Addendum A - General Services Addendum to The Agreement - Version 07.2023
This General Services Addendum including all exhibits, schedules, and supplemental addenda hereto and all documents and materials referenced herein (“Addendum A”) will be an addendum to the Payrix Sub-Merchant Agreement (the “Agreement”) between Payrix and Sub-Merchant in accordance with the provisions as set forth in the Agreement. As used in this Addendum A, the term Processor may be used for Payrix where Processor has contracted with Payrix to assist Payrix in delivering the Payrix Services. If there is a conflict in the terms or pricing provided in this Addendum A and the pricing or terms in any Application and/or Fee Schedule or amendment otherwise contained in the Agreement, the pricing or terms contained in the Agreement, without reference to this Addendum A, will control.
1. Security Services.
A. Terms and Conditions.
(i) SaferPayments Basic – is a bundle of security services offered by or through Payrix that are intended to address the risks associated with accepting, transporting and storing cardholder data within and throughout the Sub-Merchant’s environment in accordance with Payrix’s standards, which Payrix may change from time to time in its sole discretion. PCI Level 4 as well as certain PCI Level 3 Sub-Merchants must validate adherence to PCI DSS which, in part, can be achieved through participation in one of the following bundles: SaferPayments Basic or SaferPayments Managed. Notwithstanding anything to the contrary in this Agreement, Payrix may enroll Sub-Merchant in SaferPayments Basic at any time in Payrix’s sole discretion. Sub-Merchants may elect to enroll into SaferPayments Managed at their own discretion. Additionally, Card Not Present PCI Level 4 Sub-Merchants may also select and buy separately:
Tokenization Management Solutions (TMS)
Legacy Tokenization Solutions
(ii) SaferPayments Managed – is a subscription service whereby a third party will assist with the management of Sub-Merchant’s PCI compliance and provide access to certain Cyber Security Tools under a separate agreement. As part of Sub-Merchant’s PCI compliance subscription Sub-Merchant will be eligible to receive telephone and email support in relation to:
the completion of the PCI self-assessment questionnaire;
Sub-Merchant attestation of compliance with PCI DSS; and
ASV scans (where there is a PCI DSS compliance scan requirement). If required, this includes quarterly scan scheduling report and management.
If at any time Sub-Merchant elects to opt out of the SaferPayments Managed bundle, Sub-Merchant will be enrolled into SaferPayments Basic to help validate adherence to PCI DSS. If Sub-Merchant has already become PCI DSS compliant through the managed compliance support offered in SaferPayments Managed, Sub-Merchant is subject to a one-time cancellation fee up to $99.00. If Sub-Merchant has downloaded cybersecurity tools offered through the program, these tools will be disabled.
(iii) Non-Validation Fee (NVF) / Non-Compliance Fee (NCF) – In alignment with Section 16 of the Agreement Terms and Conditions, Sub-Merchant is responsible for demonstrating compliance with PCI DSS programs. Failure to report compliance validation status or reporting a failed status to Payrix will result in a NVF/NCF being assessed. Active Sub-Merchants will have a 60-day grace period to validate and report compliance validation status. Sub-Merchant’s compliance validation and reporting status will be evaluated monthly. This fee will only be assessed if the Sub-Merchant has failed to report the status or has reported a failed status and will not be assessed once Sub-Merchant meets compliance requirements.
(iv) Security Services – Sub-Merchant may utilize the services and products in this Section 1 of the Addendum ((individually and collectively, the “Security Services”) in conjunction with services provided wholly or partially by a third party with the support and agreement of Processor. Sub-Merchant bears all risk and responsibility for conducting Sub-Merchant’s own due diligence regarding the fitness of Security Services for a particular purpose and for determining compliance with the Bank rules, the Payment Network Rules, and the Laws. Accordingly, Sub-Merchant’s use of Security Services is at Sub-Merchant’s own risk. Processor’s decision to offer Security Services will not limit Sub-Merchant’s duties and obligations contained in this provision or the Agreement. Neither Payrix nor Processor warrants or guaranties that use of the Security Services , in itself, will: (i) result in Sub-Merchant’s compliance with Bank rules, Payment Network Rules, and/or Laws; (ii) prevent any and all unauthorized breaches of Sub-Merchant’s terminals, systems or facilities; or, (iii) be uninterrupted or error-free. Sub-Merchant agrees that it will not acquire any interest in (ownership, intellectual property or otherwise) in any of the third party provider software used to provide the Security Services. Sub-Merchant will not, and will have no right to, own, copy, distribute, sub-lease, sub-license, assign or otherwise transfer any portion of such third-party provider software used to provide the Security Services or any materials provided by Processor or to modify, decompile, or reverse engineer any such software, materials, or the Services.
(v) EMV Support – Europay, MasterCard, and Visa (“EMV”) is a set of global standards for credit, debit and contactless card payments. EMV chip cards help prevent in-store fraud and are nearly impossible to counterfeit. Starting October 1, 2015 Sub-Merchants who have not made the investment in chip-enabled technology may be held liable for card-present fraud. EMV acceptance requires an EMV enabled standalone terminal or POS system. Payrix is enabled to process in-store EMV transactions to help reduce fraud liability.
(vi) EMV Non-Enabled Fee - The EMV Non-Enabled Fee is applicable if Sub-Merchant does not have EMV enabled equipment and/or software. The EMV Non-Enabled Fee is determined based on the chargeback liability risk of Sub-Merchant’s MCC as determined by Payrix. Transactions will be evaluated monthly at the MID level and assessed at the chain level when applicable. This fee is based on the gross sales amount of each card present transaction.
(vii) Breach Assistance – In the event Sub-Merchant is enrolled in the Breach Assistance Program (“BAP”) offered by Payrix through SaferPayments or otherwise, the indemnification required by Sub-Merchant under this Agreement will only be reduced by amounts up to the limits set by the service provider that are actually recovered by Payrix in connection with the BAP and only to the extent that such amounts are specifically related to a data breach involving solely Sub-Merchant. The limited indemnity waiver provided by the BAP will not cover all the costs associated with a data breach. The specific terms and conditions of the BAP are available for Sub-Merchant to review at www.RoyalGroupServices.com/breach-assist/ or by contacting a customer service representative at 1-800-393-1345.
(viii) Encryption – Encryption is a two-part service offering designed to: (i) encrypt (make unreadable) PCI sensitive payment data at the origin of the payment transaction and, (ii) decrypt payment data information at the destination of the transaction. Payrix’s service offering availability requires alignment between the encryption technology deployed within the Sub-Merchant’s terminals and the decryption technology hosted by the service provider, which may require the use or upgrading of certain terminals and/or equipment or new message specifications (which will be at Sub-Merchant’s sole expense) and may not be supported on all terminals/equipment.
Sub-Merchant acknowledges and agrees that encryption functionality is required and may require Sub-Merchant to license encryption technology from appropriate third party provider or authorized reseller and that said licensed functionality may incur fees in addition to those set forth herein. Sub-Merchant also acknowledges that provision of Payrix’s service offering to Sub-Merchant may require a corresponding decryption technology license and that Payrix’s service offering is subject to availability of required decryption license from applicable third party provider. Upon reasonable notice, Payrix maintains the right to cease, modify or enhance providing the service offering without penalty and will use commercially reasonable efforts to offer a substitute service if applicable.
The value proposition associated with encrypting and decryption payment data (i.e., affects to Sub-Merchant’s risk and compliance requirements) is affected by where the payment data is encrypted, the terminal type used for encryption, and the location where the payment data is decrypted. Payrix has identified three different Encryption service offerings:
Card Data Encryption – risk reduction, no scope reduction
Point to Point Encryption – risk transference and scope reduction in alignment with PCI QSA evaluation
Validated Point to Point Encryption – risk transference and scope reduction in alignment with PCI guidelines for PCI listed P2PE solutions
Point to Point Encryption assumes: (i) Payment data is encrypted within a PCI-PTS certified Secure Cryptographic Device (SCD), using a NIST defined strong encryption algorithm, with encryption keys that were generated and handled in alignment with X9 standards and (ii) Encrypted payment data is only decrypted by Payrix within Payrix’s and/or Processor’s data systems.
Payment data information protected by the encryption service offering may include Track 1 or Track 2 data, obtained through a magnetic card swipe read, or PAN Data, obtained through manual entry directly into the SCD. The encryption service offering applies only to transactions that were encrypted and sent by the SCD to Payrix’s or its Processor’s authorization and settlement systems pursuant to the Agreement. Supported transactions include, but may not be limited to, those associated with credit (signature), debit (signature) and debit (PIN).
(ix) Tokenization – Tokenization is a service in which cardholder PAN data, once received by the Processor, is replaced with a surrogate (“Token”, also known as a TokenID or payment account identifier (“PAI”) value). Using the Token, Sub-Merchant can bill a card on file and/or schedule automatic payments, enabling the Sub-Merchant to securely process transactions from payment account records. Deliverables of the tokenization service include; (1) the creation of tokens and (2) the recognition and use of a Processor issued pre-existing token to support all post authorization transactions with the Processor, which includes initiating a new authorization with a token value. Data necessary to convert tokens back to PAN data for certain of the token services will be maintained in Processor’s systems. Card data can include Card number and expiration date however is dependent on what the Sub-Merchant software passed to the Processor when creating the token. For Sub-Merchants using detokenization services, those services will re-introduce card data into Sub-Merchant’s processing environment and may change the scope of Sub-Merchant’s PCI DSS scope. As such, the Sub-Merchant should conduct a complete assessment with a qualified PCI accessor to determine the impacts of using a detokenization service process. Sub-Merchant access to the tokenization service requires integrating and certifying systems to token services using Processor’s appropriate message specification. Message specifications are limited to those that exist in Payrix’s and Processor’s current Service offering. The Parties agree that the scope of the tokenization service does not include the certification or systematic configuration of third parties or firmware licensing as selected by the Sub-Merchant to support tokenization services. Payrix or Processor may terminate provision of the tokenization services on 30 days prior written notice to Sub-Merchant for any or no reason; or immediately (a) if Sub-Merchant is in material breach of its obligations under the Agreement, including these tokenization service terms, (b) in order to comply with applicable law or requests of governmental, administrative or judicial authorities, or (c) if Processor reasonably believes that continuing to provide the tokenization service to Sub-Merchant could create a substantial economic or technical burden or material security risk for Processor. Payrix and Processor have identified the following types of tokenization services that may be included in the Security Services.
Token Management Solutions (TMS) comprised of TMS - Delegate, TMS -Network Payment Token (NPT) which may include Revenue Boost (a managed solutions using NPT), and TMS – Security Token. TMS - Delegate is a Token with a feature for conversion of the Token back into card data for use with third party processors so that Sub-Merchant may use one token vault for Processor and one or more other processors (Processor acts as a token exchange service for Sub-Merchant with third parties, such as a payment processor). TMS – NPT is a Payment Network Token issued in accordance with the EMV payment tokenization specification technical framework of a participating Payment Network and which may include the managed solution, Revenue Boost, where offered to Sub-Merchant upon separate terms and pricing.TMS – Security Token is a Token issued by Processor in accordance with its specifications and requirements.
OmniTokens are tokens generated in such a way as to retain some of the digits of the original card value, be format preserving (i.e., length preserving and character set preserving), and be consistent across numerous requests (i.e., the same card value will result in the same token value in the context of a given merchant). OmniTokens are not limited to a specific platform and can be used interchangeably between processor’s different platforms.
eProtect is a two-part service designed to (i) capture payment data information from a given webpage using embedded Card Not Present eCommerce Data Security technology and, (ii) submitting the card data to a Processor hosted Card Not Present eCommerce Data Security server to exchange the card data for a Registration ID / Low Value Token before the data is transmitted back to the Sub-Merchant’s eCommerce website. Sub-Merchant acknowledges and agrees that it will acquire said Card Not Present eCommerce Data Security functionality from the Processor and is responsible for all development effort necessary to embed said technology as appropriate within one or more Sub-Merchant web pages. Information protected by the Card Not Present eCommerce Data Security Service includes Primary Account Number (PAN) Data manually entered into any webpage that includes embedded Card Not Present eCommerce Data Security technology. The resulting Registration ID / Low Value Token must subsequently be submitted to the Processor’s processing systems within a configurable timeframe to facilitate the exchange of the Registration ID / Low Value Token for a High Value, Multi-Use Tokenization (see tokenization service below). Sub-Merchant acknowledges that provision of the Card Not Present eCommerce Data Security services to Sub-Merchant is subject to Sub-Merchant completing integration and certification efforts with Processor. Sub-Merchant acknowledges that eProtect will result in Sub-Merchant automatically being enrolled in the Payrix or its Processor’s tokenization service. “Registration ID / Low Value Token” means a low-value token which expires in 24 hours. A Registration ID / Low Value Token is used within 24 hours to exchange for a high value token or token that can be used for card on file or recurring transactions.
Legacy Tokenization Services are tokenization services historically provided on Payrix affiliate platforms that may apply for Sub-Merchants whose accounts are converted to Payrix from such affiliate platforms. Such legacy tokenization services may have limited availability or functionality.
Non-Standard, GUI and Batch Tokenization are separate and unique service offerings and respective fees will be quoted to Sub-Merchant for the use of each service.
“Standard Tokenization” is provided on a per transaction basis in-line with each authorization request
“Non-Standard Tokenization” is provided as separate “non-authorization” message to the Processor that results in a token being generated and returned outside of a purchase transaction
“Graphical User Interface (GUI) Tokenization” is provided for Sub-Merchant operations personnel with appropriate credentials to convert or revert card values and tokens via Processor provided product interface(s).
“Batch Tokenization” / “Batch Detokenization” is provided as a file based service to support the mass conversion of any existing store of cardholder data and will mean the process of receiving a file that includes multiple values, performing the tokenization / detokenization process as appropriate for each value and returning a response file that includes the corresponding appropriate value.
Upon tokenization services termination, Sub-Merchant will have 30 days to request, via written request to Payrix, a batch de-tokenization of the Sub-Merchant’s token store, located within the Sub-Merchant’s systems. For purposes herein, batch de-tokenization will mean the process of the Processor receiving a file from Sub-Merchant that includes multiple token values, Processor performing the de-tokenization process for each token value and Processor returning a response file to Sub-Merchant that includes the corresponding card values for each token. After 30 days, Processor will no longer be responsible for maintaining the data necessary to de-tokenize Sub-Merchant’s token store or able to guarantee availability of data. Upon mutual agreement, Payrix or Processor may offer the Sub-Merchant de-tokenization data management Services under a separate agreement to support the token store after the termination of the current agreement supporting tokenization services. Notwithstanding anything to the contrary in the Agreement, dependent on the tokenization service available to Sub-Merchant, Cardholder data may not be maintained in Processor’s systems and, as such, Processor may not have the data necessary to convert Tokens back to Cardholder data. As part of the de-tokenization, Payrix or Processor will provide a data file including all stored records to a PCI DSS compliant facility designated by Sub-Merchant. Records may only be provided to a PCI DSS compliant facility with file format and encryption requirements to be determined in Payrix’s and Processor’s reasonable discretion. Furthermore, consistent with PCI DSS the above referenced data file shall not include any sensitive authentication data which includes full track data, track equivalent data generated by chip and contactless cards, card verification codes (e.g., CVDCVC2/CVV2/CID) and the PIN or PIN block located on credit and debit cards.
(x) triPOS® Service - The triPOS® Service is a turnkey, EMV certified payment processing application designed to process transactions that is compatible with the Processor’s processing platform and helps reduce the scope of Sub-Merchants’ PCI-DSS with P2PE and tokenization technology.
(xi) Security Services, Other Terms:
Communication Methods. Sub-Merchant will establish and maintain secure data communication connections and will transmit data to Payrix and Processor in the format required by Payrix and Processor.
Use of Tokens. As and where applicable, Sub-Merchant will immediately update payment account data, including but not limited to credit and debit card account data, expiration month and year, cardholder name, checking account number, and customer bank routing information upon additions, deletions, and changes to the underlying data. Sub-Merchant will create, delete, and query payment account records in accordance with instructions provided by Processor.
Disclaimer of Warranties. The Security Services, which includes the tokenization service, is provided to Sub-Merchant by Payrix and/or Processor "as-is" and without any warranty of any kind, whether express or implied. To the fullest extent permitted by law, Payrix, Processor and its and their licensors, suppliers, service providers, and business partners (the “Processor Entities”) disclaim any express or implied warranty, including but not limited to implied warranties of merchantability, non-infringement, or fitness for a particular purpose and any warranties that may arise from course of dealing, course of performance, or usage of trade. The Processor Entities do not warrant or guarantee that the Security Services, including the tokenization services, will be uninterrupted or error free, or that defects will be corrected.
Indemnification. In addition to the indemnification obligations of Sub-Merchant under the Terms and Conditions to the Agreement, Sub-Merchant agrees to indemnify, defend and hold harmless Payrix, Bank and Processor, its employees, officers, agents, shareholders, representatives and directors from any and all fines, penalties, losses, claims, expenses (including attorney fees and the allocable costs of in-house counsel), or other liabilities resulting from or in connection with; (i) Sub-Merchant's use of the Security Services, (ii) Sub-Merchant's storage of any cardholder data, or (iii) Sub-Merchant's breach of the herein Security Service terms.
Limitation of Liability. In addition to Processor’s limits of liability set forth under the Terms and Conditions to the Agreement, under no circumstances will Payrix or Processor be liable to Sub-Merchant or any third party for any indirect, special, incidental, consequential, punitive, exemplary or multiple damages arising out of or related to Payrix or Processor’s provision of the Security Services hereunder, regardless of the legal theory on which such claim is based (whether based in contract, tort, warranty, strict liability, negligence, or any other legal theory), even if Payrix or Processor has been advised, knew, or should have known of the possibility of such damages (which include, but are not limited to, loss of profits, revenue, savings, software, data or goodwill, the claims of third parties, and/or injury to persons or property). The parties expressly agree that the total liability of Processor (including, without limitation, for Payrix’s or Processor's performance or the failure of such performance hereunder, or for any breach hereof) will be exclusively limited to an amount equal to the aggregate Security Services fees actually received by Payrix from Sub-Merchant during the one-month period ending on the date on which the event giving rise to the claim for damages occurred. Sub-Merchant accepts the restrictions on its right to recover additional damages as part of its bargain with Payrix and Processor, and Sub-Merchant understands and acknowledges that, without such restrictions, the consideration for the services provided hereunder would be higher.
B. Security Services Pricing. Payrix will charge Sub-Merchant the fees set forth below per MID or per tokenization or other event, as applicable, for its use of the Security Services, which include the tokenization services.
(i) SaferPayments - Basic and Managed (see below footnotes 1 & 2) See application
(ii) P2PE(see below footnote 1) Quoted
(iii) eProtect (see below footnote 1) Quoted
(iv) PCI Non-Validation Fee (see below footnote 4) See application
(v) EMV Non-Enabled Fee
Low Risk 0.05% of the gross sales per month
Moderate Risk 0.15% of the gross sales per month
High Risk 0.27% of the gross sales per month
(vi) triPOS™ Service See application
(vii) Token Services: The fixed monthly fee listed in the Application which, if not listed will be at Payrix’s standard fees in effect from time to time.
(viii) Token Data Retrieval Fee (de-tokenization) $2,000.00 per event
Footnotes to above Section 1(B).
Pricing provided as a separate attached quote or for level 3 and 4 merchants on the Application
Required by and available only to PCI Level 3 and 4 merchants.
Required by merchants using an PCI DSS SAQ
Assessed only if merchant fails compliance validation or fails to report compliance validation
2. Token Grouping. Where Sub-Merchant shares and/or accepts Tokens with one or more merchants or otherwise permit such sharing and or/acceptance via Sub-Merchant’s third party payment application or platform provider (each a “Provider”) among a group of similarly branded merchants and/or merchants that are a part of a chain of independently owned stores, or some other group of merchants commonly connected by or through a brand, web-site, club, affiliation, and/or some other commonality (each, a “Merchant Group”) of which Sub-Merchant is a member (the “Token Grouping”), Payrix and Processor may, as part of the Services, support such Token Grouping for use with Cardholder card-on-file programs, scheduled automatic payments, and other programs for purchases of products and/or services processed by Sub-Merchant and the Merchant Group predicated and conditioned on Sub-Merchant’s agreement to the following:
Use of Tokens within the Merchant Group. Sub-Merchant authorizes Payrix and Processor to support and make available the Tokens to the Merchant Group so that Cardholder Tokens of the Merchant Group members will be available to all of the Merchant Group members as a group for use with card-on-file programs, to schedule automatic payments, and other programs enabling the member merchants to process transactions. Sub-Merchant acknowledges and agrees that the Merchant Group may change from time to time.
Variations, Limitations and Provider Duties. Payrix and Processor have several variations of the tokenization service all of which may not be available to Sub-Merchant, the tokenization service available to Sub-Merchant may have limitations on the sharing, management, and storage of Tokens and storage of Cardholder data. Where possible based on the variation of the tokenization service available to Sub-Merchant, Payrix and/or Processor will support the Tokens and tokenization service to the Member Group on file with Payrix as updated by Provider which Member Group is controlled and revised by Provider under the Provider services to Sub-Merchant. Dependent on the tokenization service available to Sub-Merchant, Cardholder data may not be maintained in Payrix’s or Processor’s systems and, as such, Payrix and Processor may not have the data necessary to convert Tokens back to Cardholder data. Furthermore, Sub-Merchant agrees that the scope of the tokenization service does not include: (a) the certification or systematic configuration of third parties or firmware licensing as selected by Sub-Merchant to support tokenization service; or (b) a duty by Payrix or Processor to provide Sub-Merchant or a Merchant Group member, individually or as a group, de-tokenization services or support during or after the term of the Agreement or their agreement(s) with Payrix except where separately agreed to in writing by Payrix or Processor and Sub-Merchant.
Cardholder Authorizations. Sub-Merchant directly or through its Provider, warrants and represents that Sub-Merchant has the appropriate written agreement and consents from all Cardholders required by applicable law and the Payment Network Rules for use of the tokenization service and Token Grouping within the Merchant Group (the “Cardholder Authorizations”). Sub-Merchant agrees to directly or through its Provider or other service provider to retain all records related to the Cardholder Authorizations, including the initiation and authorization of transactions for Sub-Merchant to collect and/or initiate transactions utilizing the Token Grouping. Copies of such records shall be delivered by Sub-Merchant to Payrix and Processor within ten (10) days of written request by Payrix or Processor and shall otherwise be retained by Sub-Merchant for a period of at least four (4) years following the date of the transaction, or longer if required by Laws or the Payment Network Rules.
Sub-Merchants and Provider Assumption of Risk, Responsibility and Other Obligations. Sub-Merchant bears all risk and responsibility for complying with the Payment Network Rules related to the Cardholder Authorizations, including card not present transactions, recurring billing, and Cardholder consent and authorization for card-on-file use related to the Token Grouping, use of Tokens, and for conducting Sub-Merchant’s own due diligence regarding the fitness of the Provider services for a particular purpose and do hereby represent, warrant and agree that it will comply at all times with Payment Network Rules, Laws, and PCI DSS. Sub-Merchant’s use of the Provider services is at Sub-Merchant’s own risk and Sub-Merchant shall be solely responsible for all authorized or unauthorized use of such Provider services including but not limited to the unauthorized use of such services whether by Sub-Merchant, Provider, a member of the Merchant Group, or each of such parties’ employees, agents, or representatives. Sub-Merchant acknowledges that the receipt and/or use of Tokens and Token Grouping may require the use or upgrading of certain terminals and/or equipment or new message specifications (which shall be at Sub-Merchant’s sole expense) and may not be supported on all terminals/equipment.
Account Monitoring; Security. Payrix and/or Processor may monitor the credit and debit card transactions processing activity received from the Merchant Group and investigate unusual or suspicious activity, provided, that in no event does Payrix or Processor assume any responsibility to discover any possible breach of Sub-Merchant’s or its Provider’s security or misuse of the Provider services. Payrix and Processor shall have the right to inspect Sub-Merchant’s operation, system and websites used by Sub-Merchant or Sub-Merchant’s service providers to verify Sub-Merchant’s compliance with security obligations. Payrix and/or Processor may discontinue acceptance of the card transactions processing activity from the Token Grouping and/or provision of the tokenization service immediately at any time without advance notice to Sub-Merchant or Sub-Merchant’s Provider.
3. Real Time Account Updater Services.
4. Additional Services or Expenses.
Sub-Merchant agrees that Payrix may charge Sub-Merchant for any non-specified service it provides Sub-Merchant (“Additional Service”) or expense it incurs on behalf of Sub-Merchant (“Additional Expense”) any time after Sub-Merchant’s initial receipt of the same, and Sub-Merchant agrees to pay for such service (at Payrix’s standard fees in effect from time to time) or expense in accordance with this Agreement. Sub-Merchant acknowledges and agrees that it will notify Payrix in writing and in accordance with the notice provisions of the Agreement in the event Sub-Merchant does not want the Additional Service and that such written notice will be sent to and actually received by Payrix within 90 days of Sub-Merchant’s first receipt of the Additional Service (“Additional Service Cancellation”). Sub-Merchant will not dispute, and will be unconditionally obligated to pay for, any Additional Service fees for which Sub-Merchant has not provided and Payrix has not actually received an Additional Service Cancellation in accordance with the foregoing and any Additional Expense.