Compliance Reimbursement Program Overview
The Compliance Reimbursement Program covers any qualifying merchant that receives a written letter (the “Demand Letter”) from any one of the card associations that have adopted the PCI DSS asserting that the following events have occurred (a “PCI Breach”): (i) the merchant has failed to comply with the accepted PCI DSS by reason of the failure and inability of the security of the merchant’s computer system or point-of-sale terminal equipment to mitigate loss from or prevent computer data infiltration; and (ii) such failure has resulted in the exposure of card information that compromises the security, confidentiality, or integrity of personally identifiable information. In the event that a Demand Letter is received by a qualifying merchant, we will reimburse that merchant for the following expenses that it must pay in connection with the cited PCI Breach, up to a maximum reimbursement in the aggregate of $25,000 per merchant account:
- monetary assessments and fines asserted by such card association;
- mandatory forensic, legal and/or information technology examinations required by such card association; and
- monetary costs demanded by such card association to reproduce and distribute cards.
The maximum reimbursement will be based on the merchant’s account, and not on the merchant’s location(s), the latter being commonly referred to as the merchant’s MID. Multiple Demand Letters received in respect of the same PCI Breach or related chain of incidents, actions, errors, intrusions, breaches, events, omissions or occurrences will be treated as a single Demand Letter for purposes of the Compliance Reimbursement Program.
In order to qualify for reimbursement under the Compliance Reimbursement Program, a merchant must satisfy the following requirements:
- the merchant must be an actively processing merchant in good standing under its merchant agreement, have participated in our Compliance Program as recommended and, for merchants that have processed more than twelve months with us, have paid in full all monthly PCI compliance fees in timely fashion prior to the time the Demand Letter is received;
- the merchant must not have been the subject of any prior PCI Breach, and must not have been aware of the condition giving rise to the subject PCI Breach prior to such breach;
- the subject PCI Breach must not have resulted directly or indirectly from a fraudulent, illegal, dishonest or criminal act committed by, at the direction of, or with the knowledge of the merchant, or any director, officer, shareholder, owner, employee or representative of the merchant;
- if the merchant is a level 4 merchant under the PCI DSS, it must have completed the SAQ and attestation of compliance within the 12-month period immediately preceding the subject PCI Breach, and remedied all security issues identified during the course of that self-evaluation process;
- if the merchant is a level 3 merchant under the PCI DSS, it must have satisfied the foregoing requirements for a level 4 merchant, and completed all quarterly network security scans with an Approved PCI DSS Vendor, as required by the PCI DSS;
- if the merchant is a level 1 or level 2 merchant under the PCI DSS, it must have a full security program in place developed and certified by an Approved PCI DSS Vendor, or have developed a full security program through Trustwave, our recommended Approved PCI DSS Vendor, within the 12-month period immediately preceding the subject PCI Breach, and have completed all quarterly network security scans with an Approved PCI DSS Vendor, as required by the PCI DSS;
- the merchant must provide our claim administrator with a copy of the Demand Letter within five (5) business days of the merchant’s receipt, and provide copies of all other communications from the card association regarding the PCI Breach within five (5) business days of the merchant’s receipt.
The contact information of our claim administrator is set forth below. All claims and inquiries under the Compliance Reimbursement Program must be directed to our claim administrator. Our claim administrator shall have the right to investigate, contest, defend, appeal and/or settle any PCI Breach that is the subject of a claim by a merchant.
ATTN: Compliance Administrator
21650 Oxnard Street Ste. 1200
Woodland Hills, CA 91367