Common use of Payment Card Industry (PCI) Compliance Clause in Contracts

Payment Card Industry (PCI) Compliance. If and to the extent Contractor accepts, transmits, or stores any credit cardholder data or is reasonably determined by County to potentially impact the security of County's cardholder data environment ("CDE"), the following provisions shall apply:
i. Contractor shall comply with the most recent version of the Security Standards Council's Payment Card Industry ("PCI") Data Security Standard ("DSS").
ii. Prior to the Effective Date, after any significant change to the CDE, and annually, Contractor shall provide to County: (a) a copy of their Annual PCI DSS Attestation of Compliance ("AOC"); (b) a written acknowledgement of responsibility for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of County, or to the extent that the service provider could impact the security of County's cardholder data environment; and (c) a PCI DSS responsibility matrix that outlines exactly which PCI DSS controls are the responsibility of the service provider and which controls the service provider shares responsibility for with County.
iii. Contractor shall follow the VISA Cardholder Information Security Program ("CISP") Payment Application Best Practices and Audit Procedures and maintain current validation.
iv. If Contractor subcontracts or in any way outsources the CDE processing, or provides an Application Programming Interface ("API") that redirects or transmits County data to a payment gateway, Contractor is responsible for maintaining PCI compliance for their API and providing the AOC for the subcontractor or payment gateway to County.
v. Mobile payment applications must follow industry best practices such as VISA CISP or Open Web Application Security Project for secure coding and transmission of payment card data.
vi. Contractor agrees that it is responsible for the security of all cardholder data that it possesses, including the functions relating to storing, processing, and transmitting of the cardholder data.
vii. Contractor will immediately notify County if it learns that it is no longer PCI DSS compliant and will immediately provide County the steps being taken to remediate the noncompliant status. In no event should Contractor's notification to County be later than seven (7) calendar days after Contractor learns it is no longer PCI DSS compliant.
viii. Contractor shall enforce automatic disconnect of sessions for remote access technologies after a specific period of inactivity with regard to connectivity into County infrastructure. (PCI 12.3.8)
ix. Contractor shall activate remote access from Subcontractors into County network only when needed by Subcontractors to perform Services, with immediate deactivation after use. (PCI 12.3.9)
x. Contractor shall implement encryption and two-factor authentication for securing remote access (non-console access) from outside the network into County's environment with access to any stored credit card data. (PCI 8.3)
xi. Contractor shall maintain a file integrity monitoring program to ensure critical file system changes are monitored and approved with respect to County data. (PCI 10.5.5)
xii. All inbound and outbound connections to County's CDE must use Transport Layer Security (TLS) 1.2 or current industry equivalent (whichever is higher).

The rates specified below shall be in effect for the entire term of the Agreement, including any renewal or extension term(s), unless otherwise expressly stated below. Any goods or services required under this Agreement for which no specific fee or cost is expressly stated in this Payment Schedule shall be deemed to be included, at no extra cost, within the costs and fees expressly provided for in this Exhibit C.

Appears in 1 contract

Sources: Management Agreement

Payment Card Industry (PCI) Compliance. If and to the extent the Provider Platform accepts, transmits or stores any credit cardholder data or is reasonably determined by County to potentially impact the security of County's cardholder data environment ("CDE"), the following provisions shall apply:
6.1. Provider shall comply with the most recent version of the Security Standards Council's Payment Card Industry ("PCI") Data Security Standard ("DSS").
6.2. Prior to the Effective Date, after any significant change to the CDE, and annually, Provider shall provide to County:
6.2.1. A copy of their Annual PCI DSS Attestation of Compliance ("AOC");
6.2.2. A written acknowledgement of responsibility for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the County, or to the extent that the service provider could impact the security of the county's cardholder data environment.
6.2.3. A PCI DSS responsibility matrix that outlines exactly which PCI DSS controls are the responsibility of the service provider and which controls the service provider shares responsibility for with the County.
6.3. Provider shall follow the VISA Cardholder Information Security Program ("CISP") Payment Application Best Practices and Audit Procedures and maintain current validation.
6.4. If Provider subcontracts or in any way outsources the CDE processing, or provides an API which redirects or transmits County Data to a payment gateway, Provider is responsible for maintaining PCI compliance for their API and providing the AOC for the subcontractor or payment gateway to the County.
6.5. Mobile payment application providers must follow industry best practices such as VISA Cardholder Information Security Program ("CISP") or OWASP for secure coding and transmission of payment card data.
6.6. Provider agrees that it is responsible for the security of all the County's cardholder data that it possesses, including the functions relating to storing, processing, and transmitting of the cardholder data.
6.7. Provider will immediately notify County if it learns that it is no longer PCI DSS compliant and will immediately provide County the steps being taken to remediate the noncompliant status. In no event should Provider's notification to County be later than seven (7) calendar days after Provider learns it is no longer PCI DSS compliant.
6.8. Provider shall enforce automatic disconnect of sessions for remote access technologies after a specific period of inactivity with regard to connectivity into County infrastructure. (PCI 12.3.8)
6.9. Provider shall activate remote access from vendors and business partners into County network only when needed by vendors and partners, with immediate deactivation after use. (PCI 12.3.9)
6.10. Provider shall implement encryption and two-factor authentication for securing remote access (non-console access) from outside the network into the County's environment with access to any stored credit card data. (PCI 8.3)
6.11. Provider shall maintain a file integrity monitoring program to ensure critical file system changes are monitored and approved with respect to County Data. (PCI 10.5.5)
6.12. All inbound and outbound connections to County's CDE must use Transport Layer Security (TLS) 1.2 or current industry equivalent (whichever is higher).

The rates specified below shall be in effect for the entire term of the Agreement, including any renewal or extension term(s), unless otherwise expressly stated below. Any goods or services required under this Agreement for which no specific fee or cost is expressly stated in this Payment Schedule shall be deemed to be included, at no extra cost, within the costs and fees expressly provided for in this Exhibit C.

Appears in 1 contract

Sources: Service Level Agreement

Payment Card Industry (PCI) Compliance. If and to the extent the Contractor Platform accepts, transmits or stores any credit cardholder data or is reasonably determined by County to potentially impact the security of County's cardholder data environment ("CDE"), the following provisions shall apply:
6.1. Contractor shall comply with the most recent version of the Security Standards Council's Payment Card Industry ("PCI") Data Security Standard ("DSS").
6.2. Prior to the Effective Date, after any significant change to the CDE, and annually, Contractor shall provide to County:
6.2.1. A copy of their Annual PCI DSS Attestation of Compliance ("AOC");
6.2.2. A written acknowledgement of responsibility for the security of cardholder data the Contractors possess or otherwise store, process or transmit on behalf of the County, or to the extent that the Contractor could impact the security of the county's cardholder data environment.
6.2.3. A PCI DSS responsibility matrix that outlines exactly which PCI DSS controls are the responsibility of the Contractor and which controls the Contractor shares responsibility for with the County.
6.3. Contractor shall follow the VISA Cardholder Information Security Program ("CISP") Payment Application Best Practices and Audit Procedures and maintain current validation.
6.4. If Contractor subcontracts or in any way outsources the CDE processing, or provides an API which redirects or transmits County Data to a payment gateway, Contractor is responsible for maintaining PCI compliance for their API and providing the AOC for the subcontractor or payment gateway to the County.
6.5. Mobile payment application Contractors must follow industry best practices such as VISA Cardholder Information Security Program ("CISP") or OWASP for secure coding and transmission of payment card data.
6.6. Contractor agrees that it is responsible for the security of all the County's cardholder data that it possesses, including the functions relating to storing, processing, and transmitting of the cardholder data.
6.7. Contractor will immediately notify County if it learns that it is no longer PCI DSS compliant and will immediately provide County the steps being taken to remediate the noncompliant status. In no event should Contractor's notification to County be later than seven (7) calendar days after Contractor learns it is no longer PCI DSS compliant.
6.8. Contractor shall enforce automatic disconnect of sessions for remote access technologies after a specific period of inactivity with regard to connectivity into County infrastructure. (PCI 12.3.8)
6.9. Contractor shall activate remote access from vendors and business partners into County network only when needed by vendors and partners, with immediate deactivation after use. (PCI 12.3.9)
6.10. Contractor shall implement encryption and two-factor authentication for securing remote access (non-console access) from outside the network into the County's environment with access to any stored credit card data. (PCI 8.3)
6.11. Contractor shall maintain a file integrity monitoring program to ensure critical file system changes are monitored and approved with respect to County Data. (PCI 10.5.5)
6.12. All inbound and outbound connections to County's CDE must use Transport Layer Security (TLS) 1.2 or current industry equivalent (whichever is higher).

The rates specified below shall be in effect for the entire term of the Agreement, including any renewal or extension term(s), unless otherwise expressly stated below. Any goods or services required under this Agreement for which no specific fee or cost is expressly stated in this Payment Schedule shall be deemed to be included, at no extra cost, within the costs and fees expressly provided for in this Exhibit C.

Appears in 1 contract

Sources: Transportation Agreement

Payment Card Industry (PCI) Compliance. If and to the extent the Provider Platform accepts, transmits or stores any credit cardholder data or is reasonably determined by County to potentially impact the security of County's cardholder data environment ("CDE"), the following provisions shall apply:
Contractor shall comply with the most recent version of the Security Standards Council's Payment Card Industry ("PCI") Data Security Standard ("DSS").
ii. Prior to the Effective Date, after any significant change to the CDE, and annually, Contractor shall provide to County: a copy of their Annual PCI DSS Attestation of Compliance ("AOC"); and a written acknowledgement of responsibility for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the County, or to the extent that the service provider could impact the security of the county's cardholder data environment. A PCI DSS responsibility matrix that outlines exactly which PCI DSS controls are the responsibility of the service provider and which controls the service provider shares responsibility for with the County.
iii. Contractor shall follow the VISA Cardholder Information Security Program ("CISP") Payment Application Best Practices and Audit Procedures and maintain current validation.
iv. If Contractor subcontracts or in any way outsources the CDE processing, or provides an API which redirects or transmits County Data to a payment gateway, Contractor is responsible for maintaining PCI compliance for their API and providing the AOC for the subcontractor or payment gateway to the County.
Mobile payment application providers must follow industry best practices such as VISA Cardholder Information Security Program ("CISP") or OWASP for secure coding and transmission of payment card data.
vi. Contractor agrees that it is responsible for the security of all the County's cardholder data that it possesses, including the functions relating to storing, processing, and transmitting of the cardholder data.
vii. Contractor will immediately notify County if it learns that it is no longer PCI DSS compliant and will immediately provide County the steps being taken to remediate the noncompliant status. In no event should Contractor's notification to County be later than seven (7) calendar days after Contractor learns it is no longer PCI DSS compliant.
viii. Contractor shall enforce automatic disconnect of sessions for remote access technologies after a specific period of inactivity with regard to connectivity into County infrastructure. (PCI 12.3.8)
ix. Contractor shall activate remote access from vendors and business partners into County network only when needed by vendors and partners, with immediate deactivation after use. (PCI 12.3.9)
x. Contractor shall implement encryption and two-factor authentication for securing remote access (non-console access) from outside the network into the County's environment with access to any stored credit card data. (PCI 8.3)
xi. Contractor shall maintain a file integrity monitoring program to ensure critical file system changes are monitored and approved with respect to County Data.
All inbound and outbound connections to County's CDE must use Transport Layer Security (TLS) 1.2 or current industry equivalent (whichever is higher).

The rates specified below shall be in effect for the entire term of the Agreement, including any renewal or extension term(s), unless otherwise expressly stated below. Any goods or services required under this Agreement for which no specific fee or cost is expressly stated in this Payment Schedule shall be deemed to be included, at no extra cost, within the costs and fees expressly provided for in this Exhibit C.

Appears in 1 contract

Sources: Distribution Agreement

Payment Card Industry (PCI) Compliance. If and to the extent the Contractor Platform accepts, transmits or stores any credit cardholder data or is reasonably determined by County to potentially impact the security of County's cardholder data environment ("CDE"), the following provisions shall apply:
Contractor shall comply with the most recent version of the Security Standards Council's Payment Card Industry ("PCI") Data Security Standard ("DSS").
ii. Prior to the Effective Date, after any significant change to the CDE, and annually, Contractor shall provide to County: A copy of their Annual PCI DSS Attestation of Compliance ("AOC"); A written acknowledgement of responsibility for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the County, or to the extent that the service provider could impact the security of the county's cardholder data environment. A PCI DSS responsibility matrix that outlines exactly which PCI DSS controls are the responsibility of the service provider and which controls the service provider shares responsibility for with the County.
iii. Contractor shall follow the VISA Cardholder Information Security Program ("CISP") Payment Application Best Practices and Audit Procedures and maintain current validation.
iv. If Contractor subcontracts or in any way outsources the CDE processing, or provides an API which redirects or transmits County Data to a payment gateway, Contractor is responsible for maintaining PCI compliance for their API and providing the AOC for the subcontractor or payment gateway to the County.
Mobile payment application providers must follow industry best practices such as VISA Cardholder Information Security Program ("CISP") or OWASP for secure coding and transmission of payment card data.
vi. Contractor agrees that it is responsible for the security of all the County's cardholder data that it possesses, including the functions relating to storing, processing, and transmitting of the cardholder data.
vii. Contractor will immediately notify County if it learns that it is no longer PCI DSS compliant and will immediately provide County the steps being taken to remediate the noncompliant status. In no event should Contractor's notification to County be later than seven (7) calendar days after Contractor learns it is no longer PCI DSS compliant.
viii. Contractor shall enforce automatic disconnect of sessions for remote access technologies after a specific period of inactivity with regard to connectivity into County infrastructure. (PCI 12.3.8)
Contractor shall activate remote access from vendors and business partners into County network only when needed by vendors and partners, with immediate deactivation after use. (PCI 12.3.9)
Contractor shall implement encryption and two-factor authentication for securing remote access (non-console access) from outside the network into the County's environment with access to any stored credit card data. (PCI 8.3)
xi. Contractor shall maintain a file integrity monitoring program to ensure critical file system changes are monitored and approved with respect to County data. (PCI 10.5.5)
xii. All inbound and outbound connections to County's CDE must use Transport Layer Security (TLS) 1.2 or current industry equivalent (whichever is higher).

The rates specified below shall be in effect for the entire term of the Agreement, including any renewal or extension term(s), unless otherwise expressly stated below. Any goods or services required under this Agreement for which no specific fee or cost is expressly stated in this Payment Schedule shall be deemed to be included, at no extra cost, within the costs and fees expressly provided for in this Exhibit C.

Appears in 1 contract

Sources: Software License Agreement