First Amendment to Sponsorship Agreement (effective March 11, 2013) between Prosperity Bank, successor by merger to American State Bank, and Everi FinTech

This First Amendment to Sponsorship Agreement (this “Amendment”) is made and entered into this 11th day of March 2013 (the “Amendment Effective Date”), by and between Global Cash Access, Inc., a Delaware corporation with its principal place of business at 3525 E. Post Road, Suite 120, Las Vegas, NV 89120 (“Company”), and Prosperity Bank, a Texas State Banking Association and successor in interest to American State Bank, with a place of business located at 1401 Avenue Q, Lubbock, Texas 79408 (“Bank”).

A.Company and Bank have previously entered into a Sponsorship Agreement effective February 11, 2011 (the “Agreement”).

B.Company and Bank now desire to amend the Agreement, to, among other things, register Company as a Third Party Processor with certain Networks, upon the term and conditions set forth herein.

C.Capitalized terms not otherwise defined in this Amendment shall have the meanings assigned to them in the Agreement.

2.Addendum A attached hereto is hereby incorporated into the Agreement as Addendum A.

a.Due Authorization. This Amendment has been duly and validly authorized, executed and delivered by each party hereto and no other action by such party is required to the valid and binding execution, delivery and performance of this Amendment by such party, except as otherwise expressly set forth herein. Each person signing this Amendment on behalf of a party hereto represents and warrants that it is duly authorized to do so.

b.Conflict. To the extent, if any, that any provision of this Amendment conflicts with or differs from any provision of the Agreement, such provision of this Amendment shall prevail and govern for all purposes and in all respects. Otherwise, all terms and conditions of the Agreement shall likewise apply to this Amendment

c.Entire Agreement. The Agreement and this Amendment, between the parties, constitutes the entire agreement between the parties hereto regarding the subject matter contained herein and supersedes any and all prior and/or contemporaneous negotiations, agreements, understandings between the parties with respect to the subject matter hereof.

d.Counterparts. This Amendment may be executed in one or more counterparts, each of which shall be deemed an original and both of which together shall constitute one and the same agreement. This Amendment may be executed by a party’s signature transmitted by facsimile or by electronic mail in pdf format, and copies of this Amendment executed and delivered by means of faxed or pdf signatures shall have the same force and effect as copies hereof executed and delivered with original signatures.

b.“TR-39” means the Technical Guide developed by the American National Standards Institute (“ANSI”) as part of the X9, Inc. Financial Industry Standards, titled, “X9/TR-39 Retail Financial Services Compliance Guideline Part I: PIN Security and Key Management (formerly TG-3).”

Company will provide Processing Services pursuant to the terms and conditions of this Addendum and in compliance with the Regulations and the Rules established by the Networks and any applicable Regulatory Authority.

Bank and Company will alert each other within five (5) business days of any notification of an out-of-compliance condition either has received from any Network or Regulatory Authority. A detailed written explanation and proposed action plan will be provided by Company to Bank within ten (10) business days of notification, or as otherwise mutually agreed upon by the Bank and Company. Based on the severity of the out-of-compliance condition and/or the time and programming required to cure, both parties will determine a reasonable time frame to resolve the outstanding issue, except that if the parties cannot agree as to a course of action after using commercially reasonable efforts to resolve the matter, Bank may upon ten (10) days written notice terminate this Addendum.

Company agrees that its non compliance with the Rules or Regulations will be grounds for termination of sponsorship as detailed in Section 5.2(a)(i)of the Agreement.

Company will establish and maintain commercially reasonable policies and procedures (but no less than industry standard) that will ensure that acquired Transactions are and will be received from Terminals in compliance with time schedules determined by the Network and available to Company. Company will provide all such information

to Bank that is required or reasonably requested by the Bank to assist in the parties’ efforts to remain in compliance with all Rules and Regulations of the Networks. Company will not enter into any agreement that would prohibit the disclosure of information that is required by the Network and agrees that the Bank has the right and authority to have and review any information concerning any Transaction, Terminal or equipment it sponsors to ensure compliance with Rules, Regulations, and this Addendum.

Company will ensure that commercially reasonable controls, policies and procedures (but not less than industry standard), including redundancy, back up, security, required compliance changes and notification of changes, will be established, maintained, documented and followed and that all policies and procedures comply with the Rules and Regulations.

Company will ensure that commercially reasonable controls, policies and procedures (but not less than industry standard), including redundancy, back up, security, firewalls, sign-on codes, access, servers, required compliance changes and notification of changes, will be established, maintained, documented, and followed to a standard that is at least in compliance with the Rules and Regulations concerning Cardholder security. Company will complete a PCI DSS review and comply with PCI DSS rules and regulations regarding penetration tests network scans and make changes as required by Networks and/or Bank to ensure Cardholder information is protected and secure not more than once on an annual, calendar year basis unless otherwise required by a Network.

Company shall be responsible for payment of all the following Network fees associated with this Agreement that are listed in any applicable fee schedule promulgated by a Network, as the Network may amend it from time to time (a “Network Fee Schedule”) as TPP or Processor fees:

Company shall pay directly to Network or reimburse Bank, as appropriate or directed by Bank, in accordance with Bank’s or Network’s notice of such fees. All payments shall be due and payable in full thirty (30) days from the date of such notice, unless otherwise specified by Bank. All Bank payment notices past due for fees or other amounts owing under this Addendum shall bear interest at a rate of [***] per month or the maximum amount allowed by law if less, until payment in full is made. Payment shall be made in U.S. Dollars.

Company agrees that Merchants activated under this Agreement and sponsored by the Bank will be activated, provided services by Company, or deactivated in accordance with Network Rules, Regulations , and certain additional procedures established by the Bank and provided to Company by the Bank with respect to “high risk” Merchants that are customers of Company based upon (i) unusually high levels of Charge backs or other fraudulent activity compared to other similarly situated Merchant customers of Company, (ii) Card not present transactions in connection with Telebet Quasi-Cash Transactions; (iii) and other uniquely situated Merchants compared to Company’s customary gaming establishment customers that pose a heightened regulatory risk to Bank If Bank provides Company with written documentation showing a violation of the Rules or Regulations by such Terminal or Merchant and requests deactivation of such Terminal and/or Merchant, Company shall promptly remediate such violation within three (3) days or deactivate any Terminal(s) located at any such Merchant. Company agrees that it has full liability for any Transaction authorized at a Terminal after Company receives instructions from the Bank to discontinue accepting Transactions at such Terminal.

Company shall complete any required Network certification, review or processing requirements and provide to the Bank copies of such documentation if requested. Additionally, copies of all audits and reviews completed by any Network or Regulatory Authority will be provided to Bank upon request. Company agrees to complete an annual operational on-site review of procedures, by a qualified company approved by the Bank and provide a copy to Bank of the report promptly upon receipt by Company.

Company agrees that any Transactions identified as being sponsored by Bank will be submitted only after ISO, agent or Merchant has been approved and registered by Bank with the appropriate Networks.

(b)Implement Key Management and PIN security systems policies and procedures that comply with the Rules of each Network.

(c)    At its own expense, complete an annual PCI PIN Security Review and/or TR-39 and provide a copy to Bank.

(d)    Remain in compliance with all Network requirements concerning Cardholder security.

(e)Complete a PCI DSS review of systems and provide a copy of the PCI attestation of compliance of the Company for review by Bank. Only independent qualified security assessors will complete such review and Company will utilize a different qualified security assessor every three years if requested by Bank.

(f)Complete a SSAE 16 Audit as required by a Network or if requested by Bank and provide the results of such report to Bank on an annual basis or as Bank may otherwise require.

(g)Company will process Transactions in a manner that is at least consistent with industry standards.

l.Professional Liability, including Technology Errors and Omissions, insurance covering the effects of errors and omissions in the performance of professional duties and network security/data protection liability insurance (also called cyber liability) covering liabilities for financial loss resulting or arising from acts, errors, or omissions, in connection with the services provided under this Agreement and including without limitation the following:

a.violation or infringement of any right of privacy, including breach of security/privacy laws or regulations;

b.data theft, damage, unauthorized disclosure, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, identity theft, theft of personally identifiable information or confidential corporate information in whatever form, transmission of a computer virus or other type of malicious code; and participation in a denial of service attack on third party computer systems;

with a minimum limit of [***] each and every claim and in the aggregate.

2.Commercial General Liability insurance in an amount of not less than [***] per occurrence, subject to a [***] aggregate, covering bodily injury (including death), personal injury, property damage including without limitation, all contractual liability for such injury or damage assumed by Company under this Agreement and including products/completed operations coverage. This policy shall include products/completed operations coverage.

3.Workers Compensation insurance written according to the statutory laws in which Company reports payroll. This policy shall include Employers’ Liability in an amount of not less than [***] for Injury by Accident and Bodily Injury by Disease.

4.Commercial Property insurance protecting Company’s premises at a minimum against fire, extended coverage (including windstorm), vandalism, and theft. This policy shall include loss adjustment based on replacement value of the damaged property in the event of a loss.

5.Commercial Automobile Liability Insurance to include owned, non-owned, leased and hired vehicles and coverage for Property Damage and Bodily Injury, combined single limit: [***].

Such insurance must explicitly address all of the foregoing without limitation if caused by an employee of the Company or an independent contractor working on behalf of the Company in performing services under this Addendum. Policy must provide coverage for wrongful acts, claims, and lawsuits anywhere in the world. Data protection insurance must include contractual liability coverage for the confidentiality/data breach indemnity requirement in the Agreement Section 6.2 for civil liability, regulatory investigations, and notification costs resulting from a breach of confidentiality or breach of security by or on behalf of the Company.

Insurer must have a Best's rating of A or better. Any material change in the policy or cancellation must be reported to Bank with not less than thirty (30) days prior written notice. The policy must be kept in force during the life of the Addendum and for 1 year after Addendum termination or any pending or existing litigation is settled. Company shall provide a Certificate of Insurance in compliance with these requirements on an annual basis and at the time of renewal, and Bank reserves the right to obtain a copy of the professional liability and data protection liability insurance policy.

Company will reimburse Bank promptly upon receipt of Bank’s notice for Bank’s out-of-pocket costs incurred in conducting a due diligence examination of Company in connection with Network or Regulatory Authority requirements including but not limited to, registration as a TPP, annual review of TPP, or any new or ongoing Rules or regulations. Documentation will be provided to Company by Bank in order to facilitate registration requirements of other Members.

During the term of the Agreement, and for five years after the termination of this Agreement, Company shall use its best efforts to keep and maintain complete and accurate Transaction processing records, documents, and information, in sufficient detail, and in compliance with the Rules, Regulations and any Regulatory Authority . Upon the written request of Bank for specific reports for accounting, review, audit, litigation, investigation, or other reasonable purpose fully set forth in such request (a “Request”), Company shall promptly make or cause to be made available to Bank and its representatives any and all such reports, records, documents and information in Company possession and shall promptly permit Bank and its representatives to inspect and copy such records, documents and information. All reports, records, documents and information delivered in response to a Request shall be used only for the specific purposes stated in such Request and shall otherwise be kept confidential by each Party.

Should Company cease to operate, or be asked to cease operations by any Network or Regulatory Authority, Company, at its own expense, shall contract with a third party to decommission systems and provide to the Bank information required by the Networks to respond to any dispute or chargeback. Company agrees that any fees owed to the Company by the Bank or the Bank’s agents may be held in reserve to off set the cost of a decommission.

Company shall promptly comply with any request by the Bank, Network or any Regulatory Authority to perform any audit, inspection, examination or review of Company's performance under this Agreement (an “Audit(s)”), which may include an onsite inspection of Company’s facilities and operating practices at the option of the applicable regulator or Bank, including, without limitation, an annual PCI PIN Security Review, a biennial TR-39 review, and an annual penetration test. Within sixty (60) days of the execution hereof, Company must submit a PCI DSS review that indicates an initial review and assessment has been completed within the last 12 calendar months. The costs of any such Audit shall be the responsibility of Company. Additionally, Company will provide copies of any or all such Audits by any Network or Regulatory Authority to the Bank immediately after the receipt of such Audit by Company.

Company shall respond to any findings, recommendations or deficiencies in any such Audit within thirty (30) days following the date of the receipt of the report setting forth the findings, recommendations and deficiencies of such Audit, unless otherwise directed by Bank. Company’s response will include, without limitation, its proposal to correct any deficiencies and the status of its correction efforts. Failure of Company to respond to any finding or recommendation or to correct any deficiency identified in such report as described above shall be deemed a material breach of this Agreement.

Within six months after a PCI DSS, TR-39 or PCI PIN Security Review, Bank may require an operational overview completed by a third party qualified auditor confirming that any noted deficiencies have been cured and procedures are being followed as documented in the PCI DSS, TR-39 and PCI PIN Security Review.

If the processing software utilized by Company is marketed and sold on the open market, Company must ensure the software owner has obtained PA-DSS (Payment Application Data Security Standard) validation for the software and it must be on the PCI Security Standards Council’s List of Validated Payment Applications located at https://www.pcisecuritystandards.org/security_standards/vpa/vpa approval list.html.

Following Bank’s review of Company’s sponsorship request and completion of any due diligence Bank deems appropriate or as required by the relevant Network(s), if approved by Bank and the relevant Network, Bank shall sponsor/register Company with the Network(s) requested by Company in which Bank holds a Membership. Company has requested and Bank has agreed to provide Sponsorship for the following Networks: [***] (each a “Sponsored Network”), subject to the terms of this Agreement.

Company shall be responsible for the prompt payment of all costs and expenses associated with the Agreement and this Addendum including, but not limited to:

(a) Reimbursement of any decommission costs including cost of obtaining files of Transactions, data, and other information required to answer chargebacks or disputes.

Expiration or termination of this Addendum shall not release either Party of its respective obligations of payment or reimbursement of expenses previously incurred, warranty, intellectual property rights, governing law, notices, disputes and waiver of jury trial, and from the confidentiality and indemnity provisions hereof.

Bank shall not be liable to Company, any other participant or any other person for any loss, cost, damage, claim, demand, cause of action or expense (including, without limitation, the cost of investigating any claim, the cost of litigation and attorneys’ fees, whether or not legal proceedings are instituted), or any compensatory, punitive, special, incidental or consequential damages (including loss of profits), arising from any use or operation of the Network system or failure to use or operate the Network system, or otherwise arising under or in connection with this Addendum, except where and only to the extent such loss, cost, damage, claim, demand, cause of action or expense is due wholly to the gross negligence or willful misconduct of Bank. Bank hereby disclaims any and all warranties with respect to the operation of the Network system and the services to be provided by Network under and in connection with this Agreement, whether express or implied, including, without limitation, any implied warranty of merchantability or fitness for a particular purpose.

Company is responsible for the performance of any subcontractors and agents it engages to provide services under this Addendum and shall ensure that any such subcontractors and agents comply with all applicable terms and conditions of the Agreement and this Addendum.