PCI DSS Addendum

1. Payment Card Industry Data Security Standard (“PCI DSS”)

Phoenix NAP, LLC (“PNAP”) provides certain services to Client under our standard Master Services Agreement (“MSA”), and those services involve the potential for exposure to credit card data held by Client. In accordance with PCI DSS, Client may be required to adhere to the Payment Card Industry Data Security Standard (PCI DSS) established by the PCI Security Standards Council. PNAP may possess, transmit, store, or otherwise become exposed to cardholder data in the performance of its services provided to Client, and in such cases is considered a “service provider” under the Requirements of Section 12.8 of the PCI DSS.

Under the requirements set forth in Section 12.8.2 of the PCI DSS, Client shall maintain a written agreement that includes an acknowledgement that the service provider is responsible for the security of cardholder data exposed to the service provider. The requirement of Section 12.8.4 of the PCI DSS stipulates that Client shall maintain a program to monitor the service provider’s PCI DSS compliance status. Furthermore, and notwithstanding the foregoing, Client is ultimately responsible for its PCI compliance. Client must ensure that it shall use the services of PNAP in a compliant manner. In any instances for which Client handles, stores, or transmits cardholder data in any way outside of its proprietary systems, Client must ensure this is done in accordance with PCI DSS regulations.

2. Attestation of Responsibility

With the foregoing being established, PNAP hereby acknowledges, agrees and confirms the following:

  1. PNAP is responsible for the security of cardholder data that we possess, process, transmit or are otherwise exposed to on behalf of Client.
  2. PNAP confirms as of the date of this statement, we have complied with all applicable requirements to be considered PCI DSS compliant, and have performed the necessary steps to validate our compliance with the PCI DSS Standards.
  3. Upon receipt of Client’s request, PNAP shall inform Client of our current PCI DSS compliance status and evidence of our most recent validation of compliance in writing.
  4. PNAP shall inform Client as soon as practically possible in the event that we are no longer PCI DSS compliant and further we will inform Client concerning the steps being taken to remediate the non-compliance status and
  5. PNAP acknowledges that our failure to be and remain PCI DSS compliant will be the grounds for immediate termination of our Agreement without penalty to Client.

v.1; 10132017