What cardholder data security and storage requirements must an Atwell Suites client comply with?

Atwell_Suites Franchise · 2025 FDD

Answer from 2025 FDD Document

luding the Payment Card Industry Data Security Standard ("PCI DSS"), applicable to the Card types you accept. You are responsible for staying up to date with all changes to Card Organization Rules and maintaining compliance with Card Organization Rules. Card Organization Rules may be available on websites such as https://usa.visa.com, http://www.mastercard.com/us/merchant/support/rules.html, www.discovernetwork.com/en-us, and www.americanexpress.com/merchantopguide, as links and their content may change from time to time.

  • 3.2 Applicable Law. Each party is responsible for determining all Applicable Law that is applicable to it and for complying with all such Applicable Law in connection with the Agreement.
  • 3.3 Your Payments Acceptance Guide. You agree to comply with the Your Payments Acceptance Guide, as it may change over time ("Your Payments Acceptance Guide"). The current Your Payments Acceptance Guide is available at www.businesstrack.com. To the extent of any inconsistencies between these Terms and Conditions and the Your Payments Acceptance Guide, these Terms and Conditions will govern.
  • 3.4 Conflicts. For the avoidance of doubt, your use of the Services, the transactions you process, and all of your acts and omissions must comply with the Agreement, Applicable Law, and Card Organization Rules (including PCI DSS). If there is a conflict between Applicable Law, Card Organization Rules, and the Agreement, the conflict shall be governed in the following order of precedence: (1) Applicable Law; (2) Card Organization Rules; and (3) the Agreement.

4 Data Security and Third Parties Used by Client

The following is important information regarding the protection of Cardholder data. Please review carefully as failure to comply can result in substantial liabilities and termination of the Agreement.

  • 4.1 Payment Card Industry Data Security Standard.
    • (a) You Must Comply with PCI DSS. As part of your obligation to comply with Card Organization Rules, you are required to comply with PCI DSS. PCI DSS compliance is focused on Merchant Systems where Cardholder data can be accessed, processed, stored, or transmitted, including external connections into your network, connections to and from the authorization and settlement environment (e.g., connections for employee access or for devices such as firewalls and routers), and data repositories outside of the authorization and settlement environment. Information about PCI DSS can be found at www.pcisecuritystandards.org. You also are solely responsible for ensuring that all Merchant Providers, Merchant Systems, Third Parties, Third Party Services, equipment, and software that you use in connection with Card transactions comply with Card Organization Rules, including PCI DSS.
    • (b) Non-Compliance. The Card Organizations or we may impose fines or penalties, or restrict you from accepting Cards, if it is determined that you are not compliant with the applicable data security requirements. Subject to Section 4.3, we may in our sole reasonable discretion suspend certain or all Services under the Agreement if we reasonably believe in good faith and based on evidence that an actual or suspected data security compromise has occurred, provided that we will use reasonable efforts to provide you advance written notice of such suspension, unless such notice is prohibited by Applicable Law or Card Organizations Rules. We will use commercially reasonable efforts to implement a workaround that allows you to continue receiving Card processing services from us during the suspension and we will remove the suspension and restore Services promptly after the threat has been resolved.

Source: Item 23 — Receipts (FDD pages 99–486)

What This Means (2025 FDD)

According to Atwell Suites' 2025 Franchise Disclosure Document, franchisees must adhere to specific requirements regarding cardholder data security. As part of compliance with Card Organization Rules, franchisees are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS compliance is focused on Merchant Systems where Cardholder data can be accessed, processed, stored, or transmitted, including external connections into the network, connections to and from the authorization and settlement environment (e.g., connections for employee access or for devices such as firewalls and routers), and data repositories outside of the authorization and settlement environment. The franchisee is also responsible for ensuring that all Merchant Providers, Merchant Systems, Third Parties, Third Party Services, equipment, and software used in connection with Card transactions comply with Card Organization Rules, including PCI DSS. Information about PCI DSS can be found at www.pcisecuritystandards.org.

Atwell Suites franchisees must not use, disclose, store, sell, or disseminate any cardholder data except to authorize, complete, and settle card transactions, resolve chargebacks, respond to requests for documentation related to card transactions, or as required by valid court order, government agency order, or subpoena and compliant with Card Organization Rules. Franchisees acknowledge that they do not have and will not obtain ownership rights in any cardholder data or transaction data.

Failure to comply with these data security requirements can result in substantial liabilities and potential termination of the franchise agreement. The Card Organizations or Atwell Suites may impose fines or penalties, or restrict the franchisee from accepting cards if non-compliance is determined. Atwell Suites may suspend services under the agreement if a data security compromise is suspected, and may terminate the agreement if an actual data security compromise occurs which creates liability exposure for them. Franchisees are also responsible for promptly paying for all related expenses, claims, assessments, fines, losses, costs, penalties, and Issuer reimbursements imposed by the Card Organizations against them if they are determined to be the source of any loss, disclosure, theft, or compromise of cardholder data.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.