In addition to the General Terms and the other terms and conditions in the Agreement (as defined in the Hosting Agreement Summary), these Service Terms (the “PCI Service Terms”) govern all Logicworks Services that are used to store, process or transmit any cardholder data or sensitive authentication data. Capitalized terms used but not defined in these mAWS Service Terms will have the meanings given them elsewhere in the Agreement.
1. PCI SERVICES. Client acknowledges that Logicworks offers numerous security options as part of the Services that when configured and used properly will provide Client with the means to comply with the Payment Card Industry (“PCI”) Data Security Standard (the “PCI DSS”) posted online at https://www.pcisecuritystandards.org, as it may be amended or placed on a successor site. Client shall interpret the PCI DSS as it applies to the transfer, use, storage, backup, availability, integrity, security and destruction of any Cardholder Data in connection with the Services provided by Logicworks.
2. LOGICWORKS’ COMPLIANCE. In each year during the Term of this Agreement, Logicworks shall obtain an annual validation of its compliance with the PCI DSS as a service provider. Logicworks shall undertake an annual service provider audit in accordance with the PCI DSS for the purposes of ongoing information security compliance verification. The annual audit will not include Client’s Configuration or its security policies and practices. On request, Logicworks shall make available to Client a copy of its most recent certificate of compliance.
3. CLIENT’S COMPLIANCE. If Client uses the Services to store, process, or transmit Cardholder Data (as defined in the PCI DSS), Client shall ensure that such use complies with the rules and regulations of all payment networks it uses and with the PCI DSS, as they may be amended from time to time during the Term, and Client shall be solely responsible for selecting the Services required for it to comply with the PCI DSS. Client shall independently implement and maintain all measures that are not identified on a Service Order to the extent they are required to comply with the PCI DSS. Logicworks’ sole responsibility for Client’s compliance with the PCI DSS is to provide the Services that are expressly described in a Service Order in accordance with the applicable SLA. Notwithstanding any other provision in this Agreement, Client shall make the final decision regarding whether the Services meet or exceed Client’s obligations under the PCI DSS with respect to the transfer, use, storage, backup, availability, integrity, security and destruction of all Cardholder Data. To the extent Client makes a determination regarding the interpretation of the PCI DSS and Logicworks complies with that determination, Logicworks shall be relieved of responsibility for any resulting non-compliance with Client’s misinterpretation.
4. NO GUARANTEES. Client’s selection and use of Services that are intended to comply with the PCI DSS does not guarantee Client’s compliance with the PCI DSS. Client’s compliance with the PCI DSS can only be determined by Client and its applicable compliance auditors. Client is responsible for providing notice of any suspected breach of Client’s systems, and for any fines, penalties or registration fees imposed by any payment card association relating to Client’s use or possession of any Cardholder Data.
5. INDEMNIFICATION. In addition to the other indemnification requirements in the Agreement, Client shall indemnify, defend and hold Logicworks and its employees, agents, shareholders, officers, directors, successors and assigns harmless from and against any and all claims, damages, liabilities, costs, settlements, penalties and expenses (including attorneys’ fees, expert’s fees and settlement costs) arising out of or relating to any suit, action, proceeding, arbitration, subpoena, claim or demand brought or asserted by a third party pursuant to any theory of liability against Logicworks arising out of or relating to Client’s failure to comply with the PCI DSS. Client’s obligations under this paragraph will survive the termination of the Agreement.
6. PENETRATION TESTING. Client acknowledges that penetration testing involves inherent risks, including risks related to system or network performance and availability, and data corruption or loss. If Client requests penetration testing, Logicworks will not be liable for any damages arising from the performance of the penetration testing, except for damages caused by Logicworks’ gross negligence or Intentional Misconduct. Client shall not perform network scanning or penetration testing on the Configuration without Logicworks’ prior written consent.
7. AMENDMENT. Logicworks may amend this PCI Addendum on thirty days’ notice in response to a change in any PCI standard or regulation, including the DSS, or in response to any interpretation of PCI standards or regulations by the PCI Security Standards Council or the card associations.
8. CARDHOLDER DATA COMPROMISE. In the event of a Cardholder Data compromise, each party shall reasonably cooperate with the other to provide support for any investigations regarding the compromise.
9. DISCLAIMER. LOGICWORKS’ COMPLIANCE WITH THE PCI DSS IS AN AGREEMENT BETWEEN LOGICWORKS AND CLIENT, AND THERE ARE NO THIRD-PARTY BENEFICIARIES OF THIS OBLIGATION. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, LOGICWORKS DISCLAIMS ANY LIABILITY TO ANY THIRD PARTY ARISING OUT OF OR RELATING TO ANY PCI STANDARD. NO THIRD-PARTY CUSTOMER, BANK, CARD ISSUER, NETWORK MEMBER, ASSOCIATION, OR ANY OTHER THIRD PARTY, WILL HAVE ANY RIGHT TO ASSERT ANY CLAIM OR CAUSE OF ACTION AGAINST LOGICWORKS.
10. SUSPENSION OR TERMINATION. Logicworks may immediately (and without prior notice) suspend or terminate Client’s Services if Logicworks reasonably believes that Client is in violation of the PCI DSS.
12. THE AGREEMENT. These PCI Terms are appended to and made a part of the Agreement. The Agreement remains in full force and effect and is unmodified except as provided herein.