As an Intuit Inc., Intuit Payment Solutions, LLC, and/or its subsidiaries and affiliates (“Company”) merchant (“Merchant” or “You”) that has paid a PCI service fee as listed in the applicable pricing schedule (“PCI Fee”), You are eligible to receive Card Data Breach Forgiveness benefits from Company. This document describes the forgiveness benefit (“Forgiveness”) that is offered to Merchant. THIS IS NOT AN INSURANCE POLICY OR A CERTIFICATE OF INSURANCE.

Forgiveness Limit: $50,000 USD per incident (maximum of 1 incident claimed per calendar year).

Forgiveness Period: The Forgiveness Period begins the first day of the month in which Company bills You for the PCI Fee, so long as You pay the PCI Fee on time. This Forgiveness may be renewed monthly by You, as long as the Company continues to offer it.

BENEFITS: (1) Subject to the limitations elsewhere in this document, Company will waive Expenses which You are obligated to pay Company under the Merchant Agreement as a result of an incident to which this Forgiveness applies (a “Covered Incident”, as defined fully below) up to the Forgiveness Limit of $50,000 USD per Covered Incident (maximum of 1 incident claimed per calendar year). (2) Company’s obligations to provide this Forgiveness to You is conditioned on Company’s right (which is not an obligation) to defend You against any legal action or proceedings arising out of a Covered Incident, and Company has the right (but not an obligation) to investigate, defend, appeal, or settle Expenses arising out of a Covered Incident. “Expenses” (defined fully below) include certain fines, penalties, Mandatory Audit fees, and other costs imposed by Claimants in the case of a Covered Incident, but do not include direct payments to consumers for loss of personally identifiable information (“PII”) or other loss of identity. “Claimants” (defined fully below) include, as applicable, a Card Association, an Acquiring Bank, or a Qualified Security Assessor, but exclude consumers. Chargebacks and fraudulent charges are generally excluded. In any event, the Covered Incident must be discovered within the applicable Forgiveness Period.

COVERED INCIDENT: A Covered Incident means one or more actions, omissions, inactions, errors, unauthorized accesses, intrusions, Breaches of Security, or Failures of Security resulting in a Data Compromise, if identified as such in a written Demand Letter (including case number or incident number) issued by a Card Association or a contractually enforceable Demand by a Card Association for reimbursement that is linked to Your MID. “Breach of Security” and “Failure of Security” means the failure of the Merchant’s computer system to prevent infiltration, or loss resulting from infiltration, of hardware or software on which data is stored or through which data passes, and includes physical theft of hardware or software resources and theft of passwords. “Data Compromise” means exposure of Card information that compromises the confidentiality or integrity or security of PII due to a Failure of Security by Merchant. Continuous or ongoing or repeated Breaches of Security or Failures of Security shall be considered part of the same Covered Incident if committed by the same actor, actors, or conspiracy of actors. All Expenses resulting from the same Covered Incident shall be subject to a single Forgiveness Limit of $50,000 USD.

EXCLUSIONS AND LIMITATIONS TO FORGIVENESS: (1) Company has no Forgiveness obligation for any Covered Incidents discovered or reported before or after the Forgiveness Period or for any time for which a PCI Fee is not paid, or which exceed any applicable Forgiveness Limit. (2) Company’s Forgiveness obligation shall be the lesser of actual Expenses and the applicable Forgiveness Limit. (3) Company’s Forgiveness obligation is limited to waiving Expenses incurred by the Merchant who has paid the PCI Fee; other Merchants are not entitled to Forgiveness. (4) Company’s Forgiveness obligation does not apply to, and Company shall not be liable based upon, losses resulting directly or indirectly from any fraudulent, illegal, dishonest, or criminal act by or with the knowledge of any officer, director, employee, agent, representative, consultant, or contractor of Merchant. (5) Inadvertent accounting and arithmetic errors are excluded. (6) Costs incurred in becoming compliant with PCI Data Security Standards or achieving a particular PCI Compliance Level, or in reacquiring PCI compliant status or requalifying for a particular PCI Compliance Level, are excluded from Company’s Forgiveness obligation. (7) Damages, costs, penalties, or fines imposed by any Card Association, Card issuer, Acquiring Bank, ISO or Processor for non-compliance with accepted PCI standards are not within the Company’s Forgiveness obligation, other than an Expense or Card replacement cost that is contractually recoverable from Merchant under the Merchant Agreement, if arising from a Data Compromise at the Merchant level. (8) Company’s Forgiveness obligation does not apply to costs associated with any governmental or regulatory or third-party actions, investigations, litigation, or settlements, including any contribution, restitution, injunctive relief, or reimbursement of costs associated therewith. (9) Expenses associated with the following are also excluded from the Company’s Forgiveness obligation: (a) war and civil war (declared or undeclared), insurrection, rebellion, revolution, governmental intervention, or any matter certified by the Secretary of the Treasury as an Act of Terrorism subject to the Terrorism Risk Insurance Act of 2002 as amended in 2007; (b) any software not within the control of the Merchant, unless subject to an end user agreement (but this exclusion does not limit any indemnity by the Company for Expenses arising from the use by third parties of software, virus, Trojan, or other malware to infiltrate the Merchant’s data systems); (c) any Data Compromise that occurs in any computer network upon which multiple, unrelated Merchants have their Merchant accounts hosted on the same web server; and (d) any transaction against a Merchant’s or cardholder’s account unless the transaction is a fraudulent or illegal use of a Card number and a Demand is made against Merchant by the Card Association for such transaction(s).

ADDITIONAL DEFINITIONS: The following additional definitions apply to this Forgiveness: (1) “Acquiring Bank” means a bank or other financial institution that accepts or processes payment transactions on behalf of Company and its Merchants, using a Card issued by itself or other financial institutions. For clarity, Company holds a direct acquiring relationship with the Acquiring Bank, and Merchant is considered a sub-merchant to Company under said acquiring relationship. (2) “Card” means credit cards, debit cards, stored value cards, and pre-funded cards. (3) “Card Association” means any one of the following, or other entities whose primary purpose is to administer and promote Cards: MasterCard International, Inc., VISA U.S.A., Inc., VISA International, Inc., Discover Financial Services, American Express, or JCB International Credit Card Company, Ltd. “Card Association” also includes any of the following debit provider networks: Exchange/Accel, Interlink, Maestro, NYCE, Plus, PrestoLink, Shazam and STAR. (4) “Chargeback” means the procedure by which a Card transaction or portion of a Card transaction is returned to the selling Merchant, and liability for such transaction becomes the selling Merchant’s responsibility under the Merchant Agreement. (5) “Claim” means a contractual Demand by a Claimant against Merchant’s MID for payment of Expenses as a result of a Covered Incident. (6) “Claimant” means (a) a Card Association or Acquiring Bank assessing PCI Assessments, Related Costs and/or Card replacement cost against Merchant’s MID; or (b) a Qualified Security Assessor incurring and seeking reimbursement for Mandatory Audit fees or making a Demand for Expense reimbursement from the Merchant of such amounts. (7) “Compliance Case” means a determination by a Card Association that: (a) a Data Compromise of Merchant violated a specific operating rule of the Card Association; (b) the Data Compromise is not covered by a Chargeback right; and (c) the issuing bank suffered a financial loss as the result of the Data Compromise. (8) “Demand” or “Demand Letter” means any written request for payment by Merchant of Expenses that are contractually recoverable from Merchant under the Merchant Agreement. (9) “Expenses” means PCI Assessments and Related Costs, Mandatory Audit fees, and/or Card replacement costs that assessed by the Card Association, pursuant to contract, against Merchant as a result of Covered Incident. “Expenses” do not include the following: (a) economic damage, legal costs, punitive or exemplary damages, or governmental or regulatory fines or penalties assessed directly against Merchant ; (b) any multiplication of actual damages under federal or state law; (c) loss of consumer PII unless otherwise recoverable by a Claimant hereunder pursuant to the terms of the Merchant Agreement; or (d) the cost to restore consumer identities or monitor or correct damage to the credit of any consumer (including but not limited to paying for any credit bureau report). The cost of hardware or software upgrades, interchange fees, Chargeback costs, and actual or alleged fraudulent Card charges not specifically assessed as a fine or recoverable Expense by a Card Association are also excluded. (10) “ISO” means registered Independent Sales Organization or Merchant service provider. (11) “Mandatory Audit” means a forensic, legal and/or information technology examination of Merchant that is required by the Card Association or Acquiring Bank based upon reports by one or more cardholders of actual or potential fraudulent activities which the Card Association has grounds to believe are due to Merchant’s non-compliance with accepted PCI Data Security Standards. Mandatory Audits must be initiated by the Card Association or Acquiring Bank in writing and conducted by a Qualified Security Assessor. (12) “Merchant” means a sole proprietorship or other business entity that is authorized to process Card transactions through Company’s relationship with its Acquiring Bank. (13) “Merchant Agreement” means the executed contract between a Merchant and Company which sets forth the Merchant’s contractual liability for PCI Assessments, Related Costs, Mandatory Audit fees, and Card replacement costs resulting from a Data Compromise. (14) “MID” or merchant identification number means an identification number that, to the Acquiring Bank, represents a merchant’s point-of-sale terminal or profit center for the purpose of processing and tracking credit card transactions. For instance, each register in a retail store has an individual MID, so the Acquiring Bank knows exactly at which point of sale each transaction is processed. (15) “PCI” means Payment Card Industry. (16) “PCI Assessment” means any written Demand for a monetary assessment or fine against a Merchant by the Card Association based on non-compliance with accepted PCI Data Security Standards resulting in a Data Compromise. (17) “PCI Compliance Level” means the Payment Card Industry compliance level assigned by the Card Association for the type of merchant. (18) “PCI Data Security Standards” means generally accepted and published Payment Card Industry standards for data security. PCI Data Standards may include, without limitation, the following: (a) protective firewalls; (b) encryption; (c) system passwords and other security requirements; (d) anti-virus and security software; (e) restrictions on access to cardholder data; (e) monitoring of network and data access; and (f) regular testing and monitoring of security systems and processes. (19) “Processor” means an Acquiring Bank, ISO, or other PCI compliant system vendor approved by the Acquiring Bank to provide Card processing services. (20) “Qualified Security Assessor” means a security assessor that has been certified by the PCI Security Standards Council. (21) “Related Costs” means costs related to the PCI Assessment, demanded in writing by or from the Card Association, for which a Merchant is liable under the Merchant Agreement. Related Costs include Compliance Case costs of the Card issuer associated with the monitoring of at risk Card accounts filed under the rules of the Card brands. Related Costs shall also include fines, liability for Account Data Compromise Recovery (ADCR) process(es) as established by Visa, or similar processes established by other Card Associations, to the extent assessed against Merchant by the Card Association for the uncollectable amount of any transaction directly as a result of fraudulent or illegal use of a compromised Card number.

TERRITORY: The Company’s indemnity obligation only applies to Covered Incidents occurring within the United States, excluding its territories and possessions.

PAYMENTS:The Merchant is responsible for paying the PCI Fee. The Forgiveness will only be effective for the period in which the Company receives the appropriate payment of the PCI Fee. All fees due in connection with the Forgiveness benefit are non-refundable.

FORGIVENESS DEMAND: (1) Demand for Forgiveness. As soon as practicable following discovery of a Covered Incident, Merchant shall notify the Company in writing of Merchant’s desire to request Forgiveness for said Covered Incident (“Demand for Forgiveness”). The Demand for Forgiveness shall be submitted by email to Merchant shall cooperate fully with Company in providing all required information, which at a minimum shall include the following: (a) the circumstances of discovery; (b) a description of all known Expenses resulting from the Covered Incident; and (c) a description (and copies, if available) of all known evidence relating to the Covered Incident, including any reports from third parties and government agencies. (2) Duty to cooperate. Merchant or its employees will provide any necessary witness statements or other information to Company upon request and will cooperate in the prosecution or defense of any legal action as requested by Company. Merchant will assist Company in enforcing any right of contribution or indemnity or similar right, which includes executing any necessary and related documents upon Company’s request. As against any third party, Merchant will cooperate with Company in asserting any defenses or other right to challenge a Claim and will provide truthful information (including any required statements) in connection with Company’s investigation and processing of the Claim. Failure of Merchant to comply with these requirements terminates any waiver obligation of Company with respect to the Claim, if Company is prejudiced as a result. (3) Forgiveness Payment. Payment by Merchant of a Claim does not automatically bind Company to reimburse Merchant for such payment. Upon receipt of a Demand for Forgiveness, the Company or its representative will investigate, and additional requests may be made if Company deems them necessary. Within thirty (30) days of receipt of all requested items (including but not limited to any Mandatory Audit results), Company will notify Merchant of acceptance or rejection of the Demand for Forgiveness. If the Company rejects the Demand for Forgiveness, in whole or in part, the Company shall state in writing the reasons for the rejection. In such a case the Merchant may accept such rejection or submit an amended Demand for Forgiveness. An amended Demand for Forgiveness must be submitted within thirty (30) days following the Company’s rejection and contain any additional information necessary for the Company to reevaluate the rejection. If the Claim is accepted, payment shall be made within thirty (30) days after Company reaches agreement with the Claimant, or the entry of a judgment against the Company. Company may make any required payment to the Claimant only, unless it can be demonstrated to Company’s satisfaction that payment has already been made to the Claimant by another party (such as the Merchant, Acquiring Bank, or ISO) in the succession of contractual liability. In such event, the Company will make payment to the one and only unreimbursed party in succession. As a condition precedent to payment, the Company shall have the right to require that the Merchant, or any party receiving payment other than the Claimant, execute a written release to the Company acknowledging that payment is in satisfaction of liability under this Forgiveness benefit. Company may also require that the party receiving payment from the Company will properly disburse such payment to the Claimant or the successor in interest to the Claim proceeds. Company is under no obligation to make payment to any party other than the Claimant. (4) Third-party insurance; multiple policies. Benefits provided hereunder shall be in excess of any applicable insurance or other third-party coverage. Company may offset or reduce its Forgiveness payment obligations by any amounts that have already been received by the Merchant or a Claimant from a third party, including an insurer. In no case will the Merchant or a Claimant be entitled to payment hereunder that results in the total of all payments to such party (including payments from third parties) exceeding the Forgiveness Limit set forth above. If the Forgiveness and other benefits under any other Forgiveness or similar document issued by the Company apply to the same incident, the per-incident limits under all combined shall not exceed the largest single limit. (5) Conditions precedent. No action shall lie against the Company unless there has been full compliance with all of the terms herein, and both the fact and amount of Merchant’s liability have been finally determined by judgment against the Merchant after actual trial or by written agreement of the Claimant and the Company. Any person, organization, or legal representative of a person or organization who has secured such a judgment or written agreement shall be entitled to recover hereunder to the extent that the Forgiveness Limit remains available for payment of Expenses, and to the extent allowed by law.

ASSIGNMENT:No rights or duties hereunder may be assigned or transferred without the Company’s prior written consent.

Changes to this Agreement: Company reserves the right to change this Forgiveness at any time, and the changes will be effective when posted through the Services, on our website for the Services, the Merchant service center or when we notify You by email or other means. Company may also change or discontinue the Forgiveness, in whole or in part. Your continued payment of the monthly PCI Fee indicates your acceptance and agreement to the changes.

CANCELLATION:Company may cancel this Forgiveness upon fifteen (15) days’ notice of cancellation for fraud or material misrepresentation or failure to submit any required fees or payments, and upon sixty (60) days’ notice for any other reason.

RECORDS AND INSPECTION: Merchant shall keep copies of all information, books, and records that relate to the Forgiveness. Company may examine such books and records at any time during the Forgiveness Period, and up to one (1) year thereafter.

ENTIRE AGREEMENT:This document embodies all terms and conditions existing between the parties or their representatives with respect to the subject matter hereof. No other or additional terms have been agreed upon by the parties.

File last updated 2/21/2018