$100,000 for all covered expenses arising out of, or related to a MID per twelve (12) month period Per MID EMV Upgrade Costs Sublimit: $10,000

Transcription

1 Terms and Conditions Merchant Data Security Insurance Voyager Indemnity Insurance Company A Stock Insurance Company Quail Roost Drive, Miami, FL (305) (herein referred to as Company, We, Us and Our) PLAN AGGREGATE LIMIT Per Merchant Limit of Insurance: $500,000 for all covered expenses arising out of, or related to a merchant per twelve (12) month period Per Merchant EMV Upgrade Costs Sublimit: $25,000 Per MID Limit of Insurance: $100,000 for all covered expenses arising out of, or related to a MID per twelve (12) month period Per MID EMV Upgrade Costs Sublimit: $10,000 Eligible Merchants are Level 1, 2, 3 and 4 Merchants not levied a PCI Assessment, unless reinstated upon completion of PCI Certification. All security event expenses and post event service expenses resulting from the same, continuous, related or repeated data security events shall be subject to the terms, conditions, exclusions and limits of insurance in effect at the time of the first such data security event is first discovered by the policyholder or merchant MERCHANT DATA SECURITY BENEFIT SUMMARY Subject to the limits of liability, exclusions, conditions, and other terms of these Terms and Conditions, we agree with the policyholder as follows: 1. We shall pay, on behalf of the merchant, security event expenses and post event services expenses which the merchant is contractually obligated to pay to the claimant under one or more merchant agreements as a result of a data security event; provided always that the data security event is discovered during an eligible policy period. In no event shall we be obligated to pay security event expenses or post event services expenses after the applicable Limit(s) of Liability has been exhausted by payment of security event expenses and post event services expenses. 2. We shall have the right to investigate, contest, defend, appeal and/or settle any security event expenses or post event services expenses (other than forensic audit expenses) assessed or otherwise brought by any party as it deems expedient. We shall have the right, but not the obligation, to defend the policyholder or the merchant against any legal action or proceeding. 3. To report a Data Security event under the Plan, visit the web-site DEFINITIONS ADCR Fines means amounts contractually assessed against a merchant or the policyholder by a card association to cover partial collection of losses experienced by a bank card issuer as a result of a data security event, including the Account Data Compromise Recovery process and similar processes. Acquiring Bank means a financial institution that accepts or acquires payment transactions for the products or services on behalf of a merchant performed using a card issued by itself or another financial institution. Bank Card means a financial transaction card, including a debit card, credit card or prepaid card, issued by a card association or financial institution as a member of a card association. Cardholder means a natural person or entity to which a bank card has been issued. Page 1

2 Cardholder Information means the data contained on a bank card, or otherwise provided to a merchant, that is required by the card association or the policyholder in order to process, approve and/or settle a bank card transaction. Card Association means each of Visa International, MasterCard Worldwide, Discover Financial Services, JCB, American Express and any similar credit or debit card association that is a participating organization of the PCI Security Standards Council. Card Association Assessment means a monetary assessment, fee, fine or penalty levied against a merchant or the policyholder by a card association as the result of (i) a data security event or (ii) a security assessment conducted as the result of a data security event. The card association assessment shall not exceed the maximum monetary assessment, fee, fine or penalty permitted upon the occurrence of a data security event by the applicable rules or agreement in effect as of the inception date of the policy period for such card association. Card association assessment also means compliance case costs and ADCR fines. Card association assessment does not include chargeback recovery, fines or expenses assessed directly against a merchant. Card Replacement Expenses means the costs that the policyholder or a merchant are required to pay by the card association to replace compromised bank cards as the result of (i) a data security event or (ii) a security assessment conducted as the result of a data security event. Chargeback means the procedure by which a bank card transaction is returned to a merchant which is then responsible for the amount of such transaction. Claimant means either a: 1. card association or acquiring bank assessing PCI assessments, related costs and/or card replacement costs against the merchant; or 2. qualified security assessor incurring and seeking reimbursement for authorized mandatory forensic audit expenses Making demand for security event expense or post event services expense reimbursement from the merchant of such amounts. Claimant shall also include such party that has assumed the role by payment of contractually obligated security event expenses or post event services expenses against the merchant. Compliance Case Costs means costs and expenses incurred by a card issuer in monitoring and addressing bank card accounts which are reasonably believed to be compromised or at risk as a result of a data security event and for which reimbursement is requested pursuant to rules of a card association. Compliance case costs do not include chargeback amounts. Data Security Event means the actual or suspected unauthorized access to or use of cardholder information, arising out of a merchant s possession of or access to such cardholder information, which has been reported (i) to a card association by a merchant or the policyholder or (ii) to the merchant or the policyholder by a card association. All security event expenses and post event services expenses resulting from the same, continuous, related or repeated event or which arise from the same, related or common nexus of facts will be deemed to arise out of one data security event. Date of Discovery, Discovered, or Discovery means the date appearing on the first formal written notification by the card association (including case number) to either the acquiring bank, independent sales organization (ISO) or merchant of a data security event at the merchant level or a request for a mandatory forensic audit. Eligible Merchant means the eligible PCI compliance levels, specified on the Declarations Page of this Policy, as defined by the PCI compliance level assigned by the card association, not levied a PCI Assessment (unless reinstated upon completion of PCI Certification) reported by the policyholder on the monthly premium reporting schedule. Eligible merchant does not include merchants that are categorized as a Level 1 merchant as a result of a hack or an attack that resulted in an account data compromise, or that the card association, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk until an eligible PCI Compliance Level, as specified on the Declarations Page of this Policy, is subsequently attained, maintained or reacquired by such merchant. Forensic Audit Expenses means the costs of a security assessment conducted by a qualified security assessor approved by a card association or the PCI Security Standards Council to determine the cause and extent of a data security event. Merchant means a sole proprietorship, partnership, corporation (including affiliates and subsidiaries), limited liability company, holding company or other legal entity (regardless of the number of MID s held) properly authorized by a Page 2

3 independent sales organization (ISO), merchant service provider, acquiring bank, or other PCI compliant system vendor approved by an acquiring bank to provide bank card processing services, to enter and secure approval for bank card transactions. When applicable, merchant also means each entity that enters into a Service Agreement with the policyholder and for which said Service Agreement is submitted and approved by us. MID means a Merchant Identification Number, which is a unique number assigned to a location where a merchant accepts bank cards for payment Notice Period means the sixty (60) day period of time the policyholder or merchant shall have to notify us that a data security event has occurred. The notice period shall commence immediately upon first discovery of the data security event by the policyholder or merchant. PCI Assessment means any written demand against the merchant, policyholder or acquiring bank by the card association for monetary assessments or fines due to the merchant s non-compliance with accepted PCI Data Security Standards that result in a data compromise incurred by the merchant. PCI Compliance Level means the Payment Card Industry compliance level assigned by the card association based, in part, upon annual transaction volume. For clarification purposes, the customary definitions for PCI Compliance Levels as defined by Visa are: PCI Compliance Level 1: any merchant, regardless of acceptance channel processing over 6,000,000 transactions per year or has been subject to a data compromise or whom the card association determines should meet Level 1 requirements to minimize risk to the card system. PCI Compliance Level 2: any merchant, regardless of acceptance channel processing 1,000,000 to 6,000,000 transactions per year. PCI Compliance Level 3: any merchant processing 20,000 to 1,000,000 e-commerce transactions per year. PCI Compliance Level 4: any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants regardless of acceptance channel processing up to 1,000,000 transactions per year. PCI Data Security Standards means generally accepted and published Payment Card Industry standards for data security (DSS), including but not limited to the following objectives: a. Install and maintain a firewall configuration to protect cardholder data; b. Do not use vendor-supplied defaults for system passwords and other security parameters; c. Protect store cardholder data; d. Encrypt transmission of cardholder data across open, public networks; e. Use and regularly update anti-virus software; f. Develop and maintain secure systems and applications; g. Restrict access to cardholder data by business need-to-know; h. Assign a unique ID to each person with computer access; i. Restrict physical access to cardholder data; j. Track and monitor all access to network resources and cardholder data; k. Regularly test security systems and processes; and l. Maintain a policy that addresses information. Policy means the blanket Policy issued to the policyholder and any endorsements attached hereto, together, when applicable, with the Service Agreements any attachments thereto and material incorporated therein. Policy Period means the period of time commencing at 12:00 a.m. on the effective date specified on the Declarations Page of this Policy and ending at 12:00 a.m. on the earlier of either the expiration date specified on the Declarations Page of this Policy or the effective date of cancellation of this Policy. Policyholder means North American Data Security Program, LLC and Verifone, Inc.as a participating organization. Page 3

4 Pollutants means, but are not limited to, any solid, liquid, gaseous, biological, radiological or thermal irritant or contaminant, including smoke, vapor, dust, fibers, mold, spores, fungi, germs, soot, fumes, asbestos, acids, alkalis, chemicals and waste. Waste includes, but is not limited to, materials to be recycled, reconditioned or reclaimed and nuclear materials. Post Event Services Expenses means reasonable fees and expenses incurred by the policyholder or a merchant with our prior written consent, for any service specifically approved by us in writing, including without limitation, identity theft education and assistance and credit file monitoring. Such services must be provided by or on behalf of the policyholder or a merchant within one (1) year following discovery of a data security event covered under these Terms and Conditions, to a cardholder whose cardholder information is the subject of that data security event for the primary purpose of mitigating the effects of such data security event. Security Event Expenses means card association assessments, forensic audit expenses and card replacement expenses. We, Us and Our means the insurer issuing this Policy. DUTIES IN THE EVENT OF A DATA SECURITY EVENT A. Before coverage will apply, the policyholder or merchant shall notify us in writing as soon as practicable within the notice period of any actual or alleged data security event first discovered by the policyholder or merchant during the policy period. Notice must include: 1. the name of the merchant and all MIDs alleged to have been breached; 2. a description of the data security event; 3. the number of cardholders affected by the data security event; and 4. a copy of all notices and correspondence from the policyholder, the merchant, or a card association concerning the data security event. B. Under all circumstances, the policyholder or merchant shall not admit any liability, assume any financial obligation, pay any money, or incur any expense in connection with any data security event without our prior written consent. If the policyholder or merchant does, it will be at the policyholder s or merchant s own expense. C. The policyholder and merchant shall take reasonable steps to prevent a data security event and to mitigate the loss arising out of a data security event, including without limitation, following the procedures required by a card association in the event of a data security event. In all events, no policyholder or merchant shall take any action, or fail to take any action, without our prior written consent, which prejudices our rights under these Terms and Conditions. ADDITIONAL OBLIGATIONS In addition to all other duties and obligations contained elsewhere in these Terms and Conditions: A. The policyholder and merchant shall allow us to examine and audit all of its records that relate to this coverage. We may conduct the audits during regular business hours during the policy period and within three (3) years after the policy period or the Service Agreement between the relevant merchant and the policyholder ends, whichever occurs first. B. The policyholder and merchant shall also be responsible for the giving and receiving of any notice under this coverage, including, but not limited to, notice of a data security event and any claim arising out of such, and the reporting of any merchant categorized as a Level 1 merchant by the card association for a reason other than transaction volume. EXCLUSIONS Coverage shall not apply to: A. a data security event known or discovered outside of the policy period; B. a merchant that is not an eligible merchant; C. any data security event caused by or resulting, directly or indirectly, from an act, error or omission of the policyholder, including, without limitation, (i) the disclosure of any cardholder information by the policyholder, its employees or any Page 4

5 person or entity to whom the policyholder provides cardholder information, or (ii) any failure of the policyholder s or merchant s security, computer system or payment processing network; provided however, this exclusion does not apply to the actual or alleged failure of the policyholder or merchant to monitor the operations of, or the security procedures or computer systems used by, any merchant; D. any security event expenses and post event services expenses arising out of or resulting from a claim, suit, action or proceeding against the policyholder or a merchant that is brought by or on behalf of any federal, state or local government agency; E. any data security event relating to a merchant which has experienced a prior data security event unless such merchant was later certified as PCI compliant by a qualified security assessor; F. any data security event arising out of a merchant allowing any party (other than its employees or the policyholder) to hold or access cardholder information; G. any data security event involving: (i) a merchant categorized by any card association as Level 1 by the card association for a reason other than transaction volume or (ii) a merchant that is not an eligible merchant as set forth in the Plan Aggregate Limit section of these Terms and Conditions; H. any expenses, other than security event expenses and post event services expenses, incurred by the policyholder or a merchant, arising out of or resulting, directly or indirectly, from a data security event, including without limitation, expenses incurred to bring a merchant into compliance with the PCI Data Security Standard or any similar security standard; I. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from physical injury, sickness, disease, disability, shock or mental anguish sustained by any person, including without limitation, required care, loss of services or death at any time resulting there from; J. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from any of the following: 1. fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, an act of God or any other physical event, however caused; 2. strikes or similar labor action, war, invasion, act of foreign enemy, hostilities or warlike operations (whether declared or not), civil war, mutiny, civil commotion assuming the proportions of or amounting to a popular rising, military rising, insurrection, rebellion, revolution, military or usurped power, or any action taken to hinder or defend against these actions; or 3. electrical or mechanical failures, including any electrical power interruption, surge, brownout or blackout; a failure of telephone lines, data transmission lines, satellites or other infrastructure comprising or supporting the internet, unless such lines or infrastructure were under the policyholder s operational control; I. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from the presence of or the actual, alleged or threatened discharge, dispersal, release or escape of pollutants (including nuclear materials), or any direction or request to test for, monitor, clean up, remove, contain treat, detoxify or neutralize pollutants, or in any way respond to or assess the effects of pollutants; J. any data security event that was not properly reported to us during the notice period; K. any data security event discovered before the effective date of the Service Agreement between the relevant merchant and the policyholder, or after the termination of such Service Agreement, if applicable; L. any expenses incurred for, or as a result of, regularly scheduled, recurring or routine security assessments, regulatory examinations, inquiries or compliance activities; Page 5

6 M. any (i) gaining of a profit or advantage to which the policyholder or merchant is not legally entitled; or (ii) the policyholder s or merchant s expenses or charges, including employee compensation and benefits, overhead, over-charges or cost over-runs; N. any liability or obligation of the policyholder or merchant under any contract or agreement; however, this exclusion shall not apply to (i) liability the policyholder or merchant would have in the absence of such contract or agreement, (ii) liability or obligation under any customer processing agreement with a merchant, or (iii) any agreement with a card association relating to the merchant s processing and settling of transactions involving bank cards issued or authorized by such card association; O. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from the infringement of copyright, patent, trademark, trade secret or other intellectual property rights; P. any security event expenses, and post event services expenses alleging, arising out of or resulting, directly or indirectly, from any discrimination against any person or entity on any basis, including but not limited to: race, creed, color, religion, ethnic background, national origin, age, handicap, disability, sex, sexual orientation or pregnancy; Q. any fines or assessment levied against the policyholder or a merchant that are not the direct result of any data security event; R. any data security event arising out of any software not within the control of the merchant; provided, however, this exclusion shall not apply to a data security event arising out of a virus, Trojan horse or other software used by a third party to obtain fraudulent access to data on a merchant s computer system or to collect data in transit to or from a merchant s computer system; or S. any data security event arising out of a breach in a computer system in which multiple merchants, with no legal relationship to one another, have hosted accounts or share a common database, operating system or software applications. LIMITS OF INSURANCE A. The most we shall pay for the total of all security event expenses and post event services expenses arising out of or related to any merchant is the Per Merchant Limit of Insurance set forth in the Plan Aggregate Limit section of these Terms and Conditions, regardless of the number of data security events first discovered by the policyholder or merchant during the policy period and reported to us within the notice period. B. The most we shall pay for the total of all security event expenses and post event services expenses arising out of or related to any MID is the Per MID Limit of Insurance set forth in the Plan Aggregate Limit section of these Terms and Conditions, regardless of the number of data security events first discovered by the policyholder or merchant during the policy period and reported to us within the notice period. C. All security event expenses and post event service expenses resulting from the same, continuous, related or repeated data security events shall be subject to the terms, conditions, exclusions and limits of insurance of the Policy issued to the policyholder in effect at the time of the first such data security event is first discovered by the policyholder or merchant. OTHER PROVISIONS A. Concealment, Misrepresentation or Fraud No coverage will be provided for, any security event expenses and post event services expenses arising out of or resulting, directly or indirectly, from any dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law, if committed by the policyholder s or merchant s: 1. directors, officers, trustees, governors, management committee members, members of the management board or partners (or the equivalent positions), whether acting alone or in collusion with other persons; or 2. employees (other than officers) if any of the policyholder s or merchant s elected or appointed officers possessed knowledge of any such: a) dishonest, fraudulent, malicious, or criminal or malicious act, error or omission; b) intentional or knowing violation of the law or the privacy policy of the policyholder or merchant, or Page 6

7 c) gaining of any profit or advantage to which the policyholder or merchant is not legally entitled; prior to or at the time a), b) or c) above were committed. B. Duties in the Event of Claim 1. As soon as practicable after the date of discovery, the merchant shall provide a written Notice of Claim to <us>. Such Notice of Claim shall include the fullest information obtainable, including but not limited to: a. the circumstances by which the merchant discovered the data security event, including but not limited to, a copy of the first formal written notification by the card association (including case number) to either the policyholder, acquiring bank, independent sales organization (ISO) or merchant of either an actual or suspected data security event at the merchant level or a request for a mandatory forensic audit. b. security event expenses or post event services expenses which may have resulted from the data security event; c. evidence and description of the data security event giving rise to the claim; d. a copy of the executed and legally binding merchant agreement or such other documentation (including merchant statements) establishing to our satisfaction that the merchant is contractually liable for the security event expenses and/or post event services expenses. e. any demand, notification letters, mandatory forensic audit reports, fee and security event expense and/or post event services expense invoices and other documents pertinent to the claim that are in the possession of the merchant or Policyholder. 2. Claims and incidents giving rise to a claims shall be reported to as follows: Attention: RGS Customer Support Representative Toll Free: Fax: claims@royalgroupservices.com 3. The policyholder and merchant shall cooperate with us in the investigation and settlement of all claims, including but not limited to: a. enforcing any contractual right to contest any security event expenses or post event services expenses (other than forensic audit expenses); and b. assisting in making statements; in the conduct of suits; and in enforcing any right of contribution or indemnity against any party other than the merchant who may be liable for security event expenses or post event services expenses. If we are prejudiced by the failure of the policyholder or the merchant to comply with any of these duties, our liability or obligation as to that claim shall terminate. Should the policyholder or the merchant be unable or unwilling to comply with any of the duties required herein, any successive party contractually liable to the claimant for the security event expenses or post event services expenses may assume such duties to comply with the terms and conditions of this Policy. 4. Payment by any part of security event expenses or post event services expenses shall not automatically bind us with respect to any claim. No party shall, except at their own risk, assume any obligation, incur any cost, charge, or expense or enter into any settlement. C. Settlement of Claims 1. Upon receipt of a Notice of Claim, we shall commence investigation and request all items, statements and information that we reasonably believe will be required. Additional requests may be made if, during the investigation of the claim, such additional requests are necessary. 2. Within thirty (30) days of receipt of all items, statements and information required by us to verify the claim and determine coverage (including but not limited to any mandatory forensic audit results), we shall notify the policyholder and the merchant of our acceptance or rejection of the claim. If we reject the claim, in whole or in part, Page 7

8 we shall state the reasons for the rejection. The parties may accept such rejection, exercise their rights under the Policy, or submit an amended Notice of Claim. An amended Notice of Claim must be submitted within thirty (30) days of our rejection and contain such additional information as necessary for us to reevaluate the reasons for rejection. 3. Payment of the claim shall be made within thirty (30) days after we reach agreement with the claimant, or the entry of a judgment against us. We will only make payment to the merchant unless it can be demonstrated by the claimant and the policyholder that payment has already been made to the claimant by another party in the succession of contractual liability (whether that be the policyholder, acquiring bank, independent sales organization (ISO) or merchant). In such event, we will make payment in reimbursement of such security event expenses or post event services expenses to the one and only unreimbursed party in the succession of reimbursement. 4. As a condition precedent to payment, we shall have the right to require any party receiving payment other than the claimant (including but not limited to the policyholder) to execute a written release from liability to us acknowledging: D. Subrogation a. that payment by us to such party is in satisfaction of liability to the claimant under the Policy; and b. such party has either: 1) satisfied the merchant s liability to the claimant by payment of such security event expense or post event services expense; or 2) contractually warrants to us that payments received from us will be property disbursed to the claimant or such successor in interest to the claim proceeds. However, we are under no obligation to make payment to any party other than the claimant. In the event of any payment under these Terms and Conditions, we shall be subrogated to the extent of such payment, to all rights of recovery of the policyholder or merchant arising out of a covered data security event. The policyholder or merchant shall do whatever is necessary, including signing documents, to help us obtain any recovery we may seek. To the extent we make a payment under these Terms and Conditions and, prior or subsequent to such payment, the policyholder or merchant receives any amount from any other person or entity in connection with or arising out of the data security event with respect to which we made such payment, the policyholder shall immediately remit such amount to us up to the amount of our payment. Notwithstanding the foregoing, to the extent the policyholder or merchant waives its right to recover security event expenses or post event services expenses from a merchant in connection with the coverage provided under this Policy, we shall also waive our right of recovery for any such amounts from such merchant. E. Other Insurance This Policy shall be primary with respect to any other valid and collectible insurance available to the policyholder or merchant, unless such other valid and collectible insurance is also stated to be primary. In that case, we will share with all other insurance by the method described below. 1. If all of the other insurance permits contribution by equal shares, we will follow this method also. Under this approach, each insurer shall contribute equal amounts in excess of the applicable retention until it has paid its applicable limit of insurance or none of the loss remains, whichever comes first. 2. If any of the other insurance does not permit contribution by equal shares, we will contribute by limits. Under this method, each insurer s share shall be based on the ratio of its applicable limit of insurance to the total applicable limits of insurance of all insurers. UPON REQUEST, FOR FULL TERMS, CONDITIONS AND EXCLUSIONS BACKING THE PLAN, PLEASE CONTACT Page 8