Cardholder Data Security Clause Samples

The Cardholder Data Security clause establishes requirements for protecting sensitive payment card information handled by a party. It typically mandates the implementation of security measures such as encryption, restricted access, and compliance with industry standards like PCI DSS when processing, storing, or transmitting cardholder data. This clause serves to minimize the risk of data breaches and unauthorized access, thereby safeguarding both the cardholders and the parties involved from financial loss and reputational harm.
Cardholder Data Security. To the extent applicable, each of the parties shall be required to comply at all times with the Payment Card Industry Data Security Standard Program (“PCI-DSS”) in effect and as may be amended from time to time during the term of the Agreement. The current PCI-DSS specifications are available on the PCI Security Standards Council website which may be amended or modified at any time: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇.
Cardholder Data Security. With respect to the Program, from and after the Effective Date, Company and Bank shall, each at its own cost and expense except to the extent otherwise provided therein, comply with the information security and business continuity requirements set forth in Schedule 6.4. At a minimum, the parties shall transmit, store and process Cardholder Data in accordance with Applicable Law, Network Rules, Payment Card Industry Data Security Standards and the then-current security rules and requirements of the Network, all as applicable to the Program. [*] Without limiting the foregoing, Company and Bank will each establish, maintain and implement (and require each of its subcontractors receiving Cardholder Data or Company Guest Data to establish, maintain and implement) an information security program, including appropriate administrative, technical and physical safeguards, that is designed to meet the objectives of the Interagency Guidelines Establishing Standards for Safeguarding Information Security Data and any other Applicable Law governing data security, including the objectives of (v) ensuring the security and confidentiality of the Cardholder Data, (w) protecting against any anticipated threats or hazards to the security or integrity of the Cardholder Data, (x) protecting against unauthorized access to or modification, destruction, disclosure, use or disposal of, or access to, Cardholder Data, (y) ensuring the proper disposal of Cardholder Data, and (z) in the event of a security breach involving Cardholder Data, ensuring that the party suffering such breach notifies affected Cardholders, Applicants and other individuals, and Governmental Authorities, in each case insofar as required by and otherwise in compliance with Applicable Law and Network Rules. [*]
Cardholder Data Security. (A) Each Party acknowledges and agrees that this Amended Program Manager Agreement constitutes an agreement for Manager to perform services for ▇▇▇▇▇▇ Bank as contemplated in Title V of GLBA and the Privacy Regulations. Without limiting the generality of the terms of this Amended Program Manager Agreement, Manager and Processor each agree that they shall protect the privacy of Cardholder Data to at least the same extent that ▇▇▇▇▇▇ Bank must maintain that confidentiality under GLBA and the Privacy Regulations. Without limiting the generality of the foregoing sentence, except as otherwise provided in any Program Schedule, neither Manager nor Processor shall: (i) use any Cardholder Data except to perform its obligations under this Amended Program Manager Agreement (unless such Cardholder Data is used for Manager’s internal business purposes), or (ii) disclose any Cardholder Data other than to: (a) any Network or any other entity to which disclosure is necessary in connection with the processing of a Transaction; (b) a Third Party Service Provider in connection with a permitted use of such Cardholder Data under this Section 8.1, provided that each such Third Party Service Provider agrees in writing to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any person other than ▇▇▇▇▇▇ Bank, Manager or Processor, except as required by Applicable Law or any Regulatory Authority (after giving ▇▇▇▇▇▇ Bank, Manager or Processor, as applicable, prior notice and an opportunity to defend against such disclosure) or as permitted under ▇▇▇▇▇▇ Bank’s Privacy Policy; provided, further, that each such Third Party Service Provider maintains, and agrees in writing to maintain, an information security program that is designed to protect Cardholder Data and information related to Transactions, and which complies with the requirements under the Network Rules, including but not limited to the requirement for such Third Party Service Provider, upon termination of any of its associated Card Programs, to securely destroy all Cardholder Data in its possession associated with such Card Program as quickly as circumstances permit in accordance with best industry practices and provide a written notice to ▇▇▇▇▇▇ Bank that the destruction of the Cardholder Data has been completed; (c) its employees, consultants, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardhol...
Cardholder Data Security. Provider has implemented technical and organizational measures designed to secure Merchant’s Customer’s personal information from accidental loss and from unauthorized access, use, alteration or disclosure; however, Provider cannot guarantee that unauthorized third parties will never be able to defeat those measures or use Merchant’s, or Merchant’s Customers’, personal information for improper purposes. a) Restriction on distribution of credit account numbers via unencrypted messaging technologies, such as email, instant messaging, etc. b) Installation of anti-virus software that updates automatically. c) Installation of all operating system patches, such as Windows Updates, in a timely manner to protect Merchant’s system from known vulnerabilities. d) All Cardholder Data or deposit account information that may be used in phone orders should be entered directly into Provider’s system and should not be recorded. Should hard copy data be received by Merchant, it should be destroyed immediately after receipt in a manner such that reconstruction is not practically possible (shredding, incineration, pulping, etc.). Any materials that are not immediately destroyed must be secured.
Cardholder Data Security. Licensee acknowledges that to the extent it receives cardholder data in connection with the Agreement, Licensee is responsible for the security of the cardholder data Licensee possesses and Licensee will comply with current Payment Card Industry (“PCI”) Data Security Standards (as updated by PCI from time to time). In the event of a data breach of Sears Card cardholder information involving Licensee or Licensee’s environment, Licensee will notify Sears within 24 hours of an identified breach and cooperate fully with Sears, PCI, and government officials in any review or forensic investigation of Licensee’s environment and processes.
Cardholder Data Security. You agree you are fully responsible for the security of data collected through your website or otherwise in your possession or control including cardholder data. Cardholder data is any personally identifiable information associated with an individual's credit card or debit card, including Primary Account Numbers (PAN), cardholder name, expiration date, or service code. You expressly agree to comply with the PCI and to provide validation of compliance to Faithlife upon request.

Related to Cardholder Data Security

  • Data Security The Provider agrees to utilize administrative, physical, and technical safeguards designed to protect Student Data from unauthorized access, disclosure, acquisition, destruction, use, or modification. The Provider shall adhere to any applicable law relating to data security. The Provider shall implement an adequate Cybersecurity Framework based on one of the nationally recognized standards set forth in Exhibit “F”. Exclusions, variations, or exemptions to the identified Cybersecurity Framework must be detailed in an attachment to Exhibit “H”. Additionally, Provider may choose to further detail its security programs and measures that augment or are in addition to the Cybersecurity Framework in Exhibit “F”. Provider shall provide, in the Standard Schedule to the DPA, contact information of an employee who ▇▇▇ may contact if there are any data security concerns or questions.

  • Privacy and Data Security (a) In the prior three (3) years, the Company and its Subsidiaries have been in compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole. (b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data. 
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments. (d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data. 
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each of the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systems.

  • Data Security and Unauthorized Data Release The Requester and Approved Users, including the Requester’s IT Director, acknowledge NIH’s expectation that they have reviewed and agree to manage the requested controlled-access dataset(s) and any Data Derivatives of controlled-access datasets according to NIH’s expectations set forth in the current NIH Security Best Practices for Controlled-Access Data Subject to the GDS Policy and the Requester’s IT security requirements and policies. The Requester, including the Requester’s IT Director, agree that the Requester’s IT security requirements and policies are sufficient to protect the confidentiality and integrity of the NIH controlled-access data entrusted to the Requester. If approved by NIH to use cloud computing for the proposed research project, as outlined in the Research and Cloud Computing Use Statements of the Data Access Request, the Requester acknowledges that the IT Director has reviewed and understands the cloud computing guidelines in the NIH Security Best Practices for Controlled-Access Data Subject to the NIH GDS Policy. The Requester and PI agree to notify the appropriate DAC(s) of any unauthorized data sharing, breaches of data security, or inadvertent data releases that may compromise data confidentiality within 24 hours of when the incident is identified. As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully. Within 3 business days of the DAC notification, the Requester agrees to submit to the DAC(s) a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent further problems, including specific information on timelines anticipated for action. 
The Requester agrees to provide documentation verifying that the remediation plans have been implemented. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures affecting the Requester. NIH, or another entity designated by NIH may, as permitted by law, also investigate any data security incident or policy violation. Approved Users and their associates agree to support such investigations and provide information, within the limits of applicable local, state, tribal, and federal laws and regulations. In addition, Requester and Approved Users agree to work with the NIH to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable law.

  • Privacy and Security (a) Each of the Company and its Subsidiaries complies (and requires and monitors the compliance of applicable third parties) in all material respects with all applicable Laws relating to privacy or data security, and reputable industry practice, standards, self-governing rules and policies and their own published, posted and internal agreements and policies (which are in conformance with reputable industry practice) (all of the foregoing collectively, “Privacy Laws”) with respect to: (i) personally identifiable information (including name, address, telephone number, electronic mail address, social security number, bank account number or credit card number), sensitive personal information and any special categories of personal information regulated thereunder or covered thereby (“Personal Information”), whether any of same is accessed or used by the Company or any of its Subsidiaries or any of their respective business partners; and (ii) non-personally identifiable information, whether any of same is accessed or used by the Company or any of its Subsidiaries or any of their respective business partners. (b) Neither the Company nor any of its Subsidiaries uses, collects, or receives any Personal Information or sensitive non-personally identifiable information and does not become aware of the identity or location of, or identify or locate, any particular Person as a result of any receipt of such Personal Information, in a manner which would materially breach or violate any Privacy Laws and materially and adversely impact the business of the Company and its Subsidiaries, taken as a whole. (c) To the Company’s knowledge, Persons with which the Company or any of its Subsidiaries have contractual relationships have not breached any agreements or any Privacy Laws pertaining to Personal Information and to non-personally identifiable information. 
(d) To the Company’s knowledge, the Company and its Subsidiaries take all commercially reasonable steps to protect the operation, confidentiality, integrity and security of their respective business systems and websites and all information and transactions stored or contained therein or transmitted thereby against any unauthorized or improper use, access, transmittal, interruption, modification or corruption, and there have been no material breaches of same. Without limiting the generality of the foregoing, each of the Company and its Subsidiaries (i) uses industry standard encryption technology and (ii) has implemented a comprehensive security plan that (1) identifies internal and external risks to the security of the Company’s or its Subsidiaries’ confidential information and Personal Information and (2) implements, monitors and improves adequate and effective safeguards to control those risks.

  • Data Security Requirements Without limiting Contractor’s obligation of confidentiality as further described in this Contract, Contractor must establish, maintain, and enforce a data privacy program and an information and cyber security program, including safety, physical, and technical security and resiliency policies and procedures, that comply with the requirements set forth in this Contract and, to the extent such programs are consistent with and not less protective than the requirements set forth in this Contract and are at least equal to applicable best industry practices and standards (NIST 800-53).