Amendment No. 2 to Co-Brand Credit Card Program Agreement by and between Comenity Capital Bank and BJs Wholesale Club, Inc., dated as of January 16, 2015
Exhibit 10.4(a)
[*] Text Omitted and Filed Separately with the Securities and Exchange Commission Confidential Treatment
Requested Under 17 C.F.R. Sections 200.80(b)(4) and 230.406
EXECUTION VERSION
AMENDMENT NO. 2
TO
CO-BRAND CREDIT CARD PROGRAM AGREEMENT BETWEEN COMENITY
CAPITAL BANK AND BJ’S WHOLESALE CLUB, INC.
THIS AMENDMENT NO. 2 TO CO-BRAND CREDIT CARD PROGRAM AGREEMENT BETWEEN COMENITY CAPITAL BANK AND BJ’S WHOLESALE CLUB, INC. (“Amendment No. 2”), is dated January 16, 2015, by and between BJ’S WHOLESALE CLUB, INC, a Delaware corporation having its principal office at 25 Research Drive, Westborough, MA 01581 (“BJ’s” or “Company”), and COMENITY CAPITAL BANK, having its principal offices at 2795 E. Cottonwood Parkway, Suite #100, Salt Lake City, Utah (“Bank”). Capitalized terms not otherwise defined herein shall have the meanings ascribed to such terms in the Agreement.
WHEREAS, Company and Bank are parties to the Co-Brand Credit Card Program Agreement dated June 5, 2014 (the Agreement);
WHEREAS, the Agreement provides that BJ’s may elect, in its sole and absolute discretion, to have Bank conduct in-club events at mutually agreed upon BJ’s Wholesale Club, Inc. retail club locations to obtain Credit Card applications;
WHEREAS, Bank wishes to conduct a series of such in-club events in January and February 2015 as well as throughout the calendar year, primarily during new club openings (“Club Events”);
WHEREAS, Company approval of the Club Events and any other Bank in-club events is subject to the implementation by Bank of security measures set forth herein.
NOW, THEREFORE, in consideration of the mutual covenants contained herein, the parties agree the following shall apply with regard to Bank’s participation at Club Events:
1. Bank shall, [*] and using its own equipment, conduct Club Events at the Company clubs designated on Appendix A attached hereto and as may be amended from time to time by the mutual agreement of the parties. At such events, Bank shall provide consumers with information about the Credit Card and the opportunity to apply for the Credit Card at various dates between from January 1, 2015 through December 31, 2015 in Company clubs designated in Appendix A, which may be amended from time to time upon the mutual agreement of the parties. All of the other features of the Program and Rewards Program will remain as otherwise provided in the Agreement.
2. Section 5.5 of the Agreement, Insurance, shall apply to Bank during each Club Event, and Bank or its subcontractor, (if subcontractor is conducting Club Event), shall provide and maintain minimum insurance coverage as follows:
[*] Text Omitted and Filed Separately with the Securities and Exchange Commission Confidential Treatment
Requested Under 17 C.F.R. Sections 200.80(b)(4) and 230.406
| (a) | Worker’s Compensation at statutory limits; |
[*]
In addition Bank shall provide Company with a certificate of insurance completed by its insurance carrier prior to the Club Events certifying that minimum insurance coverage as required above is in effect and, with the exception of workers’ compensation coverage, listing Company as an additional insured as its interests apply.
3. With respect to each Club Event, [*]. For the avoidance of doubt, Schedule 8.9 constitutes a set of data security requirements that in addition to applying generally for the handling of Confidential Information and Consumer Personal Information, shall apply to the Consumer Personal Information collected by Bank during Club Events. In addition, Bank agrees that for purposes of the Club Events specifically, [*]. Bank agrees to take all [*] precautions and measures to ensure the security and integrity of the Confidential Information, including Consumer Personal Information, in their control, and that it is maintained in a safe and secure manner. Bank agrees to cause any of its subcontractors who provide services in connection with the Club Events to comply with the requirements of this Section 3 as well as all of the terms of the Agreement.
4. With regard to Club Events, the following indemnification obligations shall apply:
[*]
5. Effect. Except as set forth in this Amendment No. 2, the Agreement shall remain in full force and effect and each party hereby restates and affirms all of the terms and provisions of the Agreement. If any conflict exists between the terms and provisions of the Agreement and this Amendment No. 2, the terms and provisions of this Amendment No. 2 will govern and control.
6. Entire Agreement. The Agreement, as amended, including as amended by this Amendment No. 2, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior understandings with respect thereto.
7. Counterparts. This Amendment No. 2 may be executed in any number of counterparts, each of which shall be deemed an original and all of which when taken together shall constitute one and the same instrument. Delivery of an executed counterpart signature page by facsimile shall be effective as a manually executed signature page.
8. Governing Law. The governing law provisions of this Amendment No. 2 shall be the same as the governing law of the Program Agreement.
IN WITNESS WHEREOF, Bank and Company have executed and delivered this Amendment No. 2 as of the date first written above.
[*] Text Omitted and Filed Separately with the Securities and Exchange Commission Confidential Treatment
Requested Under 17 C.F.R. Sections 200.80(b)(4) and 230.406
COMENITY CAPITAL BANK
By: /s/ Ronald J. Ostler
Name: Ronald J. Ostler
Title: President
Date: 1/16/15
BJ’S WHOLESALE CLUB, INC.
By: /s/ Robert W. Eddy
Name: Robert W. Eddy
Title: EVP, CFO
Date: 1/16/15
[*] Text Omitted and Filed Separately with the Securities and Exchange Commission Confidential Treatment
Requested Under 17 C.F.R. Sections 200.80(b)(4) and 230.406
EXECUTION VERSION
Appendix A
Company Club Event List – Calendar 2015
(Please complete Appendix A with Date of Club Event, Club # and City where Club is located
| Date | # Club Number | Club City |
[*] Text Omitted and Filed Separately with the Securities and Exchange Commission Confidential Treatment
Requested Under 17 C.F.R. Sections 200.80(b)(4) and 230.406
Schedule 8.9
Data Security
1. Security Policy. Bank will establish and maintain a formal, documented, mandated, Bank-wide information security program, including security policies, standards and procedures (collectively “information security policy”). The information security policy will be communicated to all Bank personnel, employees, agents, and contractors in a relevant, accessible, and understandable form and will be regularly reviewed and evaluated (but no less frequently than as may be required by applicable law) to ensure its operational effectiveness, compliance with all applicable laws and regulations, and to address new threats and risks. On request, Bank will provide Company the then current version of the information security policy. Among other things, the information security policy and Bank’s overarching security program must address the following:
a. Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Company confidential information and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to: (i) ongoing employee (including temporary and contract employee) training; (ii) employee compliance with policies and procedures; and (iii) means for detecting and preventing security system failures;
b. Address whether and how employees should be allowed to keep, access and transport records containing confidential information outside of business premises;
c. Imposing disciplinary measures for violations of the information security policy;
d. Preventing terminated employees from accessing records containing Company confidential information by immediately terminating their physical and electronic access to those records, including deactivating their passwords and user names;
e. Limiting the amount of confidential information, including personal information, collected to that which is reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that which is reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with state or federal record retention requirements;
f. Identifying paper, electronic and other records, computing systems, and removable media (as defined below) used to store confidential information, to determine which records contain confidential information, except where the information security policy provides for the handling of all records as if they all contained confidential information;
g. Reasonable restrictions upon physical access to records containing confidential information, including a written procedure that sets forth the manner in which physical access to the records is restricted, and storage of the records and data in locked facilities, storage areas or containers;
[*] Text Omitted and Filed Separately with the Securities and Exchange Commission Confidential Treatment
Requested Under 17 C.F.R. Sections 200.80(b)(4) and 230.406
h. Regular monitoring to ensure compliance with the information security policy is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of confidential information, and upgrading information safeguards as necessary to limit risks;
i. Reviewing the scope of the security measures [*] or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing confidential information; and
j. Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of confidential information.
2. Personnel and Bank Protections. Prior to commencement of services, Bank shall have performed a criminal background check [*] on all associates assigned to perform services under this agreement. In the event an associate assigned to perform services under the Program Agreement has been convicted of a crime that is honesty related or would present safety or security risks, including without limitation individuals with a conviction(s) or indictment(s) for any of the following crimes: crimes against persons; crimes involving weapons; crimes involving the use/misuse of a computer/network; crimes involving trade secret/proprietary information theft, burglary, theft, embezzlement, corruption, bribery, forgery, fraud, receiving stolen property; crimes involving the possession, manufacture, transportation or sale of illegal drugs and controlled substances or any other crime that qualifies as a misdemeanor or felony in the jurisdiction involved, Bank shall first consult with Company prior to assigning such associate or if the associate is already assigned to Company, then the Bank will consult with Company regarding the associate’s continued assignment to Company account. Prior to associates’ assignment to the Program, Bank shall certify that the background checks have not revealed any incidents which would require consultation with Company prior to assigning such individual to the Program. Bank shall supply each of its associates and contractors with appropriate, ongoing training regarding information security procedures, risks, and threats. Bank will have an established set of procedures to ensure associates and contractors promptly report actual and/or suspected breaches of security.
3. Removable media. Except in the context of Bank’s routine back-ups or as otherwise specifically authorized by Company in writing, Bank will institute strict physical and logical security controls to monitor transfer of personal information to any form of removable media. For purposes of this exhibit, “removable media” means portable or removable hard disks, floppy disks, usb memory drives, zip disks, optical disks, cds, dvds, digital film, memory cards (e.g., secure digital (sd), memory sticks (ms), compactflash (cf), smartmedia (sm), multimediacard (mmc), and xd-picture card (xd)), magnetic tape, and all other removable data storage media.
4. Data control; media disposal and servicing. Company confidential information (i) may only be made available and accessible pursuant to the Program Agreement; (ii) if transferred across the internet, any wireless network (e.g., cellular, 802.11x, or similar technology), or other public or shared networks, must be protected using appropriate cryptography consistent with industry best practices or as designated or approved by Company in writing; and (iii) if transferred using removable media (as defined above) must be sent via a bonded courier or protected using cryptography consistent with industry best practices or as designated or approved by Company in writing. The foregoing requirements apply to back-up data stored by Bank at off-site facilities. In
[*] Text Omitted and Filed Separately with the Securities and Exchange Commission Confidential Treatment
Requested Under 17 C.F.R. Sections 200.80(b)(4) and 230.406
the event any hardware, storage media, or removable media must be disposed of or sent off-site for servicing, Bank will ensure all Company confidential information, including personal information, has been “scrubbed” from such hardware and/or media using industry best practices (e.g., dod 5220-22-m standard) and in accordance with the privacy and security requirements.
5. Physical and environmental security. Bank facilities that process Company confidential information will be housed in secure areas and protected by perimeter security such as barrier access controls (e.g., the use of guards and entry badges) that provide a physically secure environment from unauthorized access, damage, and interference.
6. Communications and operational management. Bank shall (i) monitor and manage all of its information processing facilities, including, without limitation, implementing operational procedures, change management and incident response procedures; and (ii) deploy adequate anti-viral software and adequate back-up facilities to ensure essential business information can be promptly recovered in the event of a disaster or media failure; and (iii) ensure its operating procedures will be adequately documented and designed to protect information, computer media, and data from theft and unauthorized access.
7. Access Control. Bank will implement formal procedures to control access to its systems, services, and data, including, but not limited to, user account management procedures and the following controls:
| a. | Network access to both internal and external networked services shall be controlled, including, but not limited to, the use of properly configured and patched firewalls; |
| b. | Operating systems will be properly patched and used to enforce access controls to computer resources including, but not limited to, authentication, authorization, and event logging; |
| c. | Applications will include access control to limit user access to information and application system functions; |
| d. | All systems will be monitored to detect deviation from access control policies and identify suspicious activity. Bank shall record, review and act upon all events in accordance with incident response policies set forth in Incident Notification, below; |
| e. | Bank will change Company confidential information access passwords on a regular basis in accordance with Bank policy, but at least as frequently as [*]; |
| f. | Remote access to Bank’s network must be controlled with a virtual private network or other device (“VPN”) or private lines, consistent with [*]. Two factor authentication should be used for all remote access; |
| g. | Wireless networks will have controlled deployment, secure configuration, and monitoring processes in place that provide for the effective authorization and management of wireless devices; |
[*] Text Omitted and Filed Separately with the Securities and Exchange Commission Confidential Treatment
Requested Under 17 C.F.R. Sections 200.80(b)(4) and 230.406
| h. | Bank will maintain a network environment that prevents all external ingress and egress points with firewalls. Intrusion detection/prevention systems will be strategically placed to prevent or detect potential breaches. Firewalls will be configured appropriately to prevent intrusions due to common protocol exposure; |
| i. | Company personal information electronically stored or maintained by Bank will be encrypted consistent with [*] and the privacy and security requirements; |
| j. | Bank will ensure Bank personnel do not use any VPN to simultaneously connect machines on any Company system to any machines on any Bank or third party systems, without (i) using only a remote access method consistent with industry best practices; |
| k. | Operating systems and network devices must be adequately “hardened” to the most appropriate secure configuration for Bank’s applications. Configuration management will include a monitoring process to ensure that configurations remain secure; |
| l. | [*]; |
| m. | [*]; and |
| n. | All access to Company confidential information will be on a password protected basis, with unique identifications plus passwords, which are not vendor-supplied default passwords, that are reasonably designed to maintain the integrity of the security of the access controls, and implement secure user authentication protocols, including: |
| i) | control of user ids and other identifiers; |
| ii) | a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, [*]; |
| iii) | control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; |
| iv) | restricting access to active users and active user accounts only; and |
| v) | blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system. |
| o. | [*]. |
8. Back-up/Retention. Bank will regularly back-up systems used to provide services to Company to ensure adequate recovery capabilities. Back-ups will be appropriately protected to ensure only authorized individuals are able to access the Company confidential information, including but not limited to encryption of data stored off-site in electronic media and appropriate
[*] Text Omitted and Filed Separately with the Securities and Exchange Commission Confidential Treatment
Requested Under 17 C.F.R. Sections 200.80(b)(4) and 230.406
classification and protection of hard-copy records. If not separately backed up, Bank will secure any files containing Company confidential information against unauthorized access in accordance with the terms of this Agreement until the back-up tapes are recycled or properly destroyed so that information on them cannot practicably be read or reconstructed.
9. Patch Management. Bank will subscribe to and monitor notifications to the United States computer emergency readiness team (“US-CERT”) or similar service, vendor notifications, and other recognized sources of information for critical patches. Bank will implement a process to fix or patch identified security problems in an adequate and timely manner. Unless otherwise expressly agreed in writing, “timely” means that Bank will introduce a fix or patch as soon as commercially reasonable after Bank becomes aware of the security problem or availability of a fix or patch in accordance with Bank policy.
10. Change Management. Bank will use a documented change control process to ensure that access to its systems is controlled and recorded. Bank will promptly notify company of any planned system configuration changes or other changes that would adversely affect the confidentiality, integrity, or availability of Company confidential information.
11. SSAE 16. Unless otherwise agreed to in writing by the parties, Bank will provide Company annually with a copy of latest Bank’s SSAE 16 or equivalent report. In the event the accounting firm performing the audit issues a qualified opinion due to a material weakness or significant deficiency, Bank will promptly advise Company of its plan for remedying such material weakness or significant deficiency and use [*] to mitigate any potential damages or adverse consequences resulting from such material weakness or significant deficiency.
12. PCI Compliance; Audits. To verify ongoing compliance with the PCI DSS Bank will engage (i) a qualified security assessor (“QSA”) to conduct, [*], an onsite compliance review; and (ii) an approved scanning Bank (“ASV”), [*], to conduct a network security scan. On written request from Company, Bank will provide Company with copies of the foregoing reviews. Unless otherwise agreed to in writing the Bank will provide to Company annually a copy of Bank’s Attestation of Compliance Letter (“AOCL”), or provide onsite access to the Bank’s Report of Compliance (“ROC”). In the event the Bank does not have a, AOCL or ROC marked as “compliant” due to some requirements in the AOCL or ROC marked “not in place” and therefore Bank has not demonstrated full compliance with the PCI DSS, Bank will promptly advise Company of its plan for remediation of such deficiencies and use [*] to mitigate any potential damages or adverse consequences resulting from such deficiencies. In any case, Bank will be in full compliance with the PCI DSS [*] from the receipt of the AOCL or ROC in which non-compliance was noted.
13. Incident notification. Bank will immediately notify ([*]) the designated Company security contact by telephone and subsequently via written letter of any actual security attacks or incidents related to Company confidential information. The notice shall include the approximate date and time of the occurrence and a summary of the relevant facts, including a description of measures being taken to address the occurrence, and a monthly update noting the actions taken to address the security incident.
[*] Text Omitted and Filed Separately with the Securities and Exchange Commission Confidential Treatment
Requested Under 17 C.F.R. Sections 200.80(b)(4) and 230.406
14. Annual Certification. On an annual basis, or on Company request, Bank will certify in writing to Company that Bank is in compliance with its obligations under this Schedule 8.9. The certification will be made on a form provided by Company.
