Data Security; Data Protection; Data Portability.

Last update: January 11th, 2023


a. General. 


You are fully responsible for the security of data on your website or otherwise in your possession or control. You agree to comply with all applicable laws and rules in connection with your collection, security, and dissemination of any personal, financial, Card, or transaction information (defined as “Data”) on your website. You must report any Data breach or incident to WAAVE and the Card Companies immediately after discovery of the incident.


b. PCI DSS Compliance.


i. Merchant PCI Compliance. You agree that at all times you shall be compliant with the Payment Card Industry Data Security Standard (PCI DSS), the Payment Application Data Security Standard (PA DSS), and any Card Company data security requirements, as applicable. You agree to promptly provide us with documentation evidencing your compliance with PCI DSS, PA DSS, or other Card Company data security requirements if requested by us. You also agree that you will use only PCI-compliant service providers in connection with the storage or transmission of Card Data. You must not store CVV2 Data at any time.


Your customers’ Card Data is handled by WAAVE through our partner VeryGoodSecurity (VGS).

If you are accessing the Services through a platform service partner, you acknowledge that your platform service partner may offer solutions that help you comply with certain of these Merchant PCI compliance standards. While the platform service partner may help you comply or perform certain obligations on your behalf, you remain liable for compliance with these Merchant PCI Compliance standards.


You are responsible for completing the PCI SAQ questionnaire within 90 days of going live with WAAVE and yearly after that.

We send you instructions over email. We send two emails with this information every year; it is your responsibility to follow the instructions and complete the questionnaire for each and every MID you hold through WAAVE.

Failure to do so will result in PCI non-compliance charges. These charges may be weekly or monthly, depending on your agreement.


ii. WAAVE PCI Compliance. WAAVE agrees that it shall comply with the applicable PCI DSS requirements, as such may be amended from time to time, with respect to all cardholder data received by it in connection with this Agreement. WAAVE acknowledges that it is responsible for the security of cardholder data that it possesses or otherwise stores, processes or transmits on behalf of the Merchant, and for the security of such data to the extent that it could impact the security of the Merchant’s cardholder data environment.


c. Data Usage. 


Unless you receive the express consent of your customer, you may not retain, track, monitor, store or otherwise use Data beyond the scope of the specific transaction. Further, unless you get the express written consent of WAAVE and each Acquiring Bank and/or the Card Companies, as applicable, you agree that you will not use or disclose the Card Data for any purpose other than to support payment for your goods and services. Card Data must be completely removed from your systems, and from any other place where you store Card Data, within 24 hours after you receive an authorization decision, unless you have received the express consent of your customer to retain the Card Data for the sole purpose of processing recurring payments. To the extent that Card Data resides on your systems and other storage locations, it should do so only for the express purpose of processing your transactions. All Data and other information provided to you by WAAVE in relation to the Services, and all Card Data, will remain the property of WAAVE, its Acquiring Bank or the Card Companies, as appropriate.


d. Password Security. 


You agree to restrict use and access to your password and log-on ID to your employees and agents as may be reasonably necessary and you will ensure that each such employee or agent complies with the terms of this Agreement. You will not give, transfer, assign, sell, resell or otherwise dispose of the information and materials provided to you to utilize the Services. You are solely responsible for maintaining adequate security and control of any and all IDs, passwords, or any other codes that are issued to you by WAAVE, each Acquiring Bank or the Card Companies.


e. Audit. 


If WAAVE believes that a security breach or compromise of Data has occurred, WAAVE may require you to have a third-party auditor that is approved by WAAVE conduct a security audit of your systems and facilities and issue a report to be provided to WAAVE, the Acquiring Banks and the Card Companies. In the event that you fail to initiate an audit within ten (10) business days of WAAVE’s request, WAAVE may conduct or obtain such an audit at your expense. In addition, the Card Companies may conduct an audit at any time, for the purpose of determining compliance with the Card Company Rules.


f. Compliance with Data Protection Addendum. 


You, as a Merchant, and WAAVE agree to comply with the WAAVE Data Protection Addendum for Card Processing Products found here (the “Data Protection Addendum”), which forms part of this Agreement. The terms of the Data Protection Addendum prevail over any conflicting terms in this Agreement relating to data protection and privacy.



g. Data Portability. 


Upon any termination or expiration of this Agreement, WAAVE agrees, upon your written request, to provide your new Acquiring Bank or payment service provider (“Data Recipient”) with any available credit card information, including personal data relating to your Customers (“Card Information”). In order to do so, you must provide WAAVE with all requested information, including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is Level 1 PCI compliant. WAAVE agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) you provide WAAVE with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing WAAVE a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider, and any other information reasonably requested by WAAVE; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules and any applicable laws, rules or regulations (including data protection laws).
