If the Principal is providing the Company merchant account information to use the Principal’s merchant account items, the following applies:
- The Company will provide technology for and authorizes the Principal to utilize the technology to interface with the Authorize.net / SafeSave (US & Canadian) / Moneris (Canadian) / BeanStream (Canadian) / Vital / VisaNet / TSYS credit card processing network. In the event that Principal so elects, Principal may choose an alternative payment processor at any time during the Term.
- The Principal authorizes the Company to host the merchant information for purposes of processing credit card payments for sales conducted for the Principal.
- The Company will use its best effort to ensure the security of credit card data and merchant information maintained within the Company system, provided that in any event, such efforts will be compliant with prevailing industry “best practices”. The Company assumes the risk fees and penalties associated with theft and/or loss of credit card related data from the Company system. The Company represents and warrants to the Principal and covenants that (i) at all times during the term of this Agreement the Company will be compliant with the Payment Card Industry Data Security Standards and the Payment Application Data Security Standards, as applicable, and (ii) the Company will use at least industry standard measures to prevent the introduction of any viruses, Trojan horses, malware or any other similar malicious code into the Services.
- The Company will use its best efforts to ensure that no fraudulent or stolen credit cards are used to purchase Tickets or items through the Company’s Systems. The Company assumes the risk of credit card sales and related fees and penalties associated with the use of fraudulent or stolen credit cards provided that in any event, such efforts will be compliant with prevailing industry “best practices”.
- All chargeback disputes and any fees or refunds given due to such action will be the responsibility of the Company.
PCI compliance and security responsibilities
Whereas the Company processes, transmits, and/or stores cardholder data in the performance of services provided to Principal, and is therefore considered a “service provider” under Requirement 12.8 of the PCI DSS; and
Whereas Requirement 12.8.2 of the PCI DSS requires the Principal to maintain a written agreement that includes an acknowledgment that the service provider is responsible for the security of cardholder data that the service provider possesses; and
Whereas Requirement 12.8.4 of the PCI DSS requires the Principal to maintain a program to monitor the service provider’s PCI DSS compliance status;
It is hereby agreed that:
- The Company agrees that it is responsible for the security of cardholder data that it possesses, including the functions relating to storing, processing, and transmitting of the cardholder data.
- The Company affirms that, as of the effective date of this agreement, it has complied with all applicable requirements to be considered PCI DSS compliant, and has performed the necessary steps to validate its compliance with the PCI DSS.
- The Company agrees to supply the Company’s current PCI DSS compliance status, and evidence of its most recent validation of compliance upon request by the Principal.
- The Company will immediately notify Principal if it learns that it is no longer PCI DSS compliant and will immediately provide the Principal with the steps being taken to remediate the non-compliance status. In no event should the Company’s notification to the Principal be later than seven (7) calendar days after the Company learns it is no longer PCI DSS compliant.
- The Company acknowledges that any indemnification provided for under this agreement applies to the failure of the Company to be and to remain PCI DSS compliant.
- The Company maintains documentation on its current PCI DSS credentials (https://agiletix.com/legal-notices).