PCI Standards. Bank represents, warrants, and covenants that Bank is presently in compliance with and will remain, at all times during and after the Term during which Bank stores, processes, or transmits Cardholder Information, in compliance with the most recent effective versions of all rules, regulations, standards, and guidelines adopted or required (a) by any entity offering or supporting payment card networks whose Cardholder Information is handled by Bank, and (b) by the Payment Card Industry Security Standards Council (the “Council”), in each case, relating to privacy, data security, or the safeguarding, disclosure, or handling of Cardholder Information, including the Payment Card Industry Data Security Standards, the Payment Card Industry’s Payment Application Data Security Standard, the Payment Card Industry’s PIN Transaction Security requirements, Visa’s Cardholder Information Security Program and Payment Application Best Practices, American Express’s Data Security Operating Policy, MasterCard’s Site Data Protection Program and POS Terminal Security program, and the analogous security programs implemented by other payment card networks, in each case, as amended, updated, replaced, or augmented from time to time (the standards described in this clause (c) being collectively referred to as the “PCI Standards”). Bank will, [***], perform all tasks, assessments, reviews, penetration tests, scans, and other activities required under the PCI Standards (including any compliance guidance related to the PCI Standards issued by the Council, its subordinate bodies, or any successors thereto) and otherwise to validate Bank’s compliance during the Term with the PCI Standards. To the extent that Bank is hosting a system or application which is Internet facing, its PCI attestation of compliance must be performed by a qualified security assessor. 
Bank will deliver to Company copies of all documentation necessary to verify compliance with these requirements (“Verification Documentation”). In the event Company reasonably determines that additional Verification Documentation is required under the PCI Standards or likely to be so required to verify such compliance, including a “Report on Compliance,” and an associated unqualified “Attestation of Compliance,” then, upon Company's request [***], Bank will provide such additional Verification Documentation to Company [***] from Company's request, or the timeframe required for Company to remain compliant, whichever is less. [***], Bank will deliver to Company a copy of the Verification Documentation, applicable to the Cardholder Information environment [***]. [***], Bank will deliver to Company, [***], evidence of a passing vulnerability scan applicable to the Cardholder Information environment conducted within [***]. Bank will [***] notify Company in writing of any exception in a Report on Compliance, Attestation of Compliance, or [***] vulnerability scan if Bank learns that it is no longer PCI Standards compliant or if it reasonably anticipates that it is or will be non-compliant. Such notification will include, in detail, the steps being taken by Bank to remediate such exception or non-compliance.
Appears in 2 contracts
Sources: Private Label Banking Program Agreement (Customers Bancorp, Inc.), Private Label Banking Program Agreement (Customers Bancorp, Inc.)
PCI Standards. Licensor represents, warrants and covenants that Licensor is presently in compliance with, and will remain, at all times during and after the Term during which Licensor stores, processes or transmits Cardholder Information, in compliance with the most recent effective versions of all rules, regulations, standards and guidelines adopted or required (a) by any entity offering or supporting payment card brands (collectively, “Card Brands”) whose Cardholder Information is handled by Licensor, and (b) by the Payment Card Industry Security Standards Council (the “Council”), in either case relating to privacy, data security or the safeguarding, disclosure or handling of Cardholder Information, including the Payment Card Industry Data Security Standards, the Payment Card Industry’s Payment Application Data Security Standard, the Payment Card Industry’s PIN Transaction Security requirements, Visa’s Cardholder Information Security Program and Payment Application Best Practices, American Express’s Data Security Operating Policy, MasterCard’s Site Data Protection Program and POS Terminal Security program, and the analogous security programs implemented by other payment card brands, in each case referenced in this sentence as they may be amended, updated, replaced or augmented from time to time (the standards described in this clause (c) being collectively referred to as the “PCI Standards”). Licensor will, at its own cost and expense, perform all tasks, assessments, reviews, penetration tests, scans and other activities required under the PCI Standards (including any compliance guidance related to the PCI Standards issued by the Council, its subordinate bodies, or any successors thereto) and otherwise to validate Licensor’s compliance during the Term with the PCI Standards.
To the extent that Licensor is hosting a system or application which is Internet facing, its PCI attestation of compliance must be performed by a Qualified Security Assessor. Licensor will deliver to T-Mobile copies of all documentation necessary to verify compliance with these requirements (“Verification Documentation”). In the event T-Mobile reasonably determines that additional Verification Documentation is required under the PCI Standards or likely to be so required to verify such compliance, including a “Report on Compliance,” and an associated unqualified “Attestation of Compliance,” then, upon T-Mobile's request and at no additional charge to T-Mobile, Licensor will provide such additional Verification Documentation to T-Mobile within 30 days from T-Mobile's request, or the timeframe required for T-Mobile to remain compliant, whichever is less. At least annually thereafter, Licensor will deliver to T-Mobile a copy of the Verification Documentation, applicable to the Cardholder Information environment at no additional charge to T-Mobile. On a quarterly basis, Licensor will deliver to T-Mobile at no additional charge to T-Mobile evidence of a passing vulnerability scan applicable to the Cardholder Information environment conducted within the preceding three months. Licensor will immediately notify T-Mobile in writing of any exception in a Report on Compliance, Attestation of Compliance or quarterly vulnerability scan or if it learns that it is no longer PCI Standards compliant, or if it reasonably anticipates that it is or will be non-compliant, and will promptly notify T-Mobile in writing of the steps being taken by Bank to remediate such exception or non-compliance.
Appears in 1 contract
Sources: Wi Fi Network Use Agreement