, can be found at: xxx.xxxxxxxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxxxxxxx providers.vpa_agreement.php xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/approved companies providers/vpa agreement.php Each of the Card Schemes has requirements based on PCI DSS that define a standard of due care and enforcement for protecting sensitive information. Merchant must meet the compliance validation requirements defined by the Card Schemes available at: xxx.xxxx.xxx/xxxx xxx.xxxxxxxxxx.xxx/xxx xxx.xxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxxx/xxxx.xxxx xxx.xxxxxxxxxxxxxxx.xxx/xxxxxxxxxxxx - For American Express Direct Merchants Only In cases where payment application software is used as a part of Authorization or settlement of Cardholder data, Merchant must use a PA-DSS compliant payment application or have current proof of PCI DSS compliance validation. The List of Validated Payment Applications may be found at: xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/approvedcompanies providers/vpaagreement.php xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/approvedcompaniesproviders/vpaagreement.php In cases where PIN-based debit Transactions are processed, Merchant must use a compliant PIN Entry Device (“PED”). The List of PCI SSC Approved PIN Transaction Security Devices may be found at: xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/security_standards/ped/pedapprovallist.html. xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/securitystandards/ped/pedapprovallist.html Transactions should be Triple Data Encryption Standard (TDES) protected. In addition, Merchant must immediately notify HPS of its use of any agent or Merchant Servicer that will have any access to Cardholder data and provide the full name and business address of such agent or Merchant Servicer and change thereto.
The Card Schemes or HPS may levy fines, suspend or terminate services, or impose other restrictions if it is determined that Merchant is not compliant with applicable security standards. Merchant is responsible for all fines and fees assessed by any Card Scheme in connection with violation of data security standards and will indemnify and hold harmless HPS from and against any and all damages suffered as a result of such noncompliance.
3.2 A Card Scheme may require Merchant to conduct an independent forensics review due to its data security procedures. Upon notice of such request, Merchant shall provide, at its sole cost and expense, through an approved forensic review process, information as may be required by the Card Scheme.
Appears in 1 contract
Samples: Merchant Processing Agreement (Usa Technologies Inc)