1.6 Security Standards.

A. MERCHANT agrees it will not disclose to any third party any cardholder account information or other personal information except to their agent assisting in completing a card transaction, or as required by law. MERCHANT must not request or use cardholder account number information for any purpose that MERCHANT knows or should have known to be fraudulent or in violation of the RULES, or for any purpose that the cardholder did not authorize, except to MERCHANT's agent assisting in completing a card transaction, or as required by law. MERCHANT must keep all systems and media containing account, cardholder or transaction information (physical or electronic, including but not limited to account numbers, card imprints, and terminal identification numbers) in a secure manner, to prevent access by or disclosure to anyone other than MERCHANT's authorized personnel. MERCHANT must destroy, in a manner that will render the data unreadable, all such media that MERCHANT no longer deems necessary or appropriate to store (except for Sales Drafts maintained in accordance with this AGREEMENT, LAWS or RULES). Further, MERCHANT must take all steps reasonably necessary to ensure cardholder information is not disclosed or otherwise misused. MERCHANT may not retain or store magnetic stripe, CVV2 or CVC2 data after authorization. MERCHANT must not store, and must ensure that all of MERCHANT's third party providers that have access to cardholder data do not store, magnetic stripe, CVV2 or CVC2 data after a transaction.

B. If MERCHANT uses any third parties who will have access to cardholder data ("Merchant Provider(s)"), or any third party payment application(s) or software, MERCHANT must notify TMS of the identity of the Merchant Provider(s) and/or the name and version of the payment application(s) or software. In addition, MERCHANT must: (1) only allow the Merchant Providers access to the cardholder data for purposes that are authorized by the RULES, (2) have proper security measures in place for the protection of cardholder data, (3) ensure that Merchant Providers have proper security measures in place for the protection of cardholder data, (4) comply with and assure that Merchant Providers comply with the Payment Card Industry ("PCI") Data Security Standard, as amended from time to time, which may be referred to as the Visa Cardholder Information Security Program ("CISP") (found at www.visa.com), the MasterCard Site Data Protection Program ("SDP") (found at www.mastercard.com), Discover Information Security and Compliance ("DISC") (found at http://www.discovernetwork.com/fraudsecurity/disc.html), and the American Express Data Security Operating Policy ("DSOP") (found at https://www209.americanexpress.com/merchant/singlevoice/pdfs/en_US/DSOP_Merchant_US.pdf), and (5) have written agreements with Merchant Providers requiring the compliance set forth herein. MERCHANT will immediately notify TMS of any suspected or confirmed loss or theft of any transaction information, including any loss or theft from a Merchant Provider. MERCHANT is responsible for demonstrating MERCHANT's and Merchant Providers' compliance with the CISP, SDP, DISC, DSOP, and PCI programs, and providing reasonable access to MERCHANT's locations and ensuring Merchant Providers provide reasonable access to their locations to verify MERCHANT's and Merchant Providers' ability to prevent future security violations. Any fees, fines or penalties resulting from non-compliance will be passed through to MERCHANT. MERCHANT agrees to indemnify TMS, BANK and the ASSOCIATIONS against all costs, expenses, damages and/or losses resulting from any breach of security, or loss or theft of information.

C. In addition, in the event of a suspected or confirmed loss or theft of information, MERCHANT agrees, at MERCHANT's cost, to provide all information requested by TMS, BANK, an ASSOCIATION, other financial institutions, or local, state or federal officials in connection with such event and to cooperate in any ensuing investigation. Any information provided in response to such investigation will (as between MERCHANT, TMS, and BANK) be considered TMS's and BANK's confidential information. MERCHANT agrees that TMS or BANK may release to the ASSOCIATIONS, other financial institutions and/or regulatory, local, state or federal officials, any information MERCHANT provides to TMS or BANK in connection with a suspected or confirmed loss or theft of transaction information. The requirements of this provision apply to cardholder data regardless of the medium in which the information is contained and regardless of whether MERCHANT processes transactions via Internet, mail, phone, face-to-face or any other method. Additional information regarding data security may be found at the ASSOCIATIONS' websites.

1.7 Submission by MERCHANT of SALES or participation in SERVICES at any time after seven (7) days from the date of distribution of or publication by the ASSOCIATIONS of amended RULES to MERCHANT shall be evidence that MERCHANT was provided with and/or received access to the amended RULES and has agreed to abide by them.

1.8 If MERCHANT is a healthcare provider or other entity covered by the Health Insurance Portability and Accountability Act of 1996, as amended, and the supporting regulations under 45 C.F.R. Part 160 and 164, as amended, MERCHANT agrees it will not provide TMS and BANK with Personal Healthcare Information (as defined in such act).

2. SPECIFIC OPERATING PROCEDURES:

2.1 MERCHANT agrees that it will comply with all Card Acceptance Procedures in the RULES for each SALE, including, but not limited to the following:

A. MERCHANT agrees that it will obtain and record a valid positive authorization for all SALES in accordance with the RULES before submitting them to TMS for processing;

B. MERCHANT must be able to prove, by evidence of a terminal capture of the magnetic stripe or a signed SALES DRAFT (as defined in the RULES) showing imprint of the CARD, that the CARD was present at the time of SALE, unless specifically set up for Card Not Present transactions; and

C. Failure to read the magnetic stripe on the card may result in a DISCOUNT rate tier downgrade or a CHARGEBACK.

2.2 TMS, BANK and/or third party banks with which TMS or BANK have a relationship are members of certain NETWORKS and are willing to sponsor MERCHANT as a participant in such NETWORKS ("SPONSOR") as set forth in the Merchant Application. Additional NETWORKS may be available from time to time. TMS and BANK do not warrant the continuing availability of any NETWORK. MERCHANT agrees to pay TMS the then current FEES for any NETWORK added or deleted after the effective date of this AGREEMENT.

2.3 MERCHANT agrees to accept valid CARDS of each of the selected NETWORKS and will not impose purchase minimums, maximums, or surcharges, unless specifically allowed by the NETWORKS. MERCHANT agrees to comply with Federal Regulation E and the rules, procedures, fees, assessments, penalties, and other obligations of each NETWORK, as from time to time are in effect.

201108 MTPA Terms and Conditions Page 3 of 35 CONFIDENTIAL