Common use of PA DSS REQUIREMENTS Clause in Contracts

PA DSS REQUIREMENTS. Contractor represents and warrants that software applications it provides for the purpose of processing payments, particularly credit card payments, are developed in accordance with and are in compliance with the standards known as Payment Application Data Security Standards (PA-DSS). As verification of this, the Contractor agrees to provide evidence that any such application it provides is certified as complying with these standards and agrees to continue to maintain that certification. The evidence may be provided in the form of the PA DSS form if the contractor self- certified, or a copy of the PA QSA if the Contractor was certified by an external party. If the contractor is unable to provide a copy of the PA DSS form of the PA QSA letter, the contractor must provide the CSU with proof of bonded insurance listing the CSU as the beneficiary in the case of a security breach. If during the term of the Agreement, Contractor undergoes, or has reason to believe that it will undergo, an adverse change in its certification or compliance status with the PA DSS standards and/or other material payment card industry standards, it will promptly notify the CSU of such circumstances. Contractor agrees promptly to provide, annual or at the request of the CSU, current evidence, in form and substance reasonably satisfactory to the CSU, of compliance with PA-DSS security standards which has been properly certified by an authority recognized by the payment card industry for that purpose. Contractor shall indemnify and hold CSU harmless from loss or damages resulting from Contractor’s failure to maintain PA-DDS security standards in accordance with this section.

PA DSS REQUIREMENTS. Contractor represents and warrants that software applications it provides for the purpose of processing payments, particularly credit card payments, are developed in accordance with and are in compliance with the standards known as Payment Application Data Security Standards (PA-DSS). As verification of this, the Contractor agrees to provide evidence that any such application it provides is certified as complying with these standards and agrees to continue to maintain that certification. The evidence may be provided in the form of the PA DSS form if the contractor self- certified, or a copy of the PA QSA if the Contractor was certified by an external party. If the contractor is unable to provide a copy of the PA DSS form of the PA QSA letter, the contractor must provide the CSU with proof of bonded insurance listing the CSU as the beneficiary in the case of a security breach. If during the term of the Agreement, Contractor undergoes, or has reason to believe that it will undergo, an adverse change in its certification or compliance status with the PA DSS standards and/or other material payment card industry standards, it will promptly notify the CSU of such circumstances. Contractor agrees promptly to provide, annual or at the request of the CSU, current evidence, in form and substance reasonably satisfactory to the CSU, of compliance with PA-DSS security standards which has been properly certified by an authority recognized by the payment card industry for that purpose. Contractor shall indemnify and hold CSU harmless from loss or damages resulting from Contractor’s failure to maintain PA-DDS security standards in accordance with this section.. CSU Information Security Requirements Supplemental Provisions - CSU General Provisions for Information Technology Acquisitions 7 Revised 08/11/20

PA DSS REQUIREMENTS. Spear MC Rider D, Page 6 of 7 Contractor represents and warrants that software applications it provides for the purpose of processing payments, particularly credit card payments, are developed in accordance with and are in compliance with the standards known as Payment Application Data Security Standards (PA-DSS). As verification of this, the Contractor agrees to provide evidence that any such application it provides is certified as complying with these standards and agrees to continue to maintain that certification. The evidence may be provided in the form of the PA DSS form if the contractor self- certified, or a copy of the PA QSA if the Contractor was certified by an external party. If the contractor is unable to provide a copy of the PA DSS form of the PA QSA letter, the contractor must provide the CSU with proof of bonded insurance listing the CSU as the beneficiary in the case of a security breach. If during the term of the Agreement, Contractor undergoes, or has reason to believe that it will undergo, an adverse change in its certification or compliance status with the PA DSS standards and/or other material payment card industry standards, it will promptly notify the CSU of such circumstances. Contractor agrees promptly to provide, annual or at the request of the CSU, current evidence, in form and substance reasonably satisfactory to the CSU, of compliance with PA-DSS security standards which has been properly certified by an authority recognized by the payment card industry for that purpose. Contractor shall indemnify and hold CSU harmless from loss or damages resulting from Contractor’s failure to maintain PA-DDS security standards in accordance with this section.