Merchant PCI Terms

Last updated

This Merchant PCI addendum (“MPCI Terms”) is entered into between Mako Networks, Inc. (“Mako”), and the customer identified on the applicable sign-up form (“Customer”) and supplements the Services Agreement between the parties.

Definitions

For purposes of these MPCI Terms, the following terms shall have the meanings set forth below:

“ASV Scans” means Approved Scanning Vendor scans performed by Mako using PCI SSC approved third-party scanning services to identify external vulnerabilities in Customer’s internet-facing systems.

“Cardholder Data Environment (CDE)” means the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.

“Configuration Review” means the semi-annual review of system configurations required under PCI DSS v4.0 to ensure security settings remain properly implemented.

“Merchant PCI Services” means the suite of tools and services provided by Mako to assist Customer with PCI DSS compliance validation activities, including SAQ portal access, ASV scanning services, Configuration Review tools, and PCI Dashboard access, as further described herein.

“PCI Dashboard” means the online portal provided by Mako that allows Customer to monitor its PCI compliance validation status and access compliance-related documentation.

“SAQ” means Self-Assessment Questionnaire, the PCI DSS validation tool used by merchants to document their compliance with PCI DSS requirements.

“Services Agreement” means the Services Agreement between Mako and Customer identified on or referenced in the applicable sign-up form, as may be amended from time to time.

Division Of Responsibilities

Mako Responsibilities. Mako shall provide the following services:

  1. General guidance on interpreting PCI DSS requirements as they relate to SAQ completion.
  2. Quarterly external vulnerability scans performed using PCI SSC Approved Scanning Vendor services.
  3. Configuration Review tools and automated reminders for semi-annual reviews.
  4. Access to PCI Dashboard for monitoring compliance validation status.

Customer Responsibilities. Customer shall be solely responsible for:

  1. All physical security assessment, implementation, measures, and controls.
  2. Accuracy and completeness of all information provided to Mako.
  3. Selection of the appropriate SAQ type for Customer’s environment.
  4. Completion of all SAQ responses and attestations truthfully and accurately.
  5. Timely remediation of all identified vulnerabilities.
  6. Definition and maintenance of accurate scan scope, including all external-facing IP addresses.
  7. Development and maintenance of internal security policies, procedures, and employee training.
  8. Ongoing PCI DSS compliance beyond validation activities.
  9. Obtaining and maintaining adequate cyber liability insurance coverage.
  10. Internal vulnerability scans and penetration testing if required for Customer’s merchant level.

Services Explicitly Excluded. The following services are expressly excluded from the Merchant PCI Services and remain Customer’s responsibility:

  1. Audit, validation, or verification of SAQ responses.
  2. Remediation implementation for identified vulnerabilities.
  3. 24/7 security monitoring or managed security services.
  4. Incident response services.
  5. Legal or compliance advice.
  6. Insurance or financial protection against security incidents or non-compliance.

SAQ Assistance and Portal Access

Mako provides the SAQ portal, templates, and general guidance on interpreting PCI DSS questions. Mako does not audit, validate, verify, or attest to the accuracy or completeness of Customer’s SAQ responses. Customer acknowledges and agrees that Customer is the sole attesting party for its PCI DSS compliance. Any autofill features or suggested responses in the SAQ portal are based entirely on information previously provided by Customer and do not constitute Mako’s endorsement or verification of such responses.

Vulnerability Scanning Services

ASV Status. Mako performs quarterly external vulnerability scans using third-party services that are PCI Security Standards Council Approved Scanning Vendors (ASVs). Such scans are performed in accordance with ASV Program requirements.

Scan Limitations. Customer acknowledges that a “passing scan” represents a point-in-time assessment only and does not guarantee the security of Customer’s systems or prevent data breaches. Scan results may change immediately after scan completion due to system changes, new vulnerabilities, or other factors.

Scope Accuracy. Customer is solely responsible for providing Mako with a complete and accurate list of all external-facing IP addresses and systems that comprise the CDE. Failure to include all relevant systems in the scan scope may result in non-compliance and increased security risk.

Remediation Responsibility. Customer is solely responsible for the timely remediation of all vulnerabilities identified during scanning. Mako’s identification of vulnerabilities does not create an obligation to assist with remediation.

Scanning vs. Penetration Testing. ASV scanning is distinct from and does not include penetration testing. Customers requiring penetration testing must obtain such services separately.

Configuration Review

Mako provides tools and automated reminders to assist Customer in meeting the semi-annual configuration review requirements under PCI DSS v4.0. Customer is solely responsible for conducting the actual configuration reviews, documenting results, and maintaining all required documentation. Mako’s tools are provided for convenience only and do not constitute performance of the configuration review on Customer’s behalf.

Customer Representations and Warranties

Customer represents and warrants that:

  1. All information provided to Mako is true, complete, and accurate.
  2. Customer’s description of its cardholder data environment is accurate and complete.
  3. Customer understands that Mako’s services depend entirely on the accuracy of Customer’s information and representations.
  4. Customer has selected the appropriate SAQ type for its environment based on its actual card processing methods and volumes.
  5. Customer owns or has full legal authority to authorize vulnerability scanning of all IP addresses, domains, and systems provided to Mako for scanning purposes.
  6. Customer has obtained all necessary consents from any third parties, including but not limited to hosting providers, internet service providers, and cloud service providers, to perform vulnerability scanning on the identified systems.

Service Modifications for Regulatory Changes

Regulatory Updates. Mako reserves the right to modify the Merchant PCI Services as necessary to comply with changes to PCI DSS requirements, including version updates (e.g., from v4.0 to v4.0.1), new Security Standards Council guidance, or changes in card brand compliance programs.

Notice of Changes. Mako will provide Customer with reasonable advance notice of material service modifications required by regulatory changes, except where immediate implementation is required by PCI SSC or card brand mandates.

Customer Obligations. Customer acknowledges that PCI DSS requirements may change and agrees to adapt its compliance practices accordingly. Additional services or fees may apply if regulatory changes require substantial modifications to the Merchant PCI Services.

No Grandfathering. Customer understands that compliance with outdated PCI DSS versions is not permitted once new requirements become effective, and Mako will align its services with current requirements.

Compliance Responsibility

Ultimate Responsibility. Customer acknowledges and agrees that ultimate responsibility for PCI DSS compliance remains solely with Customer. Mako’s services facilitate compliance validation activities only and do not constitute continuous security management or compliance maintenance. Customer is responsible for meeting all PCI DSS requirements, including those not addressed by the Merchant PCI Services.

No Guarantee of Compliance. Mako makes no warranties, express or implied, regarding the Merchant PCI Services, including any warranty that the services will enable Customer to achieve or maintain PCI DSS compliance or prevent data breaches. The services do not guarantee compliance or security.

No Insurance or Financial Protection. Customer acknowledges and agrees that the Merchant PCI Services do not constitute insurance, a financial guarantee, or warranty against security incidents, data breaches, or non-compliance penalties. Service fees paid to Mako do not include any insurance premium or assumption of financial risk by Mako. Customer is solely responsible for obtaining and maintaining adequate cyber liability insurance and other appropriate coverage.

Breach Notification

Mako Breach. Mako shall notify Customer if Mako’s systems experience a breach that affects or may affect Customer’s data or compliance status.

Customer Breach. Customer shall immediately notify Mako of any security breach or incident in Customer’s environment that involves or may involve cardholder data.

Cooperation. In the event of a breach investigation, Mako’s cooperation shall be limited to providing historical scan reports and documentation of services performed. Mako is not obligated to provide forensic analysis, expert testimony, or other investigative services.

General Provisions

These MPCI Terms are subject to and incorporate by reference all terms and conditions of the Services Agreement. In the event of any conflict between these MPCI Terms and the Services Agreement, the terms of these MPCI Terms shall control solely with respect to the Merchant PCI Services.

If you have any questions about these policies, please contact legal@makonetworks.com.
