Updated: September 16, 2025

This Data Processing Agreement (“DPA”) is an agreement between you and the entity you represent (“Customer” or “you”), on the one hand, and Cybersource Corporation and/or any other applicable affiliated Cybersource contracting entity(ies) (“Cybersource”), on the other hand.  It forms part of any written or electronic agreement between you and Cybersource (each, an “Agreement”) under which Cybersource Processes Personal Information (“Customer Personal Information”), except with respect to any Agreement under which you and Cybersource have entered data processing terms that address the subject matter hereof.

General Terms
1. Definitions.  Unless otherwise defined in the Agreement (including this DPA), all terms in this DPA shall have the definitions given to them in Applicable Data Protection Law.

“Applicable Data Protection Law”

means any law or regulation pertaining to data protection, privacy, and/or the Processing of Personal Information, to the extent applicable in respect of a party’s obligations under the Agreement and this DPA. For illustrative purposes only, Applicable Data Protection Laws include, without limitation, and to the extent applicable, the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), UK Data Protection Laws, Swiss DP Laws, Argentina Data Protection Law (No 25.326/2000), Brazil Data Protection Law (Law No. 13,709/2018), Colombia Data Protection Law (No 1581/2012), and any associated regulations or any other legislation or regulations that transpose, supersede or are deemed substantially similar to the above.

“EEA Standard Contractual Clauses”

means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as amended or replaced from time to time by a competent authority under the Applicable Data Protection Law, including the Swiss amendments to the EU Standard Contractual Clauses required by the Swiss Federal Data Protection Information Commissioner (the "Swiss Addendum") to the extent applicable.

“End-User(s)”

means any person that purchases goods or services of Customer, whose information is submitted by Customer to Cybersource during the course of Customer using the Transaction Services hereunder.

“Personal Information”

means all data or information, in any form or format, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (“Data Subject”) or household or that is regulated as “personal data,” “personal information,” or otherwise under Applicable Data Protection Law. For the avoidance of doubt, this includes any information relating to an End-User as defined in the Agreement. For the avoidance of doubt, this includes data relating to legal entities, if and as long as they are protected under the Swiss DP Laws as well as any information relating to an End-User as defined in the Agreement.

“Process” or “Processed” or “Processing”

means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure or destruction.

“Security Breach”

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. A Security Breach includes a “personal data breach” (as defined in the GDPR), a “breach of security of a system” (as defined in any US law), a “breach of security safeguards” (as defined in PIPEDA) or similar term (as defined in any other applicable privacy laws) as well as any other event that compromises the security, confidentiality or integrity of Personal Information.

“Swiss DP Laws”

means the Federal Act on Data Protection of June 19, 1992 (as updated, amended and replaced from time to time), including all implementing ordinances. In this DPA, in circumstances where and solely to the extent that the Swiss DP Laws apply, references to the GDPR and its provisions shall be construed as references to the Swiss DP Laws and their corresponding provisions.

“Transfer”

means to transmit or otherwise make Customer Personal Information available across national borders in circumstances which are restricted by Applicable Data Protection Law.

“UK Data Protection Laws”

means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom. In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions.

“UK IDTA”

means the International Data Transfer Addendum to the EEA Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.



2. Processing of Customer Personal Information. The parties acknowledge and agree that, under Applicable Data Protection Law, Cybersource may act in various data processing roles. To enable each party to comply with its obligations under Applicable Data Protection Law, each party further agrees to comply with any required provisions of Schedule A: U.S. State Privacy Laws and/or Schedule B: General Data Protection Regulation, each, to the extent applicable.

2.1 GDPR. Where the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) applies to your use of Transaction Services or if Applicable Data Protection Law imposes a comparable requirement, the parties acknowledge and agree, with respect to the Customer Personal Information that Cybersource Processes, that:

2.1.1 Cybersource is a “processor” or such equivalent term under Applicable Data Protection Law, if any (referred to as “Processor” for purposes of this DPA) for the “Processor Services”. Such Processor Services include, by way of example and for illustrative purposes the Processing detailed on Details of Processing (Exhibit 2, section 1); and

2.1.2 both Customer and Cybersource are “joint controllers”, or such equivalent term under Applicable Data Protection Law, if any, for the “Controller Services”. Such Controller Services include the Processing detailed on Details of Processing (Exhibit 2, section 2).

2.1.3 Cybersource is a “controller”, or such equivalent term under Applicable Data Protection Law, if any, for any other Processing permitted under this Agreement.

2.2 Other Applicable Data Protection Law. Where section 2.1 does not apply, the parties acknowledge and agree that Cybersource is a Processor or “Service Provider” as defined in applicable U.S. State Privacy Laws for all Transaction Services.

3 Compliance with law.  Each of Cybersource, in its provision of Transaction Services to Customer, and Customer, in its use of the Transaction Services, shall Process Customer Personal Information in accordance with Applicable Data Protection Law. 

4 Privacy Notice. Customer shall provide its End-User(s) with all privacy notices, information and any necessary choices and shall obtain any necessary consents to enable the parties to comply with Applicable Data Protection Law with respect to the Transaction Services.

5 Authorization to Process. Cybersource will Process Personal Information on behalf of Customer to provide Transaction Services, and Customer authorizes Cybersource to Process Customer Personal Information in connection with the following activities:

5.1 In accordance with the applicable Agreement(s), including, without limitation, any exhibits, schedules, and applicable price schedule(s), to provide the Transaction Services, and any Processing required under applicable law or regulations;

5.2 Based on the instructions of Customer and in its use of the Transaction Services, Processor transfers Personal Information to acquiring banks, issuing banks, payment processors providing services on behalf of acquiring banks, credit/debit card companies, or service providers performing payer authentication services used by Customer, such as Verified by Visa and MasterCard Identity Check (ID Check);

5.3 Providing customer support; performing internal analysis to maintain the quality of Transaction Services and systems reliability; to detect, prevent, and/or address technical errors, security vulnerabilities, and fraudulent or illegal actions from disrupting or impairing intended functionality of Transaction Services.

5.4 As reasonably necessary to enable Cybersource to comply with any other directions or instructions provided by Customer in the provision of Processor Services.

Cybersource may use Customer Personal Information in Cybersource’s capacity as an independent controller to evaluate, analyze, develop, improve, and enhance the fraud, risk and identity capabilities and offerings of Cybersource and/or its Affiliates, including to enable technical or operational features that support the above purpose(s) in Section 5.

7 Staff.  Cybersource shall ensure that persons authorized to Process Customer Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8 Security of Processing. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Cybersource shall implement technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, Cybersource shall, in particular, take into account the sensitivity of the Personal Information and the risks that are presented by the Processing, in particular from unauthorized or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Information transmitted, stored or otherwise Processed.  Cybersource shall provide reasonable assistance to Customer in ensuring Customer meets its own compliance obligations with respect to these same security measures. The parties shall also comply with PCI-DSS as set out in the Agreement.

8.1 Security Breach. A party shall promptly and thoroughly investigate all allegations of unauthorized access to, use or disclosure of Customer Personal Information. In the event of an actual Security Breach (defined below) affecting Customer Personal Information the parties shall cooperate and assist one another in good faith as needed to comply with Applicable Data Protection Laws including as applicable, notifying a Supervisory Authority of the Security Breach and communicating the Security Breach to the relevant Data Subjects.

8.2 In the event of an actual Security Breach (defined below) affecting Customer Personal Information contained in:

8.2.1 Cybersource’s systems, Cybersource shall notify Customer of the Security Breach without undue delay and continue to keep Customer informed on a regular basis of the progress of investigation and remediation efforts. Notice in accordance with this section shall be made by sending an email and/or text message to the email address and/or mobile phone number registered by Customer in the Business Center. For Controller Services, Customer shall cooperate and assist Cybersource as necessary for Cybersource to communicate the Security Breach to the relevant Supervisory Authorities.

8.2.2 Customer’s systems, Customer may elect to notify Cybersource of the Security Breach, and such notice should be made by sending an email to vsirt@visa.com. Cybersource shall cooperate and assist Customer as necessary for Customer to communicate the Security Breach to the relevant Supervisory Authorities.

8.2.3 Customer shall be responsible for communicating any Security Breach to End Users if notice is required under Applicable Data Protection Laws.

8.2.4 Except as required by applicable law or regulation, neither party will make (or permit any third party to make) any statement concerning the Security Breach that directly or indirectly references the other party, unless the other party provides its explicit written authorization.

8.2.5 To the extent that a Security Breach was caused by Customer or Customer’s End Users, Customer shall be responsible for the costs arising from the Processor’s provision of assistance under this section 8.

9 Audit. Cybersource shall make available to Customer all information necessary to demonstrate compliance with its obligations under this DPA and allow for (and contribute to) audits, including inspections conducted by Customer or another auditor under the instruction of the Customer for the same purposes of demonstrating compliance with obligations set out in this DPA.

9.1 Customer’s right under this section 9 is subject to the following: If Cybersource can demonstrate compliance with its obligations set out in this DPA by adhering to an approved code of conduct, by obtaining an approved certification or by providing Customer with an audit report issued by an independent third party auditor (provided that Customer will comply with appropriate confidentiality obligations as set out in the Agreement and shall not use such audit report for any other purpose), Customer agrees that it will not conduct an audit or inspection under this section 9;

9.2 In acknowledgement of the time, expense and disruption to business associated with performing audits and inspections involving interviews and onsite visits, Customer agrees to only conduct such audits and inspections on condition that Customer can demonstrate such audit or inspection is necessary beyond the information made available by Cybersource under section 9.1 above. Such audits and inspections shall be at reasonable intervals (but not more than once per year) upon not less than 60 days' notice and at a date mutually agreed by the Parties, provided that the audit will (i) not disrupt Cybersource's business; (ii) be conducted during business hours and at the Customer’s expense; (iii) not interfere with the interests of Cybersource’s other customers; and (iv) not exceed a period of two successive business days.

10 Deletion and Retention.  Cybersource shall, at the direction of Customer, delete or return all Customer Personal Information upon termination of the provision of Transaction Services and delete existing copies in accordance with its global Records and Information Management (RIM) policy, unless storage is required by applicable law.

11 Cross-Border Transfers. Any cross-border transfer between Cybersource and Customer shall be made in accordance with Applicable Data Protection Law, by incorporating, without limitation, the Standard Contractual Clauses and other applicable transfer mechanisms set forth in Schedule B: General Data Protection Regulation of this DPA, and/or other applicable information provided in Exhibit 1 of this DPA. Where a transfer pertains to a jurisdiction not covered by the mechanisms referenced above, the Parties shall work in good faith to enter into terms that implement appropriate safeguards providing an adequate level of protection in accordance with Applicable Data Protection Law, including by incorporating the information provided under Schedule B (GDPR) or Exhibit 1 (Standard Contractual Clauses), and, where applicable, other regional transfer clauses which may be attached hereto.

12 Miscellaneous.  To the extent not inconsistent herewith, the applicable provisions of the Agreement(s) (including without limitation, indemnifications, limitations of liability, enforcement, and interpretation) shall apply to this DPA.  In the event of any conflict between this DPA and the terms of an applicable Agreement, the terms of this DPA shall control solely with respect to data processing terms where required by Applicable Data Protection Law, and, in all other respects, the terms of the applicable Agreement shall control.  Notwithstanding any term or condition of the DPA, the DPA does not apply to: (1) any data or information that Customer inputs into any software, tool, or service outside of the Transaction Services covered in this Agreement, including Customer’s use of any chatbots in the Enterprise Business Center, product demos, sandbox, pilots, or previews; and (2) any data or information that does not relate to one or more identifiable individuals under Applicable Data Protection Law, such as data that has been aggregated, de-identified or anonymized, or to the extent that Cybersource and you have entered separate data processing terms that address the subject matter hereof. Cybersource shall have the right to analyze and aggregate Customer Information relating to the provision, use, and performance of the Services including information relating to, derived from, or generated from Customer Information to enable, improve, and optimize the Services and Cybersource products, and to support the creation and enhancement of security and fraud prevention tools and models.

SCHEDULE A
U.S. STATE LAW PRIVACY COMPLIANCE

This U.S. State Privacy Law Schedule applies in addition to any terms set forth in the General Terms of the DPA (and is incorporated therein) when your use of Transaction Services is subject to the California Consumer Privacy Act of 2018 and its implementing regulations, as amended or superseded from time to time (California Civil Code §§ 1798.100 to 1798.199) (collectively, the “CCPA”) or similar state laws (“U.S. State Privacy Laws”), or if Applicable Data Protection Law imposes a comparable requirement outlined under Schedule A. 

1. APPLICATION

1.1 This Schedule is applicable solely to the extent that any Customer Personal Information Processed by Cybersource while performing the Transaction Services is subject to applicable U.S. State Privacy Laws. Nothing in this Schedule indicates acknowledgement by either party that it is subject to the applicable U.S. State Privacy Laws for any purpose, including the provision of Transaction Services, nor does anything in this Schedule waive either party’s right to object to application of the U.S. State Privacy Laws. Notwithstanding anything else to the contrary, the parties agree that this Schedule does not apply to any information that is collected, processed, or disclosed by the parties subject to the Gramm Leach Bliley Act (“GLBA”).

1.2 Capitalized terms used but not defined in this Schedule shall have the meaning assigned to such terms in the DPA or, if not defined therein, in the applicable U.S. State Privacy Laws. In the event of a conflict between this Schedule and the Agreement, this Schedule will control, to the extent necessary to ensure compliance with U.S. State Privacy Laws. The foregoing recitals are hereby incorporated by reference into this Schedule.

2. DATA PRIVACY ROLES AND OBLIGATIONS

2.1 For purposes of this Schedule, the parties acknowledge that, with respect to Customer Personal Information Cybersource processes on behalf of Customer under the Agreement that is not processed pursuant to GLBA (a) Customer acts as a Business and Cybersource acts as a Service Provider as those terms are defined under the CCPA; and (b) Customer acts as a Controller and Cybersource acts as a Processor within the meanings provided by other applicable U.S. State Privacy Laws.

2.2 Each party shall comply with its obligations under the applicable U.S. State Privacy Laws in respect of any Customer Personal Information Processed under this Schedule. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Consumer, including those that have opted-out from sales or other disclosures of Customer Personal Information, to the extent applicable under the U.S. State Privacy Laws. 

3. CYBERSOURCE OBLIGATIONS

3.1 In its role as a Service Provider or Processor, Cybersource:

a) Will ensure Customer Personal Information is used consistently with applicable U.S. State Privacy Laws;

b) Will Process Customer Personal Information for the business purposes set forth in the DPA;

c) Will not:

 i. sell or share for cross-contextual behavioral advertising Customer Personal Information;

 ii. retain, use, or disclose Customer Personal Information for any purpose other than as necessary to fulfill the business purposes set forth in the DPA, including retaining, using, or disclosing Customer Personal Information for a commercial purpose other than the business purpose set forth in the DPA or outside of the direct business relationship between Cybersource and Customer;

 iii. combine the Customer Personal Information with Customer Personal Information that it receives from or on behalf of any other person(s) or entity(ies), or collects from its own interaction with an individual, except as otherwise permitted by U.S. State Privacy Laws;

 iv. where applicable, use any Sensitive Customer Personal Information received from Customer other than to assist the Customer in purposes authorized by Customer instruction.

Each, except as permitted by U.S. State Privacy Laws or as required to perform business purpose(s) defined in the DPA.

d) Will implement reasonable security procedures and practices, appropriate to the nature of the Customer Personal Information, to protect the Customer Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure;

e) Will immediately notify Customer of any material changes in Cybersource’s ability to meet its obligations under the applicable U.S. State Privacy Laws, including but not limited to any determination that Cybersource can no longer meet its obligations under this Schedule;

f) Will ensure that Cybersource personnel involved in the processing of Customer Personal Information are subject to a duty of confidentiality and ensure that Cybersource’s agreement with any sub-processors used to Process Customer Personal Information complies with U.S. State Privacy Laws, including, without limitation, the contractual requirements for Service Providers and Contractors;

g) Will provide reasonable cooperation to Customer, upon request, to enable Customer to comply with consumer requests made pursuant to the applicable U.S. State Privacy Laws;

h) Will provide reasonable information necessary for Customer to conduct and document data protection assessments;

i) Grants Customer the right to take reasonable and appropriate steps in accordance with section 9 of the DPA General Terms to ensure that Cybersource uses Customer Personal Information in a manner consistent with Customer’s obligations under the applicable U.S. State Privacy Laws;

j) Grants Customer the right, upon notice, and in accordance with the Agreement to take reasonable and appropriate steps to stop and remediate Cybersource’s unauthorized use of Customer Personal Information; and

k) Will delete Customer Personal Information of the Customer at the end of the provision of Services under the Agreement, unless retention of the Customer Personal Information is required or authorized under the Agreement or U.S. State Privacy Laws.

Cybersource certifies that it understands its obligations, including restrictions, imposed upon it by CCPA with respect to Customer Personal Information and will comply with them.

3.2 Notwithstanding the above, Cybersource may retain, use or disclose Customer Personal Information as permitted under the applicable U.S. State Privacy Laws, including:

a) For its internal use to build or improve the quality of the Services, provided that Cybersource does not use the Customer Personal Information to perform services on behalf of another person;

b) To prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity;

c) For the purposes enumerated in California Civil Code § 1798.145(a)(1) through § 1798.145(a)(7); and/or

d) For any other purpose expressly contemplated or permitted by U.S. State Privacy Laws or other Applicable Data Protection Law.

SCHEDULE B
GENERAL DATA PROTECTION REGULATION

This GDPR Schedule applies in addition to any terms set forth in the body of the DPA (and is incorporated therein) when the GDPR applies to your use of Transaction Services or if Applicable Data Protection Law imposes a comparable requirement outlined under Schedule B.  Capitalized terms not defined herein have the meaning assigned to them under the DPA.  To the extent there are any conflicts between this GDPR Schedule and the DPA, this GDPR Schedule shall prevail.

1 Processor Obligations.  Processor shall Process Customer Personal Information only on documented reasonable instructions from Customer (including instructions with respect to transfers of Customer Personal Information to a third country, if applicable) unless Processor is required to otherwise Process Customer Personal Information by Applicable Data Protection Law.  In such circumstances, Processor shall inform Customer of that legal requirement before Processing, unless prohibited from doing so by applicable law, on important grounds of public interest. Processor shall immediately inform Customer if, in Processor’s opinion, Customer’s instructions would be in breach of Applicable Data Protection Law.  Customer agrees that Processor shall be under no obligation to take actions designed to form any such opinion. Notwithstanding the foregoing, Customer acknowledges and agrees that Cybersource may perform certain Processing activities on Customer Personal Information in Cybersource’s capacity as an independent controller as described in section 6 of the General Terms.

2 Use of Sub-Processor

2.1 Customer provides authorization for Processor to engage with the Sub-Processors listed in the Business Center. Processor reserves the right to maintain its Sub-Processor list through means such as publication of its Sub-Processor list online.

2.2 Processor shall inform Customer of any intended changes concerning the addition or replacement of other Sub-Processors to give Customer a reasonable opportunity to object to such changes.  In the event Customer objects to Processor’s change or addition of a Sub-Processor, Customer shall promptly notify Processor of its objections in writing within 10 business days after receipt of Processor’s notice of such change or addition. 

2.3 Processor may, at its option, undertake reasonable efforts to make available to Customer a change in the Transaction Services or recommend a commercially reasonable change to Customer’s configuration or use of the Transaction Services to avoid Processing of Customer Personal Information by the objected-to new Sub-Processor.  If Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the Agreement with respect to only those aspects of the Transaction Services, which cannot be provided by Processor without the use of the objected-to new Sub-Processor by providing written notice to Processor. If the Transaction Services as a whole cannot be performed without the objected-to new Sub-Processor, Customer may terminate the entire Agreement.

2.4 Processor agrees not to impose a penalty on Customer for any termination under this section 2.

3 Data Protection Impact Assessments and Prior Consultation with Regulator. Processor shall provide reasonable assistance to Customer with any legally required (i) data protection impact assessments; and (ii) prior consultations initiated by the Customer with its regulator in connection with such data protection impact assessments.  Such assistance shall be strictly limited to the Processing of Customer Personal Information by Processor on behalf of Customer under the Agreement taking into account the nature of the Processing and information available to the Processor.

4 Cross-Border Transfers for Processor Services. Processor shall comply with Customer’s documented instructions concerning the Transfer of Customer Personal Information to a third country. The Processor shall only Transfer any Customer Personal Information outside the Customer’s applicable jurisdiction or the End-User’s resident jurisdiction, including, without limitation, outside the European Economic Area (“EEA”), the UK or Switzerland, in compliance with the Applicable Data Protection Law. Customer agrees and acknowledges that Processor Transfers and stores certain Customer Personal Information (including relating to individuals located in the EEA, Switzerland and/or the UK) in the United States.

5 Transfers subject to the GDPR, UK GDPR or Swiss DP Laws. Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses shall apply with respect to any Transfer of Customer Personal Information from the EEA, UK or Switzerland to Cybersource and any of its affiliated entities in the United States or other third countries ("Cybersource Entities"). The parties acknowledge and agree that Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses is hereby incorporated by reference and:

5.1 Customer and any of its commonly owned or controlled affiliates that have signed an Agreement for Processor Services ("Customer Entities") shall be deemed to be “data exporter” and the Cybersource Entities shall be the "data importer";

5.1.1 Clause 7 – Docking clause shall apply;

5.1.2 Clause 9 – Use of subprocessors Option 2 shall apply and the “time period” shall be 10 business days;

5.1.3 Clause 11(a) – Redress the optional language shall not apply;

5.1.4 Clause 13(a) – Supervision

5.1.5 Where the data exporter is established in an EU Member State the following shall apply: “The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.”

5.1.6 Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR the following shall apply: “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.”

5.1.7 Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of the GDPR, the following shall apply: “The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.”

5.1.8 Clause 17 – Governing law Option 1 shall apply and the “Member State” shall be Ireland;

5.1.9 Clause 18 – Choice of forum and jurisdiction the Member State shall be Ireland; and

5.1.10 the information in Exhibit 1 (Table 1) of this GDPR Schedule is incorporated into Annexes 1, 2 and 3 of the EEA Standard Contractual Clauses.

6 Transfers subject to the UK GDPR: where the Transfer is subject to the UK GDPR, the EEA Standard Contractual Clauses and section 5.1 of this Schedule B shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA. For the purposes of Table 4 in Part 1 (Tables) of the UK IDTA, the parties select the “neither party” option. Otherwise, the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in Exhibit 1. If there is any conflict or inconsistency between a term in the body of this DPA, an Agreement and a term in Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses, incorporated into this DPA, the term in Module 2 (Transfer controller to processor) of the EEA Standard Contractual Clauses shall take precedence.

7 Transfers subject to Swiss DP Laws: Where the Transfer is subject to the Swiss DP Laws, the EEA Standard Contractual Clauses and Clause 5 of this Schedule B shall be read in accordance with section 10.4 of Schedule B to this DPA.

8 Use of third parties in Controller Services. Cybersource may share certain Personal Information received from Customer with third parties who use that Personal Information to help Cybersource to detect and prevent fraud. These third parties are responsible for their own use of your End User’s Personal Information as described in their notices included in Exhibit 3.

9 Controller Services.

9.1 Joint Controller Arrangement The obligations in this DPA, including those set out below in this GDPR Schedule, shall constitute the written arrangement allocating responsibilities between joint controllers required under Article 26 of the GDPR with respect to the Controller Services.

9.1.1 Reasonable Assistance. With respect to the Controller Services, each party shall assist the other party as reasonably required, in meeting any regulatory obligations in relation to data security, notification of a Security Breach, and data protection impact assessments for the Controller Services.

9.1.2 Notice. With respect to the Controller Services, Customer shall provide its End-User(s) with all privacy notices, information and any necessary choices and shall obtain any necessary consents to enable the parties to comply with Applicable Data Protection Law and shall inform its users of the Processing described in section 6 of the DPA.

9.1.3 Data Subject Rights. The parties agree that the Customer shall be the designated point of contact for the Data Subject with respect to Data Subject Rights requests for Controller Services, and Cybersource shall reasonably cooperate with and assist Customer in the execution and fulfilment of its obligations under Applicable Data Protection Laws in relation to such requests.

9.1.4 Supervisory Authority. The parties shall without undue delay notify each other upon receipt of any correspondence from a Supervisory Authority in respect of the Controller Services where and to the extent permitted by applicable law.

9.1.5 Security of Processing. Each party shall be responsible for ensuring adequate security in respect of processing of Personal Information for Controller Services that takes place within that party’s own systems.

9.1.6 Security Breach. For the avoidance of doubt, in the event of a Security Breach related to Controller Services, section 8.1 of the DPA General Terms shall govern.

10 Cross border transfers for Controller Services

10.1 Transfers subject to the GDPR, UK GDPR or Swiss DP Laws: Module 1 (transfer controller to controller) of the EEA Standard Contractual Clauses shall apply with respect to any Transfer of Customer Personal Information from the EEA, UK or Switzerland to Cybersource Corporation in the United States, solely when Cybersource Corporation is acting as a controller for the purposes of the Controller Services. The parties acknowledge and agree that Module 1 (transfer controller to controller) of the EEA Standard Contractual Clauses is hereby incorporated by reference and;

10.1.1 Customer and any Customer Entities shall be deemed to be “data exporters” and the Cybersource Entities shall be the "data importer";

10.1.2 Clause 7 – Docking clause shall apply;

10.1.3 Clause 11(a) – Redress the optional language shall not apply;

10.1.4 Clause 13(a) – Supervision

(a) Where the data exporter is established in an EU Member State the following shall apply: “The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.”

(b) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR the following shall apply: “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.”

(c) Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of the GDPR, the following shall apply: “The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.”

10.1.5 Clause 17 – Governing law Option 1 shall apply and the “Member State” shall be Ireland;

10.1.6 Clause 18 – Choice of forum and jurisdiction the Member State shall be Ireland;

10.1.7 the information in Exhibit 1 (Table 1) of this GDPR Schedule is incorporated into Annexes 1, 2 and 3 of the EEA Standard Contractual Clauses.

10.2 Transfers subject to the UK GDPR: where the Transfer is subject to the UK GDPR, the EEA Standard Contractual Clauses and Clause 10.1 of this Schedule B shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA. For the purposes of Table 4 in Part 1 (Tables) of the UK IDTA, the parties select the “neither party” option. Otherwise, the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in Exhibit 1.

10.3 If there is any conflict or inconsistency between a term in the body of this DPA, an Agreement and a term in Module 1 (transfer controller to controller) of the EEA Standard Contractual Clauses incorporated into this DPA, the term in the EEA Standard Contractual Clauses shall take precedence.

10.4 Transfers subject to the Swiss DP Laws: to the extent the Swiss DP Laws are applicable to a data export under the EEA Standard Contractual Clauses set forth in this DPA, the Parties agree on the following amendments to the EEA Standard Contractual Clauses and Clause 10.1 of this Schedule B:

10.4.1 The term "Member State" according to Clause 18 (c) of the EEA Standard Contractual Clauses shall not be interpreted in such a way that data subjects in Switzerland are excluded from exercising their rights, if any, at their place of habitual residence;

10.4.2 The supervisory authority pursuant to Clause 13 of the EEA Standard Contractual Clauses is the Swiss Federal Data Protection and Information Commissioner;

10.4.3 The law applicable to the EEA Standard Contractual Clauses pursuant to Clause 17 of the EEA Standard Contractual Clauses shall be Swiss DP Laws;

10.4.4 The place of jurisdiction under Clause 18 (b) of the EEA Standard Contractual Clauses shall be the courts of the city of Zurich;

10.4.5 Where the EEA Standard Contractual Clauses include references to the GDPR, such references shall be understood as references to the Swiss DP Laws.

EXHIBIT 1

INFORMATION REQUIRED FOR CROSS-BORDER TRANSFER CLAUSES

Part 1: EEA STANDARD CONTRACTUAL CLAUSES, UK IDTA, SWISS DP LAWS, AND OTHER REGIONAL TRANSFER CLAUSES

Table 1: Information to be incorporated into the EEA Standard Contractual Clauses

ANNEX I A. List of Parties

Data EXPORTER identity and contact details

Name

Customer Entities

Address

To be provided on request

Contact person’s name, position and contact details:

To be provided on request

Activities relevant to the data transferred under these Clauses:

As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing".

Role (controller/processor):

Controller

Data IMPORTER identity and contact details

Name

Cybersource Entities

Address

900 Metro Center Boulevard
Foster City, CA 94404
U.S.A.

Contact person’s name, position and contact details:

privacy@visa.com

Activities relevant to the data transferred under these Clauses:

As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing".

Role (controller/processor):

Module 1: Controller
Module 2: Processor

ANNEX I B. Description of Transfer

Categories of data subjects whose personal data is transferred

As set out in the table in Exhibit 2 under "Categories of Data Subjects".

Categories of personal data transferred

As set out in the table in Exhibit 2 under "Types of Personal Information".

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Not Applicable

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing

As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing".

Purpose(s) of the data transfer and further processing

As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing".

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal data will be retained in accordance with Cybersource’s retention policies, for only as long as is required to meet Cybersource’s legal, regulatory and operational requirements and as necessary to perform services.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As set out in the table in Exhibit 2 under "Nature and Purpose of the Processing".

Annex I C. Competent Supervisory Authority

Competent supervisory authority/ies

To be provided by the data exporter on request.

ANNEX II Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Cybersource Corporation is certified as compliant with all standards established by the Payment Card Industry Data Security Standards (together with any successor organization thereto, “PCI DSS”) that are applicable to Cybersource Corporation and its affiliates (such standards, the “PCI Standards”).  As evidence of compliance, Customer may access Cybersource Corporation’s current Attestation of Compliance signed by a Payment Card Industry Qualified Security Assessor through Visa Online.

Cybersource Corporation maintains and enforces commercially reasonable information security and physical security policies, procedures and standards, that are designed (i) to insure the security and confidentiality of Customer’s records and information, (ii) to protect against any anticipated threats or hazards to the security or integrity of such records, and (iii) to protect against unauthorized access to or use of such records or information which could result in substantial harm (the “Visa Information Security Program”).  At a minimum, the Visa Information Security Program is designed to meet the standards set forth in ISO 27002 published by the International Organization for Standardization, as well as any revisions, versions or other standards or objectives that supersede or replace the foregoing.

Cybersource Corporation engages its independent certified public accountants to conduct a review of Cybersource Corporation’s operations and procedures at Cybersource Corporation’s cost. The accountants conduct the review in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 18 SOC I Type II (“SSAE 18”) and record their findings and recommendations in a report to Cybersource Corporation. Upon request, and subject to standard confidentiality obligations, Cybersource Corporation will provide its most recent SSAE 18 and, in Cybersource Corporation’s reasonable discretion, additional information reasonably requested to address questions or concerns regarding the SSAE 18’s findings.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

In respect of Transaction Services: initiatives, products, processes and supporting technology are assessed from a data privacy perspective, allowing Cybersource to embed privacy controls to mitigate risks at early stages (privacy by design). Cybersource has a robust privacy risk assessment framework (including privacy impact assessments), embedding this process in our change vehicles across the business, to ensure that both new and changed personal data processing activities are reviewed. Where Customer requires specific assistance, Customer may submit such requests for assistance to the Business Center.

ANNEX III List of Sub-Processors
The controller has authorised the use of the following sub-processors:

As listed in the Business Center.

PART 2: MAINLAND CHINA REQUIREMENTS

To the extent required under applicable Chinese laws and regulations, including the Personal Information Protection Law (“PIPL”), the following provisions shall modify this DPA solely to the extent necessary to ensure compliance with Mainland China data protection requirements. For purposes of this Schedule, “China” refers to Mainland China and excludes the territories of Hong Kong SAR, Macau SAR, and Taiwan.

This Schedule applies to Personal Information:

  • (a) that the receiving Party (“Data Importer”) receives or accesses from a controller located in China; or
  • (b) that the other Party (“Data Exporter”) notifies the Data Importer is subject to these requirements.

The Data Exporter shall:

  • Ensure that the processing of Personal Information complies with the standards of protection under the PIPL.
  • Cooperate with the Data Importer to execute data cross-border transfer contracts that comply with Chinese regulatory requirements (“China SCCs”), where required.
  • Not transfer Personal Information outside of China if it falls within a category prohibited from cross-border transfer (e.g., important data or categories of financial data prohibited from cross-border transfers under financial regulations).
  • Not transfer Personal Information stored in China to foreign justice or law enforcement authorities without prior approval from the applicable Chinese regulator.
  • Not transfer Personal Information to any country or region that has been publicly designated by Chinese regulators as discriminatory or restrictive in respect of personal information protection.
  • Implement any contractual obligations, assessments, or regulatory approvals required for cross-border transfers not already permitted under this Agreement.

The Data Importer shall:

  • Promptly inform the Data Exporter of any requests from foreign justice or law enforcement authorities for Personal Information and shall not disclose such information without approval from the applicable Chinese regulator and the Data Exporter.
  • Not engage in any processing activities that may reasonably be interpreted as:
    • (i) infringing on the personal information rights or interests of individuals or organizations in China; or
    • (ii) endangering China’s national security or public interest.
  • Cooperate with the Data Exporter in conducting Personal Information Protection Impact Assessments (“PIPIA”) and obtaining regulatory approvals, if required.
  • Cooperate with the Data Exporter in conducting Personal Information Protection Compliance Assessments (“PIPCA”), if required.

PART 3: LATIN AMERICA AND THE CARIBBEAN (LAC) STANDARD CONTRACTUAL CLAUSES

This Exhibit 1, Part 3 applies solely to the extent the Latin America and Caribbean (LAC) region is within the scope of the Agreement and the Parties are required by Applicable Data Protection Law to implement regional transfer mechanisms. In the event of any conflict or inconsistency between these LAC regional terms and any other provision of the DPA, these terms shall prevail solely to the extent the conflict pertains to transfers subject to LAC data protection laws.

1.1 Transfers subject to the Argentina DP Laws, Colombia DP Laws, Peru DP Laws, or Uruguay DP Laws. Controller to Processor Clauses from the Standard Contractual Clauses issued by Red Iberoamericana de Protección de Datos, which have been approved by Argentina’s Data Protection Authority through Resolution 198/2023, by Peru’s Data Protection Authority through Directorial Resolution N.° 0074-2022-JUS/DGTAIPD and Uruguay’s Data Protection Agency through Resolution N° 50/022 URCDP available in RIPD Web Page (the “RIPD Standard Contractual Clauses”) shall apply with respect to any Transfer of Customer Personal Information from Argentina, Colombia, Peru, Uruguay or any LAC jurisdiction where Applicable Data Protection Law imposes a comparable requirement outlined under this section 2 to Cybersource and any of the Cybersource Entities.

1.2 The parties acknowledge and agree that the RIPD Standard Contractual Clauses are hereby incorporated by reference and;

1.2.1 Customer and any of Customer Entities shall be deemed to be “data exporter” and the Cybersource Entities shall be the "data importer";

1.2.2 Clause 7 – Reliance on sub-processors. Option 2 shall apply;

1.2.3 Clause 9(a) – Redress the optional language shall not apply;

1.2.4 Annex I A. List of Parties, ANNEX I B. Description of Transfer and ANNEX II Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data from Exhibit 1. INFORMATION REQUIRED FOR THE EEA STANDARD CONTRACTUAL CLAUSES AND THE UK IDTA AND SWISS DP LAWS shall apply for the purposes of Appendix 2 – Description of the Transferred Personal Data and Appendix 3 – Security Measures from the RIPD Standard Contractual Clauses.

1.3 Transfers Subject to the Brazilian DP Laws. Controller to Processor Clauses from the Brazilian Standard Contractual Clauses approved by the Brazilian Data Protection Authority (ANPD) through Resolution CD/ANPD No. 19 of 23 August 2024 (the “Brazilian Standard Contractual Clauses”) shall apply as available in https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-19-de-23-de-agosto-de-2024-580095396 with respect to any Transfer of Customer Personal Information from Brazil to Cybersource and any Cybersource Entities.

2.1 Cross border transfers for Controller Services

2.1.1 Transfers subject to the Argentina DP Laws, Colombia DP Laws, Peru DP Laws, or Uruguay DP Laws.  With respect to any Transfer of Customer Personal Information from Argentina, Colombia, Peru, Uruguay or any LAC jurisdiction for Controller Services, the Parties acknowledge and agree that Controller to Controller clauses of the RIPD Standard Contractual Clauses are hereby incorporated by reference and;

2.1.1.1 Customer and any Customer Entities shall be deemed to be “data exporters” and the Cybersource Entities shall be the "data importer";

2.1.1.2 Clause 5 – Docking clause shall apply;

2.1.1.3 Clause 8 (a) – Redress the optional language shall not apply;

2.1.1.4 Annex I A. List of Parties, ANNEX I B. Description of Transfer and ANNEX II Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data from Exhibit 1. INFORMATION REQUIRED FOR THE EEA STANDARD CONTRACTUAL CLAUSES AND THE UK IDTA AND SWISS DP LAWS shall apply for the purposes of Appendix 2 – Description of the Transferred Personal Data and Appendix 3 – Security Measures from the RIPD Standard Contractual Clauses.

2.2 Transfers Subject to the Brazilian DP Laws. Controller to Controller Clauses from the Brazilian Standard Contractual Clauses shall apply as available in https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-19-de-23-de-agosto-de-2024-580095396 with respect to any Transfer of Customer Personal Information from Brazil to Cybersource Corporation in the United States, solely when Cybersource Corporation is acting as a controller for the purposes of the Controller Services.

EXHIBIT 2
DETAILS OF PROCESSING CUSTOMER PERSONAL INFORMATION

1. Details of Processing in respect of the Processor Services 
The table below includes certain details of the Processing of Customer Personal Information in respect of the Processor Services as required by Article 28(3) of the GDPR. Each of the service descriptions below apply to the extent that Customer uses such service under the Agreement.

Service

Nature and purpose of the processing

Types of personal information

Categories of data subjects to whom the personal information relates to

Acceptance Devices

Processing of card present transactions

Cardholder information, including, without limitation, encrypted card numbers, name, address, phone number, e-mail address.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Account Updater

Account Updater provides a single interface to access card updater services using either Token Management Service tokens or card account numbers

Cardholder information including card account numbers and card expiration dates.

End-Users as defined under the Agreement (including Credit card holders, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Alternative Payment Methods (AltPay)

Alt Pay services for E-wallets, Online Bank Transfers, Buy Now Pay Later and Cash based payments

Name, address, email address, phone number, account number

Optional: IBAN, BIC/SWIFT

End-Users as defined under the Agreement (including Credit card holders, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Card Processing (Traditional Connections)

Card-present and In-person acceptance credit/debit card authorization, settlement, authentication and credit, including processing, provision of customer support

Cardholder information, including, without limitation, card numbers, name, address, phone number, e-mail address.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Click to Pay Drop-In UI

User interface to provide access to gateway services for credit/debit card authorization, settlement, authentication and credit, including processing, provision of customer support

Cardholder information, including, without limitation, card numbers, CVV, card expiration dates, name, billing and shipping addresses, phone number, e-mail address.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Digital Wallets

Support for compatibility with digital wallet payment services. Data received from these services can be leveraged for a multitude of services, including, but not limited to, gateway services, Risk Services, Tokenization Services and Payer Authentication services

Cardholder and banking information, including, without limitation, card numbers, CVV, card expiration dates, bank account numbers, name, billing and shipping addresses, phone number, e-mail address

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Dynamic Currency Conversion (DCC)

DCC enables merchants to convert the local price into the price and currency of cardholders’ credit cards. It helps them cater to an international customer base and increase conversion because cardholders can understand the price by displaying it in a familiar currency

Partial card numbers

End-Users as defined under the Agreement (including Credit card holders, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

eCheck

eCheck is the full-service end to end solution for SMB/ MM merchants enabling them to collect ACH payments from their customers

Merchant (during onboarding and risk management) -
1. Owner’s information including name, address, contact information, SSN/ Passport number.
2. Federal Tax ID
3. Bank Account information for funding

Merchant's customers (during transaction processing)
1. Routing and account number

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

ACH Gateway

ACH solution is the gateway mode solution where CYBS is the gateway for processing ACH transactions for merchants. The merchant has a treasury relationship with the respective acquirer.

Merchant's customers (during transaction processing) - Routing and account number

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

In Person Accept

In-person acceptance credit/debit card authorization, settlement, authentication and credit, including processing, provision of customer support

Cardholder information, including, without limitation, card numbers, name, address, phone number, e-mail address.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Invoicing

Invoicing enables business owners to create and send invoices digitally via the online portal (Enterprise Business Center) or API. Business owners send their customers the link to a digital invoice, and they pay it online

Customer’s customer name, address, phone number, e-mail address

Cardholder and banking information, including, without limitation, card numbers, CVV, card expiration dates, bank account numbers, name, billing and shipping addresses, phone number, e-mail address.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Microform Integration

Microform Integration helps protect every transaction by allowing card and eCheck information fields to be replaced with a microform and embedded directly into the checkout page.

The microform is hosted by Cybersource, so when End-Users enter their card or eCheck information and click submit, their sensitive data is encrypted, sent directly to the Cybersource payment gateway and tokenized, without ever coming in contact with a merchant's business.

Cardholder and banking information, including, without limitation, card numbers, CVV, card expiration dates, name

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Order Screening

Order Screening provides customers risk management and order review services. Customer Personal Information is used to evaluate the potential for fraud and mark those transactions with recommendations for the client

Order Screening leverages the Customer’s data available in the Decision Manager service. This data includes Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address, as well as cardholder’s device that is used to complete Customer’s transactions (such as device fingerprint if the customer elects to use ThreatMetrix).

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Pay By Link

Pay by link enables merchants to collect multiple payments from multiple clients through an out of the box hosted checkout page by sharing a link, QR code or having a payment button on their website

Cardholder and banking information, including, without limitation, card numbers, CVV, card expiration dates, bank account numbers, name, billing and shipping addresses, phone number, e-mail address.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Payer Authentication

Payer Authentication, also called 3D Secure, provides Customer with risk management and authentication services. Payer Authentication facilitates the exchange of data between Customer and a card issuer to authenticate a cardholder by routing data to Payer Authentication programs, such as Visa Secure, Mastercard Identity Check (ID Check), American Express SafeKey and JCB J/Secure. Payer Authentication helps to minimize costly fraudulent transactions by adding an extra layer of protection to the payment process, helping to increase authorization approval rates as well as reduce the risk of fraud.

Cardholder and banking information, including, without limitation, card numbers, bank account numbers, names, addresses, phone numbers, and e-mail addresses

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Payment Gateway

Gateway services for bank transfers, direct debits, credit/debit card authorization, settlement, authentication and credit, including processing, provision of customer support

Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Payouts

Account Funding Transactions (AFTs) and Original Credit Transactions (OCTs, also known as Payouts) are both methods for transferring funds to and from Visa or non-Visa accounts. Through these transactions, Cybersource facilitates swift, secure and efficient fund transfers, thereby saving time and money while simplifying the process.

Cardholder, banking information and wallet information. This includes card numbers, bank account numbers, name, address, phone number, e-mail address.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Performance Monitoring

Performance Monitoring provides a Customer with an expert risk analyst for consultative purposes in the fraud management space, specifically related to using Decision Manager.

Performance Monitoring leverages the Customer’s data available in the Decision Manager service.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Recurring Billing

Recurring billing is a payment model that enables business owners to charge their customers at predefined frequencies (weekly, monthly, annually, or custom intervals), for the products or services they purchase. Recurring Billing stores customer data securely, with seamless integration into Account Updater ensuring customer data is up to date.

Cardholder and banking information, including card numbers, bank account numbers, name, address, phone number, e-mail address

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Service Orchestration

Service Orchestration helps merchants improve their authorization rate by opting for retry, enrichment and routing of a transaction under the gateway. The data under the gateway is used to efficiently recover a falsely declined transaction.

Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

VMS Intelligent Decisioning for DM

VMS Intelligent Decisioning for DM automatically decisions orders that are in Decision Manager for manual review

Customer name, phone, email, address, shipping address.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Tax Calculation Service

Automated tax calculation service for US sales and use tax, Canada sales tax, and VAT

Cardholder shipping address or billing address. Billing address will be sent in the tax calculation service request if shipping address is unavailable.

 

Token Management Services (TMS)

Tokenization is a data security technology that helps customers facilitate a safe transfer and storage of sensitive information.
Visa Tokenization service replaces sensitive payment data with a unique identifier or token. This simplifies customer operations and removes sensitive data from their environment. The actual payment data is securely stored in Visa data centers within the customer’s token vault.

If the Customer enrolls for the Tokenization service, they can choose which Customer data to store. Cybersource can support data such as account numbers, name, billing address, shipping address, phone number, e-mail address, etc.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Unified Checkout

User interface to provide access to gateway services for bank transfers, direct debits, credit/debit card authorization, settlement, authentication and credit, including processing, provision of customer support

Cardholder and banking information, including, without limitation, card numbers, CVV, card expiration dates, bank account numbers, name, billing and shipping addresses, phone number, e-mail address.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Virtual Terminal

Virtual Terminal is an out-of-the-box solution for quick one-time payments within the EBC. It's 100% browser-based, so no hosting, development, or additional hardware is required to process card payments.

Cardholder and banking information, including, without limitation, card numbers, CVV, card expiration dates, bank account numbers, customer name, billing and shipping addresses, phone number, e-mail address.

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Visa Bank Account Validation

Provides the ability for merchants to validate their customer's bank routing and account number combination as a standalone service prior to processing an ACH transaction

Accountholder’s bank routing and account number

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Watchlist Screening

Screens customer transactions against various government-issued and third‑party watchlists

Cardholder name and address 

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

2. Details of Processing in respect of the Controller Services
The table below includes certain details of the Processing of Customer Personal Information in respect of the Controller Services. Each of the service descriptions below applies to the extent that Customer uses such service under the Agreement.

Service

Nature and purpose of the processing

Types of personal information

Categories of data subjects to whom the personal information relates

Decision Manager (DM)

Decision Manager provides the Customer with risk management and fraud mitigation services.

Customer Personal Information is used to support the creation and enhancement of security and fraud prevention tools and models for use by Customer and any other customer of Cybersource. These models ensure that scoring in Fraud Services is kept up-to-date.

Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address, as well as cardholder’s device that is used to complete Customer’s transactions (such as device fingerprint if the customer elects to use ThreatMetrix).

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

Fraud Management Essentials (FME)

Fraud Management Essentials provides the Customer with risk management and fraud mitigation services.

Customer Personal Information is used to support the creation and enhancement of security and fraud prevention tools and models for use by Customer and any other customer of Cybersource. These models ensure that scoring in Fraud Services is kept up-to-date.

Cardholder and banking information, including, without limitation, card numbers, bank account numbers, name, address, phone number, e-mail address, as well as cardholder’s device that is used to complete Customer’s transactions (such as device fingerprint if the customer elects to use ThreatMetrix).

End-Users as defined under the Agreement (including Credit card holders, bank transfer users, direct debit users, all End-Users whose cardholder or bank account data is submitted to Processor for processing).

EXHIBIT 3
THIRD PARTY FRAUD PROVIDER PRIVACY NOTICES

Provider

Notice

ThreatMetrix

https://risk.lexisnexis.com/group/processing-notices/threatmetrix

Emailage

https://risk.lexisnexis.com/corporate/processing-notices/emailage