Other Operational Requirements. [based upon Xxxxxx’s proposal]

A. For purposes of this subsection, the term "Cardholder Data" means personally identifiable data about the cardholder (i.e., the plastic card number, card expiration date in combination with the plastic card number, cardholder name in combination with the plastic card number and/or sensitive authentication data (track data/magnetic stripe, verification numbers CVV2, CVC2, CID, and PIN Block)). This term also accounts for other personal insights gathered about the cardholder (i.e., addresses, telephone numbers, and so on), assigned by the card issuer that identifies the cardholder's account or other cardholder personal information. For purposes of this section, a "Tenant" means any person or entity that stores, processes, transmits or otherwise is permitted access to Cardholder Data, while performing the Permitted Uses authorized in this Lease. Customer Information shall include cardholder data and such other customer information as may be defined elsewhere in this Lease.

B. As a Merchant or Service Provider as defined by the PCI Security Council, Tenant must be familiar with and adhere to the Payment Card Industry Data Security Standards (PCI DSS). This requirement includes, but is not limited to, full compliance with the twelve (12) DSS Security Standards as published by the PCI Security Standards Council at all times. The current standards may be found at xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/index.php. Tenant is responsible for keeping informed about any and all modifications to the PCI DSS, and shall validate yearly compliance with PCI DSS by completing the appropriate Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) and accompanying Attestation of Compliance (AOC). Tenant must provide a copy of the compliance validation documentation to San Francisco International Airport Revenue Development and Management office every 12 months.

Should any assessment result in evidence of non-compliance with PCI DSS standards, Tenant shall immediately: (1) provide written notification to the Airport regarding the specific compliance failures and a Remediation Action Plan Tenant intends to undertake to come into compliance; and (2) immediately remediate operations to come into compliance.

i. Tenant represents and warrants that it shall implement and maintain Payment Card Industry Data Security Standard Requirements ("PCI Data Security Standard Requirements") for Cardholder Data, as they may be amended by the PCI Security Standards Council from time to time. The current PCI Data Security Standard Requirements are available on the following internet site: xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/. As evidence of compliance with PCI DSS, Tenant shall provide current evidence of compliance with these data security standards certified by a third party authority recognized by the payment card industry for that purpose.

ii. Tenant shall maintain and protect in accordance with all applicable federal, state, local and PCI laws, rules and regulations the security of all Cardholder Data when performing the Permitted Uses under this Lease. Tenant will use reasonable precautions, including but not limited to, physical, software and network security measures, employee screening, training, and supervision and appropriate agreements with employees, to prevent anyone other than City or its authorized employees from monitoring, using, gaining access to or learning the import of the Cardholder Data; protect appropriate copies of Cardholder Data from loss, corruption or unauthorized alteration; and prevent the disclosure of passwords and other access control information to anyone.

iii. Tenant shall indemnify, defend, protect and hold City harmless from and against any and all claims, losses, damages, notices and expenses, including without limitation, any fines which City may be required to pay, which result from Tenant’s breach of the provisions of this Section. Without limiting the generality of the foregoing, it is expressly agreed that if City pays any fine in connection with a breach by Tenant of the provisions of this Section, the foregoing indemnity obligation shall require Tenant to reimburse City the full amount of such fine within thirty (30) days of City delivering written notice to Tenant of City's payment of such fine. Tenant, at its sole cost and expense, shall fully cooperate with any investigation of any data loss or other breach of Tenant’s obligations under this Section.

iv. The use of Cardholder Data is specifically restricted to only those applications directly pertaining to payments, including transaction authentication, or as required by applicable law.

v. If there is a breach or intrusion of, or otherwise unauthorized access to Cardholder Data stored at or for Tenant, Tenant shall immediately notify City and the acquiring financial institution, in the manner required by the PCI Data Security Standard Requirements, and provide City and the acquiring financial institution and their respective designees access to Tenant’s facilities and all pertinent records to conduct an audit of Tenant’s compliance with the PCI Data Security Standard Requirements. Tenant shall fully cooperate with any audits of their facilities and records provided for in this paragraph. Any costs incurred as a result of the breach or audit shall be the responsibility of Tenant.

vi. Tenant shall maintain appropriate business continuity procedures and systems to ensure availability and security of Cardholder Data in the event of a disruption, disaster or failure of Tenant’s primary data systems.

vii. Tenant's and its successors' and assigns' compliance with the PCI Data Security Standard Requirements expressly survives termination or expiration of this Lease.

viii. Destruction of Cardholder Data must be completed in accordance with section 9 of the PCI DSS.

KNOW ALL MEN BY THESE PRESENT: That we, , as Principal, and , a corporation duly organized and existing under and by virtue of the laws of the State of , as Surety, are held and firmly bound unto the City and County of San Francisco, acting by and through its Airport Commission, as Obligee, in the sum of Dollars