[Rider revised as of 26 November 2012. The confidentiality terms stated in this Rider are required in any contract with a vendor who processes credit card information, primarily names and credit card numbers, on behalf of Harvard in connection with credit card transactions. If the vendor provides no other services, this Rider will generally be sufficient. If the vendor provides any other services involving credit card information or other HRCI, the contract must also include the terms of the Rider for the Protection of Personally Identifiable Information. Please delete this head note before transmitting.]

Contract Rider:
Requirements for the Protection of Credit Card Data

Effective as of _____________, this Rider is added to and incorporated as part of the [name of Agreement] (in this Rider, the “Agreement”), dated as of _____________, between [identify Harvard party] (in this Rider, “Harvard”) and [identify consultant] (in this Rider, “Consultant”). In the event of any conflict between the terms of this Rider and the Agreement, the terms of this Rider shall govern.

“PCI Data” is comprised of cardholder account numbers, security codes and personal identification (PIN) numbers, and any other categories of data subsequently identified by the PCI Security Standards Council, LLC as being subject to the then current version of the Payment Card Industry (“PCI”) Data Security Standard (together with any successor or other applicable PCI standards, the “PCI Standard”), the contemporaneous version of which is available through the following URL: https://www.pcisecuritystandards.org.

Consultant acknowledges that it is responsible for the security of PCI Data that Consultant receives from or processes on behalf of Harvard.

In addition to complying with other provisions of the Agreement requiring the protection of confidential information, the Consultant shall at all times during the term of the Agreement comply with all applicable provisions of the PCI Standard with respect to PCI Data to which Consultant is provided access pursuant to the Agreement.

Consultant represents and warrants that it has been certified as “PCI Compliant” by a PCI Security Standards Council approved “Qualified Security Assessor” (QSA) and that it shall maintain such designation during the term of the Agreement. Without limiting the foregoing, Consultant represents and warrants that it has in place, and shall maintain in place for as long as it has possession of or access to PCI Data, a system for transmission, reception, storage and use of such PCI Data that complies with the PCI Standard from time to time in effect. 

Consultant shall use PCI Data obtained pursuant to the Agreement only for completing transactions and performing other obligations as called for by the Agreement, providing fraud control services and for uses specifically required by law, but not for marketing purposes. 

In the event of an actual or suspected breach of security regarding PCI Data obtained pursuant to the Agreement, Consultant shall immediately notify Harvard and cooperate with the investigative actions of PCI, PCI’s card brand members, Harvard and/or its affiliates, and any appropriate law enforcement entity.

Consultant agrees to provide Harvard on request the results of any SSAE 16 audit (Type I or Type II) of Consultant’s services (but Consultant is not obliged hereby to conduct such an audit).
