Security of ePurchasing Card Data.

3.1.1 The Authority requires the Supplier to ensure that Contracting Bodies’ information is kept secure. The Supplier shall ensure that Information Security Accreditation which is provided by Information Security Management System (ISMS) (ISO 27001 or equivalent) which covers the security of data and processes for the ePurchasing Card Solution is maintained throughout the lifetime of the Framework Agreement and any Call Off Agreement.

3.1.2 The Supplier shall safeguard and maintain all transactional data ensuring that confidentiality, integrity and availability to third parties is fully protected, including data from Spend transactions. This includes Contracting Bodies and End User data such as names, address and statement information.

3.1.3 The Supplier shall comply with all the requirements set out in paragraphs 3.1.1 and 3.1.2, ensuring all security accreditation and certifications remain current and valid. Where ISO27001 is not already held by the Supplier, the Supplier shall produce and submit a plan for bringing the assessment to at least the minimum acceptable level which is compatible with ISO27001 as required by the Authority, for the Authority’s approval within 2 months of the Framework Commencement Date and will obtain ISO27001 certification (or agreed equivalent) within 12 months of Framework Commencement Date.

3.1.4 The Supplier shall ensure that any physical Payment Cards issued as part of the ePurchasing Card Solution:

3.1.4.1 conform to all relevant industry / Card Scheme security standards applicable to physical Payment Cards; and

3.1.4.2 include all security features required by industry / Card Scheme standards.

3.1.5 The Supplier (or in the case of a Consortium, the Card Issuer) shall:

3.1.5.1 process all transactions in accordance with both Prudential Regulatory Authority and Financial Conduct Authority regulations;

3.1.5.2 remain authorised and regulated by the Financial Conduct Authority or the Prudential Regulatory Authority to deliver the Services throughout the Framework Period; and

3.1.5.3 immediately notify the Authority if it loses its authorisation and/or is no longer regulated by both the Financial Conduct Authority or the Prudential Regulatory Authority. Failure to do so may result in termination of this agreement.