9.c PSN Service Agreement
Staff Report

Date of Meeting: December 17, 2019
To: City Council
From: Colleen Firkus, Treasurer
Re: Electronic Payments

Background: Pursuant to the City Council directing staff to move forward with a convenient way to process electronic payments, a Service Agreement was obtained from Payment Service Network (PSN) for the Council’s consideration.

Proposal Details: The Service Agreement is enclosed along with Schedules that outline the services (A) that will be provided and their costs (B). Council member Kronmiller questioned the company’s compliance with Payment Card Industry (PCI) security standards. PSN charges an $89.00 Annual Security Compliance fee to assist in their costs of staying compliant with the Payment Card Industry (PCI) Standard for Security and keeping the highest level security available which includes an annual 3rd party audit. Attached is their PCI Attestation of Compliance. On Page 14, you can find all of the requirements that the PCI has and that they meet all of them.

Setup costs are a One-time Setup fee of $149.00 and $50 Web Customization fee so the PSN site looks like a City website. Payments at the City office would require the purchase of a swipe machine for $250 with a $4.95 per month lifetime warranty service fee that would keep the software updated and replacement/upgraded at no charge. Fees charged to the customer at 2.75% per transaction, plus $.50 if payment is less than $100. There is an additional $1.00 fee if they choose to pay from their checking or savings accounts.

Recommendation: I recommend approving this 3-year Service Agreement with PSN. Their good reputation, customer service and link to our accounting system make PSN a good choice to provide our customers with the convenience of electronic payment. Once PSN receives the signed contract for service, it would be 4-6 weeks to go live.

PAYMENT SERVICE NETWORK, INC.
SERVICE AGREEMENT
Note: Bank interchange rates are subject to change; therefore, this quote is valid for 15 days from date of issue.
Payment Service Network, Inc. | 2901 International Lane, Madison WI 53704 | www.PaymentServiceNetwork.com

THIS AGREEMENT FOR SERVICE (“Agreement”) is made as of __________ (insert date) (the “Effective Date”) between ________City of Scandia, MN__________________________ (“Account Holder”) and Payment Service Network, Inc. (“PSN”).

RECITALS

Account Holder wishes to register its business with PSN so that Account Holder’s customers (“Customers”) can make payments to Account Holder through the PSN Web site, www.PaymentServiceNetwork.com (the “Site”) and/or via such other payment methods as are specified on Schedules A and B attached hereto or otherwise authorized in writing from time to time. Account Holder and PSN desire to formalize their agreement as set forth below.

NOW THEREFORE, in consideration of the Account Holder’s registration for the Services, the foregoing recitals, the mutual promises herein contained and other good and valuable consideration the receipt and sufficiency of which is hereby acknowledged, Account Holder and PSN, intending to be legally bound, hereby agree as follows:

1. Account Holder hereby appoints PSN as its agent solely for purposes of receiving and processing payments from Customers on Account Holder's behalf, and hereby authorizes PSN to collect payments from Customers to the extent such Customers have agreed to the terms and conditions of the Site. PSN shall collect the “Fees” (as shown on Schedule B) in the manner, amounts and pursuant to the terms set forth on Schedule B. Schedule B specifies those Fees payable by the Customer and those Fees payable by the Account Holder.
As Account Holder’s agent for receipt and processing of payments from Customers, Account Holder acknowledges and agrees that, as between Account Holder and its Customers only, PSN’s receipt of payments from Customers shall constitute receipt by Account Holder.

2. The Services to be provided by PSN (the “Services”) are as follows:

a. PSN agrees to accept payments from the Customers by checking/savings account or credit/debit card through the Site, or otherwise (phone in or fax in). Customers who utilize PSN’s payment network will also be required to register on the Site and will be bound by the terms and conditions set forth on the Site.

b. Account Holder is given real-time access to all account information via PSN’s administrative logon. Such access will be provided to all Account Holder representatives designated in writing by Account Holder. The account information available will include transaction totals, specification by account, and specification by transaction/account type (e.g. utilities, taxes). PSN and Account Holder will jointly work to develop compatibility of the reporting and accounting information with the Account Holder’s management and account software. Said access to all account information will be provided by PSN to Account Holder under the following conditions.

1. Said compatibility does not adversely affect, alter or change PSN’s established service;

2. Said compatibility is a joint effort between PSN and Account Holder with the Account Holder providing all the needed information to PSN regarding current and/or future management and accounting software.

c. PSN will provide, for each Customer who sets up a profile within the PSN system, real-time access to such Customer’s account information (but not the information of any other Customer) through the Site. If applicable, PSN will inform each Customer of the charge and amount of any subscription and/or fees or charges for the Services that will be charged to the Customer for the Services.
PSN agrees to indemnify and hold harmless Account Holder from all claims and liabilities arising out of a dispute based on non-disclosure of PSN Fees to Customers.

d. PSN will provide Account Holder with Check 21 services as described in, and on the terms and conditions set forth in, the Check 21 Addendum if Account Holder provides PSN with a written request for such services. Account Holder agrees to be bound by the terms of such Addendum if it elects to receive such services.

e. PSN will provide Account Holder with V Post services as described in, and on the terms and conditions set forth in, the V Post Addendum if Account Holder provides PSN with a written request for such services. Account Holder agrees to be bound by the terms of such Addendum if it elects to receive such services.

f. PSN will provide Cash Distribution services as described in, and on the terms and conditions set forth in, the Cash Distribution Addendum if Account Holder provides PSN with a written request for such services. Account Holder agrees to be bound by the terms of such Addendum if it elects to receive such services.

g. PSN will provide a non-exclusive license to use a Customized Mobile App as described in, and on the terms and conditions set forth in, the Mobile Application Addendum if Account Holder provides PSN with a written request for such services. Account Holder agrees to be bound by the terms of such Addendum if it elects to receive such services.

h. PSN will maintain a Payment Card Industry (“PCI”) Level 1 security certification (or other succeeding security standard required of PSN by PCI) to ensure security of Customer and Account Holder data.

3.
PSN reserves the right to modify the Services and Fees and service charges chargeable to Account Holder or its Customers in its sole discretion from time to time. PSN will notify Account Holder of material modifications to the Services or Fees and service charges by electronic means to a designated representative of Account Holder or by written notice at least thirty (30) days prior to the effective date of any such modifications. Account Holder also consents to receiving from PSN any Federal tax statements or other notices required by Federal, State or Local law in an electronic format.

4. Account Holder agrees to cooperate with PSN in resolving any disputes between Account Holder and Customers in a timely manner, reaffirming that PSN is only a payment intermediary and does not own the property or business or represent the Account Holder or Customer in such disputes. Disputed transactions and chargebacks will be handled in the following manner:

a. Credit Card Transactions:

1. PSN will notify Account Holder via electronic mail of any disputed credit card payments or chargebacks from Account Holder’s Customers. Account Holder agrees to follow its standard operating procedures to resolve such disputed or charge-backed credit card payments and work with PSN, the credit card company, or its agents to investigate any such cases and assist in resolving any such claims.

2. Account Holder will be charged a fee of Fifteen Dollars ($15.00) for each chargeback that is ultimately allowed, at which time, Account Holder gives PSN the authorization to automatically debit Account Holder’s account for the total of the original transaction plus the Fifteen Dollars ($15.00) chargeback fee for the purpose of charging it back to the Customer.

b. ACH – Checking and Savings Account Transactions, Bank Bill Pay and Check 21 Transactions:

1.
Problem transactions: NSF, Invalid Account, Receiver’s Account Closed, No Account, Stopped Payment, Account Frozen, Customer Does Not Authorize Payment, RDFI Not ACH Member and/or any other Return Reason Codes as labeled in NACHA Processing Guidelines will be resolved in the following manner:

a. PSN will notify Account Holder and Customer of said problem;

b. PSN will stop payment if funds have not already been deposited or, if directed by Customer, process another transaction for Customer.

c. In the event that PSN, within one (1) business day, cannot collect the appropriate information from Customer in order to complete the reprocessing of the Customer’s transaction and funds from said transaction have been deposited into Account Holder’s account, PSN will debit Account Holder’s account for a total sum of the original deposit for said transaction.

5. The initial term of this Agreement shall be for a period of three (3) years commencing on the date that the first payment transaction is processed by PSN for any Customers under this Agreement (the “Initial Term”), and shall automatically extend for additional periods of one (1) year (each, an “Extension Term”) unless one of the parties provides the other party with written notice of termination of this Agreement at least sixty (60) days prior to the end of the Initial Term or any Extension Term.
Notwithstanding the foregoing, Account Holder may terminate this Agreement upon ninety (90) days’ prior written notice and payment of Five Hundred Fifty Dollars ($550.00) to PSN as an early termination fee, provided however, that no early termination fee shall be due or payable by Account Holder if it terminates this Agreement under this Section within thirty (30) days of the date on which PSN delivers notice of material modifications to the Services, Fees or service charges under Section 3 of this Agreement other than increases of fees and service charges that are attributable to direct pass through increases from PSN’s merchant bank. PSN will process all payments received prior to the date of termination and forward them to Account Holder’s account. No Payments will be accepted from Customers after the date of termination. All obligations of Account Holder arising from transactions prior to termination shall survive termination of this Agreement. PSN will notify all Customers registered on the Site as to the termination of this Agreement and inform such Customers that future payments are to be made directly to Account Holder. Notwithstanding any termination of this Agreement, for a period of one hundred eighty (180) days after such termination, Account Holder acknowledges and agrees that PSN shall have the right to automatically withdraw any amounts from Account Holder’s depository account that PSN would otherwise have the right to withdraw during the term of this Agreement, including without limitation, credit card chargebacks, the reversal of any Customer payments deposited by PSN into Account Holder’s account for which there are insufficient funds, and other disputed charges and problem transactions specified in paragraph 4 of this Agreement.

6. This Agreement may not be assigned by Account Holder without PSN’s prior written consent.
If PSN gives consent to assignment of this Agreement by Account Holder as set forth above, PSN reserves the right to charge the assignee the Setup Fees shown in Schedule B. PSN may assign this Agreement.

7. This Agreement and the Services to be provided by PSN hereunder in no way alters or modifies the obligations contained in the agreements, if any, between Account Holder and Customers.

8. Account Holder represents, warrants and covenants to PSN that PSN is authorized to collect payments from the Customers for which Account Holder provides PSN the required information. Account Holder further represents, warrants and covenants to PSN: (a) Account Holder has the authority to enter into this Agreement and perform its obligations set forth therein; (b) Account Holder will provide all reasonable assistance to PSN and its subcontractors in providing the Services set forth herein; (c) Account Holder and its authorized users will only use the Services for lawful purposes and in compliance with the rules and regulations of the applicable payment processors (including, without limitation, MasterCard, Visa, Discover and American Express), credit card issuers, and depository account institutions (collectively, the “Rules and Regulations”), and in accordance with PSN’s account documentation, policies, specifications, and operating procedures, and will not violate any law of any country or the intellectual property rights of any party; (d) Account Holder shall timely provide all required disclosures to its Customers and obtain any required authorizations pursuant to the Rules and Regulations; (e) Account Holder shall maintain or destroy, as applicable, checks, receipts, and/or payer authorizations in accordance with applicable law and/or retention periods; and (f) Account Holder and its authorized users will
not (i) sell, lease, distribute, license or sublicense PSN’s Site, technology or Services, (ii) engage in spamming, mail-bombing, spoofing or any other fraudulent, illegal or unauthorized use of the Services; (iii) introduce or transmit through the Site, technology or Services, without limitation, via any portion of the Account Holder’s computer system that interfaces with the Site, technology or Services, or otherwise, any virus, worm, software lock, drop dead device, trojan-horse routine, trap door, back door, timer, time bomb, clock, counter or other limiting routine, instruction or design or any other codes or instructions that may be used to access, modify, delete, damage, disable or prevent the use of the Site, technology, or services or other computer systems of PSN or its subcontractors; and (iv) should Account Holder receive notice of any claim regarding the Site or Services, Account Holder shall promptly provide PSN with a written notice of such claim.

9. a.
Account Holder agrees to defend, indemnify, and hold PSN harmless from and against any third-party claims and/or Customer claims, including any damages, costs, expenses and attorneys’ fees to the extent arising, in whole or in part, out of (a) any inaccuracy in or breach of Account Holder’s representations and warranties contained in this Agreement; (b) Account Holder’s breach of any covenant or obligation contained in this Agreement; (c) any claims or disputes arising under any agreement between Account Holder and a Customer (or any third party) or otherwise relating to the relationship between Account Holder and a Customer (or any third party) including, without limitation, any dispute over the amount owed by a Customer to Account Holder (other than claims relating to PSN fees); and (d) any claims or disputes caused in whole or in part by the information or directions provided to PSN by Account Holder or its agents.

b. PSN agrees to defend, indemnify, and hold Account Holder harmless from and against any third-party claims and/or Customer claims, including any damages, costs, expenses and attorney’s fees to the extent arising, in whole or in part, out of (a) any inaccuracy in or breach of PSN’s representations and warranties contained in this Agreement; (b) PSN’s breach of any covenant or obligation contained in this Agreement; and (c) any claims or disputes arising under any agreement between PSN and a Customer (or any third party) or otherwise relating to the relationship between PSN and a Customer (or any third party). PSN’s obligations under this paragraph do not apply to any of the foregoing causes to the extent resulting from acts or omissions of Account Holder.

10. PSN and Account Holder are independent contractors and this Agreement does not establish any relationship of partnership, joint venture, employment, franchise or agency between PSN and Account Holder.
Neither PSN nor Account Holder will have the power to bind the other or incur obligations on the other’s behalf without the other’s prior written consent, except as otherwise expressly provided herein. Notwithstanding the foregoing, Account Holder acknowledges that PSN shall be Account Holder’s agent solely for purposes of receiving and processing payments from Account Holder’s Customers as provided in this Agreement.

11. PSN represents that it owns and will retain during the term of this Agreement all proprietary rights in and to all development tools, routines, subroutines, applications, software and other materials that PSN may use in connection with implementation and operation of the Site, and has the right to license and otherwise permit Account Holder’s and Customers’ usage of such Site and other materials in accordance with the terms of the Agreement. This Agreement does not transfer to Account Holder any ownership or proprietary rights in PSN’s Site, technology or any work or any part thereof, and all right, title and interest in and to PSN’s Site and technology will remain solely with PSN. PSN agrees to indemnify and hold Account Holder harmless from any liabilities or charges, including attorney’s fees, arising out of any claim that PSN or Account Holder has infringed the proprietary rights of others in performing the Services under this Agreement or in operating the Site.

a. PSN shall notify Account Holder if PSN changes or adds any functionality of the Services as implemented on the Site. Under no circumstance shall PSN offer Customers of Account Holder any community features (such as mail, chat, message boards, or the ability to create home pages) from the Site. PSN shall not, in conjunction with the Site or the Services, use any interstitials Web pages, pop-up windows, other intermediate steps or any other content which acts as a barrier to the transition of a Customer from Account Holder’s Web site to the Site.
b. PSN shall be responsible for providing all customer support regarding the Services or the Site and Account Holder may redirect to PSN any associated customer support inquiries.

c. PSN’s privacy policy shall make any disclosures, or obtain any Customer consent necessary, to make the disclosures about Customers back to Account Holder required by this Agreement.

d. Account Holder hereby grants to PSN a non-exclusive, worldwide, revocable right to use Account Holder’s domain names, trademarks and logos reasonably necessary for PSN to perform under this Agreement (collectively, the “Marks”). Account Holder may terminate the foregoing right to use the Marks if, in Account Holder’s sole discretion, PSN’s use of the Marks is not related to PSN’s performance under this Agreement or PSN’s use of the Marks tarnishes, blurs, diminishes, or dilutes the quality associated with the Marks or the associated goodwill and such inappropriate use is not cured within thirty (30) days of notice of such inappropriate use. Title to and ownership of the Marks shall remain with Account Holder, and PSN shall have no ownership interest in the Marks. PSN shall not take any action inconsistent with Account Holder’s ownership of the Marks, and any benefits accruing from the use of such Marks shall automatically vest in Account Holder.

12. PSN WARRANTS THAT IT WILL PERFORM THE SERVICES IN ACCORDANCE WITH THE TERMS OF THIS AGREEMENT.
EXCEPT AS SET FORTH IN THE PREVIOUS SENTENCE AND PARAGRAPH 11 ABOVE, PSN AND ITS SUBCONTRACTORS MAKE NO REPRESENTATIONS OR WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY REGARDING OR RELATING TO ANY OF THE SITE, TECHNOLOGY OR SERVICES AND/OR ACCESS TO OR USE OF THE SITE SERVICES OR TECHNOLOGY PROVIDED TO ACCOUNT HOLDER AND/OR ITS CUSTOMERS HEREUNDER. PSN AND ITS SUBCONTRACTORS SPECIFICALLY DISCLAIM ANY AND ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. PSN AND ITS SUBCONTRACTORS ALSO DO NOT GUARANTEE THAT ACCOUNT HOLDER’S AND/OR ITS CUSTOMERS’ ACCESS TO THE SITE OR SERVICES PROVIDED UNDER THIS AGREEMENT WILL BE UNINTERRUPTED, ERROR FREE OR SECURE. PSN AND ITS SUBCONTRACTORS DO NOT GUARANTEE THE ACCURACY OF, AND SPECIFICALLY DISCLAIM LIABILITY FOR, INFORMATION OR DATA THAT IS SUPPLIED OR KEY-ENTERED BY ACCOUNT HOLDER, ACCOUNT HOLDER’S CUSTOMERS OR ACCOUNT HOLDER’S EMPLOYEES OR AGENTS. PSN AND ITS SUBCONTRACTORS DO NOT WARRANT THE ACCURACY, RELIABILITY, COMPLETENESS OR TIMELINESS OF THE CONTENT OF INTERNET WEB SITES OR OTHER DATA RECEIVED BY ACCOUNT HOLDER OR ACCOUNT HOLDER’S CUSTOMERS VIA THE INTERNET. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN, IN NO EVENT WILL PSN’S LIABILITY TO ACCOUNT HOLDER, CUSTOMERS, OR ANY THIRD PARTY FOR ANY DAMAGES OF ANY KIND, WHETHER ARISING IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EXCEED AN AMOUNT EQUAL TO THE FEES PAID BY ACCOUNT HOLDER AND ITS CUSTOMERS TO PSN FOR THE SERVICES DURING THE SIX (6) MONTHS PRECEDING THE DATE ON WHICH THE CLAIM FIRST ACCRUED (THE “LIABILITY CAP”). PSN SHALL NOT BE LIABLE TO ACCOUNT HOLDER, CUSTOMERS OR ANY OTHER PERSON FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL (INCLUDING LOSS OF BUSINESS PROFITS) OR PUNITIVE DAMAGES FOR ANY MATTER ARISING OUT OF OR RELATING TO THE SITE, THE SERVICES, THIS AGREEMENT OR ITS SUBJECT MATTER, EVEN IF PSN HAS BEEN APPRISED OF THE LIKELIHOOD OF SUCH DAMAGES OCCURRING.

13.
PSN agrees that all information of Account Holder and Customers, including without limitation, Customers’ names, addresses and account numbers, shall be treated as confidential by PSN, shall not be disclosed to any third party (other than to credit card issuers or PSN’s processing bank in the performance of this Agreement) except as required by law. PSN agrees not to exploit or use such information except as expressly permitted by this Agreement, and shall not sell, purchase, provide or exchange credit card account number information without the written consent of the Customer. PSN will destroy any cardholder information that is no longer necessary in a manner that will render the data unreadable.

14. PSN agrees to procure and maintain the following insurance policies and bond in no less than the following minimum amounts (or such other minimum amounts, if higher, as required by law), with such reasonable deductibles as PSN shall determine:

Errors and Omissions Professional Liability Coverage: $2,000,000 Each Claim; $2,000,000 Aggregate; $100,000 Deductible
Commercial Umbrella Liability Coverage: $2,000,000 Each Occurrence; $2,000,000 Aggregate; $10,000 Retained Limit
Commercial Crime Coverage: $250,000 Form A – Blanket Employee Dishonesty; $250,000 Form B – Forgery or Alteration; $10,000 Form C – Money and Securities; $250,000 Business Service Bond; $2,500 Deductible
Commercial General Liability Coverage: $2,000,000 General Aggregate; $1,000,000 Each Occurrence; $100,000 Fire Damage; $5,000 Medical Expense
Workers Compensation and Employers Liability Coverage: $100,000 Accident; $500,000 Policy Limit; $100,000 Each Employee.

15.
Account Holder understands that PSN is party to a Merchant Services Agreement pursuant to which PSN is being provided with certain payment processing services by a member (a “Provider”) of Mastercard, Visa, Discover and/or similar entities (collectively, “Associations”), and that Account Holder is a sub-merchant under said Merchant Services Agreement. As a conditional precedent to PSN’s obligations under this Agreement, Account Holder shall enter into a Sub-Merchant Agreement with the Provider (on Provider’s current form) to satisfy the Associations’ requirement that the Account Holder have a direct contractual relationship with a member of the Associations.

16. This Agreement shall be governed by and construed in accordance with the laws of the State of Wisconsin, without application of its conflicts of law principles. For the purpose of any dispute arising under, or related in any way to, the subject matter of this Agreement, the parties agree that such dispute shall be heard exclusively by the federal or state courts situated in Dane County, Wisconsin. The parties hereby submit to the exclusive jurisdiction of the federal and state courts situated in Dane County, Wisconsin, and agree not to raise any objection to or defense based upon the venue of said courts. EACH PARTY HEREBY WAIVES, TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, ANY RIGHT IT MAY HAVE TO A RIGHT OF TRIAL BY JURY WITH RESPECT TO ANY DISPUTE ARISING UNDER OR RELATED IN ANY WAY TO THE SUBJECT MATTER OF THIS AGREEMENT.

17. Account Holder will certify to PSN the identity of any person Account Holder has authorized to act as its agent with respect to the Services. Any such person is authorized to, without limitation, take any action on behalf of Account Holder as it relates to any Services. PSN shall be able to conclusively presume that such agency continues until PSN receives written notice to the contrary.
PSN may rely on instructions received from such persons and need not make any inquiries to confirm that the instructions are within the scope of the agency.

18. The undersigned warrants and represents that he/she has all requisite authority to execute this Agreement on behalf of Account Holder, and that he/she is authorized to bind Account Holder to the terms of this Agreement.

19. This Agreement may be executed in counterparts. Each such counterpart shall be considered an original, and all of such counterparts shall constitute a single agreement binding the parties as if they had signed a single document. Faxed, photocopied and scanned signatures shall be acceptable to and legally binding on the parties to this Agreement. No party to this Agreement shall raise the use of a facsimile machine, email transmissions, or other electronic transmission to deliver a signature or the fact that any signature or this Agreement were transmitted or communicated through the use of facsimile machine, by email, or other electronic transmission as a defense to the formation of a contract and each such party forever waives any such defense.

IN WITNESS WHEREOF, the parties have executed this Agreement as of the date first written above.

ACCOUNT HOLDER
Company:
Signature:
Print Name:
Title:

PAYMENT SERVICE NETWORK, Inc.
By:
Name:
Title:

Payment Service Network, Inc.
2901 International Lane, Suite 101
Madison, WI 53704
608-442-5088 Direct; 877-390-7368 Toll Free; 608-442-5116 Fax

City of Scandia
Ken Cammilleri
City Administrator
SCHEDULE “A”
[Complete Sections I, II and III]

I. CORPORATE OFFICE INFORMATION
Contact Name:
Business Legal Name:
Address:
City, State, ZIP:
Telephone:
Fax:
Email:
Website:

II. LIST OF ADDITIONAL PROPERTIES, ACCOUNTS OR SERVICES:
(Please use a separate sheet if needed or an Excel spreadsheet if possible.)
Total Number Potential Payers
Service Description or Property Name
Address (If different from Corporate above) (Include: Street Address, City, State, ZIP)
Tax ID REQUIRED
Last 4 Digits of Checking Account
Contact Person (for this account, if different from above)
Email (for this account, if different from above)
Phone Number (for this account, if different from above)
100 Utility Payment

III. DEPOSITING AND INVOICING INSTRUCTIONS AND REQUEST FOR VOIDED CHECK(S):
Check the box as to how you want PSN to debit its fees from your bank account(s).
☐ PSN should invoice and take its fees from the same bank account(s) to which it is depositing funds
☐ PSN should invoice and take its fees from a different bank account than the one to which it is depositing funds. Last 4 digits of bank account from which PSN takes fees: _________ (please provide voided check, no deposit slips allowed)

Attach to this Agreement, an actual voided check(s) for the bank account that PSN will deposit funds into and, if applicable, a voided check of the account from which PSN will debit its fees. It must be a printed voided check and not a starter check, a deposit slip or other substitute. If it is not possible to attach a voided check(s), then you can attach a letter from your bank(s) on bank letterhead that is legally signed by a bank representative, verifying your checking/savings account number and the bank’s routing number.

NOTE: If using more than one bank account, mark each voided check to clearly identify which account it represents.
In order to debit fees from your account(s), you may have to inform your bank(s) that Payment Service Network (PSN) is an approved vendor. Once you have signed and returned this Agreement, PSN will provide you with its official NACHA vendor number to provide to your bank(s).

Brenda Eklund City of Scandia 14727 209th St. N. Scandia, MN 55073 651-433-2274 651-433-5112 b.eklund@ci.scandia.mn.us ci.scandia.mn.us 41-0904438 3102 250 Building Permits 50 Park Programs X

SCHEDULE “B”
Fee Schedule for _____Scandia, MN___________________
The items marked with an “X” are applicable to this Agreement.

SETUP/EQUIPMENT FEES
☒ One-time Setup $149 Paid by Account Holder
☒ Web Customization Custom $50 Paid by Account Holder
☒ Mobile App Standard Included NA
☒ Training Included NA
☒ Software Integration Banyon Included NA
☐ Custom Programming $ NA
☒ Integrated Swipe Credit Card Setup Included NA
☐ Check Scanning Equipment $ NA
☒ Credit Card Swipe Machine Verifone VX520 – Qty x 1 $250 Paid by Account Holder

MONTHLY FEES
☒ Gateway for each PSN Account WAIVED NA
☐ Bank Bill Pay eSolution/eCash Solution $ NA
☒ Mobile App WAIVED NA
☐ Outbound Auto-Call Messaging $ NA
☒ Integrated Swiped Credit Card $4.95 Paid by Account Holder

TRANSACTION FEES (all fees are per item; unless otherwise noted, only one fee will be charged per transaction)
☒ eChecking or eSavings Payment
☒ Online/Mobile/Field Net Deposit $1.00 Paid by Customer
☐ Automated Phone NA $ NA
☐ Text NA $ NA
☐ Live PSN Rep NA $ NA
☒ Credit Card Payments ☒MasterCard ☒VISA ☒Discover ☒AMEX
☒ Online/Mobile/Field Net Deposit 2.75%* Paid by Customer
☐ Automated Phone NA $ NA
☐ Text NA $ NA
☐ Live PSN Rep NA $ NA
Rates for AMEX (above rates are for all other credit cards)
2.75%* Paid by Customer ☐ Bank Bill Pay eSolution (bank-issued checks) NA $ NA ☐ Back Office Auto-Pay NA $ NA ☐ eCash Solution NA $ NA ☐ Auto-Post Check Scanning (Check 21 or RDC) NA $ NA ☒ Advanced Integrated Credit Card Swipe Net Deposit 2.75%* Paid by Customer OTHER FEES ☒ Annual Security Compliance (billed annually) Due each December $89.00 Paid by Account Holder ☐ Outbound Auto-Call Messaging Only answered calls get assessed the fee; recording device pickups are considered answered. 15¢ per minute, 2-minute minimum NA ☒ NSF (for online and phone check/savings transactions with insufficient funds) $35.00 Paid by Customer ☐ NSF (for scanned and VPOST checks) NA ☒ Chargeback (for credit cards that are disputed) $15.00 Paid by Account Holder *If payment is less than $100, the Customer will be charged 2.75% plus 50¢. Net Deposits are Customer payment deposits less Transaction Fees. PAYMENT SERVICE NETWORK, INC. SERVICE AGREEMENT Note: Bank interchange rates are subject to change; therefore, this quote is valid for 15 days from date of issue . 10 Payment Service Network, Inc. | 2901 International Lane, Madison WI 53704 | www.PaymentServiceNetwork.com SCHEDULE “B” continued FEE SCHEDULE Account Holder’s designated depository account(s) shall mean any and all depository accounts which Account Holder has designated in a writing delivered to PSN for PSN to make deposits of payments made by Account Holder’s Customers/Payees. Account Holder may only change designated depository account(s) upon not less than fifteen (15) days prior written notice to PSN, provided that Account Holder completes and timely delivers to PSN all forms required by PSN to complete the change in designated depository account(s). Account Holder agrees to pay the Setup/Equipment Fees set forth in this Schedule B upon execution of this Agreement. Account Holder agrees to pay Monthly Fees set forth in this Schedule B on or about the first day of each month. 
All such Setup/Equipment and Monthly Fees are non-refundable and will be automatically withdrawn by PSN via auto debit from the Account Holder’s designated depository account(s) as set up with PSN or, at PSN’s option, deducted from Customer payments before such payments are deposited into Account Holder’s designated depository account. Account Holder agrees to pay Transaction Fees and Other Fees as designated in Schedule B. PSN shall, at PSN’s option, (a) deduct Transaction Fees and Other Fees from Customer payments before such payments are deposited into Account Holder’s designated depository account and/or (b) auto-debit from Account Holder’s depository account(s) on or around the first of every month the total of all Transaction Fees and Other Fees incurred during the immediately preceding month which were deposited into the Account Holder’s depository account. PSN will endeavor to have Customer payments deposited into Account Holder’s designated account or accounts within three (3) banking days of payment, however, Account Holder acknowledges that it may take up to five (5) banking days to complete such deposits due to bank notification times and different deposit frequencies from the credit card processors to PSN. A “banking day” is a day of the week on which a bank or financial institution is open to the public for carrying on all of its banking functions (i.e., Monday through Friday, excluding Saturday, Sunday and legal holidays). PSN acknowledges and agrees that all amounts received from Customers less per item Transaction Fees collected by PSN, and less any Monthly Fees and Other Fees (collectively, “Fees”) owed by Account Holder, will be the property of the Account Holder and PSN will have no right to retain such amounts for any reason, including, without limitation, pursuant to any rules of bankruptcy or insolvency. PSN will function as a repository for the net funds and not as owner of the net funds at any time (other than the Fees owed to PSN). 
PSN’s failure to deduct or auto-debit any Setup/Equipment Fees, Monthly Fees, Transaction Fees or Other Fees (“Unpaid Fees”) does not forfeit PSN’s right to collect such Unpaid Fees from Account Holder at a later date, and Account Holder agrees to pay such Unpaid Fees to PSN. PSN is hereby granted a security interest in amounts received from Customers to secure payment of the Unpaid Fees, and shall have a contractual right of offset against amounts received from Customers equal to the amount of Unpaid Fees.

ACCOUNT HOLDER:
Signature:
Date:
Print Name:
Title:
Ken Cammilleri
City Administrator

Payment Card Industry (PCI) Data Security Standard
Attestation of Compliance for Onsite Assessments – Service Providers
Version 3.2.1
June 2018

Section 1: Assessment Information

Instructions for Submission
v3.2.1 Attestation of Compliance for Onsite Assessments – Rev. 1.0 June 2018 PCI Security Standards Council, LLC. All Rights Reserved.

This Attestation of Compliance must be completed as a declaration of the results of the service provider’s assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The service provider is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting and submission procedures.

Part 1. Service Provider and Qualified Security Assessor Information

Part 1a. Service Provider Organization Information
Company Name: Payment Service Network, Inc.
DBA (doing business as):
Contact Name: Norman Ehiorobo
Title: CTO
Telephone: 608-442-5091
E-mail: nehiorobo@PaymentServiceNetwork.com
Business Address: 2901 International Lane
City: Madison
State/Province: WI
Country: USA
Zip: 53704
URL: https://www.paymentservicenetwork.com

Part 1b.
Qualified Security Assessor Company Information (if applicable)
Company Name: MegaplanIT, LLC
Lead QSA Contact Name: Jennifer Boyd
Title: Principal Security Consultant
Telephone: 602-900-1706
E-mail: jboyd@megaplanit.com
Business Address: 8700 E. Vista Bonita Dr. Suite 270
City: Scottsdale
State/Province: AZ
Country: USA
Zip: 85255
URL: https://www.megaplanit.com

Part 2. Executive Summary

Part 2a. Scope Verification
Services that were INCLUDED in the scope of the PCI DSS Assessment (check all that apply):
Name of service(s) assessed: Payment collection and processing services
Type of service(s) assessed:
Hosting Provider: Applications / software; Hardware; Infrastructure / Network; Physical space (co-location); Storage; Web; Security services; 3-D Secure Hosting Provider; Shared Hosting Provider; Other Hosting (specify):
Managed Services (specify): Systems security services; IT support; Physical security; Terminal Management System; Other services (specify):
Payment Processing: POS / card present; Internet / e-commerce; MOTO / Call Center; ATM; Other processing (specify):
Account Management; Fraud and Chargeback; Payment Gateway/Switch; Back-Office Services; Issuer Processing; Prepaid Services; Billing Management; Loyalty Programs; Records Management; Clearing and Settlement; Merchant Services; Tax/Government Payments; Network Provider; Others (specify):
Note: These categories are provided for assistance only, and are not intended to limit or predetermine an entity’s service description. If you feel these categories don’t apply to your service, complete “Others.” If you’re unsure whether a category could apply to your service, consult with the applicable payment brand.
Part 2a. Scope Verification (continued)
Services that are provided by the service provider but were NOT INCLUDED in the scope of the PCI DSS Assessment (check all that apply):
Name of service(s) not assessed: None
Type of service(s) not assessed:
Hosting Provider: Applications / software; Hardware; Infrastructure / Network; Physical space (co-location); Storage; Web; Security services; 3-D Secure Hosting Provider; Shared Hosting Provider; Other Hosting (specify):
Managed Services (specify): Systems security services; IT support; Physical security; Terminal Management System; Other services (specify):
Payment Processing: POS / card present; Internet / e-commerce; MOTO / Call Center; ATM; Other processing (specify):
Account Management; Fraud and Chargeback; Payment Gateway/Switch; Back-Office Services; Issuer Processing; Prepaid Services; Billing Management; Loyalty Programs; Records Management; Clearing and Settlement; Merchant Services; Tax/Government Payments; Network Provider; Others (specify):
Provide a brief explanation why any checked services were not included in the assessment: N/A

Part 2b. Description of Payment Card Business
Describe how and in what capacity your business stores, processes, and/or transmits cardholder data.
Payment Service Network (PSN) is a Service Provider who provides payment and billing options for merchants and consumers. They provide services to businesses primarily in the rental, utility, and municipal marketplace. PSN’s purpose is to provide the broadest array of payment options, including taking credit card payments for business customers while at the same time making the remittance process more streamlined for the business itself.
Payment card transactions can be initiated in several ways: online through the PSN Account Management Center application, IVR via automated third-party service, Customer Service Representatives (CSRs) who enter the data on behalf of the customer, or through PCI approved Verifone PTS devices which are owned by and located at the merchant locations. The devices submit payment data to PSN’s secure web portal via HTTPS TLS 1.2. PSN stores cardholder data for recurring transactions. They transmit cardholder data to payment processors for authorization and payment processing on behalf of customers.

Describe how and in what capacity your business is otherwise involved in or has the ability to impact the security of cardholder data.
As a Service Provider, PSN stores and transmits cardholder data on behalf of its customers.

Part 2c. Locations
List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a summary of locations included in the PCI DSS review.
Type of facility: | Number of facilities of this type | Location(s) of facility (city, country):
Example: Retail outlets | 3 | Boston, MA, USA
Payment Service Network Corporate Office / Call Center / Data Room | 1 | Madison, WI, USA
Third Party PCI-DSS Compliant Data Center | 1 | Madison, WI, USA

Part 2d. Payment Applications
Does the organization use one or more Payment Applications? Yes No
Provide the following information regarding the Payment Applications your organization uses:
Payment Application Name | Version Number | Application Vendor | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)
PSN Account Management Center | 15.11.1 | Internally developed application | Yes No | N/A

Part 2e.
Description of Environment
Provide a high-level description of the environment covered by this assessment. For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.

The assessment focused on technologies such as internal network segments, DMZ segments, and VPN connections into the cardholder data environment as well as the transmission of cardholder data to the payment processors. Two facilities were included in the scope of the assessment: the PCI DSS compliant third-party hosted data center, where the cardholder data environment is located, and the PSN corporate office, where call center representatives and business and technical personnel reside. The cardholder environment at the third-party data center includes database, web, and application servers, in addition to network equipment and supporting systems such as IDS, FIM, logging servers, virtual hosts, etc. The call center houses the customer service representatives who have the ability to input cardholder data into the web based application. Customer service workstations as well as network equipment, domain controllers and centralized event logging and monitoring systems at the call center were included in the scope of this assessment.

Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation) Yes No

Part 2f.
Third-Party Service Providers
Does your company have a relationship with a Qualified Integrator & Reseller (QIR) for the purpose of the services being validated? Yes No
If Yes:
Name of QIR Company: N/A
QIR Individual Name: N/A
Description of services provided by QIR: N/A

Does your company have a relationship with one or more third-party service providers (for example, Qualified Integrator Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.) for the purpose of the services being validated? Yes No
If Yes:
Name of service provider: | Description of services provided:
Plum Voice | Third-party hosted IVR solution
OneNeck IT Solutions | Third-party data center
CDW Managed Services | Third-party managed service provider
RingCentral | Third-party call center application provider
TSYS Acquiring Solutions | Payment processor
First Data Merchant Services | Payment processor
ItelBPO Smart Solutions | Third-party call center
Iron Mountain | Third-party backup storage
Note: Requirement 12.8 applies to all entities in this list.

Part 2g. Summary of Requirements Tested
For each PCI DSS Requirement, select one of the following:
• Full – The requirement and all sub-requirements of that requirement were assessed, and no sub-requirements were marked as “Not Tested” or “Not Applicable” in the ROC.
• Partial – One or more sub-requirements of that requirement were marked as “Not Tested” or “Not Applicable” in the ROC.
• None – All sub-requirements of that requirement were marked as “Not Tested” and/or “Not Applicable” in the ROC.
For all requirements identified as either “Partial” or “None,” provide details in the “Justification for Approach” column, including:
• Details of specific sub-requirements that were marked as either “Not Tested” and/or “Not Applicable” in the ROC
• Reason why sub-requirement(s) were not tested or not applicable
Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.

Name of Service Assessed: Payment collection and processing services
PCI DSS Requirement | Details of Requirements Assessed (Full / Partial / None) | Justification for Approach (Required for all “Partial” and “None” responses. Identify which sub-requirements were not tested and the reason.)
Requirement 1:
  1.2.2 - There are no PSN owned routers in the cardholder environment.
  1.2.3 - There are no wireless technologies in the cardholder environment.
Requirement 2:
  2.1.1 - There are no wireless technologies in the cardholder environment.
  2.2.3 - There are no insecure services, daemons, or protocols in use.
  2.6 - PSN is not a Shared Hosting Provider.
Requirement 3:
  3.4.1 - Disk encryption is not used.
  3.6.a - PSN does not share keys with their customers.
Requirement 4:
  4.1.1 - There are no wireless technologies in the cardholder environment.
Requirement 5:
Requirement 6:
Requirement 7:
Requirement 8:
  8.1.5 - There are no third-party vendors with access to the cardholder environment.
  8.5.1 - PSN does not have remote access to customer premises.
Requirement 9:
  9.5-9.8 - There are no media backups in use. Data is electronically replicated to Iron Mountain. There are no hard copy materials containing cardholder data.
  9.9 - PSN does not have any devices in their environment that capture payment card data.
Requirement 10:
Requirement 11:
  11.1.1 - PSN does not have any authorized wireless access points in the cardholder environment.
Requirement 12:
Appendix A1: PSN is not a Shared Hosting Provider.
Appendix A2: There are no POS POI terminals in the environment.

Section 2: Report on Compliance
This Attestation of Compliance reflects the results of an onsite assessment, which is documented in an accompanying Report on Compliance (ROC).
The assessment documented in this attestation and in the ROC was completed on: June 10, 2019
Have compensating controls been used to meet any requirement in the ROC? Yes No
Were any requirements in the ROC identified as being not applicable (N/A)? Yes No
Were any requirements not tested? Yes No
Were any requirements in the ROC unable to be met due to a legal constraint? Yes No

Section 3: Validation and Attestation Details

Part 3. PCI DSS Validation
This AOC is based on results noted in the ROC dated June 10, 2019.
Based on the results documented in the ROC noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):

Compliant: All sections of the PCI DSS ROC are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby Payment Service Network, Inc. has demonstrated full compliance with the PCI DSS.

Non-Compliant: Not all sections of the PCI DSS ROC are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Service Provider Company Name) has not demonstrated full compliance with the PCI DSS.
Target Date for Compliance:
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document.
Check with the payment brand(s) before completing Part 4.

Compliant but with Legal exception: One or more requirements are marked “Not in Place” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.
If checked, complete the following:
Affected Requirement | Details of how legal constraint prevents requirement being met

Part 3a. Acknowledgement of Status
Signatory(s) confirms: (Check all that apply)
• The ROC was completed according to the PCI DSS Requirements and Security Assessment Procedures, Version 3.2.1, and was completed according to the instructions therein.
• All information within the above-referenced ROC and in this attestation fairly represents the results of my assessment in all material respects.
• I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.
• I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.
• If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.

Part 3a. Acknowledgement of Status (continued)
• No evidence of full track data[1], CAV2, CVC2, CID, or CVV2 data[2], or PIN data[3] storage after transaction authorization was found on ANY system reviewed during this assessment.
• ASV scans are being completed by the PCI SSC Approved Scanning Vendor Coalfire Systems, Inc.

Part 3b. Service Provider Attestation
NormanEhiorobo (Jun 11, 2019)
Signature of Service Provider Executive Officer
Date: June 10, 2019
Service Provider Executive Officer Name: Norman Ehiorobo
Title: CTO

Part 3c.
Qualified Security Assessor (QSA) Acknowledgement (if applicable)
If a QSA was involved or assisted with this assessment, describe the role performed: The QSA performed the Level 1 Service Provider assessment.
Jennifer Boyd (Jun 11, 2019)
Signature of Duly Authorized Officer of QSA Company
Date: June 10, 2019
Duly Authorized Officer Name: Jennifer Boyd
QSA Company: MegaplanIT, LLC.

Part 3d. Internal Security Assessor (ISA) Involvement (if applicable)
If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed: N/A

[1] Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full track data after transaction authorization. The only elements of track data that may be retained are primary account number (PAN), expiration date, and cardholder name.
[2] The three- or four-digit value printed by the signature panel or on the face of a payment card used to verify card-not-present transactions.
[3] Personal identification number entered by cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message.

Part 4. Action Plan for Non-Compliant Requirements
Select the appropriate response for “Compliant to PCI DSS Requirements” for each requirement. If you answer “No” to any of the requirements, you may be required to provide the date your Company expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.
Check with the applicable payment brand(s) before completing Part 4.
PCI DSS Requirement | Description of Requirement | Compliant to PCI DSS Requirements (Select One: YES / NO) | Remediation Date and Actions (If “NO” selected for any Requirement)
1 | Install and maintain a firewall configuration to protect cardholder data
2 | Do not use vendor-supplied defaults for system passwords and other security parameters
3 | Protect stored cardholder data
4 | Encrypt transmission of cardholder data across open, public networks
5 | Protect all systems against malware and regularly update anti-virus software or programs
6 | Develop and maintain secure systems and applications
7 | Restrict access to cardholder data by business need to know
8 | Identify and authenticate access to system components
9 | Restrict physical access to cardholder data
10 | Track and monitor all access to network resources and cardholder data
11 | Regularly test security systems and processes
12 | Maintain a policy that addresses information security for all personnel
Appendix A1 | Additional PCI DSS Requirements for Shared Hosting Providers | N/A
Appendix A2 | Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present POS POI Terminal Connections | N/A