Merchant Services Terms & Conditions
CARDZ3N MERCHANT SERVICES AGREEMENT
Terms and Conditions – Updated January 2026
PREAMBLE
This Merchant Card Processing Agreement ("Merchant Agreement") is entered into between CARDZ3N (doing business as Z3N Group, AerospacePay, 1-Z3N Services, Z3N Payments, Z3N Capital, Z3N Payroll, Z3N Gateway, Z3N Pay, or Z3N; collectively "Bank"), Merchant Bank, Processor, Acquirer, Payment Services Provider (PSP), Payment Facilitator (PayFac), Merchant Service Provider (MSP), Independent Software Vendors (ISVs), Independent Sales Organization (ISO), and Payment Gateway Provider (collectively "Bank"), and the business entity completing the Merchant Application ("Merchant").
Effective Date: January 14, 2026
SECTION 1: SERVICES AND PROGRAM PARTICIPATION
1.1 Services Covered
This Agreement governs the following goods, products, and/or services provided by Bank to Merchant:
- Merchant Services
- Credit Card Processing (Visa, MasterCard, Discover, American Express)
- Electronic Payments (ACH, Wire Transfers)
- Electronic Checks and PIN Debit transactions
- Online Payroll Services
- Accounting and Bookkeeping Services
- Working Capital and Financing
- Merchant Cash Advances (MCA)
- Payment Gateway Services
- Point-of-Sale (POS) Equipment and Software
- Fraud Detection and Prevention Services
- Compliance and Reporting Tools
1.2 Merchant Application Binding Effect and Third-Party Vendor Terms
By completing and executing the Merchant Application, and by signing Third-Party Vendor Terms and Conditions provided with the Application, Merchant acknowledges that:
- Merchant has read and understands this entire Merchant Agreement and all Third-Party Vendor Terms;
- Merchant understands all obligations, fees, and terms contained in this Agreement and Third-Party Vendor Terms;
- Merchant consents to be bound by this Agreement, all Third-Party Vendor Terms, and all attachments;
- Merchant's signature on Third-Party Vendor Terms constitutes binding acceptance of this Merchant Agreement;
- Merchant's processing of the first transaction constitutes acceptance of all terms;
- Merchant grants Bank authority to:
- Access Merchant's bank accounts for settlement and fee collection;
- Process ACH debits for Processing Fees, chargebacks, and reserve deposits;
- Conduct background checks and credit inquiries;
- Report processing activity to Card Associations and regulatory bodies;
- Implement terms modifications subject to notice requirements in Section 10 and Section 23.1;
- Share Merchant information with Third-Party Vendors necessary for transaction processing.
1.3 Bank's Sole Discretion in Acceptance
Bank, in its sole and absolute discretion, may:
- Accept or reject Merchant's Application
- Accept the Application conditionally (with enhanced due diligence, reserves, or monitoring)
- Request additional documentation, certifications, or business verification
- Decline to process specific transaction types despite acceptance
- Set limitations on transaction volumes, daily processing caps, or geographic restrictions
- Require personal or corporate guaranties as condition of approval
Merchant may NOT process any transactions with Bank until Bank provides written confirmation of approval.
1.4 Merchant Agreement Hierarchy (Incorporating Third-Party Vendor Terms)
This Merchant Agreement and Merchant's binding contract consists of the following documents in order of precedence (highest to lowest):
- This Master Merchant Agreement (Sections 1-25)
- Merchant Application (with all representations and certifications)
- Third-Party Vendor Terms and Conditions (payment gateway, processor, POS, hardware, and service provider agreements)
- Operating Guide (payment network-specific procedures)
- Fee Schedule (pricing addendum)
- Card Association Operating Rules (Visa, MasterCard, Discover, Amex)
- Bank's policies as amended from time to time
Clarification of Third-Party Vendor Terms Precedence:
For any services, systems, or products provided by Third-Party Vendors, that vendor's specific terms shall control with respect to:
- Use of that vendor's platform, system, or equipment
- That vendor's specific fees or service charges
- That vendor's liability limitations and warranties
- That vendor's data handling or security procedures
- That vendor's intellectual property and usage rights
This Merchant Agreement applies to all other aspects of Bank's payment processing services.
In the event of conflict, higher-precedence documents control. Merchant shall comply with ALL documents in this hierarchy.
SECTION 2: PAYMENT CARD NETWORK COMPLIANCE OBLIGATIONS
2.1 Merchant's Payment Card Industry Obligations
Merchant acknowledges that it MUST comply with Operating Rules established by Visa, MasterCard, Discover, and American Express ("Card Associations"). These Operating Rules are incorporated by reference into this Agreement.
Key Operating Rules Include:
- Visa Client Compliance Program (CISP) – Mandatory security requirements
- MasterCard Security Program (SDP) – Data protection standards
- Discover Information Security Compliance (DISC) – Security compliance requirements
- American Express Data Security Requirements – Cardholder protection standards
- PCI DSS 4.0 – Industry-wide Payment Card Data Security Standards (mandatory as of April 1, 2024)
- Chargeback Management Requirements – Dispute procedures and timelines
- Transaction Authorization Standards – Authorization capture and settlement procedures
- Merchant Categorization Rules – Merchant Category Code (MCC) compliance
2.2 Operating Rules Compliance Consequences
Merchant's failure to comply with Card Association Operating Rules constitutes material breach of this Agreement. Bank may:
- Impose Compliance Remediation Fees ($500-$2,000 monthly)
- Require third-party PCI DSS assessment at Merchant's expense ($1,500-$5,000)
- Suspend transaction processing until remediation is complete
- Increase Reserve Account to cover estimated losses
- Terminate this Agreement for cause if violations continue beyond 30-day cure period
- Pursue enforcement actions and injunctive relief
Merchant acknowledges that Card Associations may impose fines directly on Bank for Merchant's non-compliance (Visa: up to $25,000 monthly for Level 1 non-compliance). Merchant shall fully indemnify Bank for all such fines and penalties.
2.3 Merchant's Representation Regarding Operating Rules
Merchant represents and warrants that it:
- Has reviewed all Card Association Operating Rules applicable to Merchant's business
- Understands Merchant's obligations under these Rules
- Shall maintain continuous compliance with all current and future Operating Rule amendments
- Shall notify Bank within 5 business days of any amendment or change to Operating Rules
- Authorizes Bank to provide Operating Rule documentation and compliance guidance
- Acknowledges that Operating Rules may change with little or no advance notice and shall be binding upon Merchant immediately
2.4 Bank's Authority to Modify Terms for Operating Rules Compliance
If Card Associations amend Operating Rules in ways that require changes to this Agreement, Bank may:
- Amend this Agreement upon less than 15 days' notice (or immediately if required by Operating Rules)
- Suspend services to ensure compliance with Operating Rules
- Implement additional security measures, reserve requirements, or reporting obligations
- Modify fee structures to reflect Card Association assessments or penalties
Merchant shall comply with such modifications or immediately cease processing Transactions.
SECTION 3: PCI DSS 4.0 COMPLIANCE REQUIREMENTS (MANDATORY)
3.1 PCI DSS 4.0 Applicability and Merchant Responsibility
Merchant acknowledges that as of April 1, 2024, PCI DSS Version 4.0 is the mandatory standard for all entities that store, process, or transmit cardholder data. Merchant is responsible for achieving and maintaining PCI DSS compliance at the level appropriate to Merchant's transaction volume and business model.
PCI DSS Compliance Levels:
Level
Annual Volume
Requirements
Level 1
>6 million transactions
Annual Report on Compliance (ROC) by QSA; quarterly network scans
Level 2
1-6 million transactions
Attestation of Compliance (AOC); annual external network scan
Level 3
20,000-1 million Visa transactions
Self-assessment questionnaire (SAQ); annual compliance attestation
Level 4
<20,000 Visa transactions
Annual compliance questionnaire
Merchant shall provide Bank with evidence of PCI DSS compliance appropriate to Merchant's level upon request (and at least annually).
3.2 Twelve Core PCI DSS Requirements
Merchant shall implement and maintain controls addressing the following 12 PCI DSS requirements:
1. Firewall Configuration and Access Control
- Install and maintain firewall configuration protecting cardholder data environment (CDE)
- Establish clear rules defining permitted/denied traffic
- Implement multi-factor authentication for all remote access to CDE
2. Default Passwords and Security Parameters
- Never use vendor-supplied default passwords for systems, devices, or applications
- Change default settings immediately upon system deployment
- Maintain documented inventory of all systems with security parameters configured
3. Cardholder Data Protection
- Render stored cardholder data unreadable through encryption or masking
- Implement encryption for data at rest using AES-256 or equivalent
- Maintain secure key management procedures
- Do not store Magnetic Stripe data (Track data), CVV/CVC values post-authorization, or PIN blocks
4. Encrypted Transmission of Cardholder Data
- Encrypt cardholder data in transit across public networks (internet)
- Use TLS 1.2 or higher for all HTTPS connections
- Implement certificate pinning for critical connections
- Ensure all wireless networks use WPA2 or WPA3 encryption
5. Malware Protection and Antivirus
- Deploy and maintain antivirus software on all systems processing cardholder data
- Update antivirus signatures daily or automatically
- Disable unnecessary services and ports
- Implement endpoint detection and response (EDR) tools
6. Secure Systems and Application Development
- Implement secure software development lifecycle (SDLC)
- Conduct application security testing (static and dynamic analysis)
- Implement code review processes for all cardholder data handling code
- Maintain patch management for all systems (apply security patches within 30 days)
7. Restricted Access to Cardholder Data
- Limit access to cardholder data to personnel with business need-to-know
- Implement role-based access controls (RBAC)
- Require multi-factor authentication for all access to cardholder data
- Maintain access logs documenting all user access (preserved for minimum 12 months)
8. User Authentication and Identification
- Assign unique user IDs to all personnel accessing cardholder data
- Implement strong password requirements (minimum 12 characters, complexity)
- Require multi-factor authentication (MFA) for all CDE access
- Disable accounts after 90 days of inactivity
- Implement account lockout after 6 failed login attempts
9. Physical and Logical Access Control
- Restrict physical access to facilities and systems containing cardholder data
- Implement video surveillance monitoring access points
- Maintain visitor logs and badge access controls
- Destroy physical records containing cardholder data securely (shredding, incineration)
- Control disposal of electronic media containing cardholder data (verified destruction)
10. Monitoring and Testing of Access Controls
- Implement continuous monitoring of all access to cardholder data
- Maintain audit logs with date, time, user, activity details
- Retain logs for minimum 12 months (at least 3 months readily available)
- Conduct regular monitoring to detect and alert on suspicious access patterns
- Implement intrusion detection systems (IDS) or intrusion prevention systems (IPS)
11. Vulnerability Management and Regular Testing
- Conduct external network penetration testing at least annually
- Conduct web application penetration testing annually
- Conduct internal network segmentation testing annually
- Implement automated vulnerability scanning quarterly
- Conduct remediation of identified vulnerabilities within 30 days (critical) / 90 days (other)
12. Information Security Policy and Incident Response Plan
- Establish documented information security policy covering all 12 requirements
- Implement incident response plan tested at least annually
- Designate incident response team with clear responsibilities
- Maintain forensic investigation procedures and evidence preservation protocols
- Prepare incident notification procedures (within 24-48 hours of discovery per state law requirements)
3.3 Merchant's PCI DSS Attestation
Merchant shall:
- Complete annual PCI DSS self-assessment or obtain third-party QSA attestation appropriate to Merchant's level
- Submit attestation to Bank upon request (and at least annually)
- Maintain certification records demonstrating ongoing compliance
- Notify Bank within 5 business days of any compliance audit findings
- Execute corrective action plan for any compliance gaps within 15 days
- Provide evidence of remediation within 30 days of identification
Merchant's failure to provide timely attestations or remediate findings shall permit Bank to:
- Suspend Merchant's ability to process transactions
- Impose PCI non-compliance fees ($100-$500 monthly)
- Require daily settlement and increased reserve deposits
- Terminate this Agreement for material breach
3.4 Enhanced Security Requirements for Merchants Processing Card-Not-Present (CNP) Transactions
For merchants processing transactions where the physical card is not presented (online, phone, mail orders), Merchant shall implement:
3-D Secure (3DS) Authentication:
- Implement Visa Secure (formerly Verified by Visa) for all Visa Card-Not-Present transactions
- Implement MasterCard SecureCode for all MasterCard transactions
- Implement Discover's Authentication Service
- Implement American Express SafeKey (if offering Amex)
- Target minimum 90% 3DS coverage across Card-Not-Present portfolio
Advanced Fraud Detection:
- Implement real-time fraud detection scoring for all transactions
- Conduct automated velocity checking (multiple rapid transactions from same customer/payment method)
- Perform automated Address Verification Service (AVS) and CVV matching
- Flag and review transactions with: (i) mismatched billing/shipping addresses; (ii) geographically impossible transactions; (iii) high-value orders from new customers
- Manually review transactions scoring above fraud threshold before authorization submission
EMV Compliance (Point-of-Sale):
- Implement EMV chip-reading capability on all POS terminals
- Require EMV insertion/contactless for all in-person card-present transactions
- Configure terminals to decline transactions if chip data is not read
- Maintain updated terminal firmware (security patches applied monthly)
Merchant's failure to implement 3DS or fraud detection may result in:
- Liability shift to Merchant for fraudulent chargebacks (normally cardholder's liability)
- Increased chargeback fees ($25-$100 per chargeback)
- Reserve account increases (up to 50% of monthly volume)
- Possible termination for material non-compliance
SECTION 4: DATA BREACH NOTIFICATION AND INCIDENT RESPONSE PROTOCOL
4.1 Mandatory Breach Notification Requirements
In the event of a confirmed or suspected breach, compromise, or unauthorized access to Cardholder data, Merchant shall immediately:
4.1A – Immediate Notification (Within 24 Hours of Discovery)
Merchant must notify Bank within 24 hours (not later than close of business next day) of discovery or reasonable suspicion of:
- Unauthorized access to cardholder account numbers, names, or authentication credentials
- Unauthorized exposure of Magnetic Stripe data, CVV values, or PIN blocks
- Suspected malware infection on POS terminals or payment processing systems
- Suspected data exfiltration or unauthorized file transfers
- Suspected hacking or network intrusion
- Loss or theft of devices or media containing unencrypted cardholder data
- Any security incident that could impact cardholder data confidentiality, integrity, or availability
Notification Method: Merchant shall contact Bank's Incident Response Team:
- Phone (24/7 Hotline): [Bank-provided emergency number]
- Email: [Bank-provided incident response email]
- Online Portal: [Bank-provided incident management system]
Required Information in Initial Notification:
- Merchant name and processor ID
- Approximate date/time of discovery
- Nature of suspected breach (unauthorized access, malware, data theft, etc.)
- Estimated scope (number of payment terminals, systems, or records affected)
- Initial containment measures taken (system shutdown, network isolation, credential reset, etc.)
- Name and phone number of Merchant's incident response contact
4.1B – Detailed Written Notice (Within 3 Business Days)
Within 3 business days of discovery, Merchant shall provide Bank with detailed written notice containing:
(i) Incident Nature and Scope:
- Detailed description of what occurred and how it was discovered
- Date/time of incident detection (or estimated date if unknown)
- Timeline of initial discovery through notification to Bank
- Types of cardholder data involved (account numbers, names, CVV, etc.)
- Data elements exposed (e.g., "full PAN, expiration date, no CVV")
- Estimated number of unique cardholders affected
- Estimated number of payment cards impacted
- Geographic distribution of affected cardholders
- Affected card types (Visa, MasterCard, Discover, Amex, debit cards, prepaid cards)
- Actions taken to contain the breach
- Systems taken offline or isolated
- Compromised credentials reset or revoked
- Patches or security updates applied
- Network segmentation or access controls implemented
- Initial assessment of root cause (malware, credential compromise, insider threat, misconfiguration, etc.)
- Systems or components involved
- Attack vectors or vulnerability exploited
- Duration of potential exposure (how long was system compromised before detection)
- Accredited by PCI Security Standards Council (listed on official PFI directory at https://www.pcisecuritystandards.org)
- Licensed and bonded cybersecurity forensics firm
- Experienced in payment card incident investigations
- Available for 24/7 response (target response within 5 business days of engagement agreement)
- Capable of conducting full digital forensics with proper evidence chain of custody procedures
- Able to preserve all evidence for potential legal proceedings
- Actual date/time of unauthorized access or data compromise
- Full extent of cardholder data exposure
- Root cause analysis identifying vulnerability exploited
- Forensic evidence of attack methodology and attacker identity (if available)
- Timeline of attacker presence and activities
- Data exfiltration confirmation and scope
- Remediation recommendations to prevent future incidents
- Provide Forensic Investigator with complete unrestricted access to all systems, data, logs, and facilities
- Preserve all evidence (no deletion of logs, no rebuilding of systems) pending forensic examination
- Maintain chain of custody for all evidence
- Provide system administrator credentials and technical documentation
- Assign personnel to respond to forensic investigator inquiries within 24 hours
- Cooperate with Bank's participation in investigation (Bank has right to observe/participate in forensics)
- Pay Forensic Investigator's fees (typically $3,000-$15,000+ depending on incident complexity)
- Nevada Data Breach Notification Law (NRS 603A.220): Notify affected Nevada residents within "without unreasonable delay" (typically interpreted as 30 days)
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): Notify within 30 days of discovery
- New York General Business Law § 668: Notify "in the most expedient time possible and without unreasonable delay"
- Federal FCRA/GLBA requirements if applicable
- Card Association notification requirements (within 72 hours of confirmed breach affecting 5+ cardholders per card type)
- Clear statement that a data breach occurred
- Specific cardholder information compromised (account number ranges, but not full PAN)
- Merchant's contact information
- Recommended protective actions (e.g., monitor accounts, place fraud alert, credit freeze)
- Information on free credit monitoring services (if offered)
- Advise to contact Merchant and Card Associations for fraud liability information
- Company website and phone number for additional information
- Notify relevant regulatory authorities as required by applicable law
- Provide FBI/Secret Service with forensic investigation results if breach involves fraud rings or organized crime
- Cooperate with any state attorney general investigation
- Report incident to Card Associations within timeframes specified in Operating Rules (typically 72 hours for breaches affecting 5+ cards per type)
- Forensic investigation fees (PCI SSC-qualified investigator)
- Credit monitoring services offered to affected cardholders (typically 12-24 months)
- Notification costs (mailing, email, phone notification services)
- Regulatory fines imposed by state attorneys general or card associations
- Chargeback disputes and fraud-related losses arising from the breach
- Additional reserve account deposits required by Bank to cover breach-related liability
- Lost transaction settlement during investigation and remediation period
- Public relations and customer communication services (if offered by Merchant)
- Legal fees for regulatory defense (separate from Bank's own legal costs)
- Amounts paid for Merchant's notification obligations (if Bank pays on Merchant's behalf)
- Amounts paid for forensic investigation (if Bank retains investigator on Merchant's behalf)
- Merchant's portion of Card Association fines related to breach
- Credit monitoring fees paid to affected cardholders
- Chargeback and fraud loss recoveries
- PCI DSS 4.0 compliance (Sections 3.1-3.4 above)
- Annual written information security policy
- Documented security procedures for all personnel handling cardholder data
- Regular security awareness training for all staff (minimum annually)
- Documented incident response procedures tested annually
- Vendor risk management (approved processor/servicer list)
- Risk assessment process identifying vulnerabilities and threats
- Business continuity and disaster recovery plan tested annually
- Store Prohibited Data Post-Authorization:
- Store or retain Magnetic Stripe data (Track 1 or Track 2) after authorization
- Store CVV, CVC, or CID security codes after authorization
- Store PIN blocks or PIN values under any circumstances
- Store expiration dates combined with account numbers in unencrypted form
- Sell or Disclose Cardholder Data:
- Sell cardholder account numbers to third parties without express cardholder consent
- Disclose cardholder information to third parties except as necessary for processing
- Release cardholder information over telephone under any circumstances
- Use cardholder data for any purpose other than authorized transaction processing and dispute resolution
- Unsafe Data Transmission:
- Transmit cardholder data over unencrypted internet connections
- Email cardholder account numbers or sensitive data without encryption
- Text message cardholder data to mobile phones
- Fax cardholder account numbers or CVV values
- Insecure Storage:
- Store cardholder data on unencrypted laptops, USB drives, or mobile devices
- Maintain cardholder data on systems not compliant with PCI DSS requirements
- Keep paper records containing cardholder data in unsecured areas
- Retain cardholder data longer than legally required (discard/destroy after transaction processing)
- Suspend Merchant's processing capabilities
- Impose additional data security compliance fees ($500-$2,000 monthly)
- Require breach notification to all affected cardholders at Merchant's expense
- Terminate Agreement for material non-compliance
- Obtain Bank's prior written approval at least 60 days in advance
- Require Merchant Servicer to comply with all PCI DSS requirements
- Execute written data processing agreement with Merchant Servicer requiring:
- PCI DSS compliance
- Data confidentiality obligations
- Incident notification requirements
- Vendor liability insurance requirements
- Right of audit and inspection
- Subcontractor management and security requirements
- Maintain current list of all Merchant Servicers processing cardholder data
- Notify Bank within 5 days of any Merchant Servicer change or termination
- Conduct annual security assessment of each Merchant Servicer
- Servicer is not PCI DSS compliant
- Servicer has history of security incidents or breaches
- Servicer is located in high-risk jurisdiction for data security
- Servicer's security practices do not meet Bank's standards
- Servicer has been subject to regulatory sanctions or fines
- Transaction Receipts: Minimum 2 years or longer if required by Operating Rules
- Chargeback Documentation: Minimum 3 years from chargeback date
- Audit/Forensic Records: Minimum 7 years if related to compliance investigations
- Cardholder Account Numbers: No retention after transaction processing (destroy/delete within 24-48 hours of authorization)
- Magnetic Stripe Data: No retention post-authorization (delete/destroy immediately)
- CVV/Security Codes: No retention post-authorization (delete/destroy immediately)
- Paper Records: Shredding (cross-cut, minimum ¼ inch) or incineration
- Electronic Data: Verified deletion (degaussing, secure wipe using NIST-approved methods, overwriting with random data)
- Magnetic Media: Degaussing or physical destruction (crushing, shredding)
- Hard Drives: Verified destruction (physical destruction, certified e-waste destruction with certificate)
- Dispose of cardholder data in regular trash or recycling
- Donate equipment containing cardholder data without verified wiping
- Sell or transfer used equipment without certified data destruction
- Retain cardholder data longer than legally necessary
SECTION 12: SETTLEMENT AND FUNDING MECHANICS
12.1 Transaction Settlement Overview
Bank shall provide provisional credit to Merchant's Settlement Account for each valid Transaction processed, subject to:
- Merchant Bank's receipt of settlement through Card Association procedures
- Verification that Transaction complies with all requirements
- Absence of fraud indicators or chargeback disputes
- Verification that Merchant has not exceeded Reserve Account limits
12.2 Settlement Timing
Standard Settlement Schedule:
- Transactions submitted before 4:00 PM EST: Settlement credit within 1-2 business days
- Transactions submitted after 4:00 PM EST: Settlement credit within 2-3 business days
- Weekend/holiday submissions: Settlement credit within 3-5 business days
Accelerated Settlement (Daily):
Bank may require daily settlement (daily deposits to Merchant's bank account) if:
- Merchant's chargeback ratio exceeds 1%
- Merchant's processing activity appears elevated risk
- Merchant Account Management deems daily settlement necessary
- Merchant requests daily settlement and pays expedited settlement fee
12.3 Deductions from Settlement
Before crediting Merchant's Settlement Account, Bank shall deduct:
- Processing Fees and Assessments:
- Discount rate (percentage of transaction)
- Per-transaction fees
- Monthly minimum if applicable
- Card Association assessments and network fees
- Chargebacks and Disputes:
- Full amount of any chargeback filed by cardholder
- Dispute investigation fees ($15-$50 per chargeback)
- Chargeback-related costs incurred by Bank
- Reserve Account Deposits:
- Monthly reserve deposit if Merchant is subject to reserve requirement
- Reserve amount specified in Section 13
- ACH Return Fees:
- $5-$15 per ACH transaction returned for insufficient funds or invalid account
- Other Charges:
- POS equipment rental, gateway fees, or software licenses
- Early termination fees (if applicable)
- Compliance remediation fees (if incurred)
- Audit/forensic investigation costs (if Merchant caused)
Merchant agrees that such deductions are automatic and shall NOT require Merchant's authorization or approval.
12.4 Provisional Credit Disclaimer
MERCHANT ACKNOWLEDGES THAT ALL SETTLEMENT CREDITS ARE PROVISIONAL AND SUBJECT TO:
- Reversal and adjustment upon discovery of fraudulent transactions
- Chargeback disputes by cardholders
- Operating Rules violations or corrections
- Card Association adjustments or corrections
- Correction of errors in transaction processing or settlement calculations
- Investigation of suspected fraud or unauthorized activity
Provisional credit in one month does NOT guarantee final settlement if:
- Chargebacks are filed after settlement credit
- Fraud is discovered after settlement
- Operating Rules violations are later identified
- Card Associations issue corrective billing
Bank may reverse provisional credits and demand repayment from Merchant if later-discovered issues warrant reversal.
SECTION 13: RESERVE ACCOUNT REQUIREMENTS (EXPANDED)
13.1 Reserve Account Purpose and Mechanics
Purpose: Reserve Account protects Bank against future losses including:
- Chargeback claims filed after Merchant's closure
- Fraud losses discovered post-settlement
- Processing errors requiring correction
- Operating Rules violation fines and penalties
- Customer refund obligations
- Regulatory fines or sanctions
Mechanics: Bank maintains Reserve Account separate from Settlement Account:
- Merchant's funds held in reserve account controlled by Bank only
- Merchant may NOT access or withdraw reserve funds
- Bank may deduct reserve account funds for any obligation without notice
- Reserve account is NOT Merchant's property; merely a security deposit
13.2 Reserve Account Requirement Triggers
Bank may require Reserve Account deposit if:
- Risk-Based Reserves (Business Model):
- Merchant processes Card-Not-Present (CNP) transactions
- Merchant processes recurring/subscription transactions
- Merchant processes telemarketing or phone order transactions
- Merchant processes adult industry transactions
- Merchant processes high-ticket transactions (>$1,000 average)
- Chargeback-Based Reserves:
- Chargeback ratio exceeds 1% (triggered at 1%+)
- Monthly chargeback dollar amount exceeds 3% of Transaction volume
- Elevated chargeback activity requiring higher reserve cushion
- Merchant Profile Reserves:
- Merchant has history of fraud or processing violations
- New merchant in high-risk category (first 90 days)
- Merchant's financial condition presents risk
- Merchant's processing patterns suggest elevated risk
- Investigative or Compliance Reserves:
- Material non-compliance with PCI DSS or security requirements
- Pending investigation of suspected fraud or violations
- Regulatory examination or enforcement
- Investigation of suspected chargebacks fraud or friendly fraud
13.3 Reserve Account Amount Formula
Typical Reserve Amounts by Risk Category:
Risk Category
Reserve Formula
New Merchant (First 90 Days)
$5,000-$25,000 flat reserve
Recurring Transactions
5-15% of monthly processing volume
Card-Not-Present High Volume
10-25% of monthly processing volume
Elevated Chargeback Activity
$25,000-$100,000+ (case-by-case)
High-Risk Business Category
10-25% of monthly processing volume
At Termination
Sufficient to cover 180-day estimated chargeback liability
Bank shall determine reserve amount in its sole discretion based on risk assessment.
13.4 Reserve Account Calculation and Deposits
Calculation:
- Monthly Processing Volume = (Transaction Count) × (Average Ticket Amount)
- Monthly Reserve = Processing Volume × Reserve Percentage
- Deposit = Monthly Reserve or Flat Amount (whichever is greater)
Deposits:
- Reserve deposits shall be deducted automatically from Settlement Account
- Merchant shall NOT receive invoice or notice before deduction
- Multiple deductions may occur monthly if multiple reserves are maintained
Example:
- Merchant processes $100,000 monthly in Card-Not-Present transactions
- Reserve percentage: 15%
- Monthly reserve requirement: $100,000 × 15% = $15,000
- Bank deducts $15,000 from each month's settlement, deposits to Reserve Account
13.5 Release of Reserve Funds
Reserve Funds Released (to Merchant's Settlement Account) ONLY when:
- Time Requirement Met: Minimum 180 days have elapsed since:
- Final transaction settlement, AND
- All chargebacks have been resolved, AND
- All investigations have concluded
- Chargeback Clearance: All chargeback claims filed against Merchant have:
- Been resolved (won or lost), AND
- Passed the chargeback appeal deadline, AND
- No outstanding retrieval requests remain
- Fee Clearance: All Processing Fees, audit fees, compliance fees, and penalties have:
- Been paid in full, AND
- No outstanding disputes remain
- Investigation Clearance: Any investigations or audits have:
- Been completed, AND
- All findings remediated or resolved, AND
- No follow-up examinations pending
- Regulatory Clearance: No regulatory holds exist on funds (no governmental garnishment or levy)
Merchant's Proactive Release Request:
Merchant may request reserve release by providing Bank:
- Written request letter
- Certification that all chargebacks have been resolved
- Proof that termination occurred >180 days prior
- Evidence of full payment of all fees and penalties
Bank shall respond within 15 business days of complete request.
13.6 Reserve Account Hold Post-Termination
Upon termination of this Agreement:
Immediate Hold:
- Reserve Account is immediately frozen upon termination
- No withdrawals permitted by Merchant
- Bank shall hold reserves to cover estimated 180-day post-termination chargeback liability
Hold Duration:
- Minimum 180 days from final transaction settlement
- Up to 12+ months if chargebacks or disputes remain unresolved
- Until all chargebacks, fees, and penalties are satisfied in full
Satisfaction of Obligations:
- If chargebacks, fees, or penalties exceed reserve balance, Bank may pursue Merchant for additional amounts
- Bank may debit Merchant's other accounts (if linked) or pursue collection
- Remaining balance released to Merchant only after all obligations satisfied
SECTION 14: FEES AND PRICING
14.1 Processing Fees Components
Merchant shall pay Bank the following fees as specified in attached Fee Schedule:
- Discount Rate: Percentage of each transaction amount (varies by card type and transaction category)
- Per-Transaction Fee: Fixed amount per transaction ($0.10-$0.30 typical)
- Monthly Minimum: Minimum fee regardless of transaction volume
- Gateway/Software Fees: If Merchant uses Bank-provided gateway or software
- POS Equipment Rental: If Merchant leases terminal from Bank ($10-$50 monthly typical)
- Compliance/Monitoring Fees: If heightened monitoring required ($100-$500 monthly)
14.2 Incremental Fees
In addition to Processing Fees, Merchant shall pay:
Fee Category
Typical Amount
Chargeback Dispute Fee
$15-$50 per chargeback
ACH Return Fee
$5-$15 per returned transaction
Wire Transfer Fee
$10-$25 per outbound wire
Early Termination Fee
Per Fee Schedule (or 6-month minimum)
PCI Non-Compliance Fee
$100-$500 monthly until remedied
Excessive Chargeback Fee
$100-$500 per chargeback above threshold
Statement Reprint
$5-$10 per copy
Account Research
$50-$100 per hour
Accelerated/Daily Settlement
$25-$50 monthly
Third-Party Integration
Cost of implementation
International Transaction Fee
1-3% additional (if applicable)
14.3 Fee Schedule Amendments
Bank may increase fees by providing thirty (30) days' prior written notice. Merchant may terminate without penalty if:
- Discount rate increases >15%
- Monthly minimum increases >30%
- New mandatory fees total >20% of prior monthly fees
Merchant must provide written termination notice before fee increase effective date to avoid new fees.
SECTION 15: CREDIT REPORTS AND REGULATORY REQUESTS
15.1 Credit Reporting
Bank may obtain credit reports and other information on:
- Merchant
- Owners and principals of Merchant
- Officers and managers of Merchant
- Guarantors
Bank may obtain such information from:
- Credit reporting agencies (Dun & Bradstreet, Equifax, Experian, TransUnion)
- Business information providers (business registries, property records)
- Customers, suppliers, and lenders of Merchant
- Regulatory sources and government databases
- Third-party fraud databases and chargeback networks
15.2 Information Bank May Furnish
Bank may furnish information about Merchant to:
- Card Associations (Visa, MasterCard, Discover, Amex)
- Law enforcement and regulatory agencies (upon valid request)
- Other payment processors and acquiring banks (for fraud prevention)
- Chargeback networks and fraud prevention databases
- Merchant's other financial institutions (upon authorization)
Merchant shall sign consent forms authorizing such information sharing.
15.3 Business and Financial Information
Bank may request and Merchant shall provide:
- Updated business and financial information (balance sheets, income statements, tax returns)
- Copies of business licenses and professional certifications
- Proof of adequate business insurance
- Beneficial ownership documentation (Form W-9, K-1, partnership agreements, corporate resolutions)
- Criminal background consent (Merchant shall authorize background check)
Merchant shall provide such information within 10 business days of request.
15.4 Audit and Examination Rights (EXPANDED)
At any time, Bank, any Card Association, or regulatory authority may audit Merchant:
Audit Scope:
- PCI DSS and security compliance verification
- AML/KYC compliance and sanctions screening
- Transaction authorization and chargeback procedures
- Merchant Application accuracy and Merchant Agreement compliance
- Processing activity pattern analysis
- Billing and fee compliance
Audit Notice:
- Routine audits require 10 business days advance notice
- Risk-based audits may be conducted without notice
- High-risk merchants subject to unannounced audits
- Remote audits via systems access acceptable
Merchant Obligations:
- Provide unrestricted access to all systems, facilities, records, and documentation
- Designate compliance officer to coordinate audit activities
- Respond to audit information requests within 48 hours
- Remediate findings within 30 days (or timeframe specified)
- Pay Bank's audit costs exceeding 2 hours ($250-$500 per hour)
Audit Results:
- Bank shall provide written audit report
- Merchant shall execute Corrective Action Plan for findings
- Bank may require follow-up audits at Merchant's expense
- Material findings trigger Reserve Account increase and possible termination rights
SECTION 16: REPRESENTATIONS, WARRANTIES, AND MERCHANT COVENANTS
16.1 Merchant's Initial Representations
Upon execution of Merchant Application, Merchant represents and warrants:
- Accuracy: All statements in Merchant Application are true, accurate, and complete
- Authority: Person executing Application has full authority to bind Merchant
- Business Legitimacy: Merchant's business is legal and conducted in compliance with all laws
- No Prohibited Status: Merchant is not sanctioned, investigated, or listed on OFAC/FinCEN lists
- No Bankruptcy: Merchant is not bankrupt, insolvent, or subject to similar proceedings
- Valid Account: Settlement Account is owned and controlled by Merchant and is valid for processing
- No Conflicting Agreements: Merchant has no agreements conflicting with this Agreement
- Financial Capacity: Merchant has financial capacity to perform all obligations
- No Misrepresentations: Merchant has made no false, incomplete, or misleading statements to Bank
- Guaranty Authority: If guarantors sign, they have full authority to guarantee obligations
16.2 Ongoing Representations
Each time Merchant submits a transaction and throughout the Term, Merchant represents:
- Compliance: Merchant has complied and shall comply with all Agreement terms and all Third-Party Vendor Terms (Section 16.2A)
- Beneficial Changes: No material adverse changes in Merchant's financial condition or operations
- Business Consistency: No material changes in business type, products, services, or operations
- No Default: Merchant is not in default under this Agreement or any other agreement, including Third-Party Vendor agreements
- Transaction Legitimacy: Each transaction is genuine, lawful, and arises from bona fide sale of merchandise/services
- Transaction Validity: Each transaction represents a valid obligation in the amount shown on receipt
- Valid Title: Merchant has good title to all transactions submitted for processing
- No Disputes: Transactions are not subject to disputes, set-offs, counterclaims, or chargebacks
- No Prior Submission: Transactions have not been previously presented for processing
- AML Compliance: Transactions do not involve sanctioned persons, countries, or prohibited activities
- Data Integrity: Transaction data is accurate and complete; receipts are genuine
16.2A – Third-Party Vendor Terms and Conditions Applicability
Merchant acknowledges that Bank provides certain payment processing services through third-party vendors, service providers, and technology platforms ("Third-Party Vendors"). Merchant shall comply with all Third-Party Vendor Terms and Conditions ("Third-Party Vendor Terms") in addition to this Merchant Agreement.
Third-Party Vendor Terms Incorporation:
The following third-party vendor terms are incorporated by reference and form binding conditions of Merchant's account:
- Payment gateway provider terms and conditions
- POS terminal provider or leasing agreement terms
- Acquiring bank or payment processor terms (if different from Bank)
- Payment network operating rules and agreements
- Merchant Servicer or ISO partner agreement terms
- Software, API, or integration provider terms
- Hardware manufacturer or lessor terms
- Fraud detection or compliance service provider terms
- Any other third-party service provider agreement necessary for transaction processing
Merchant's Receipt of Third-Party Vendor Terms:
Merchant shall receive copies of all applicable Third-Party Vendor Terms with the Merchant Application package and during account setup. Merchant acknowledges and agrees that:
- Merchant has reviewed and understands all Third-Party Vendor Terms
- Third-Party Vendor Terms are incorporated into and form part of Merchant's formal contract with Bank
- Merchant shall comply with all Third-Party Vendor Terms
- Merchant shall be bound by all restrictions, obligations, and requirements in Third-Party Vendor Terms
- Third-Party Vendor Terms shall govern Merchant's use of third-party systems, equipment, and services
- In case of conflict between this Merchant Agreement and Third-Party Vendor Terms, the Third-Party Vendor Terms shall control with respect to that third party's systems and services
Hierarchy of Binding Agreements:
Merchant's binding contract obligations consist of (in order of precedence):
- This Master Merchant Agreement (Sections 1-25)
- Merchant Application (with all representations and certifications)
- Third-Party Vendor Terms and Conditions (payment gateway, processor, POS, hardware, and other service provider terms)
- Operating Guide (payment network-specific procedures)
- Fee Schedule (pricing addendum)
- Card Association Operating Rules (Visa, MasterCard, Discover, Amex)
- Bank's policies as amended from time to time
Merchant's Compliance Obligation:
Merchant shall comply with ALL documents in this hierarchy. Merchant's failure to comply with Third-Party Vendor Terms constitutes material breach of this Merchant Agreement and permits Bank to:
- Suspend transaction processing
- Impose additional compliance fees
- Require remediation within 10 days
- Terminate Agreement for material non-compliance after 30-day cure period
Binding Effect Without Merchant Signature on CARDZ3N Terms:
Merchant acknowledges that Merchant will NOT be signing separate CARDZ3N Merchant Agreement documentation. Instead:
- Merchant shall sign Third-Party Vendor Terms and Conditions provided at account application
- Third-Party Vendor Terms serve as the formal executed contract between Merchant and third-party vendors
- Merchant's acceptance of Third-Party Vendor Terms constitutes Merchant's binding consent to all terms herein
- Merchant's completion of Merchant Application and processing of first transaction constitutes acceptance of this Agreement
- Merchant's continued use of Bank's processing services constitutes continued acceptance of all Agreement terms
- Merchant's receipt and acknowledgment of Third-Party Vendor Terms constitutes acknowledgment of this Agreement
Merchant shall NOT contest the enforceability of this Agreement based on lack of signature by Merchant on separate CARDZ3N documentation. Merchant's acceptance of Third-Party Vendor Terms, completion of Merchant Application, and commencement of transaction processing are sufficient to bind Merchant to all terms herein.
Third-Party Vendor Changes and Updates:
Bank may change Third-Party Vendors at any time without prior notice. Merchant shall:
- Accept changes to Third-Party Vendors as necessary for service continuity
- Comply with new Third-Party Vendor Terms upon notice of vendor change
- Bear any costs or fees associated with vendor transitions
- Not suspend processing or dispute charges due to vendor changes
- Cooperate fully with vendor transition procedures
Merchant's continued processing after Third-Party Vendor change constitutes acceptance of new vendor terms.
16.3 Warranties Regarding Operating Rules Compliance
Merchant warrants that:
- Merchant has reviewed and understands applicable Card Association Operating Rules
- Merchant shall maintain continuous compliance with Operating Rules
- Merchant shall promptly notify Bank of any Operating Rules violations discovered
- Merchant authorizes Bank to perform Operating Rules monitoring and audits
16.4 Warranties Regarding PCI DSS Compliance
Merchant warrants that:
- Merchant shall achieve and maintain PCI DSS compliance level required by Merchant's processing volume
- Merchant shall implement all 12 PCI DSS requirements and security controls
- Merchant shall not store prohibited cardholder data post-authorization
- Merchant shall engage only PCI DSS-compliant Merchant Servicers
- Merchant shall use only PCI SSC-qualified forensic investigators for breach investigations
- Merchant shall provide Bank with annual PCI DSS attestations and assessment reports
16.5 Warranties Regarding Cardholder Data
Merchant warrants that:
- Cardholder data received is protected with security equivalent to Bank's standards
- Cardholder data is not disclosed to unauthorized third parties
- Cardholder data is not retained longer than legally required
- Cardholder data is securely destroyed using verified destruction methods
- No Magnetic Stripe, CVV, or PIN data is stored post-authorization
- All Merchant Servicers maintain equivalent cardholder data protections
16.6 Merchant's Covenant to Notify
Merchant covenants to immediately notify Bank (within 24 hours) of:
- Any data breach, security incident, or unauthorized access
- Chargeback disputes or retrieval requests exceeding 2 per month
- Chargebacks ratio exceeding 0.75%
- Ownership changes, relocations, business modifications
- OFAC match, sanctions designation, or regulatory investigation
- Litigation involving Merchant exceeding $50,000
- Bankruptcy petition or insolvency event
- Operating Rules violations or compliance failures
- Material adverse changes in financial condition
- Loss or theft of POS equipment or cardholder data materials
- Any incident affecting Merchant's creditworthiness or reliability
SECTION 17: CONFIDENTIALITY AND INTELLECTUAL PROPERTY
17.1 Confidentiality of Bank's Information
Merchant shall maintain strict confidentiality of:
- Bank's processing systems, networks, and infrastructure
- Bank's transaction routing logic, fraud detection algorithms, and risk assessment models
- Bank's pricing structures, fee calculations, and discount rates
- Bank's settlement procedures, reserve formulas, and chargeback protocols
- Bank's customer lists, processor relationships, and vendor agreements
- Bank's proprietary software, technology, and intellectual property
- Any non-public information about Bank's operations or strategy
- Operating Guides, policies, procedures, and training materials
Merchant shall NOT:
- Disclose Bank's confidential information to any third party without written consent
- Use Bank's proprietary information to develop competing services
- Benchmark Bank's fees against competitors or use fee information in negotiations
- Reverse-engineer, decompile, or attempt to analyze Bank's systems
- Share Operating Guides or agreements with other merchants or competitors
- Use Bank's information to leverage negotiations with Bank or competitors
17.2 Bank's Trade Secrets and IP Protection
Bank's processing systems, algorithms, models, and procedures constitute valuable trade secrets and proprietary information protected under:
- Nevada Uniform Trade Secrets Act (NRS 600A.010 et seq.)
- Federal Economic Espionage Act (18 U.S.C. § 1836)
- Common law trade secret protection
Merchant's misappropriation or unauthorized use permits Bank to:
- Seek injunctive relief preventing disclosure or continued use
- Pursue monetary damages for trade secret misappropriation
- Pursue exemplary damages (up to 3x actual damages under UTSA)
- Recover all attorney's fees and litigation costs
- Obtain court orders destroying Merchant's copies of confidential information
- Terminate Agreement immediately
17.3 Trademark and Brand Usage (EXPANDED)
Merchant may NOT:
- Indicate or imply that Bank, Card Associations, or any regulatory authority endorses Merchant's products or services
- Use Bank's name, logos, or marks to market Merchant's business without Bank's prior written approval
- Claim Bank sponsorship or endorsement in signage, marketing materials, website, or advertising
- Reference Card Association membership or claim Merchant is "Card Association approved" without authorization
- Use "Bank-certified" or "Bank-approved" language in marketing without express permission
- Display Bank marks on Merchant's website or materials without Brand Compliance Team approval
- Associate Bank reputation with Merchant's goods/services or business practices
Permitted Uses (Limited):
Merchant may use Bank's name only as follows:
- "Processed by [Bank]" in fine print on receipts or billing statements
- "[Bank]" in payment option descriptions on website ("Pay by Credit Card through [Bank]")
- Minimal attribution in terms of service or legal documentation
- Any use must be approved in advance by Bank's Brand Team
Violations Consequences:
Merchant's misuse of Bank marks, name, or reputation shall:
- Constitute material breach permitting immediate termination
- Require immediate cease-and-desist and destruction of marketing materials
- Expose Merchant to trademark infringement claims and injunctions
- Result in recovery of Bank's litigation costs and damages
SECTION 18: LIMITATION OF LIABILITY AND REMEDIES (FINAL VERSION)
18.1 Merchant's Indemnification NOT SUBJECT TO CAP
Merchant's indemnification obligations (Section 6.1) are NOT subject to liability caps and survive all limitations:
- Merchant indemnifies Bank for all third-party claims regardless of amount
- Indemnification obligations are separate from and in addition to limitation of liability
- Indemnification applies to claims exceeding Bank's stated liability cap of $5,000
- Merchant assumed full liability by agreeing to indemnification clause
18.2 Bank's Liability Cap: $5,000
Except as explicitly carved out below, Bank's maximum total liability to Merchant for any and all claims arising from:
- This Merchant Agreement
- Bank's provision or failure to provide services
- Bank's breach, negligence, or misrepresentation
- Any other legal theory or cause of action
Shall not exceed the LESSER of:
- $5,000, OR
- Aggregate Processing Fees paid by Merchant in the 3-month period immediately preceding the claim
This cap applies to:
- Single claims
- Class actions
- Aggregate claims across all proceedings
- All legal theories (breach, negligence, misrepresentation, strict liability, tort)
- All remedies (damages, restitution, rescission, etc.)
18.3 Excluded and Non-Capped Damages
The following are NOT subject to liability cap and Bank may be liable for these amounts:
- Merchant's Indemnification Obligation – Merchant's indemnity of Bank under Section 6.1 is not subject to cap; Merchant assumes full liability for all third-party claims
- Misappropriation of Settlement Funds – If Bank wrongfully withholds, transfers, or misappropriates funds from Merchant's Settlement Account, liability is not subject to $5,000 cap
- Bank's Gross Negligence or Willful Misconduct – Claims arising from Bank's gross negligence, willful misconduct, fraud, or criminal conduct shall NOT be capped; however, consequential damages exclusion (18.4) may still apply
- Cardholder Data Theft by Bank Employee – If Bank employee fraudulently discloses, steals, or sells cardholder data, liability for resulting data breach not subject to cap
- Statutory Damages – Statutory penalties that cannot be limited by contract (e.g., statutory damages under FCRA, GLBA, state data protection laws) are not subject to cap
- Injunctive Relief – Injunctive relief to prevent ongoing harm or enforce confidentiality is not subject to monetary cap
- Attorney's Fees Awards – If Merchant prevails in arbitration/litigation and contract or law provides for attorney's fees, such fees not subject to cap
18.4 Excluded Damages (MERCHANT ASSUMES THESE LOSSES)
EXCEPT as prohibited by law, Bank shall NOT be liable for any of the following, regardless of amount or liability cap:
- Lost Profits or Revenue – Lost business profits, revenue, or income resulting from Bank's actions or inactions
- Lost Data – Loss of transaction data, customer records, or other business data
- Lost Opportunities – Loss of business opportunity, competitive advantage, or market position
- Business Interruption – Losses from inability to process transactions, system downtime, or service disruption
- Substitute Services – Costs of obtaining substitute payment processing or workarounds
- Goodwill and Reputation – Loss of customer goodwill, business reputation, or brand value
- Indirect Damages – Indirect, incidental, consequential, special, or remote damages
- Punitive Damages – Punitive or exemplary damages (except where required by law)
- Personal Injury – Emotional distress, mental anguish, or personal injury claims
- Merchant's Own Negligence – Damages resulting from Merchant's failure to maintain business continuity planning, data backups, or security measures
- Third-Party Failures – Losses from failures of payment networks, Merchant Servicers, or Third-Party Providers (Section 6.5)
18.5 Consequential Damages Exclusion (HIGHLIGHTED)
TO THE EXTENT PERMITTED BY LAW:
"Bank shall not be liable for any lost profits, revenue, business opportunity, goodwill, business interruption, or any indirect, incidental, special, or consequential damages of any kind, even if Bank has been advised of possibility of such damages."
This exclusion applies to:
- Damages from service outages or processing failures
- Damages from data loss or system failures
- Damages from third-party failures
- Damages from regulatory actions or compliance failures
- Damages from merchant servicer failures
- Damages from cardholder disputes or chargebacks
18.6 Remedies for Specific Breaches
In addition to limitation of liability, Merchant's sole remedies for Bank's breach are:
- Termination of Agreement (if material uncured breach)
- Fee credits for SLA failures (Section 12.9)
- Specific performance (injunctive relief if requested)
- Direct damages (limited by 18.1-18.5 above)
Merchant may NOT:
- Suspend transaction processing or refuse to submit transactions
- Offset fees or hold settlement funds
- File chargeback claims for Bank's alleged failures
- Pursue punitive or exemplary damages
- Recover business losses or consequential damages
- Pursue class action or multi-merchant claims
18.7 Merchant's Assumption of Risk
Merchant acknowledges and assumes the risk of:
- Payment network failures or service disruptions
- Third-party processor failures or delays
- POS terminal malfunctions or failures
- System downtime or internet outages
- Loss of transaction data due to system failures
- Card Association rule changes or fee increases
- Regulatory changes affecting payment processing
- Chargeback claims and fraud losses
- Bank's reliance on third-party service providers
Merchant agrees to maintain business continuity planning, data backups, and fraud prevention measures to mitigate these risks.
SECTION 19: DISPUTE RESOLUTION AND GOVERNING LAW
19.1 Governing Law
This Merchant Agreement shall be governed by and construed in accordance with the laws of Nevada, without regard to its conflicts of law principles. All disputes shall be resolved under Nevada law.
19.2 Binding Arbitration
Any dispute arising from or relating to this Merchant Agreement, Bank's services, or Merchant's account shall be resolved by binding arbitration, not litigation (except as carved out in 19.3 below).
Arbitration Rules:
- Administered by American Arbitration Association (AAA) Commercial Arbitration Rules
- Single arbitrator (for claims under $100,000) or three arbitrators (for larger claims)
- Located in: Las Vegas, Nevada (Merchant may request virtual/telephonic arbitration if claim <$50,000)
- Timeframe: Arbitrator shall issue decision within 60 days of hearing conclusion
Arbitration Procedures:
- Limited discovery permitted (document exchange, 3 depositions per side, interrogatories)
- Expedited procedures available for claims under $50,000
- Arbitrator shall issue written award with brief findings
- Award enforceable in any court of competent jurisdiction
Cost Allocation:
- If Bank prevails: Merchant pays AAA/arbitrator costs
- If Merchant prevails on majority of claims: Bank pays all AAA costs and arbitrator compensation
- Each party pays its own attorney's fees (unless prevailing party demonstrates frivolous claims under Fed. R. Civ. P. 11)
19.3 Exceptions to Arbitration (Not Arbitrated)
The following disputes shall NOT be arbitrated; instead:
- IP Infringement Claims – Bank may seek injunctive relief in court for trademark misuse, trade secret misappropriation, or IP infringement claims
- Fraud/Hacking Claims – Either party may litigate (not arbitrate) claims involving allegations of fraud, hacking, unauthorized access, or criminal conduct
- Card Association Disputes – Disputes submitted to Card Association dispute resolution procedures (not arbitration)
- Collection Actions – Bank may pursue unpaid fees in small claims court or civil court without arbitration
- Temporary Restraining Orders/Preliminary Injunctions – Either party may seek emergency injunctive relief in court to prevent ongoing harm pending arbitration
SECTION 20: ASSIGNMENT, BANKRUPTCY, AND SUCCESSORS
20.1 No Merchant Assignment
Merchant shall NOT assign this Agreement to another entity without Bank's prior written consent. Any attempted assignment without consent is void.
Merchant may not:
- Sell, transfer, or assign processing rights to another party
- Sublicense processing services
- Use processing services as security for loans or financing
- Permit affiliate or related entity to assume Merchant's account
Bank may assign this Agreement to any successor or assignee without Merchant consent.
20.2 Bankruptcy Provisions
20.2A – Bankruptcy Notification
Merchant shall immediately notify Bank if:
- Merchant files bankruptcy petition (Chapter 7, 11, 13, or other)
- Any bankruptcy petition is filed against Merchant
- Merchant becomes subject to insolvency or receivership proceedings
Merchant acknowledges this Merchant Agreement is an executory contract under 11 U.S.C. §365(c)(2) that cannot be assumed or assigned in bankruptcy.
20.2B – Bank's Rights in Bankruptcy
In the event of Merchant's bankruptcy:
- Bank may immediately suspend further performance and processing
- Bank may refuse to recognize Merchant's trustee and deal only with official receiver
- Bank's right to offset claims against settlement funds survives bankruptcy
- Merchant's indemnification obligations to Bank survive bankruptcy discharge
- Personal guaranties (if executed) survive bankruptcy and are enforceable against guarantors
20.2C – Reserve Account in Bankruptcy
Upon Merchant's bankruptcy filing:
- Reserve Account funds are NOT Merchant's property; they are Bank's security deposits
- Bank retains right to set off Reserve Account against all Merchant obligations
- Bank may hold Reserve Account indefinitely to cover potential chargebacks
- Reserve Account is not part of Merchant's bankruptcy estate (funds belong to Bank)
SECTION 21: NOTICES AND COMMUNICATIONS
21.1 Notice Methods
All notices under this Agreement shall be in writing and delivered by:
- Personal delivery to Merchant's principal place of business
- Certified mail, return receipt requested to Merchant's registered address
- Email to Merchant's email address on file (with read receipt confirmation)
- Posting to Bank's website with electronic notification to Merchant's email
- Phone call for emergency notifications followed by written confirmation
21.2 Effective Date of Notice
Notices are effective upon:
- Personal delivery
- Certified mail: 3 business days after mailing
- Email: Upon confirmation of receipt
- Website posting: Upon electronic notification
- Phone: Upon completion of call
21.3 Merchant's Notification Obligations
Merchant shall immediately notify Bank (within 24 hours maximum) of:
- Data breaches or security incidents
- Operating Rules violations
- Compliance failures or audit findings
- Ownership, management, or location changes
- Material business changes
- Regulatory investigations or enforcement actions
- Chargebacks or retrieval requests exceeding thresholds
Merchant shall designate compliance officer responsible for notifications to Bank.
SECTION 22: PERSONAL GUARANTY
If this Merchant Agreement is executed by a business entity (partnership, corporation, LLC), the owner(s), principal(s), and manager(s) shall execute a personal guaranty (Section 22 Full Guaranty Document) providing:
- Unlimited Personal Liability for all Merchant obligations
- Waiver of Defenses (guarantors may not assert defenses available to Merchant)
- Waiver of Notice (Bank may pursue guarantors without notice to Merchant)
- Surviving Guarantee (guaranty survives Merchant's bankruptcy or dissolution)
- Direct Enforcement (Bank may pursue guarantors even if Bank did not pursue Merchant)
SECTION 23: ENTIRE AGREEMENT AND MISCELLANEOUS
23.1 Entire Agreement and Amendment Rights
This Merchant Agreement (including all attachments: Merchant Application, Third-Party Vendor Terms and Conditions, Operating Guide, Fee Schedule, any addenda) constitutes the entire agreement between parties and supersedes all prior negotiations, understandings, and agreements.
No modification is valid unless:
- In writing
- Signed by Bank's authorized officer (or electronic acceptance method)
- Acknowledged in writing by Merchant (or electronic acceptance method)
Merchant shall not rely on any oral representations or prior agreements not included in written Merchant Agreement or Third-Party Vendor Terms.
Bank's Right to Amend Terms:
Notwithstanding the above, Bank retains the unilateral right to amend, modify, or update this Merchant Agreement and all incorporated terms at any time, including:
- Changes to fees, rates, or pricing structure
- Changes to processing procedures or settlement mechanics
- Changes to reserve requirements or risk assessment criteria
- Changes to compliance obligations or security requirements
- Changes to limitation of liability or indemnification obligations
- Changes to termination rights or account management procedures
- Changes to any other term of this Agreement
Amendment Procedures:
Bank may amend this Agreement by:
- Standard Amendment (15+ days notice): Providing written notice of amendment at least 15 days in advance through any method specified in Section 21 (mail, email, website posting, or statement inclusion)
- Expedited Amendment (less than 15 days or immediate): Implementing amendments with less than 15 days notice (or immediately) if required by:
- Card Association Operating Rules changes
- Regulatory or legal requirement changes
- Security or compliance emergency requiring immediate action
- Material risk mitigation necessitating urgent modification
Amendment Effectiveness:
Amended terms become effective on the date specified in Bank's notice (or immediately if expedited amendment). Merchant shall comply with amended terms from effective date forward. Merchant's failure to comply with amended terms constitutes material breach permitting suspension or termination.
Merchant's Option to Terminate Upon Amendment:
If Bank implements standard amendments (with 15+ days notice), Merchant may terminate this Agreement without penalty if:
- Merchant provides written termination notice before amended terms become effective
- Merchant's termination notice is received by Bank before amendment effective date
- Merchant ceases new transaction processing upon amendment effective date
- Merchant continues to comply with existing terms until termination
If Merchant does NOT provide timely termination notice, Merchant's continued processing constitutes acceptance of amended terms.
Merchant has NO right to terminate without penalty for:
- Expedited amendments implemented by Bank for compliance or security reasons
- Fee increases of 15% or less
- Changes to Operating Rules mandated by Card Associations
- Changes to limitations of liability or indemnification (these cannot be declined)
23.2 Waiver
Bank's failure to enforce any provision of this Agreement does NOT constitute waiver of that provision or any other provision.
Waivers must be:
- In writing
- Signed by Bank's authorized officer
- Specific to the waived provision/circumstance
- NOT apply to other occasions or circumstances unless explicitly stated
23.3 Severability
If any provision is held unenforceable by court, that provision shall be severed and remaining provisions shall continue in full force.
Example: If liability cap held unenforceable in particular jurisdiction, all other Agreement terms remain binding.
23.4 Relationship of Parties
Merchant is an independent contractor, not Bank's employee, agent, or partner.
- Merchant controls all aspects of own business
- Merchant is responsible for own employees and operations
- Bank provides no employment benefits or control over Merchant
- Merchant may not bind Bank or represent Bank to third parties
23.5 Third-Party Beneficiaries
No third party (cardholder, supplier, customer, guarantor, etc.) has any rights or claims under this Agreement except as expressly provided.
23.6 Counterparts
This Agreement may be executed in counterparts (electronic and paper) and all counterparts constitute one agreement. Electronic signatures are valid.
23.7 Headings
Section headings are for convenience only and do NOT affect interpretation or meaning of terms.
APPENDICES AND ATTACHMENTS
The following documents are incorporated by reference and form binding terms of this Merchant Agreement:
- Merchant Application – Including all certifications and representations
- Operating Guide – Payment network-specific procedures and requirements
- Fee Schedule – All fees, rates, and pricing terms
- Personal Guaranty – (If applicable for business entities)
- ACH Authorization – Authorization for electronic fund transfers
- Card Association Operating Rules – Official Visa, MasterCard, Discover, Amex rules
- PCI DSS Standards – Payment Card Industry Data Security Standard 4.0
- Bank's Privacy Policy – Data handling and privacy practices
- Bank's Acceptable Use Policy – Prohibited transaction categories
EFFECTIVE DATE AND SIGNATURE
This Agreement is effective upon execution by authorized representatives of both Merchant and Bank.
By executing below, Merchant acknowledges:
- Merchant has read and fully understands all terms
- Merchant has had opportunity to review with legal counsel
- Merchant agrees to all terms and conditions
- Merchant acknowledges all representations are true and accurate
- Merchant assumes all obligations, liabilities, and risks stated herein
- Merchant waives any claim of surprise or misunderstanding
IMPORTANT NOTICE – EXECUTION AND BINDING EFFECT:
Merchant acknowledges that Merchant will NOT be signing this CARDZ3N Master Merchant Agreement. Instead:
- Merchant shall sign Third-Party Vendor Terms and Conditions provided with Merchant Application
- Third-Party Vendor Terms serve as the formal executed contract with payment service vendors
- Merchant's acceptance of Third-Party Vendor Terms constitutes binding consent to this Agreement
- Merchant's completion of Merchant Application binds Merchant to this Agreement
- Merchant's first transaction constitutes acceptance of all Agreement terms
- Continued transaction processing constitutes continued acceptance of all terms
This Merchant Agreement is incorporated by reference into all Third-Party Vendor Terms and conditions executed by Merchant.
SUMMARY OF CRITICAL UPDATES (January 2026 Revision)
Major Additions in This Version:
✅ Section 2 – Payment Card Network Compliance (NEW): Comprehensive Card Association Operating Rules integration
✅ Section 3 – PCI DSS 4.0 Compliance (NEW): Full 12-requirement mandatory framework
✅ Section 4 – Data Breach Notification & Incident Response (EXPANDED): 24-hour notification, forensic investigator requirements, cost allocation
✅ Section 5 – Cardholder Data Protection (EXPANDED): PCI DSS-specific requirements, third-party servicer management
✅ Section 6 – Indemnification & Liability (COMPREHENSIVE EXPANSION): Complete indemnity scope, carve-outs, non-capped liability
✅ Section 7.1A – AML Compliance & Re-screening (NEW): Quarterly OFAC screening requirements
✅ Section 7.4 – Cross-Border Transactions (NEW): High-risk jurisdiction controls
✅ Section 18 – Limitation of Liability (FINAL VERSION): Enhanced $5,000 cap with detailed carve-outs and exemptions
Prepared: January 14, 2026
Last Updated: January 14, 2026
Applies To: CARDZ3N Merchant Services
