Common use of Payment Card Industry (PCI) Compliance Clause in Contracts

Payment Card Industry (PCI) Compliance. If and to the extent the Provider Platform accepts, transmits or stores any credit cardholder data of County or is reasonably determined by County to potentially impact the security of County’s cardholder data environment (“CDE”), the following provisions shall apply: Contractor shall comply with the most recent version of the Security Standards Council’s Payment Card Industry (“PCI”) Data Security Standard (“DSS”). Prior to the Effective Date, after any significant change to the CDE, and annually, Contractor shall provide to County: (a) a copy of their Annual PCI DSS Attestation of Compliance (“AOC”); and (b) a written acknowledgement of responsibility for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the County, or to the extent that the service provider could impact the security of the County’s cardholder data environment. Contractor shall also provide a PCI DSS responsibility matrix that outlines exactly which PCI DSS controls are the responsibility of the service provider and for which controls the service provider shares responsibility with the County. Contractor shall follow the VISA Cardholder Information Security Program (“CISP”) Payment Application Best Practices and Audit Procedures and maintain current validation. If Contractor subcontracts or in any way outsources the CDE processing, or provides an API which redirects or transmits County Data to a payment gateway, Contractor is responsible for maintaining PCI compliance for their API and providing the AOC for the subcontractor or payment gateway to the County. Mobile payment application providers must follow industry best practices such as VISA Cardholder Information Security Program (“CISP”) or OWASP for secure coding and transmission of payment card data.
Contractor agrees that it is responsible for the security of the County’s cardholder data that it possesses, including the functions relating to storing, processing, and transmitting of the cardholder data. Contractor will immediately notify County if it learns that it is no longer PCI DSS compliant and will immediately provide County the steps being taken to remediate the noncompliant status. In no event should Contractor’s notification to County be later than seven (7) calendar days after Contractor learns it is no longer PCI DSS compliant. Contractor shall enforce automatic disconnect of sessions for remote access technologies after a specific period of inactivity with regard to connectivity into County infrastructure. Contractor shall activate remote access from vendors and business partners into County network only when needed by vendors and partners, with immediate deactivation after use. Contractor shall implement encryption and two-factor authentication for securing remote access (non-console access) from outside the network into the County’s environment with access to any stored credit card data. Contractor shall maintain a file integrity monitoring program to ensure critical file system changes are monitored and approved with respect to County Data. All inbound and outbound connections to County’s CDE must use Transport Layer Security (TLS) 1.2 or current industry equivalent (whichever is higher).

Appears in 1 contract

Samples: Distribution Agreement


Payment Card Industry (PCI) Compliance. If and to the extent the Contractor Platform accepts, transmits or stores any credit cardholder data of County or is reasonably determined by County to potentially impact the security of County’s cardholder data environment (“CDE”), the following provisions shall apply: Contractor shall comply with the most recent version of the Security Standards Council’s Payment Card Industry (“PCI”) Data Security Standard (“DSS”). Prior to the Effective Date, after any significant change to the CDE, and annually, Contractor shall provide to County: (a) A copy of their Annual PCI DSS Attestation of Compliance (“AOC”); and (b) A written acknowledgement of responsibility for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the County, or to the extent that the service provider could impact the security of the County’s cardholder data environment. Contractor shall also provide a PCI DSS responsibility matrix that outlines exactly which PCI DSS controls are the responsibility of the service provider and for which controls the service provider shares responsibility with the County. Contractor shall follow the VISA Cardholder Information Security Program (“CISP”) Payment Application Best Practices and Audit Procedures and maintain current validation. If Contractor subcontracts or in any way outsources the CDE processing, or provides an API which redirects or transmits County Data to a payment gateway, Contractor is responsible for maintaining PCI compliance for their API and providing the AOC for the subcontractor or payment gateway to the County. Mobile payment application providers must follow industry best practices such as VISA Cardholder Information Security Program (“CISP”) or OWASP for secure coding and transmission of payment card data.
Contractor agrees that it is responsible for the security of the County’s cardholder data that it possesses, including the functions relating to storing, processing, and transmitting of the cardholder data. Contractor will immediately notify County if it learns that it is no longer PCI DSS compliant and will immediately provide County the steps being taken to remediate the noncompliant status. In no event should Contractor’s notification to County be later than seven (7) calendar days after Contractor learns it is no longer PCI DSS compliant. Contractor shall enforce automatic disconnect of sessions for remote access technologies after a specific period of inactivity with regard to connectivity into County infrastructure. (PCI 12.3.8) Contractor shall activate remote access from vendors and business partners into County network only when needed by vendors and partners, with immediate deactivation after use. (PCI 12.3.9) Contractor shall implement encryption and two-factor authentication for securing remote access (non-console access) from outside the network into the County’s environment with access to any stored credit card data. Contractor shall maintain a file integrity monitoring program to ensure critical file system changes are monitored and approved with respect to County Data. All inbound and outbound connections to County’s CDE must use Transport Layer Security (TLS) 1.2 or current industry equivalent (whichever is higher). PCI 8.

Appears in 1 contract

Samples: Software License Agreement

Payment Card Industry (PCI) Compliance. If and to the extent the Provider Platform accepts, transmits or stores any credit cardholder data of County or is reasonably determined by County to potentially impact the security of County's cardholder data environment ("CDE"), the following provisions shall apply:
6.1. Provider shall comply with the most recent version of the Security Standards Council's Payment Card Industry ("PCI") Data Security Standard ("DSS").
6.2. Prior to the Effective Date, after any significant change to the CDE, and annually, Provider shall provide to County:
6.2.1. A copy of their Annual PCI DSS Attestation of Compliance ("AOC");
6.2.2. A written acknowledgement of responsibility for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the County, or to the extent that the service provider could impact the security of the County's cardholder data environment.
6.2.3. A PCI DSS responsibility matrix that outlines exactly which PCI DSS controls are the responsibility of the service provider and for which controls the service provider shares responsibility with the County.
6.3. Provider shall follow the VISA Cardholder Information Security Program ("CISP") Payment Application Best Practices and Audit Procedures and maintain current validation.
6.4. If Provider subcontracts or in any way outsources the CDE processing, or provides an API which redirects or transmits County Data to a payment gateway, Provider is responsible for maintaining PCI compliance for their API and providing the AOC for the subcontractor or payment gateway to the County.
6.5. Mobile payment application providers must follow industry best practices such as VISA Cardholder Information Security Program ("CISP") or OWASP for secure coding and transmission of payment card data.
6.6. Provider agrees that it is responsible for the security of the County's cardholder data that it possesses, including the functions relating to storing, processing, and transmitting of the cardholder data.
6.7. Provider will immediately notify County if it learns that it is no longer PCI DSS compliant and will immediately provide County the steps being taken to remediate the noncompliant status. In no event should Provider's notification to County be later than seven (7) calendar days after Provider learns it is no longer PCI DSS compliant.
6.8. Provider shall enforce automatic disconnect of sessions for remote access technologies after a specific period of inactivity with regard to connectivity into County infrastructure. (PCI 12.3.8)
6.9. Provider shall activate remote access from vendors and business partners into County network only when needed by vendors and partners, with immediate deactivation after use. (PCI 12.3.9)
6.10. Provider shall implement encryption and two-factor authentication for securing remote access (non-console access) from outside the network into the County's environment with access to any stored credit card data. (PCI 8.3)
6.11. Provider shall maintain a file integrity monitoring program to ensure critical file system changes are monitored and approved with respect to County Data. (PCI 10.5.5)
6.12. All inbound and outbound connections to County's CDE must use Transport Layer Security (TLS) 1.2 or current industry equivalent (whichever is higher).

Appears in 1 contract

Samples: Service Level Agreement

Payment Card Industry (PCI) Compliance. If and to the extent the Contractor Platform accepts, transmits or stores any credit cardholder data of County or is reasonably determined by County to potentially impact the security of County’s cardholder data environment (“CDE”), the following provisions shall apply:
6.1. Contractor shall comply with the most recent version of the Security Standards Council’s Payment Card Industry (“PCI”) Data Security Standard (“DSS”).
6.2. Prior to the Effective Date, after any significant change to the CDE, and annually, Contractor shall provide to County:
6.2.1. A copy of their Annual PCI DSS Attestation of Compliance (“AOC”);
6.2.2. A written acknowledgement of responsibility for the security of cardholder data Contractors possess or otherwise store, process or transmit on behalf of the County, or to the extent that the Contractor could impact the security of the County’s cardholder data environment.
6.2.3. A PCI DSS responsibility matrix that outlines exactly which PCI DSS controls are the responsibility of the Contractor and for which controls the Contractor shares responsibility with the County.
6.3. Contractor shall follow the VISA Cardholder Information Security Program (“CISP”) Payment Application Best Practices and Audit Procedures and maintain current validation.
6.4. If Contractor subcontracts or in any way outsources the CDE processing, or provides an API which redirects or transmits County Data to a payment gateway, Contractor is responsible for maintaining PCI compliance for their API and providing the AOC for the subcontractor or payment gateway to the County.
6.5. Mobile payment application Contractors must follow industry best practices such as VISA Cardholder Information Security Program (“CISP”) or OWASP for secure coding and transmission of payment card data.
6.6. Contractor agrees that it is responsible for the security of the County’s cardholder data that it possesses, including the functions relating to storing, processing, and transmitting of the cardholder data.
6.7. Contractor will immediately notify County if it learns that it is no longer PCI DSS compliant and will immediately provide County the steps being taken to remediate the noncompliant status. In no event should Contractor’s notification to County be later than seven (7) calendar days after Contractor learns it is no longer PCI DSS compliant.
6.8. Contractor shall enforce automatic disconnect of sessions for remote access technologies after a specific period of inactivity with regard to connectivity into County infrastructure. (PCI 12.3.8)
6.9. Contractor shall activate remote access from vendors and business partners into County network only when needed by vendors and partners, with immediate deactivation after use. (PCI 12.3.9)
6.10. Contractor shall implement encryption and two-factor authentication for securing remote access (non-console access) from outside the network into the County’s environment with access to any stored credit card data. (PCI 8.3)
6.11. Contractor shall maintain a file integrity monitoring program to ensure critical file system changes are monitored and approved with respect to County Data. (PCI 10.5.5)
6.12. All inbound and outbound connections to County’s CDE must use Transport Layer Security (TLS) 1.2 or current industry equivalent (whichever is higher).

Appears in 1 contract

Samples: Transportation Agreement


Payment Card Industry (PCI) Compliance. If and to the extent the Contractor accepts, transmits, or stores any credit cardholder data of County or is reasonably determined by County to potentially impact the security of County's cardholder data environment ("CDE"), the following provisions shall apply:
i. Contractor shall comply with the most recent version of the Security Standards Council's Payment Card Industry ("PCI") Data Security Standard ("DSS").
ii. Prior to the Effective Date, after any significant change to the CDE, and annually, Contractor shall provide to County:
(a) A copy of their Annual PCI DSS Attestation of Compliance ("AOC");
(b) A written acknowledgement of responsibility for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the County, or to the extent that the service provider could impact the security of the County's cardholder data environment.
(c) A PCI DSS responsibility matrix that outlines exactly which PCI DSS controls are the responsibility of the service provider and for which controls the service provider shares responsibility with the County.
iii. Contractor shall follow the VISA Cardholder Information Security Program ("CISP") Payment Application Best Practices and Audit Procedures and maintain current validation.
iv. If Contractor subcontracts or in any way outsources the CDE processing, or provides an Application Programming Interface ("API") that redirects or transmits County data to a payment gateway, Contractor is responsible for maintaining PCI compliance for their API and providing the AOC for the subcontractor or payment gateway to the County.
v. Mobile payment applications must follow industry best practices such as VISA CISP or Open Web Application Security Project (OWASP) for secure coding and transmission of payment card data.
vi. Contractor agrees that it is responsible for the security of all cardholder data that it possesses, including the functions relating to storing, processing, and transmitting of the cardholder data.
vii. Contractor will immediately notify County if it learns that it is no longer PCI DSS compliant and will immediately provide County the steps being taken to remediate the noncompliant status. In no event should Contractor's notification to County be later than seven (7) calendar days after Contractor learns it is no longer PCI DSS compliant.
viii. Contractor shall enforce automatic disconnect of sessions for remote access technologies after a specific period of inactivity with regard to connectivity into County infrastructure. (PCI 12.3.8)
ix. Contractor shall activate remote access from Subcontractors into County network only when needed by Subcontractors to perform Services, with immediate deactivation after use. (PCI 12.3.9)
x. Contractor shall implement encryption and two-factor authentication for securing remote access (non-console access) from outside the network into the County's environment with access to any stored credit card data. (PCI 8.3)
xi. Contractor shall maintain a file integrity monitoring program to ensure critical file system changes are monitored and approved with respect to County data. (PCI 10.5.5)
xii. All inbound and outbound connections to County's CDE must use Transport Layer Security (TLS) 1.2 or current industry equivalent (whichever is higher).

Appears in 1 contract

Samples: Management Agreement
