Data security at Moov

Last updated: December 11, 2024

Please carefully review the following important information regarding cardholder data protection. Non-compliance may result in significant fines, liabilities for unauthorized disclosures, and termination of the processing agreement.

Payment card industry data security standards (PCI DSS)

The Payment Card Industry Data Security Standards (PCI DSS) define the requirements with which all entities that store, process, or transmit payment card data must comply. PCI DSS is the name used to identify those common data security requirements. While the card networks have their own versions of security programs, they are all based on the PCI DSS requirements. PCI DSS compliance validation is focused on the merchant environment where cardholder data is processed, stored, or transmitted, including:

  • All external connections into your network (i.e., employee remote access, third-party access for processing, and maintenance).

  • All connections to and from the authorization and settlement environment (i.e., connections for employee access or for devices such as firewalls and routers).

  • Any data repository outside of the authorization and settlement environment.

The “merchant environment” includes any and all equipment you use in connection with card authorization, clearing, completing, settling, transmitting, or other related processing, including, without limitation, all telecommunication lines and wireless connections and software, systems, point-of-sale terminals, card readers, merchandise and card scanners, printers, PIN pad devices, and other hardware, whether owned by you, Merchant Providers, or other persons used by you.

Penalties may be imposed if it is determined that merchants are not compliant with the applicable data security requirements.

Data security requirements

For detailed information on the data security requirements, please refer to the following sources:


Compliance

If you accept card payments, you may be subject to ongoing validation of your compliance with PCI DSS standards by means of a self-assessment questionnaire, attestation of compliance, onsite assessment, or any other method deemed appropriate by the PCI DSS Council.

Immediate notice required

In the event that transaction data is known or suspected to have been accessed or retrieved by any unauthorized person, you must contact us immediately, and in no event more than 24 hours after becoming aware of such activity.

Noncompliance fees

If we have not received your validation of compliance with PCI DSS standards within the first 90 days of the date of the Agreement, you may be subject to a monthly non-receipt of PCI Validation fee. This fee may continue until you become compliant or terminate your account.