Special conditions for card acceptance

As a payment service provider, secupay AG (hereinafter referred to as “secupay”) shall carry out the settlement of payment transactions with payment cards, mobile methods of payment and of accounts vis-à-vis commercial and service companies (hereafter referred to as contractual partner). The current version of the general terms and conditions governing secupay AG (hereinafter referred to as “secupay”) shall form an integral part of this agreement.

Following are the definitions in these special conditions:

Acquirer - the company holding a licence issued by the card organisation that concludes an acceptance contract with merchants and service providers, who accept credit and debit cards;

Authorization - the communication shared by the card company at the request of the contractual partner and forwarded by secupay to the contractual partner, which states that a payment of an amount and via a specific means of payment has been accepted or rejected;

eCommerce - distance selling where the authorisation is approved by the customer on his device;

Electronic transmission - the technical procedure by which the contractual partner and secupay communicate electronically for payment processing, which has been technically enabled or that has been approved and specified by secupay vis-à-vis the contractual partner;

EMV approval - the approval of EMV-capable POS devices for settling chip- and PIN-based payment cards. EMV is a standard for payment cards determined by Europay International (now Mastercard), Mastercard, Visa, Diners International and Discover, which are equipped with a memory chip;

Distance selling - contracts for services, if the instruction for payment is transmitted via the Internet, post, telefax or telephone and charged to the card account, even if they are not distance selling contracts according to § 312b German Civil Code (BGB);

Girocard payments - Payments that are authorised with payment cards, which are issued by banks in accordance with the standard of the electronic cash system of the German credit industry;

Merchant transaction - (Merchant Initiated Transactions, MIT), means a transaction initiated by the contractual partner, which is submitted on the basis of a mandate received by the contractual partner from the payer and which authorises the contractual partner, (a) to initiate this transaction or (b) a series of transactions without the payer needing to carry out more actions;

Card data - the type of card, the card number, the card verification number, the expiry date, and the Primary Account Number (PAN);

Cardholder - the person in whose name a payment card is issued;

Card number – the multi-digit number embossed or printed on the payment card and that represents the card account;

Card organisation - Organisations like Visa Inc, Visa Europe, Mastercard Inc., Diners Club International, Discover Financial Services, JCB International and UnionPay International (CUP), which operate payment systems and issue licences to card companies and acquirers with respect to the payment cards included in the contract, as well as the German credit industry;

Card verification number - the three or four-digit number, which is printed on the payment card in addition to the card number (usually in the signature field on the back of the payment card);

Card companies - the bank or the company that has issued a payment card;

End-of-day close-out - the collective transfer of transaction data, which is stored in the POS terminal;

Customer data - the name, the address, and the email addresses of the cardholder;

Credit cards - payment cards issued by the card organisations, regardless of whether they are debit or credit cards;

Performance - the provisions of goods and/or services to be provided by the contractual partner, which are paid for or which should be paid for by using a payment card or a payment approving service;

Mail-order / MoTo - distance selling, if the instruction for payment is transmitted by post, telefax or telephone and charged to the card account;

Mobile payment method - Payment method in which the payment data is read out optically or is transferred to or from the Smartphone of the payer via NFC;

Network operator - EMV and PCI DSS certified service provider, which authorises the desired payment;

PCI-DSS – Payment Card Industry Data Security Standards.

PCI standards - comprise PCI DSS and Payment Application Data Security Standard (PA DSS), including subsequent standards (if any).

Personal data - is any information, which is related to identified or identifiable natural persons;

POS - “Point of Sale”, i.e. the cashier station at a point of sale;

POS terminal - an EMV-certified card reader or POS card-cash register system to be used by the contractual partner for authorising payments, with which the data stored on the magnetic strip and/or memory chip of a payment card can be read out using a magnetic strip-, chip card- or contactless reader and payment transactions can be authorised;

Serious payment security breach incident - refers to an incident that has, or could have, significant impacts on the security, integrity, or continuity of the payment systems of secupay or the contractual partner and/or on the security of sensitive payment data or means of payment;

Secure customer authentication e.g. 3Dsecure - according to the Payment Services Directive (PSD2) of the European Union, this is an authentication that employs at least two elements of the categories of knowledge (something that only the user knows), possession (something that only the user possesses) or inherence (something that the user is), which are independent of each other in such a manner that if one criterion is not met, this shall not compromise the reliability of the other criteria, and which is designed such that it protects the confidentiality of the authentication data;

Text form - Text form in accordance with § 126b BGB;

Transaction - every individual authorisation or payment transaction, as well as an end-of-day close-out or technical diagnosis;

Transaction submission - the order of the contractual partner vis-à-vis secupay to settle payment transactions initiated with payment cards, which is issued by submitting data records to secupay;

Supported payment methods - all contractual payment methods, regardless of whether they are card acceptance, mobile payment methods e.g. via Smartphone or transfers from accounts via a payment approving service;

Contract - the contract between the contractual partner and secupay on the settlement of payment transactions initiated with payment cards in accordance with these conditions;

Payer - A customer who pays for a good or service;

Payment data - Card, account, and other data, which is collected from the payer in the course of a payment transaction and which is transmitted by the contractual partner;

Payment card - all credit and debit cards and other payment instruments included in the contract, issued under the regulations of the card organisations, where the cardholder gives a payment instruction by charging his card account instead of making a cash payment;

Payment approving service - Service for authorising payments by the payer via online banking of the account;

Means of payment - all payment cards and all payment data, which are used by payers for payments;

1. The contractual partner shall not provide the relevant service to any payer, who wants to use a supported payment method, at prices higher or on less favourable terms and conditions than compared to customers paying in cash. The contractual partner may not charge the payer any additional costs for acceptance. This shall not affect the right of the contractual partner to offer the cardholder a discount or other incentive for the use of a specific payment card or another means of payment.
2. The acceptance of the supported payment methods and the related request for payment data from the payer may only be used for the purpose of paying undisputed and due claims related to services rendered or yet to be rendered by the contractual partner. The contractual partner is not permitted to use the means of payment of any kind issued to them or their company, and to submit transactions via these to secupay for settlement.
3. As a rule, the contractual partner may only submit transactions from within the territory of the country of residence specified in the contract and within Germany, as well as in justified exceptional cases from within another country of the European Union, the EEA or Switzerland. If the contractual partner is located outside the territories defined above, they may not process any transactions via secupay or submit any transactions to secupay for payment, unless, secupay has provided written confirmation at least in writing. This also applies in case the contractual partner is using a mobile POS device.
4. If a secure authentication procedure within the meaning of § 1 para 24 ZAG is used, acceptance of the relevant means of payment is only permitted if the contractual partner employs the procedure.
5. The contractual partner is not authorised to accept means of payment for services,
   1. which are not rendered or provided on one's own account or on behalf of third parties;
   2. which do not take place within the scope of the ordinary scope of business of the contractual partner; in particular, they must not be based on the granting of credit and must not involve cash payments without a corresponding cash back agreement;
   3. which contravenes the law applicable to secupay, the cardholder, the service, or the contractual partner;
   4. which transgress public decency, in particular the protection of minors
   5. which contain obscene or pornographic content or instructions for manufacturing weapons or explosives, or which are related to such content. Exceptions to this shall require the prior written consent of secupay, which shall be granted at the discretion of secupay and only if the relevant service is not illegal or immoral.
6. Means of payment may not be used to fulfil an obviously illegal or immoral legal transaction or to settle claims from lotteries and gambling, or to pay for a dishonoured cheque. In case of use for recurring services (e.g. subscriptions), partial payments for one-time services and financing costs may not be included in the invoice.
7. The contractual partner may not accept means of payment in distance selling for an order if the characteristics of any of the following points are met (such an order is referred to in this contract as an “unusual order”):
   1. If the same customer has, on two consecutive calendar days, either individually or in multiple orders along with the relevant order in question
      1. ordered more than five (5) identical articles or services; or
      2. placed orders valued at more than EUR 1,500.00 to be delivered to addresses outside the European Union; or
      3. placed orders with a total value of more than EUR 10,000.00; or
      4. used more than one payment card.
   2. Orders from different customers have been placed over two calendar days using the same email address.
8. In distance selling, the contractual partner is not obligated to allow payment for services by means of payment in general or in an individual case. The contractual partner may not allow payment by a means of payment if, based on the circumstances of use, there is reason to believe misuse of the means of payment.
9. The contractual partner undertakes not to ask customers to send their card data by email and undertakes not to set up any connected options for this. Payment data may only be forwarded via a payment system approved by secupay.
10. The contractual partner is obligated to retain all payment vouchers and complete and legible documents related to the transactions underlying these card transactions, especially the original payment voucher and the legal transaction underlying the payment (e.g. sales slip, invoice, etc.), and their fulfilment by the contractual partner, for a period of eighteen months from the date of authorisation, and to provide secupay with a copy of the voucher immediately upon request within the deadline set by secupay. This shall not affect the statutory retention obligations of the contractual partner.
11. If the contractual partner fails to provide this proof within the deadline set by secupay and secupay is charged back for the card transaction by the card-issuing bank, acceptance partner, or the card company for this reason, secupay shall be entitled to charge back this card transaction plus the charge-back fees incurred to the contractual partner.

1. The contractual partner is obligated to submit an authorisation request to secupay for each card payment via a POS terminal with a valid EMV approval at the time of submission.
2. Bei Vorlage einer mit kontaktloser Schnittstelle ausgestatteten oder einer mit einem Smartphone tokenisierten Zahlkarte wird der Vertragspartner deren Daten vom POS-Terminal kontaktlos, d.h. ohne physischen Kontakt zwischen Terminal und Karte, auslesen und elektronisch eine Autorisierung von secupay einholen (“kontaktloser Zahlungsvorgang”).
3. When a card without contactless function is presented, the contractual partner shall read the chip of the payment card by inserting the payment card with chip into the chip reader of the terminal and then removing it again. The magnetic strip on the payment card must be read by the POS terminal and the data from the magnetic strip must be transmitted to secupay only if there is a technical defect in the chip on the payment card or a payment card without a chip.
4. If authorisation for the transaction is granted by the respective card company, secupay shall send a corresponding authorisation code to the contractual partner. The contractual partner is not permitted to resubmit a transaction for which it has not received authorisation. The contractual partner is particularly not permitted to split a transaction into several partial amounts in order to obtain authorisation this way.
5. If approval is granted, the contractual partner shall transmit the card transaction data to secupay fully and electronically via end-of-day close-out; otherwise, the transactions will not be processed. Such transmission must take place on each day of transactions. The payment guarantee existing for Girocard payments shall expire if the end-of-day close-out has not been submitted within seven days of authorisation.
6. The contractual partner is obligated to authenticate the card transaction by having the cardholder enter their PIN. Such an obligation of the contractual partner shall not apply in cases where the individual card transaction does not exceed the maximum amount for contactless payment without authentication (hereinafter referred to as the “maximum amount without authentication”). This amount is based on the specifications of the card organisations.
7. Manual entry of card data in the POS terminal to obtain authorisation is not permitted, unless, secupay has expressly agreed to this in writing.
8. As soon as a POS terminal is set up at a cashier station, the contractual partner shall notify secupay of this and also provide the terminal ID number so that the POS terminal can be initialised by secupay and approved for card processing.

1. The contractual partner shall ensure that the card data, including the card number, expiry date and, if applicable, card verification number, are only encrypted or tokenised in accordance with the specifications of secupay, and are transmitted with approved transport encryption. The contractual partner may not have card data transmitted or may not store card data in an unencrypted manner. Any violations shall entitle secupay to terminate this contract with immediate effect. If agreed upon, secupay shall transmit token as alias to the contractual partner for the means of payment used by the payers, with which the contractual partner, as far as possible and agreed upon, can offer its customers a checkout without having to enter payment data multiple times or can make recurring payments.
2. If payments are authorised via a payment approving service (Sofort, Giropay, EPS, aiia), the authorised payment can be deleted by the payer or not executed by the payer's bank under certain circumstances. Communication of successful authorisation of the payment by secupay therefore does not justify any claim by the contractual partner that the authorised payment amount will actually be disbursed. secupay therefore does not guarantee payment for such kind of payments.
3. The offers of the contractual partner must be designed such that they do not give the impression that the card organisations or secupay are the providers or suppliers of the service.
4. The contractual partner is also obligated to secupay to comply with all legal provisions, especially those related to distance selling contracts.
5. The contractual partner agrees that the Internet address specified in the contract will appear on the card statement of the cardholder.
6. In addition to the Internet address specified in the contract, any other Internet addresses of the contractual partner through which the services of the contractual partner are provided must be communicated to secupay immediately in writing.
7. The contractual partner shall ensure that the cardholder is clearly informed during the payment process as to which Internet address will appear on the statement. If this address is different from the one, which was used to place the order, the contractual partner shall ensure that a note, link, or redirection to the order address is set up on the billing address page.
8. The contractual partner shall always publish the following information clearly and unambiguously on a website, which can be accessed via the Internet address specified in the contract:
   1. full name and address, registered office, commercial register number, location of the commercial register and all other information about the contractual partner, which must be provided on the website in accordance with the law of the country where the branch of the contractual partner offering the services is established;
   2. the delivery terms and conditions, in particular agreements on revocation or right of return, as well as the processing of credit notes;
   3. all fees payable to the contractual partner for the service, including that related to shipping, packaging, and taxes;
   4. if the contractual partner ships abroad, the possible countries of destination and any special delivery conditions;
   5. latest at the time of ordering, the currency in which the service will be invoiced;
   6. a reference to customer service with the full address, including all channels of communication;
   7. the principles applied by the contractual partner for the use of customer data and for the transmission of payment card data;
   8. available security procedures.
9. The contractual partner undertakes
   1. to quote prices only in currencies that have been approved by secupay for submitting transactions.
   2. that in case of recurring services, to set up simple options for online cancellation for the cardholder, insofar as cancellation is possible according to the terms and conditions of the contractual partner or according to mandatory statutory provisions. Online cancellation or termination procedure must be at least as simple and accessible as the original ordering procedure,
   3. in case of a test use of its pages/services, to notify the cardholder in good time informing them of when this test use will end, specifying exactly when the payment obligation begins and what options the cardholder has to cancel, if necessary,
   4. that, if it offers its customers direct access to other companies (so-called links), to expressly point out this change.
10. If the contractual partner operates websites in a language other than German or English, it shall provide secupay with a German or English translation for these sites upon request and for any subsequent amendments, without being asked.
11. If the contractual partner conducts business that requires official permission under applicable law for all or some specific users (e.g. young persons), in particular gambling, lotteries, betting, etc., the contractual partner shall prove to secupay that this permission was granted and remains valid. If permission has not been granted for individual countries to which the offer of the contractual partner is directed, or if the relevant service is generally prohibited, or if the contractual partner is unaware of the legal situation, the contractual partner shall not submit any transactions for settlement for this purpose. In addition, the provisions of Section 3 of these terms and conditions shall apply accordingly.
12. The contractual partner shall always use secure authentication whenever this is technically possible. When using these security procedures via a payment system approved by secupay, the customer can no longer return a payment arguing that the “transaction was not authorised by the cardholder” (liability reversal). This shall also apply if the cardholder and their bank are not party to the security procedures. In these cases, the liability reversal applies worldwide for private credit cards; throughout Europe for business and company cards.
13. On the basis of a separate agreement with secupay, if the contractual partner makes use of an exception permitted under Chapter III of VO (EU) 2018/389, the contractual partner shall acknowledge that the use of such an exception in case the card is misused will be at its own risk.

1. The submission of MoTo transactions by the contractual partner via a POS terminal or an eTerminal provided by secupay in secuOffice requires the express written consent of secupay. secupay will subject any request by the contractual partner to submit MoTo transactions to a thorough risk assessment, and is not obligated to approve corresponding requests.
2. The contractual partner is obligated not to settle any transactions for which card data was accepted unencrypted via the Internet or by email.
3. The contractual partner is obligated to record the following data or documents electronically or in writing for each transaction submission:
   1. in case of distance selling by post or telefax, the documents sent by the customer,
   2. in case of distance selling by telephone, the date and time of the call, the person from whom the instruction to charge the card account was received and the content of the order, but not the card verification number,
   3. in physical selling, all documents related to the service, including any copies of vouchers.
4. The card verification number must be deleted after the authorisation request.
5. The contractual partner is obligated to store the recorded card data in encrypted format and to keep the transmitted documents secure so that only authorised access is possible.

Merchant transactions may only be initiated with credit cards via an alias transmitted by secupay and if the initial transaction was carried out with secure customer authentication. Either the initial transaction or the payment container ID is used as alias, depending on the interface. Merchant transactions may only be submitted if

1. the contractual partner has a mandate of the payer for merchant transactions as well as an agreement between the merchant and the cardholder, which states the reason for the payment and the payment amount (or an estimate if the exact amount is not yet known), and
2. the payer cannot authorise the transaction themselves because:
   • the final amount is not yet known during the payment process (e.g. for online grocery shopping), or
   • an event has initiated the transaction after the payment process (e.g. subsequent incidental costs), or
   • the transaction is part of a recurring payment agreement, or
   • the total payment was divided into instalments due at different points of time (e.g. Instalment payments, travel bookings, market places), or
   • the transaction is a deferred financing.
3. the payer was demonstrably informed of the terms of agreement for merchant transactions.
4. textual approval and authorisation by secupay is available.

Merchant transactions must not be used to circumvent secure customer authentication for transactions, e.g. if card data has been registered with the merchant (card-on-file) and the cardholder initiates the payment, e.g. with 1Click Checkout.

secupay shall only agree to a request from the contractual partner to submit merchant transactions in accordance with this section after a thorough risk assessment and is not obligated to give its consent.

If accounting or interim clearing for Girocard payments has been agreed as a service, Girocard payments are first collected in a secupay escrow account (accounting account). In case of payments submitted as direct debits or in case of delayed end-of-day close-out more than 7 days after authorisation, this may result in charge-backs, which shall be borne by the contractual partner.

1. In accordance with this agreement, secupay shall, irrespective of the payment orders of the cardholders, make a payment to the contractual partner on the basis of an independent abstract promise of payment, subject to possible reclaim, equal to the amount of payment submitted, less the agreed service fee and any other fees and charges due. At the same time, the payment to the contractual partner gives rise to a claim for charge-back in favour of secupay against the contractual partner, subject to the condition precedent of a charge-back. By making the payment, secupay does not acknowledge any legal obligation to reimburse the payment made by the contractual partner. In return for the granting of the abstract promise of payment, the contractual partner assigns its claim from the underlying transaction against the cardholder to secupay. The assignment shall take effect upon receipt of the payment data by secupay. secupay hereby accepts the assignment.
   After processing the card transactions submitted by the contractual partner and authorised by secupay, secupay shall transfer these to the bank account specified by the contractual partner for payment at the payment interval agreed upon with the contractual partner.
2. secupay is entitled to pay the card transactions submitted by the contractual partner to the contractual partner only after the expiry of the charge-back deadlines specified by the card organisations. This is applicable in the case of
   1. multiple sustained complaints from cardholders;
   2. multiple use of forged or stolen payment cards or payment data in the business operations of the contractual partner;
   3. in case of justified suspicion of the total invoice amount being divided into several individual amounts;
   4. Non-compliance with the conditions as per sections 3 to 7;
   5. to secure future claims by secupay against the contractual partner, e.g. due to charge-backs of transactions including any penalties imposed by card organisations or return debit fees charged by banks, insofar as there is a reasonable expectation that such claims will arise, or
   6. due to non-performance of the service as a result of insolvency or cessation of business operations of the contractual partner
3. secupay is also entitled to assert a right of retention on amounts received and to be received in the future on the escrow account.
4. Furthermore, secupay has the right to withhold any payments based on the card transactions submitted by the contractual partner until the contractual partner fulfils its contractual information obligations towards secupay after expiry of a reasonable deadline set by secupay.
5. The contractual partner and secupay agree that secupay shall acquire a lien on all current and future claims of the contractual partner against secupay arising from this contract. The lien helps in securing all existing, future, and conditional claims to which secupay is entitled against the contractual partner arising from the business relationship (e.g. charge-back claims and claims for service fees and reimbursement of expenses).
6. The contractual partner is not entitled to assign its claims against secupay to third parties without the prior written consent of secupay. secupay shall grant its consent if the legitimate interests of the contractual partner in the assignability of the claim outweigh the legitimate interests of secupay in prohibiting the assignment. The contractual partner must provide proof that the conditions set out in sentence 2 are met.

1. If the message “Remove card” or a similar message appears on the display of the POS terminal of the contractual partner, or if the contractual partner suspects that the payment card presented is counterfeit or falsified, e.g. because the card number or expiry date of the payment card in the electronically generated payment voucher does not match the card data (card number and expiry date) on the front of the payment card, or the four-digit number below the card number on the front of the payment card is missing or does not match the first four digits of the card number and the card number in the signature field on the back of the payment card, or if the signature on the payment card presented does not match the signature on the payment voucher, or the cardholder does not match any photo on the payment card, the contractual partner must require the cardholder to present an official identification document (identity card, passport, etc.) and, if the name of the person presenting the card does not match that of the cardholder, to refuse to accept the payment card. In these cases, the contractual partner must inform secupay immediately by telephone, and if possible before the payment card is returned to the customer. Upon request by secupay and to the extent reasonable, the contractual partner shall strive to the best of its ability to retain the payment card.
2. If the contractual partner suspects or is certain that card data is being misused in its company, or that data spying is detected in its business, or that there is an excessively high rate of rejection of authorisation requests or theft of payment vouchers or other media containing card data, it shall notify secupay immediately in writing or by email at mailto:[email protected] .
3. If there are multiple incidents of presentations of forged or stolen payment cards, the contractual partner is obligated to take measures to prevent further misuse of cards after receiving written communication from secupay. According to communication by secupay, the contractual partner must request the presentation of a valid identity document for card transactions above a certain amount and verify the identity of the cardholder. Moreover
4. When accepting the card, the contractual partner must check whether the payment card has the security features of the card organisations, e.g. the hologram of a “dove” on Visa payment cards and the “MC” symbol on MasterCard payment cards.

1. 1. The contractual partner must implement and document appropriate technical and organisational measures for handling and protecting credit card data, payment data, and personal data in accordance with the current state of the art in its company. The documentation of the technical and organisational measures must be submitted or transmitted to secupay immediately upon request, but latest after 14 days. The current version of the “Guide on the State of the Art” published by the Bundesverband IT-Sicherheit e.V. (TeleTrusT) serves as reference for determining the state of the art, it is available at teletrust.de/startseite/ and the PCI DSS (Payment Card Industry Data Security Standard).
2. However, the contractual partner must implement measures in an appropriate manner for at least the following control objectives:
   1. Establishment and maintenance of a secure network and secure systems;
   2. Secure storage or exclusively encrypted or masked digital storage of credit card data;
   3. Establishment of a process for identifying and dealing with weak spots;
   4. Implementation of strict access control measures/strict measures to control access to credit card data;
   5. Regular monitoring and testing of networks.;
3. The contractual partner must ensure compliance with the requirements of the PCI DSS that apply to them. It is the responsibility of the contractual partner to determine whether and, if so, to what extent the requirements of the PCI DSS are to be met by the contractual partner. Upon request, it shall provide secupay with information on whether or not the relevant requirements exist.
4. If the contractual partner stores, processes, or forwards credit card data on its own systems, it must prove PCI DSS compliance to secupay within 14 days when requested to do so or, if necessary, have PCI compliance certified at its own expense. In particular, card numbers may only be stored in masked or encrypted form in own systems after PCI certification has been obtained, and only if and as long as this is permissible and absolutely necessary. If the contractual partner stores data contrary to this provision, it shall bear all resulting damages. This shall not affect any further claims for damages.
5. Secupay has the right to verify compliance with the obligations laid out in this contract. A review may be carried out at the discretion of secupay by:
   1. conducting a self-audit or
   2. Submitting a certificate from a recognised auditing organisation, in particular for confirming compliance with all PCI DSS requirements, or
   3. On-site checking by secupay itself or by an auditor commissioned by it.
6. Information required for the purpose of carrying out an audit shall be provided within a reasonable period of time. The contractual partner shall provide the support necessary for the respective audit. On-site checking shall be carried out during normal business hours without disrupting operations, after notifying and taking into consideration reasonable lead time. If the contractual partner or persons acting on its behalf violate obligations under this contract, an audit relating to this can be carried out even without timely notification.
7. If there are indications that card-, account-, payer data or other personal data has been misused or stolen within the area of responsibility of a contractual partner, the contractual partner must inform secupay immediately of this. In such cases, secupay is obligated by the regulations of the card organisations to have a company commissioned by secupay and accredited by the card organisations check whether such misuse has actually occurred (PCI audit). If it turns out that such misuse has actually occurred, the contractual partner shall reimburse secupay for all expenses incurred by secupay as a result of the misuse. This includes, in particular, the costs of the PCI audit as well as fines and fees, which are imposed on secupay by the card organisations due to the misuse. Any claims for damages by secupay against the contractual partner and any further claims for reimbursement of expenses in accordance with Section 12 shall remain unaffected by this. If secupay is also responsible for the misuse, § 254 BGB shall apply accordingly.
8. If the contractual partner processes data contrary to this provision, it shall bear all resulting damages. This shall not affect any further claims for damages.

1. The contractual partner shall be liable to secupay for damages resulting from the culpable compromise of card data or from culpable breaches of contract by the contractual partner; in this case, damages shall also include any penalties imposed by the card organisations in connection with a breach of contract.
2. This shall apply in particular, but not exclusively, to penalties imposed by card organisations due to the submission of illegal and defamatory transactions, the illegal submission of third-party transactions, for exceeding charge-back limits by the contractual partner, or for non-registration and/or non-certification in accordance with the PCI DSS standard, or due to card data compromise in the system of the contractual partner or third parties commissioned by them. Instead of reimbursement, secupay can demand exemption from any liability incurred in this connection in accordance with § 257 BGB. The claim for compensation or exemption shall not apply if the penalty is imposed as a result of culpable conduct by secupay. § 254 BGB applies accordingly in this case.
3. The contractual partner is obligated to immediately provide the information necessary to defend against the penalty being imposed, but in any case in good time so that secupay can object to the imposition of the penalty within the deadline set by the card organisations. Based on the information provided by the contractual partner, secupay will take action against the imposition of penalties within the framework of the defence process provided for by the card organisations. secupay shall only take arbitration action against the imposition of penalties if the contractual partner has expressly requested secupay to do so in writing and has provided an advance payment or security for the costs that may be incurred in arbitration proceedings. In case of such (arbitration) proceedings, the contractual partner alone shall bear the risk of losing the case.

1. The contractual partner shall observe any changes to the procedural regulations of the card organisations regarding acceptance and submission of card transactions after communication by secupay and shall implement them within the deadlines specified by the card organisations. secupay shall support the contractual partner in doing this.
2. The contractual partner is obligated to affix the acceptance sticker provided by secupay in a clearly visible location in the shop or in the checkout area, on which all acceptance logos are displayed in accordance with the specifications of the card organisations, which the contractual partner is authorised to accept in accordance with the service agreement with secupay.

1. Refunds of payments related to cancelled transactions shall be made by the contractual partner, as far as possible, exclusively by instructing secupay to issue a credit note to the means of payment of the payer. secupay shall credit the amount to the payer and debit the amount to the contractual partner. The contractual partner is not authorised to initiate a credit entry if they have not previously submitted the payment to be credited to secupay for settlement.
2. When using a POS terminal, an electronic credit note record must be submitted in accordance with the provisions in the operating instructions for the device. At the same time, a credit memo document containing the card data and the credit note amount must be generated electronically, signed by the cashier and the original handed over to the cardholder.

Complaints and claims by a cardholder relating to services provided by the contractual partner in the underlying transaction shall be settled directly between the contractual partner and the cardholder.

1. If the term is not specified in an individual contract, the contract term shall be 60 months. It can be terminated for the first time at the end of the contract, subject to a notice period of six months. Otherwise, the term shall be extended indefinitely unless the agreement is terminated by one of the parties with a notice period of six months to the end of the year. Terminations must be made in writing.
2. This shall not affect termination of the agreement without notice for good cause. A good cause for termination without notice exists in particular if
   1. secupay becomes aware of significant adverse circumstances concerning the contractual partner or its owner which make it unreasonable for secupay to adhere to the contract. Such a circumstance shall exist in particular if the contractual partner has provided incorrect information in the contract, if there is a significant deterioration in its financial situation or if such a deterioration is likely to occur soon (e.g. due to the filing of an application for the opening of insolvency or settlement proceedings, direct debit return due to insufficient funds), their financial situation does not appear secure, or if they culpably fail to comply with their information obligations under this agreement at a later point of time,
   2. the contractual partner has not submitted any payments for settlement in the first six months after conclusion of the contract,
   3. the contractual partner submits transactions via this contract without the express written consent of secupay, which were made without the physical credit card being presented in distance selling, and refuses, despite being requested to do so by secupay, to conclude a separate agreement on the settlement of these transactions. Until the conclusion of the distance selling agreement, secupay is entitled to cease settlement,
   4. the contractual partner is in default with the settlement of due claims of secupay despite a deadline being set,
   5. the contractual partner submits card transactions from third parties for settlement or submits card transactions for goods or services, which are not covered by the business purpose or goods or services segment specified by the contractual partner,
   6. the contractual partner provided false information about its business operations or the goods or services offered by them when concluding the contract, in particular if they did not indicate that these include erotic offerings or gambling offers, or did not notify to secupay beforehand in writing of subsequent changes to the business purpose, or submitted card transactions from an impermissible product or service area or business purpose in accordance with sections 3.5.a to 3.5.c for settlement, despite no written approval having been given,
   7. the amount or number of card transactions charged back to the contractual partner in a calendar week or in a calendar month exceeds one per cent (1%) of the total amount or total number of card transactions submitted by the contractual partner in the relevant period, or the total amount of card transactions charged back to the contractual partner in a month exceeds the amount of 5,000 euros (five thousand), or the ratio of the submitted monthly transactions with stolen, lost or counterfeit payment cards to the submitted monthly transactions with non-stolen, non-lost or non-counterfeit payment cards exceeds 2%,
   8. the contractual partner repeatedly or with the clear intention of repeating requests authorisation for card transactions for which the contractual partner has no authorisation to accept in accordance with section 3 of these conditions,
   9. the contractual partner repeatedly initiates credit entries that are not based on any transaction submissions or sales transactions.
   10. despite written requests from secupay, the contractual partner has repeatedly failed to comply with the contractual terms and conditions described in sections 1 to 15 above,
   11. the contractual partner repeatedly fails to submit payment vouchers despite repeated requests from secupay, or fails to do so within the deadline specified by secupay,
   12. the contractual partner fails to provide the documents and information requested by secupay in accordance with this contract even after two deadlines having been set,
   13. One of the card organisations or the acquirer responsible for settling card transactions demands that secupay terminate card acceptance by the contractual partner for good cause,
   14. the contractual partner relocates its registered office abroad,
3. Upon termination of the contract, the contractual partner shall remove all references to MasterCard/Maestro, MasterCard Debit, Visa/Visa Electron/V PAY, Diners Club, JCB and/or China UnionPay acceptance, unless the contractual partner is otherwise authorised to do so.

1. The contractual partner shall pay secupay the agreed service fee for processing the card transactions submitted by it, amounting to a percentage of the payment amount submitted and a transaction-independent fee.
2. The contractual partner shall reimburse secupay the fees charged by card organisations for registration in special merchant programmes.
3. If the interchange rates and fees for card transactions applicable to the contractual relationship with the contractual partner and valid at the time of signing the contract, which secupay has to pay to the card-issuing institutions and card organisations, are changed by the card organisations, secupay shall be entitled, within reasonable discretion in accordance with § 315 BGB, to adjust the relevant fees accordingly after notifying the contractual partner in writing. The contractual partner can find out about the international interchange rates charged by the card organisations on their websites.
4. The amount of the fees, with the exception of the transaction fee and the individually agreed percentage discount, is based on the current price and service list of secupay, unless otherwise agreed in writing with the contractual partner. If the contractual partner avails a service listed there, the fees specified in the price and service list at that point of time shall apply. For services not listed therein, which are provided in the interest of the contractual partner or in their presumed interest, and which, under the circumstances, can only be expected in return for remuneration, secupay can determine the amount of the fees at its reasonable discretion (§ 315 BGB). All fees are stated before adding statutory value added tax at the applicable rate.
5. The service fee and other fees shall be deducted from the card transactions to be paid by secupay or shall be invoiced separately. If there is no possibility of offsetting, the contractual partner is obligated to make payment on time after invoicing by secupay.
6. 6. During the execution of the contract, the contractual partner shall waive the provision of information broken down individually according to card type and card brand regarding the amount of the interchange-, card scheme- and acquirer service fees included in the discount and, unless otherwise agreed upon, shall instruct secupay to settle these fees in a bundled discount. Information on the amount of interchange fees and card scheme fees included in the discount can be found at www.secupay.com/cc .
7. 7. Deviating from § 675f para 5 sentence 2 BGB, charging fees for the fulfilment of secondary obligations in accordance with §§ 675c to 676c BGB is permitted.