A legal restriction due to a local or regional law, regulation, or regulatory requirement, where meeting a PCI DSS requirement would violate that law, regulation, or regulatory requirement. Contractual obligations or legal advice are not legal restrictions.
See the following PCI DSS v4.x documents for information on reporting legal exceptions:
- The Report on Compliance (ROC) Template and related Attestations of Compliance.
- The Self-Assessment Questionnaires (SAQs) and related Attestations of Compliance.
Note: Where an entity operates in multiple locations, a legal exception may only be claimed for the locations governed by the law, regulation, or regulatory requirement, and may not be claimed for locations in which such law, regulation, or regulatory requirement is inapplicable.
