Terms & Conditions
SCHEDULE 1
AGREED TERMS
1.1The Contract will commence on the Commencement Date.
1.2The Contract shall continue in force for the Initial Term and Rolling Term of one year thereafter unless and until terminated by one of the Parties’ giving to the other no less than 30 days written notice.
2 CARDSTREAM’S RIGHTS, OBLIGATIONS AND SERVICE LEVEL AGREEMENT (SLA)
Cardstream’s rights:
2.1 Cardstream may terminate the Contract under condition 9.2;
3 MERCHANT’S OBLIGATIONS
3.1 The Merchant will:
3.1.1 allow Cardstream to use and copy the Merchant Information to enable Cardstream to carry out its obligations under the Contract including providing PCI compliant fraud screening services;
3.1.2 be responsible for the security and proper use of all user identities (“User IDs”) and passwords and privileged access to agreed operational areas in connection with the Services and inform Cardstream immediately if there has been (or is likely to be) a breach of security or misuse of the Service and fully indemnify Cardstream in the event of any security breach for damages arising from such access;
3.1.3 promptly change any or all of the passwords used in connection with the Service when requested to do so by Cardstream where Cardstream reasonably believes that there is or is likely to be a breach of security or misuse of the Services;
3.1.4 promptly inform Cardstream if any of the information supplied on or in relation to the Merchant Registration Form changes;
3.1.5 not store card details on their systems whether in plain text or encrypted form unless Merchant has current PCI:DSS Level 1 certification;
3.1.6 immediately notify Cardstream if it becomes aware of any unauthorised use of all or any part of the Services;
3.1.7 only access the Services as permitted by the Contract and not make any attempt to circumvent the system security of the Services or those of Cardstream at any time;
3.1.8 acknowledge and accept that Cardstream will have no responsibility for nor any liability (whether to the Merchant or any Merchant) in respect of any Authorisation and/or Settlement process provided by any Third Party Provider;
3.1.9 indemnify Cardstream and not hold Cardstream liable in respect of any misuse of Cardstream’s Services or breach of Scheme rules.
3.2 The Merchant is solely responsible for the detection and reporting of settlement error risk and is advised to prevent or mitigate that risk by conducting a periodic check of its settlement process. Cardstream accepts no liability for Merchant fund settlement errors. If, notwithstanding, the Merchant claims that Cardstream or its service providers is responsible for any settlement misrouting losses, Cardstream and its service providers will require evidence from the Merchant that MID Checks have been carried out reasonably and assiduously in their opinion.
3.3 Merchants’ use of 3-D Secure processes provided by Cardstream and its service providers does not guarantee or imply automatic liability shift in the event of chargebacks with all Acquirer-Issuer combinations. Cardstream and its service providers take no responsibility for chargebacks or any other liability where a Merchant deploys 3-D Secure.
3.4 Integration Health: Merchants are responsible for ensuring the quality, stability, and integrity of their systems and their connection to the Cardstream platform, including, but not limited to, the following:
3.4.1 ensuring that appropriate testing is conducted by the Merchant prior to handling any live traffic.
3.4.2 actively monitoring all connections and requests to identify and prevent spurious or malicious traffic.
3.4.3 regularly reviewing and updating all Software Development Kits (SDKs), and modules to maintain compatibility and performance.
3.4.4 ensuring that any additional connections not provided or supported by Cardstream do not cause conflicting outputs or interfere with platform functionality.
3.4.5 warranting that its online presence is safeguarded against DDos (Distributed Denial of Service) attacks and similar hazards.
3.5 The Merchant is responsible for verifying the authenticity of third party platform URLs and ensuring secure access prior to entering any login credentials. The third party Platform shall not be liable for any loss, damage, or unauthorised access resulting from a Merchant’s failure to confirm the legitimacy of the access point.
4 CHARGES AND PAYMENT
4.1 All payment must be made via Direct Debit or Card on File, lodgement of one of which must be made before service delivery begins.
4.2 Cardstream will invoice the Merchant monthly.
4.3 Payment will be due on receipt of invoice, without any set-off, withholding or counterclaim.
4.4 Cardstream may charge interest at the rate of 5% above the Bank of England Base Rate on overdue sums and/or suspend the provision of its Services until payment has been made in full in cleared funds.
5 PRICING
5.1 Cardstream is entitled to increase the fees in the Merchant Registration Form automatically in line with inflation on each anniversary of the Signature Date.
6 INTELLECTUAL PROPERTY RIGHTS
6.1 All Intellectual Property Rights in the Services will be owned by Cardstream.
7 NON-DISCLOSURE, CONFIDENTIALITY AND CARDSTREAM’S PROPERTY
7.1 The Merchant and Cardstream both agree that all commercial arrangements including the names of Third Parties, their customers, Fixed Charges, Services Charges, Throughput Charges, Special Conditions and Services within this agreement will not be disclosed to any third party and will remain strictly confidential.
8 LIMITATION OF LIABILITY
8.1 Neither Party will be liable to the other Party or any Third Party for consequential, indirect or punitive damages, losses or costs; and
8.2 the total liability of either Party for direct damages or losses, however arising, together with their reasonable legal costs in any twelve month period will not exceed the Fixed Charges payable during that twelve month period, with the exception of claims for events where liability cannot be lawfully limited.
9 DATA PROCESSING AGREEMENT
9.1 Processing of Personal Data
9.1.1 Both Parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove, or replace, a Party’s obligations or rights under the Data Protection Legislation.
9.2 Third Party Service Providers (TPSP)
9.2.1 Merchant may contract the services of TPSP(s) who will act as other processors independent of Cardstream for Merchant to provide certain limited or supplementary services on its behalf via Cardstream’s gateway platform. Cardstream may integrate technically with such TPSPs and charge a facilitation fee to Merchants that will form part of the fees contained in the Merchant Registration Form.
9.2.2 Merchant authorises, requests or requires this or these TPSP engagement(s) independently of Cardstream. Merchant’s de facto use of TPSP(s) constitutes Merchant’s agreement that consequent GDPR and Data governance between Merchant and TPSP(s) is solely Merchant’s responsibility and Merchant will indemnify and hold harmless Cardstream with regard to claims, culpability and regulatory action arising from any data breaches or contractual inadequacies in relation to any services provided by TPSP(s).
9.2.3 Where Cardstream is required to deliver data to or to receive data from any such TPSP, this will be on a delivery service basis on behalf of Merchant only and neither to be construed as nor to be in actuality the TPSP’s participation in the role of sub-processor to Cardstream, whether such delivery has been confirmed in writing or entered into by custom and practice.
9.2.4 The Merchant gives Cardstream the general authorisation to replace any of the Merchant’s TPSPs; to add a new TPSP(s) as one of Merchant’s independent processors on request from Merchant; and to pass data to and receive data from an acquirer TPSP for the purpose of MID creation.
9.2.5 Merchant shall be responsible for ensuring that TPSP’s data protection provisions comply with all Applicable Laws and meet Merchant’s standards.
9.2.6 The Parties are independently responsible for and shall comply with their statutory responsibilities under the UK GDPR, and neither party is liable for the independent actions of the other party under that law.
10 FORCE MAJEURE
Neither party will be liable to the other under the Contract if it is prevented from, or delayed in performing, its obligations under the Contract or from carrying on its business by acts, events, omissions or accidents beyond its reasonable control, including (without limitation) strikes, lock-outs or other industrial disputes; failure of a utility service or transport network; failure of or interruption to the internet or any other communication network; act of God and natural disaster; war, riot, civil commotion, malicious damage; compliance with any law or governmental order, rule, regulation or direction; accident; breakdown of plant or machinery; fire, flood, storm; or default of suppliers or subcontractors.
11 ENTIRE AGREEMENT
11.1 The Contract constitutes the whole agreement between the Parties and supersedes all previous agreements between the Parties relating to its subject matter.
11.2 Each Party acknowledges that, in entering into the Contract, it has not relied on, and will have no right or remedy in respect of, any statement, misrepresentation, assurance or warranty (whether made negligently or innocently), other than as expressly provided in the Contract.
12 ASSIGNMENT
12.1 Cardstream shall have the right to assign all or any of its rights and obligations under the Contract and should apprise the other Party of any such assignment.
12.2 Merchant shall not assign this Contract without written permission from Cardstream.
12.3 The Merchant having rights under the Contract is acting on its own behalf and not for the benefit of another person.
13 RIGHTS OF THIRD PARTIES
A person who is not a Party to the Contract will not have any rights under or in connection with it pursuant to the Contract (Rights of Third Parties) Act 1999 but nothing in the Contract will affect any right or remedy of a Third Party that exists or is available otherwise than as a result of that Act.
14 NOTICES
14.1 Any notice required to be given under the Contract and its Schedules will be in writing and will include delivery of the communication to the address listed below in this subsection either in person; or by pre-paid first class post; or by recorded delivery; or by commercial courier; or by e-mail from the email address listed below in this subsection to the email address of the other party listed below in this subsection.
14.2 Addresses and numbers to be used for delivery are as follows:
CS Gateway Partners Limited
Birches Corner,
Heron Gate,
Taunton,
TA1 2LP,
Somerset, England
email: support@cardstream.com
14.3 Any notice will be deemed to have been duly received if delivered personally, when left at the address as specified on the Merchant Registration Form or as otherwise notified to the other Party in writing; or, if sent by pre-paid first-class post or recorded delivery, at 9.00 am on the second Business Day after posting; or, if delivered by commercial courier, on the date and at the time that the courier’s delivery receipt is signed; or, if sent by email from the email address listed above in 14.2 to the email address of the other party listed above in 14.2.
14.4 This condition 14 will not apply to the service of any documents in any proceedings or any legal action.
15 GOVERNING LAW AND JURISDICTION
15.1 The Contract and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims), will be governed by and construed in accordance with the law of England and Wales.
15.2 The Parties irrevocably agree that the Courts of England and Wales will have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with the Contract or its subject matter or formation (including non-contractual disputes or claims).
16 DEFINITIONS OF TERMS USED HEREIN
16.1 API: application protocol interface.
16.3 Business Day: Monday, Tuesday, Wednesday, Thursday and Friday with the exception of UK Bank Holidays.
16.4 Cardstream: CS Gateway Partners Limited, being a company registered in United Kingdom (UK) with registered office at Birches Corner, Heron Gate, Taunton, TA1 2LP.
16.5 Charges: collectively, the Fixed Charge, Throughput Charge (as more particularly described on the Merchant Registration Form) and any other additional amounts payable to Cardstream by the Merchant pursuant to these conditions as amended from time to time in accordance with these conditions.
16.6 Commencement Date: the effective start date of the Contract as set out on the Merchant Registration Form.
16.7 Contract: the Merchant Registration Form and all applicable Special Conditions (if any) and these conditions.
16.8 Core Service: transaction authorisation and payment settlement.
16.9 Customer: the person or entity that is transacting with the Merchant in an e-commerce context.
16.10 Data Protection Legislation: all privacy laws applicable to the data which is processed under or in connection with this Agreement, including EU Directive 94/96/EC and 2002/58/EC, as interpreted by the DPA (or equivalent local laws), all regulations made pursuant to and in relation to such legislation and including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (or equivalent local regulations) together with all codes of practice and other guidance on the foregoing issued by any relevant Data Protection Authority, all as amended from time to time and including the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) from 25 May 2018.
16.11 DPA: Data Protection Act 2018 (as amended or replaced from time to time).
16.12 Duration: the total time, usually expressed in minutes, comprising any particular calendar month.
16.13 Emergency Maintenance: time periods during which emergency repairs to software or systems may be necessary in order to ensure overall integrity of the Service and when there may be brief periods of Service interruption.
16.14 Fixed Charge: an annual or monthly fixed charge, payable in advance either per annum or per calendar month of the Contract in respect of the Merchant’s being given access to the Services.
16.15 Initial Term: the period specified as Initial Term on the Merchant Registration Form, from and including the Order Date of the Contract.
16.16 Intellectual Property Rights (“IPR”): all patents, rights to inventions, utility models, copyright and related rights, trade marks, service marks, trade, business and domain names, rights in computer software.
16.17 Merchant: the company or legal entity entering into this agreement.
16.18 MID Check: A MID Check comprises paying an amount of 1.01, in each of Merchant’s currencies, through its use of the Cardstream gateway and recording its correct settlement into its appointed bank account, including 3-D Secure if required.
16.19 Merchant Registration Form: the Merchant Registration form appearing as a front sheet to these conditions.
16.20 PAN Access: permission under an Attestation of Compliance for a user to access PAN ranges of cards on a view only basis.
16.21 Party(ies): CS Gateway Partners Limited and the Merchant as named in the Merchant Registration Form.
16.22 PCI: the Payment Card Industry.
16.23 PCI:DSS: the Payment Card Industry Data Security Standard.
16.24 Merchant/User: the person, firm or company that purchases Services from Cardstream as set out on the Merchant Registration Form or any recipient of or with access to Software.
16.25 Merchant Information: data and any other materials (in whatever form) published or otherwise made available (directly or indirectly) by the Merchant or on behalf of the Merchant by using the Services or relating to the Services. Merchant Information may include information about the Merchant itself (including individual employees or representatives) or permitted users or clients of the Merchant (or prospective clients) that may include personal data subject to laws or regulations.
16.26 Personal Data: those data processed or controlled by either Party that are the subject of Data Protection Legislation.
16.27 REST: Cardstream gateway management interface.
16.28 Rolling Term: one year successively following Initial Term.
16.29 Services: the services to be provided by Cardstream under the Contract for the authorisation and payment of credit, debit, purchase, fuel, charge and like card transactions (“Core Services”) together with the provision of the necessary interface through which authorisation and payment of credit/debit/charge card transactions takes place (as more particularly described in the Merchant Registration Form) (“Ancillary Services”).
16.30 Software: All integration and customised software builds (“Software”) developed and provided by Cardstream or any member of the Cardstream Group for use by a Merchant or Merchant (“User”) thereof.
16.31 Special Conditions: special conditions relating to particular aspects of the Service required as set out in the Contract or otherwise that applies more particularly specified in the Merchant Registration Form.
16.32 Term: the period for which the Parties are contracted as defined in the Initial Term.
16.33 Transaction: a transaction is defined as a successful or declined pre-authorisation, full authorisation or refund; this includes 3D Secure authentication requirements.
16.34 VAT: value added tax chargeable under English law for the time being and any similar additional tax.
