1 BACKGROUND AND APPLICATION
Paytrim AB, corp. reg. no. 559155-1329 (“Paytrim”), is a company providing services within acquiring of card transactions. Paytrim has a license to provide payment services and is under the supervision of the Swedish Financial Supervisory Authority (Sw. Finansinspektionen).
These general terms for e-commerce card acquiring (the “E-commerce Terms”) apply when the Merchant, under the Agreement, accepts payment by Card for purchases of goods and/or services made at a distance via the Merchant’s Website, app or other digital sales channel approved by Paytrim, where the Card is not physically present at the time of the Transaction (“E-commerce Transactions”).
2 ADDITIONAL DEFINITIONS
In addition to the definitions set out in the General Terms, the following definitions shall apply to these E-commerce Terms.
“3-D Secure (3DS)” means the authentication protocols approved by the Card Schemes for authentication of Cardholders in E-commerce Transactions (e.g., Visa Secure and Mastercard Identity Check), in the version required by the Card Schemes from time to time.
“Approved E-commerce Solution” means a hosted payment page, redirect solution or other technical solution for the initiation and processing of E-commerce Transactions which has been approved in writing by Paytrim, and which is provided by Paytrim or by a PCI DSS-certified PSP approved by Paytrim.
“Credential-on-File Transaction” means a Transaction based on Card Information that has, with the Cardholder’s consent, been stored by Paytrim or an approved PSP for future Transactions.
“Hosted Payment Page” means a payment page hosted and controlled by Paytrim or an approved PCI DSS-certified PSP, on which the Cardholder enters Card Information, and to which the Cardholder is redirected from the Merchant’s Website.
“Recurring Transaction” means a Transaction within a series of Transactions which the Cardholder has agreed shall be charged to the Card at predetermined intervals (e.g., subscriptions).
“SAQ” means a PCI DSS Self-Assessment Questionnaire in the form prescribed by the PCI Security Standards Council (e.g., SAQ A), and “AOC” means the related Attestation of Compliance.
“SCA” means strong customer authentication within the meaning of Directive (EU) 2015/2366 (PSD2), the Swedish Payment Services Act and Commission Delegated Regulation (EU) 2018/389.
“Website” means the website(s), app(s) and other digital sales channels of the Merchant, registered with and approved by Paytrim in the Order Form, from which E-commerce Transactions are initiated.
3 APPROVED E-COMMERCE SOLUTION
The Merchant may only initiate and submit E-commerce Transactions through an Approved E-commerce Solution. Card Information may only be entered by the Cardholder on a Hosted Payment Page or in another payment interface controlled by Paytrim or an approved PSP. The Merchant’s own systems, including the Website, may not collect, transmit, process or store Card Information in any form.
The Merchant may not modify, reconfigure, integrate or otherwise alter the Approved E-commerce Solution, the checkout flow or any scripts or content affecting the payment flow, without Paytrim’s prior written approval. The Merchant shall notify Paytrim in writing in advance of any planned change to its technical solution, PSP, platform provider or business model that may affect the payment flow.
Paytrim may withdraw its approval of an Approved E-commerce Solution if the solution no longer meets the PCI Standards, the CSR or Paytrim’s internal requirements. In such case, the Parties shall cooperate to migrate the Merchant to a compliant solution; pending such migration, Paytrim may suspend the acquiring of E-commerce Transactions.
4 PCI STANDARDS AND VALIDATION FOR E-COMMERCE
Section 6 of the General Terms applies to E-commerce Transactions. In addition, the provisions of this Section 4 apply. The Merchant shall never request, retain or store sensitive authentication data, including card verification codes (e.g., CVV2/CVC2), in any form.
Where the Merchant uses an Approved E-commerce Solution based on a Hosted Payment Page or redirect, the Merchant’s PCI DSS validation may, subject to the criteria of the PCI Security Standards Council, be performed by way of SAQ A. The Merchant shall in such case confirm that the Website used in connection with the payment solution is not susceptible to script-based attacks that could affect the payment flow, in accordance with the PCI SSC eligibility criteria for SAQ A.
Unless Section 4.4 applies, the Merchant shall annually provide Paytrim with a completed and signed SAQ of the type designated by Paytrim, together with the related AOC, and any other validation documentation required by the Card Schemes (including, where applicable, a Report on Compliance (ROC) performed by a Qualified Security Assessor).
Simplified PCI validation for standard solutions. For Merchants classified as PCI Level 4 using a Paytrim-approved standard solution (e.g., a Hosted Payment Page), the Merchant warrants that such solution is used in accordance with Paytrim’s Instructions and has not been altered or integrated with other systems in a way that captures or stores Card Information. By entering into the Agreement, and continuously by using the services, the Merchant confirms that the requirements of the applicable SAQ (e.g., SAQ A) are met. This confirmation shall serve as the Merchant’s annual validation of compliance, unless the Merchant notifies Paytrim otherwise or Paytrim notifies the Merchant that separate validation is required.
Paytrim classifies each Merchant’s PCI level and applicable validation form in accordance with the rules of the Card Schemes and Paytrim’s internal Merchant PCI DSS programme, based on, inter alia, transaction volumes per Card Scheme and payment channel. Paytrim may at any time reclassify the Merchant and apply stricter validation requirements where the Card Schemes’ rules or the risk profile so require. The Merchant shall provide the information and cooperation reasonably required for such classification and follow-up.
5 STRONG CUSTOMER AUTHENTICATION (3-D SECURE)
The Merchant shall ensure that all E-commerce Transactions support SCA through 3DS in the version required by the Card Schemes from time to time, and shall not take any measure that circumvents or disables SCA.
Exemptions from SCA may only be applied where permitted under applicable law and the CSR and as approved or applied by Paytrim or the approved PSP. The Merchant acknowledges that Transactions completed without successful 3DS authentication may carry increased Chargeback liability for the Merchant in accordance with the CSR.
6 WEBSITE REQUIREMENTS
The Merchant shall ensure that the Website at all times clearly displays at least the following information, in accordance with the CSR and applicable law:
(a) the Merchant’s legal name, corporate registration number and contact details (including customer service contact and the country of the Merchant’s domicile);
(b) a complete and accurate description of the goods and/or services offered;
(c) the price, the transaction currency and all taxes, fees and delivery costs;
7 RESTRICTED ACTIVITIES
In accordance with Section 3.4 of the General Terms, the Merchant may only accept payment for activities, products and services that have been registered with and approved by Paytrim. In addition, the following activities, products and services may only be sold through E-commerce Transactions with Paytrim’s prior written approval:
(b) memberships, subscriptions and other goods or services of a continuous or future-delivery nature;
(d) gambling, betting, lotteries and similar activities;
(f) pharmaceuticals and other medicinal products;
(h) adult entertainment, dating and chat services; and
8 DELIVERY AND ADVANCED PAYMENTS
The Merchant shall deliver the goods and/or services in accordance with the terms communicated to the Cardholder, and may only submit a Purchase Transaction for settlement in accordance with the CSR and the Instructions.
Where payment is collected in advance of delivery (e.g., pre-orders, bookings, vouchers or subscriptions), the Merchant acknowledges that this entails an increased Chargeback exposure for Paytrim. In addition to its rights under Section 10 of the General Terms, Paytrim may, based on a risk assessment, apply a rolling reserve, delayed settlement or other security arrangements in respect of such Transactions. Paytrim shall inform the Merchant of any such arrangement applied.
9 RECURRING AND CREDENTIAL-ON-FILE TRANSACTIONS
The Merchant may only carry out Recurring Transactions and Credential-on-File Transactions where this has been approved by Paytrim and in accordance with the CSR. The Merchant shall obtain and retain evidence of the Cardholder’s consent, clearly disclose the terms of the recurring charge (amount, frequency and duration) prior to the first Transaction, and provide the Cardholder with a simple mechanism to cancel future charges.
Storage of Card Information for future Transactions may only take place with Paytrim or an approved PSP (e.g., through tokenisation). The Merchant may not itself store Card Information.
10 REFUNDS AND CHARGEBACK
Refund Transactions shall be made to the same Card that was used for the corresponding Purchase Transaction, in accordance with Section 5.2 of the General Terms. Refunds in cash or via other payment methods are not permitted for purchases paid by Card.
The Merchant is liable for Chargebacks in accordance with Section 8 of the General Terms, including Chargebacks relating to fraudulent E-commerce Transactions to the extent liability is not shifted to the issuer under the CSR (e.g., following successful 3DS authentication).
If the Merchant’s fraud or Chargeback ratios exceed the thresholds applied by the Card Schemes (e.g., under the Visa and Mastercard fraud and dispute monitoring programmes), the Merchant shall reimburse Paytrim for any fines, fees and costs imposed on Paytrim as a result thereof, and shall implement the remedial measures reasonably required by Paytrim. Paytrim may suspend or terminate the acquiring of E-commerce Transactions in accordance with the Agreement if such ratios are not restored within a reasonable time.
11 FRAUD PREVENTION
The Merchant shall apply the fraud prevention measures set out in the Instructions or otherwise reasonably required by Paytrim, including screening of orders and verification of delivery details where appropriate.
Paytrim may suspend the processing or settlement of E-commerce Transactions where Paytrim reasonably suspects fraud, money laundering or other illegal activity, pending investigation.
12 RISK ASSESSMENT AND SECURITY
12.1
13 CHANGES TO THE E-COMMERCE TERMS
Paytrim may, at any time and at its sole discretion, amend, supplement or otherwise change these E-commerce Terms without the Merchant’s prior approval and without prior notice to the Merchant. Amended E-commerce Terms become effective when published on Paytrim’s website (www.paytrim.io). The Merchant is responsible for keeping itself informed of the version of the E-commerce Terms in force from time to time. By continuing to submit E-commerce Transactions after publication of amended E-commerce Terms, the Merchant shall be deemed to have accepted the amendments.
Section 18 of the General Terms shall not apply to changes to these E-commerce Terms. If the Merchant does not accept amended E-commerce Terms, the Merchant’s sole remedy is to terminate the Agreement in accordance with Section 11.1 of the General Terms.
14 SUSPENSION AND TERMINATION
In addition to Paytrim’s rights under Section 11 of the General Terms, Paytrim may suspend the acquiring of E-commerce Transactions or terminate the Agreement with immediate effect if (i) the Merchant breaches Sections 3, 4, 5, 7, 9 or 12.4 of these E-commerce Terms, (ii) the Merchant’s PCI DSS validation is missing, invalid or has been revoked, (iii) the Merchant fails to provide security required under Section 12.2 within the time reasonably set by Paytrim, or (iv) the Merchant’s e-commerce activities expose Paytrim to fines, sanctions or material reputational risk under the CSR or applicable law.
15 MISCELLANEOUS
15.1