Common use of Merchant’s obligations to comply with Data Security requirements Clause in Contracts

Merchant’s obligations to comply with Data Security requirements. a. The Merchant acknowledges and agrees that it is fully responsible for the security of data on its website or otherwise within its possession or control. b. The Merchant agrees to do the following with respect to its processing of its customers’ personal identifiable information and the collection, security and dissemination of data on the Merchant’s website: 1. comply with all applicable laws and regulations; 2. comply with the Association Rules; 3. comply with the Payment Card Industry Data Security Standards (PCI DSS), the Payment Application Data Security Standards (PA DSS), and any Card Association data security requirements, as applicable, including without limitation: a. install and maintain a firewall configuration to protect data; b. not use vendor supplied defaults for system passwords and other security parameters; c. protect stored data; d. encrypt transmission of cardholder data and sensitive information across public networks; e. use and regularly update anti-virus software; f. develop and maintain secure systems and applications; g. restrict access to data by business need-to-know; h. assign a unique ID to each person with computer access; i. restrict physical access to cardholder data; j. track and monitor all access to network resources and cardholder data; k. regularly test security systems and procedures; and l. maintain a policy that addresses information security. At PayPal’s request, the Merchant must provide PayPal with evidence to PayPal’s satisfaction that it is in compliance with PCI DSS. The Merchant acknowledges and agrees that nothing in this Card Agreement nor PayPal providing the Services will constitute compliance by the Merchant to the PCI DSS whether via a third party “Qualified Security Assessor” and such compliance services are not provided under the scope of this Card Agreement.
The Merchant must design, maintain and operate its website and other systems in conformity with PCI DSS. PayPal is not responsible for any costs that you incur in complying with PCI DSS. The Merchant agrees to independently arrange, at its own expense, evidence from a Qualified Security Assessor or otherwise to PayPal’s satisfaction. If the Merchant does not initiate a security audit within 10 business days of PayPal’s request, PayPal may conduct or obtain such an audit at the Merchant’s expense. PayPal may advise Shared Customers, if PayPal has reason to believe that a fraud or other illegitimate activity may be occurring or may have occurred, and if PayPal reasonably believes that the fraud or other illegitimate activity may affect those Shared Customers’ PayPal accounts.

Appears in 1 contract

Samples: Online Card Payment Services Agreement


Merchant’s obligations to comply with Data Security requirements. a. The Merchant acknowledges and agrees that it is fully responsible for the security of data on its website or otherwise within its possession or control. b. The Merchant agrees to do the following with respect to its processing of its customers’ personal identifiable information and the collection, security and dissemination of data on the Merchant’s website: i. comply with all applicable laws and regulations; ii. comply with the Association Rules; iii. comply with the Payment Card Industry Data Security Standards (PCI DSS), the Payment Application Data Security Standards (PA DSS), and any Card Association data security requirements, as applicable, including without limitation: a. install and maintain a firewall configuration to protect data; b. not use vendor supplied defaults for system passwords and other security parameters; c. protect stored data; d. encrypt transmission of cardholder data and sensitive information across public networks; e. use and regularly update anti-virus software; f. develop and maintain secure systems and applications; g. restrict access to data by business need-to-know; h. assign a unique ID to each person with computer access; i. restrict physical access to cardholder data; j. track and monitor all access to network resources and cardholder data; k. regularly test security systems and procedures; and l. maintain a policy that addresses information security. iv. At PayPal’s request, the Merchant must provide PayPal with evidence to PayPal’s satisfaction that it is in compliance with PCI DSS. The Merchant acknowledges and agrees that nothing in this Card Agreement nor PayPal providing the Services will constitute compliance by the Merchant to the PCI DSS whether via a third party “Qualified Security Assessor” and such compliance services are not provided under the scope of this Card Agreement.
The Merchant must design, maintain and operate its website and other systems in conformity with PCI DSS. PayPal is not responsible for any costs that you incur in complying with PCI DSS. The Merchant agrees to independently arrange, at its own expense, evidence from a Qualified Security Assessor or otherwise to PayPal’s satisfaction. If the Merchant does not initiate a security audit within 10 business days of PayPal’s request, PayPal may conduct or obtain such an audit at the Merchant’s expense. PayPal may advise Shared Customers, if PayPal has reason to believe that a fraud or other illegitimate activity may be occurring or may have occurred, and if PayPal reasonably believes that the fraud or other illegitimate activity may affect those Shared Customers’ PayPal accounts. v. undertake non penetrative scans (either quarterly or annually depending on the volume of the Merchant’s annual transactions as notified by either PayPal or the Acquiring Institution to the Merchant) of the Merchant’s web accessible ports and an on site audit if the Merchant processes six million Visa and/or MasterCard/Maestro transactions annually which must be completed by a Qualified Security Assessor. For details of Visa and MasterCard Qualified Security Assessors log onto: xxxx://xxx.xxxxxxxxxx.xxx/us/sdp/serviceprovider s/compliant_serviceprovider.html or xxxxx://xxx.xxxxxxxxx xxxxxxxxxxx.xxx/xxxx/xxx_xxx_xxxx.xxx. vi. conspicuously post a privacy policy on the Merchant’s website which complies with the laws, regulations, rules and guidelines referred to in sub-paragraphs 3(b)(i) and 3 (b)(ii) and which is consistent with good business practice; vii. 
notify PayPal of any agent, including any web hosting service, gateway, shopping cart or other third party provider, that has access to cardholder data and ensure that such agent is compliant with PCI DSS and all current legal obligations associated with the collection, security and dissemination of data and the processing of personal information. The Merchant will be liable to PayPal for any and all damages, losses, costs, expenses and/or claims made to, or suffered by, PayPal as a result of a breach by such third parties obligations under this sub-paragraph; viii. provide PayPal with all information or access to records as needed by PayPal to ensure the Merchant’s compliance with this paragraph 3; and ix. notify PayPal immediately of any security breach to the Merchant’s records or system as it relates to the Merchant’s access to, and/or utilisation of the Services. c. The Merchant agrees to not store any personal identification number data, AVS (address verification service) data or card validation codes (for example, the three digit values printed in the signature panel of most cards and the four digit code printed on the front of the American Express card) of any cardholder or any other payment method information of any cardholder (whether received electronically, verbally, by fax, hardcopy or otherwise) and will be liable for any fines associated with the breach of any relevant Association Rule or guidance. d. The Merchant acknowledges and agrees that if PayPal receives notice of a security breach or compromise of cardholder data in connection with the Merchant, the Merchant will allow a third party forensic auditor certified by the Card Associations to conduct a security review of the Merchant’s systems, controls and facilities and to issue a report to PayPal and the Card Associations. If the Merchant fails to initiate such a process after PayPal’s requesting it to do so, the Merchant authorises PayPal to take such action at the Merchant’s expense. e. 
PayPal may immediately suspend the Merchant’s access to or use of any of the Services or terminate without notice this Card Agreement upon notice of the Merchant potentially breaching or breaching any provision set out in this paragraph 3. f. If PayPal suspends your access to or use of any Service, PayPal will set out in a notice to the Merchant and explain the basis of PayPal’s actions in suspending the Merchant, including measures reasonably calculated to rectify the breach. PayPal’s suspension of the Merchant’s access or use of any Services will remain in effect and until such time as PayPal is satisfied that the Merchant has remedied the applicable breach(es).

Appears in 1 contract

Samples: Online Card Payment Services Agreement

Merchant’s obligations to comply with Data Security requirements. a. The Merchant acknowledges and agrees that it is fully responsible for the security of data on its website or otherwise within its possession or control. b. The Merchant agrees to do the following with respect to its processing of its customers’ personal identifiable information and the collection, security and dissemination of data on the Merchant’s website: i. comply with all applicable laws and regulations; ii. comply with the Association Rules; iii. comply with the Payment Card Industry Data Security Standards (PCI DSS), the Payment Application Data Security Standards (PA DSS), and any Card Association data security requirements, as applicable, including without limitation: a. install and maintain a firewall configuration to protect data; b. not use vendor supplied defaults for system passwords and other security parameters; c. protect stored data; d. encrypt transmission of cardholder data and sensitive information across public networks; e. use and regularly update anti-virus software; f. develop and maintain secure systems and applications; g. restrict access to data by business need-to-know; h. assign a unique ID to each person with computer access; i. restrict physical access to cardholder data; j. track and monitor all access to network resources and cardholder data; k. regularly test security systems and procedures; and l. maintain a policy that addresses information security. iv. At PayPal’s request, the Merchant must provide PayPal with evidence to PayPal’s satisfaction that it is in compliance with PCI DSS. The Merchant acknowledges and agrees that nothing in this Card Agreement nor PayPal providing the Services will constitute compliance by the Merchant to the PCI DSS whether via a third party “Qualified Security Assessor” and such compliance services are not provided under the scope of this Card Agreement.
The Merchant must design, maintain and operate its website and other systems in conformity with PCI DSS. PayPal is not responsible for any costs that you incur in complying with PCI DSS. The Merchant agrees to independently arrange, at its own expense, evidence from a Qualified Security Assessor or otherwise to PayPal’s satisfaction. If the Merchant does not initiate a security audit within 10 business days of PayPal’s request, PayPal may conduct or obtain such an audit at the Merchant’s expense. PayPal may advise Shared Customers, if PayPal has reason to believe that a fraud or other illegitimate activity may be occurring or may have occurred, and if PayPal reasonably believes that the fraud or other illegitimate activity may affect those Shared Customers’ PayPal accounts. v. undertake non penetrative scans (either quarterly or annually depending on the volume of the Merchant’s annual transactions as notified by either PayPal or the Acquiring Institution to the Merchant) of the Merchant’s web accessible ports and an on site audit if the Merchant processes six million Visa and/or MasterCard/Maestro transactions annually which must be completed by a Qualified Security Assessor. For details of Visa and MasterCard Qualified Security Assessors log onto: xxxx://xxx.xxxxxxxxxx.xxx/us/sdp/serviceproviders/com pliant_serviceprovider.html or xxxxx://xxx.xxxxxxxxxxxxxxxxxx xx.xxx/xxxx/xxx_xxx_xxxx.xxx. vi. conspicuously post a privacy policy on the Merchant’s website which complies with the laws, regulations, rules and guidelines referred to in sub-paragraphs 3(b)(i) and 3 (b)(ii) and which is consistent with good business practice; vii. 
notify PayPal of any agent, including any web hosting service, gateway, shopping cart or other third party provider, that has access to cardholder data and ensure that such agent is compliant with PCI DSS and all current legal obligations associated with the collection, security and dissemination of data and the processing of personal information. The Merchant will be liable to PayPal for any and all damages, losses, costs, expenses and/or claims made to, or suffered by, PayPal as a result of a breach by such third parties obligations under this sub-paragraph; viii. provide PayPal with all information or access to records as needed by PayPal to ensure the Merchant’s compliance with this paragraph 3; and ix. notify PayPal immediately of any security breach to the Merchant’s records or system as it relates to the Merchant’s access to, and/or utilisation of the Services. c. The Merchant agrees to not store any personal identification number data, AVS (address verification service) data or card validation codes (for example, the three digit values printed in the signature panel of most cards and the four digit code printed on the front of the American Express card) of any cardholder or any other payment method information of any cardholder (whether received electronically, verbally, by fax, hardcopy or otherwise) and will be liable for any fines associated with the breach of any relevant Association Rule or guidance. d. The Merchant acknowledges and agrees that if PayPal receives notice of a security breach or compromise of cardholder data in connection with the Merchant, the Merchant will allow a third party forensic auditor certified by the Card Associations to conduct a security review of the Merchant’s systems, controls and facilities and to issue a report to PayPal and the Card Associations. If the Merchant fails to initiate such a process after PayPal’s requesting it to do so, the Merchant authorises PayPal to take such action at the Merchant’s expense. e. 
PayPal may immediately suspend the Merchant’s access to or use of any of the Services or terminate without notice this Card Agreement upon notice of the Merchant potentially breaching or breaching any provision set out in this paragraph 3. f. If PayPal suspends your access to or use of any Service, PayPal will set out in a notice to the Merchant and explain the basis of PayPal’s actions in suspending the Merchant, including measures reasonably calculated to rectify the breach. PayPal’s suspension of the Merchant’s access or use of any Services will remain in effect and until such time as PayPal is satisfied that the Merchant has remedied the applicable breach(es).

Appears in 1 contract

Samples: Online Card Payment Services Agreement


Merchant’s obligations to comply with Data Security requirements. a. The Merchant acknowledges and agrees that it is fully responsible for the security of data on its website or otherwise within its possession or control. b. The Merchant agrees to do the following with respect to its processing of its customers’ personal identifiable information and the collection, security and dissemination of data on the Merchant’s website: i. comply with all applicable laws and regulations; ii. comply with the Association Rules; iii. comply with the Payment Card Industry Data Security Standards (PCI DSS), the Payment Application Data Security Standards (PA DSS), and any Card Association data security requirements, as applicable, including without limitation: a. install and maintain a firewall configuration to protect data; b. not use vendor supplied defaults for system passwords and other security parameters; c. protect stored data; d. encrypt transmission of cardholder data and sensitive information across public networks; e. use and regularly update anti-virus software; f. develop and maintain secure systems and applications; g. restrict access to data by business need-to-know; h. assign a unique ID to each person with computer access; i. restrict physical access to cardholder data; j. track and monitor all access to network resources and cardholder data; k. regularly test security systems and procedures; and l. maintain a policy that addresses information security. iv. At PayPal’s request, the Merchant must provide PayPal with evidence to PayPal’s satisfaction that it is in compliance with PCI DSS. The Merchant acknowledges and agrees that nothing in this Card Agreement nor PayPal providing the Services will constitute compliance by the Merchant to the PCI DSS whether via a third party “Qualified Security Assessor” and such compliance services are not provided under the scope of this Card Agreement.
The Merchant must design, maintain and operate its website and other systems in conformity with PCI DSS. PayPal is not responsible for any costs that you incur in complying with PCI DSS. The Merchant agrees to independently arrange, at its own expense, evidence from a Qualified Security Assessor or otherwise to PayPal’s satisfaction. If the Merchant does not initiate a security audit within 10 business days of PayPal’s request, PayPal may conduct or obtain such an audit at the Merchant’s expense. PayPal may advise Shared Customers, if PayPal has reason to believe that a fraud or other illegitimate activity may be occurring or may have occurred, and if PayPal reasonably believes that the fraud or other illegitimate activity may affect those Shared Customers’ PayPal accounts. v. undertake non penetrative scans (either quarterly or annually depending on the volume of the Merchant’s annual transactions as notified by either PayPal or the Acquiring Institution to the Merchant) of the Merchant’s web accessible ports and an on site audit if the Merchant processes six million Visa and/or MasterCard/Maestro transactions annually which must be completed by a Qualified Security Assessor. For details of Visa and MasterCard Qualified Security Assessors log onto: xxxx://xxx.xxxxxxxxxx.xxx/us/sdp/serviceproviders/com pliant_serviceprovider.html or xxxxx://xxx.xxxxxxxxxxxxxxxxxx xx.xxx/xxxx/xxx_xxx_xxxx.xxx. vi. conspicuously post a privacy policy on the Merchant’s website which complies with the laws, regulations, rules and guidelines referred to in sub-paragraphs 2(b)(i) and 2(b)(ii) and which is consistent with good business practice; vii. 
notify PayPal of any agent, including any web hosting service, gateway, shopping cart or other third party provider, that has access to cardholder data and ensure that such agent is compliant with PCI DSS and all current legal obligations associated with the collection, security and dissemination of data and the processing of personal information. The Merchant will be liable to PayPal for any and all damages, losses, costs, expenses and/or claims made to, or suffered by, PayPal as a result of a breach by such third parties obligations under this sub-paragraph; viii. provide PayPal with all information or access to records as needed by PayPal to ensure the Merchant’s compliance with this paragraph 2; and ix. notify PayPal immediately of any security breach to the Merchant’s records or system as it relates to the Merchant’s access to, and/or utilisation of the Services. c. The Merchant agrees to not store any personal identification number data, AVS (address verification service) data or card validation codes (for example, the three digit values printed in the signature panel of most cards and the four digit code printed on the front of the American Express card) of any cardholder or any other payment method information of any cardholder (whether received electronically, verbally, by fax, hardcopy or otherwise) and will be liable for any fines associated with the breach of any relevant Association Rule or guidance. d. The Merchant acknowledges and agrees that if PayPal receives notice of a security breach or compromise of cardholder data in connection with the Merchant, the Merchant will allow a third party forensic auditor certified by the Card Associations to conduct a security review of the Merchant’s systems, controls and facilities and to issue a report to PayPal and the Card Associations. If the Merchant fails to initiate such a process after PayPal’s requesting it to do so, the Merchant authorises PayPal to take such action at the Merchant’s expense. e. 
PayPal may immediately suspend the Merchant’s access to or use of any of the Services or terminate without notice this Card Agreement upon notice of the Merchant potentially breaching or breaching any provision set out in this paragraph 2. f. If PayPal suspends your access to or use of any Service, PayPal will set out in a notice to the Merchant and explain the basis of PayPal’s actions in suspending the Merchant, including measures reasonably calculated to rectify the breach. PayPal’s suspension of the Merchant’s access or use of any Services will remain in effect and until such time as PayPal is satisfied that the Merchant has remedied the applicable breach(es).

Appears in 1 contract

Samples: Online Card Payment Services Agreement
