PCI Compliance. 13.1 Supplier shall at all times, for as long as Supplier impacts the security of the University’s cardholder data environment, or stores, processes, handles or transmits cardholder data in any manner or in any format on behalf of the University, comply with all applicable requirements of the current version of the Payment Card Industry Data Security Standard (“PCI DSS”) for cardholder data that is prescribed by the Payment Card Industry Security Standards Council, as it may be amended from time to time. The most current versions of the PCI DSS requirements documentation are available at the PCI Security Standards Council website, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/.
13.2 Supplier must be designated by Visa as a Level 1 Supplier and be listed in Visa’s Global Registry of service providers. Service providers that self-assess their PCI compliance are not eligible to become a PCI Supplier for the University. Supplier shall validate compliance with PCI DSS as required, and shall have provided appropriate documentation to the University before the Agreement is signed and upon request by the University thereafter, at least annually, for as long as services are provided. Validation instructions and documentation are available at the PCI Security Standards Council website, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/. Supplier must notify the University of any failure to comply with the PCI-DSS requirements.
13.3 Supplier acknowledges and agrees that cardholder data may only be used for assisting in completing a card transaction, for fraud control services, for loyalty programs, or as specifically agreed to by the card associations or as required by applicable law. Supplier is solely responsible for the security of cardholder data in its possession, or in the possession of a third-party retained by Supplier. In the event of unauthorized access to cardholder data which occurs during the access, storage, processing, or transmission of cardholder data by the Supplier, or by a third-party retained by Supplier, Supplier shall immediately notify the University, which shall not be more than forty-eight (48) hours after becoming aware of such unauthorized access.
13.4 In the event of unauthorized access to cardholder data which occurs during access, storage, processing, or transmission of cardholder data by the Supplier, or by a third-party retained by Supplier, Supplier will pay all fees, cost escalations, assessments, tariffs, penalties or fines that may be imposed under the Card Association Rules. Supplier further agrees to pay all other expenses that may be incurred by the University related to such unauthorized access.
13.5 Without limiting Supplier’s obligations of indemnification as further described in this Agreement, Supplier must indemnify, defend, and hold harmless the University for any and all claims, including reasonable attorneys’ fees, costs, and incidental expenses, which may be suffered by, accrued against, charged to, or recoverable from the University in connection with unauthorized access to cardholder data which occurs during access, storage, processing, or transmission of cardholder data by the Supplier, or by a third-party retained by Supplier.
Appears in 3 contracts
Samples: Master Service Agreement, Master Service Agreement, Master Service Agreement
PCI Compliance. 13.1 Credit Card Data (PCI–DSS Compliance) - Supplier certifies that their Information Technology practices conform to and meet Payment Card Industry Data Security Standard (PCI DSS) requirements as defined by The Payment Card Industry Security Standards Council (PCI SSC) at: xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx. Supplier will monitor these PCI DSS requirements and its own Information Technology practices and will notify Rutgers within five (5) business days if its IT practices do not conform to such requirements. If Supplier is unable to conform its Information Technology practices to the PCI DSS requirements within 30 days of its notification of nonconformity to Rutgers, Rutgers shall have the right to terminate this Agreement. Supplier will provide either a letter of certification to attest to meeting this requirement or, if subject to PCI DSS or Payment Application Data Security Standard (PA-DSS), appropriate validation documentation as defined by the PCI SSC. Supplier agrees that it may (1) create, (2) receive from or on behalf of Rutgers, or (3) have access to, payment card records or record systems containing cardholder data including credit card numbers, cardholder names, service codes or expiration dates (collectively, "Cardholder Data") and shall accept responsibility for such Cardholder Data that Supplier has in its possession in accordance with PCI-DSS Requirement. Supplier shall comply with all applicable Payment Card Industry Data Security Standard (“PCI DSS”) requirements for Cardholder Data that are prescribed by the PCI SSC member card brands, as they may be amended from time to time (collectively, the "PCI DSS Requirements").
13.2 Supplier must be designated by Visa as a Level 1 Supplier and be listed in Visa’s Global Registry of service providers. Service providers that self-assess their PCI compliance are not eligible to become a PCI Supplier for the University. Supplier shall validate compliance with PCI DSS as required, and shall have provided appropriate documentation to the University before the Agreement is signed and upon request by the University thereafter, at least annually, for as long as services are provided. Validation instructions and documentation are available at the PCI Security Standards Council website, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/. Supplier must notify the University of any failure to comply with the PCI-DSS requirements.
13.3 Supplier acknowledges and agrees that Cardholder Data may only be used for assisting in completing a card transaction, for fraud control services, for loyalty programs, or as specifically agreed to by PCI SSC member card brands, for purposes of the Agreement or as required by applicable law. Supplier is solely responsible for the security of cardholder data in its possession, or in the possession of a third-party retained by Supplier. In the event of unauthorized access to cardholder data which occurs during the access, storage, processing, or transmission of cardholder data by the Supplier, or by a third-party retained by Supplier, Supplier shall immediately notify the University, which shall not be more than forty-eight (48) hours after becoming aware of such unauthorized access.
13.4 In the event of unauthorized access to cardholder data which occurs during access, storage, processing, or transmission of cardholder data by the Supplier, or by a third-party retained by Supplier, Supplier will pay all fees, cost escalations, assessments, tariffs, penalties or fines that may be imposed under the Card Association Rules. Supplier further agrees to pay all other expenses that may be incurred by the University related to such unauthorized access.
13.5 Without limiting Supplier’s obligations of indemnification as further described in this Agreement, Supplier must indemnify, defend, and hold harmless the University for any and all claims, including reasonable attorneys’ fees, costs, and incidental expenses, which may be suffered by, accrued against, charged to, or recoverable from the University in connection with unauthorized access to cardholder data which occurs during access, storage, processing, or transmission of cardholder data by the Supplier, or by a third-party retained by Supplier.
Appears in 2 contracts
Samples: Purchase Order, Purchase Order
PCI Compliance. 13.1 Supplier shall at all times, for as long as Supplier impacts the security of the University’s cardholder data environment, or stores, processes, handles or transmits cardholder data in any manner or in any format on behalf of the University, comply with all applicable requirements of the current version of the Payment Card Industry Data Security Standard (“PCI DSS”) for cardholder data that is prescribed by the Payment Card Industry Security Standards Council, as it may be amended from time to time. The most current versions of the PCI DSS requirements documentation are available at the PCI Security Standards Council website, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/.
13.2 Supplier must be designated by Visa as a Level 1 Supplier and be listed in Visa’s Global Registry of service providers. Service providers that self-assess their PCI compliance are not eligible to become a PCI Supplier for the University. Supplier shall validate compliance with PCI DSS as required, and shall have provided appropriate documentation to the University before the Agreement is signed and upon request by the University thereafter, at least annually, for as long as services are provided. Validation instructions and documentation are available at the PCI Security Standards Council website, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/. Supplier must notify the University of any failure to comply with the PCI-DSS requirements.
13.3 Supplier acknowledges and agrees that cardholder data may only be used for assisting in completing a card transaction, for fraud control services, for loyalty programs, or as specifically agreed to by the card associations or as required by applicable law. Supplier is solely responsible for the security of cardholder data in its possession, or in the possession of a third-party retained by Supplier. In the event of unauthorized access to cardholder data which occurs during the access, storage, processing, or transmission of cardholder data by the Supplier, or by a third-party retained by Supplier, Supplier shall immediately notify the University, which shall not be more than forty-eight (48) hours after becoming aware of such unauthorized access.
13.4 In the event of unauthorized access to cardholder data which occurs during access, storage, processing, or transmission of cardholder data by the Supplier, or by a third-party retained by Supplier, Supplier will pay all fees, cost escalations, assessments, tariffs, penalties or fines that may be imposed under the Card Association Rules. Supplier further agrees to pay all other expenses that may be incurred by the University related to such unauthorized access.
13.5 Without limiting Supplier’s obligations of indemnification as further described in this Agreement, Supplier must indemnify, defend, and hold harmless the University for any and all claims, including reasonable attorneys’ fees, costs, and incidental expenses, which may be suffered by, accrued against, charged to, or recoverable from the University in connection with unauthorized access to cardholder data which occurs during access, storage, processing, or transmission of cardholder data by the Supplier, or by a third-party retained by Supplier.
Appears in 2 contracts
Samples: Master Service Agreement, Master Services Agreement
PCI Compliance. 13.1 As Distributor have access to customer credit card information, including, but not limited to, the credit card number assigned by the card issuer that identifies the cardholder’s account or other cardholder personal information (the “Cardholder Data”), Distributor hereby acknowledges, and agrees to comply with the following obligations with respect to the security of such Cardholder Data:
(a) Distributor shall comply with those certain card acceptance requirements set forth at the website referenced below (the “PCI-DSS Requirements”), as may be periodically updated, and the requirements set forth herein (or as periodically specified by Company) for the handling of Cardholder Data, including but not limited to submission of any relevant documentation and participation in audits with respect to compliance with PCI-DSS Requirements. Distributor hereby agrees to access the PCI-DSS Requirements at xxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx; and periodically review such site for any updates to the PCI Requirements. Notwithstanding the foregoing, Company shall provide to Distributor copies of any PCI-DSS Requirements information provided to Company’s other customers.
(b) Distributor acknowledges and agrees that Cardholder Data may only be used for assisting in completing a card transaction, for fraud control services, for loyalty programs, or as specifically agreed to by the card associations, Company, or as required by applicable law.
(c) In the event of a breach or intrusion of or otherwise unauthorized access to Cardholder Data stored at or for Distributor, Distributor shall immediately notify Company, in manner required in PCI-DSS Requirements, and provide the applicable institution and their respective designees access to Distributor’s Locations and all pertinent records to conduct a review of Distributor’s compliance with these requirements. Distributor shall fully cooperate with any reviews of Distributor’s facilities and records provided for in this paragraph.
(d) Distributor shall maintain appropriate business continuity procedures and systems to ensure security of Cardholder Data in the event of a disruption, disaster or failure of Distributor’s primary data systems. Distributor shall provide access to its security systems and procedures, as reasonably requested by Company.
(e) To the extent Distributor’s conversion of Card Processing Services from Company to Distributor or Distributor’s implementation of the Card Processing Solution may impact Company’s compliance with PCI-DSS Requirements, Distributor will submit such intended action to Company prior to institution of such action. Company will submit such intended action to its Qualified Security Assessor for review. Distributor will follow the guidance of such Qualified Security Assessor in the implementation of such action.
(f) During the 24-month transition period, initial PCI obligations of the parties and PCI cooperation obligations are set forth in the TSA.
Appears in 1 contract