|
DocuSign Envelope ID: 85A15EAD-F9AE-4B80-8EE6-FBACB34C4780
<br />The use of a Merchant Servicer or Agent or software or systems provided by a Merchant
<br />Servicer or Agent that has connectivity to the Internet poses an increased risk, and Merchant
<br />assumes all liability for such increased risks. If Merchant utilizes software or hardware with
<br />a connection to the Internet such hardware or software interacts in any capacity with the
<br />provision of services contemplated pursuant to this Merchant Agreement, Merchant is solely
<br />liable without limitation for any and all consequences of such interaction.
<br />5.5 Security. Merchant agrees and shall ensure that Merchant Servicers and Agents
<br />utilized by Merchant provide the same levels of security as those required of Merchant, and
<br />that such Merchant Servicers and Agents transmit data in accordance with: (a) the required
<br />format(s) of the Card Associations; (b) the Operating Rules; and (c) the requirements of
<br />Processor and Member Bank. Merchant must have a written contract between Merchant and
<br />its Agent or between Merchant and the Merchant Servicer that stipulates adherence to the
<br />provisions of such information security requirements. Merchant's written contract with any
<br />such third party must contain provisions obligating the third parry to comply with applicable
<br />law, with CISP and SDP and DISC and PCIDSS, PA-DSS, PIN and PED security
<br />requirements if applicable, and all other Card Association requirements pertaining to
<br />confidentiality and security and integrity of Cardholder and Card transaction data, with all
<br />rules prohibiting storage of certain Card transaction data, and with all other applicable
<br />Operating Rules and the requirements of Processor and Member Bank. Merchant will only
<br />allow Merchant Servicers or Agents to have access to cardholder data for the purposes that
<br />are authorized by the Operating Rules. Any fees or liability assessments from actual or
<br />alleged noncompliance will be the sole liability of the Merchant. Merchants processing less
<br />than 1 million annual Visa transactions and using third parties for POS application, terminal
<br />installation and integration must engage Payment Card Industry (PCI) Qualified Integrator
<br />Reseller (QIR) professionals to install, integrate, and support point -of -sale applications and
<br />terminal installation and integration. Merchant shall indemnify and hold Member Bank and
<br />Processor harmless against losses or damages arising from the acts or omissions of Merchant
<br />Servicers or Agents engaged by Merchant.
<br />5.6 Loss or Theft. Merchant must immediately notify Member Bank and Processor
<br />of any suspected or confirmed loss or theft of materials or records that contain Cardholder
<br />Account Numbers or Card Transaction information. In the event of a suspected or confirmed
<br />loss or theft Merchant shall provide immediate access to all facilities, systems, procedures,
<br />equipment, and documents as may be deemed appropriate by Processor and Member Bank
<br />or their designated representatives, regulators or auditors for inspection, audit, and copying
<br />as deemed appropriate by both Member Bank and Processor in their individual sole
<br />discretion. Merchant shall be responsible for all costs associated with such inspection, audit,
<br />and copying however such costs may occur.
<br />5.7 Merchant authorizes Processor to release its name and address to any third party
<br />whom the Processor determines needs to know such information in order for Processor to
<br />perform the Card Program services under this Merchant Agreement and who has requested
<br />such information.
<br />5.8 Merchant will not: (a) provide Cardholder Account Numbers, personal Cardholder
<br />information or Transaction information to anyone except Processor, the Card Associations,
<br />or Merchant's Merchant Servicers or Agents for the purpose of assisting Merchant in
<br />completing Card Transactions, or as specifically required by law; (b) retain or store Card
<br />Magnetic Stripe, CVV, CVV2, CVC2 or CID data (including Track Data) subsequent to
<br />Authorization for a Transaction; (c) sell, purchase, provide or exchange Card Account
<br />Number information to any third party without the Cardholder's consent, or to any entity
<br />other than Merchant's Merchant Servicers or Agents, Processor, the Card Associations, or in
<br />response to valid legal process or subpoena; or (d) release any Cardholder information over
<br />the telephone under any circumstances.
<br />5.9 Merchant may not in any event, including its failure, including bankruptcy,
<br />insolvency, or other suspension of business operations, sell, transfer, or disclose any
<br />materials that contain Cardholder Account Numbers, personal information or Transaction
<br />information to third parties. In the event that Merchant's business fails or ceases to exist,
<br />Merchant is required to return to Processor all such information or provide proof of
<br />destruction of this information to Processor.
<br />5.10 Merchant agrees to establish security procedures to protect Cardholder information
<br />and comply with the Visa Cardholder Information Security Program (CISP), Mastercard's
<br />Site Data Protection (SDP) Program, Discover Information Security Compliance (DISC),
<br />American Express Data Security Requirements, the Payment Card Industry (PCI) Data
<br />Security Standards, and applicable laws pertaining to the privacy and security of personal
<br />information (including, without limitation, and to the extent applicable, those of non-U.S.
<br />governmental authorities). Detailed information about PCI DSS can be found at the PCI
<br />DSS Council's Website: www.peisecuritystandards.org. The Card Associations, Processor
<br />or Member Bank, and their respective representatives, may inspect the premises of Merchant
<br />or any Merchant Servicer or Agent engaged by Merchant for compliance with security
<br />requirements. Merchant acknowledges that any failure to comply with security requirements
<br />may result in the imposition of restrictions on Merchant or the permanent prohibition of
<br />Merchant's participation in Card acceptance programs by the Card Associations. Merchant
<br />shall indemnify and hold Processor and Member Bank harmless against any losses or
<br />damages arising from Merchant's actual or alleged failure to comply with security procedures
<br />and any losses or damages arising from or related to Merchant's acts or omissions that result
<br />in an actual or alleged breach of data security, including but not limited to Merchant's non -
<br />participation in any breach security program Processor may offer.
<br />5.11 Processor acknowledges that it will maintain compliance with all applicable PCI
<br />DSS requirements.
<br />5.12 Federal regulations enacted pursuant to the USA PATRIOT Act and other
<br />applicable laws require financial institutions with which Processor has relationships to verify
<br />the identity of every person who seeks to open an account with a financial institution. As a
<br />result of Merchant's status as an account holder with Member Bank, Merchant shall provide
<br />documentary verification of Merchant's identity, such as a driver's license or passport for an
<br />individual and certified copy of organization documents for an entity in manner acceptable
<br />to Processor and Member Bank. Processor and Member Bank reserve the right to verify
<br />Merchant's identity through other non -documentary methods as Processor and Member
<br />Bank deems appropriate in its sole discretion. Processor and Member Bank may retain a
<br />copy of any document it obtains to verify Merchant's identity with the financial institution.
<br />6. OPERATING RULES.
<br />6.1 Merchant must comply with the Operating Rules, as the same may be amended
<br />from time to time. The Operating Rules may change with little or no advance notice to
<br />Merchant and Merchant will be bound by all such changes. If Merchant objects to any
<br />change in the Operating Rules, it must immediately stop accepting new Transactions for
<br />Cards governed by the change. The Operating Rules will govern in the event that there is
<br />any inconsistency between the Merchant Agreement and the Operating Rules. However,
<br />nothing in the Merchant Agreement shall be construed to impose on Merchant a requirement
<br />(including a requirement under the Operating Rules) which is prohibited by mandatory
<br />provisions of applicable law (i.e., where the applicability of such provisions of law to the
<br />Merchant Agreement, and of the law's prohibition to the particular requirement which
<br />otherwise would be imposed on Merchant hereunder, cannot lawfully be waived by
<br />agreement), but the requirement hereunder shall be construed to continue in effect and to be
<br />imposed on Merchant in all respects and at all times to the fullest extent possible without
<br />violating the law's prohibition, with only those particular applications of the requirement
<br />which would violate the law's prohibition deemed severed from the provisions hereof.
<br />6.2 Operating Rules of the Debit Networks may differ among them with respect to the
<br />Transactions they allow. Processor, at its discretion, may require that the most restrictive
<br />requirements of one Debit Network apply to all of Merchant's On-line Debit Card
<br />Transactions, regardless of Card type.
<br />7. MERCHANT'S BUSINESS; OTHER PROCESSORS.
<br />7.1 Compliance With Laws. Merchant will comply with all applicable federal, state,
<br />and local laws and regulations ("Requirements of Law"), including but not limited to laws
<br />and regulations regarding anti -money laundering compliance, in completing Transactions,
<br />submitting them to Processor, performing its obligations under the Merchant Agreement, and
<br />otherwise conducting its business.
<br />7.2 Change in Name or Business. Merchant will give Member Bank and Processor
<br />at least thirty days' prior written notice before any change in Merchant's name or location,
<br />any change in ownership or management of Merchant's business, any sale, assignment,
<br />rental, lease or transfer of ownership of any location that accepts Cards, or any material
<br />change in information concerning Merchant in the Merchant Application, and material
<br />change in the type or nature of the business carried out by Merchant or otherwise required to
<br />be provided to Processor.
<br />7.3 Other Processors. To the extent permitted by applicable law, Merchant agrees
<br />that it will not participate in a Card Program with another financial institution or processor
<br />without Processor's written approval.
<br />8. CREDIT REPORTS AND OTHER INFORMATION.
<br />8.1 Reports About Merchant. From time to time, Processor may obtain credit and
<br />other information on Merchant, owners and officers of Merchant, any and all personal
<br />guarantors of Merchant, and any signatory to the Merchant Application, from others (such
<br />as customers and suppliers of Merchant, lenders and credit reporting agencies), and furnish
<br />information on Merchant's relationship with Processor and Processor's experience with
<br />Merchant to others seeking the information.
<br />8.2 Reports from Merchant. Merchant will provide Processor with updated business
<br />and financial information concerning Merchant, including financial statements, tax returns,
<br />evidence of required licenses and other information and documents Processor may
<br />reasonably request from time to time. Merchant shall further provide Processor such
<br />information as it may request for the making of insurance claim, regulatory or other filings
<br />related to Merchant's activity pursuant to this Agreement. All material marked "confidential"
<br />which Processor receives from Merchant will be used only by Processor, Member Bank or
<br />Card Association in performing the Card Program services under this Merchant Agreement
<br />or related services and reporting. Processor, Member Bank and any Card Association,
<br />regulator, auditor or any other entity having authority may audit Merchant's records relating
<br />to this Merchant Agreement. Merchant shall provide all documentation, information or other
<br />inspection rights requested by Processor's or Member Bank's regulators or auditors or
<br />otherwise to enable Processor and Member Bank to meet Requirements of Law. Without
<br />limiting the generality of the foregoing, Merchant understands and agrees that if, at the time
<br />of signing this Merchant Agreement Merchant is undergoing a forensic investigation,
<br />Merchant must notify Processor and fully cooperate with the investigation until it is
<br />completed.
<br />8.3 Information. Merchant authorizes Processor to release and use information
<br />collected in connection with Processor's provision of services to the Merchant contemplated
<br />in the Merchant Agreement, to third parties that provide services to Processor or Merchant,
<br />for marketing purposes with third parties with whom Processor has a relationship to offer
<br />products and/or services to merchants, or to any third party that requests and has a reason to
<br />know such information, including but not limited to the Card Associations, and any third
<br />party having regulatory control over any party.
<br />9. ASSIGNMENT; BANKRUPTCY.
<br />9.1 Assignment. The Merchant Agreement is binding upon the successors and assigns
<br />of Processor, Member Bank and Merchant. Merchant will not assign or transfer (including
<br />by merger, change of control or operation of law) the Merchant Agreement (in whole or in
<br />part) to another person or entity without Processor and Member Bank's prior written consent
<br />Page 4 of 10 UNIVMERAGMT v22.0421
<br />
|