Rights & Responsibilities

PCI SECURITY STANDARDS COUNCIL LLC

PCI PARTICIPANT RIGHTS, OBLIGATIONS AND RULES OF PARTICIPATION

Each participant in the PCI Security Standards Council, LLC (PCI SSC) PCI Participant Program (each a “PCI Participant”) is entitled to the corresponding rights set forth below by PCI Participant Class (defined below). By executing and submitting its application for acceptance by PCI SSC, each PCI Participant agrees to be bound by the obligations and rules of participation set forth or referenced below and the PCI Participant Agreement on the PCI SSC website (the “Website”).

I.    Eligibility and Classes

There are three classes of PCI Participant (each a “Class”): Principal Participating Organizations (“Principal POs”), Associate Participating Organizations (“Associate POs”), and Individual Participants. Subject to Section VI below, any association, partnership, organization, governmental agency, company, corporation, academic entity, or non-profit entity (each of the foregoing, an “Entity”), and any individual, may join as a PCI Participant. Principal and Associate Classes are reserved for Entities; the Individual Class is reserved for natural persons.

II.    Rights of PCI Participants

A.    Board of Advisors.  PCI Participants in Good Standing (defined below) are eligible to participate in the PCI SSC Board of Advisors, subject to applicable eligibility requirements, limitations, terms and Class restrictions, as set forth herein and in the Charter of the Board of Advisors and the PCI SSC Standards Development Policy on the Website.
“Good Standing” means that the applicable PCI Participant:

  • Has executed and submitted to PCI SSC the current version of the PCI Participant Agreement;
  • Has paid to PCI SSC all applicable PCI Participant fees; and
  • Is in compliance with all agreements with PCI SSC and all applicable rules, policies and procedures established by PCI SSC from time to time.

B.    Principal POs.  Each Principal PO, while in Good Standing, is entitled to the following rights:

1.  Board of Advisors participation, as follows:

  (a) Principal PO Seats.  Designation of a representative for a “Principal PO Seat” on the Board of Advisors in its industry category, unless the number of Principal POs in that category exceeds the number of Principal PO Seats for that category, in which case Principal PO Seats for that category are determined by lottery.
  (b) Elected Seats.  Nomination of a representative to stand for election to an “Elected Seat” on the Board of Advisors for its industry category (unless otherwise serving on the Board of Advisors).
  (c) Appointed Seats.  Consideration for an Appointed Seat on the Board of Advisors (unless otherwise serving on the Board of Advisors).

2.   Seat on the PCI SSC Technical Guidance Group (TGG) (reserved for Primary and Alternate (or other designated principal) Principal PO representatives).

3.   Seat on the PCI SSC Technical Advisory Board (TAB) (reserved for seated representatives serving on the Board of Advisors and designated subject matter experts).

4.   Participation in PCI SSC Roadmap Roundtables (reserved for Primary Board of Advisors representatives).

5.   Comment on drafts of all revisions of the PCI Data Security Standard, and on any new PCI SSC standards, prior to public release.

6.   Community Meeting Contribution, via priority consideration for calls for Speakers.

7.   Community Meeting Access – four (4) complimentary Community Meeting tickets.

8.   All rights of Associate POs specified in II.C.2 through II.C.8 below.

C.    Associate POs.  Each Associate PO, while in Good Standing, is entitled to:

1.   Board of Advisors participation via Elected or Appointed Seats, as described in Sections II.B.1(b) and II.B.1(c) above.

2.   Vote in elections for Elected Seats.

3.   Seat on the TAB (reserved for seated representatives serving on the Board of Advisors and designated subject matter experts).

4.   Participation in Special Interest Groups.

5.   Recommend new initiatives for consideration to PCI SSC.

6.   Provide input on agendas, and receive corresponding advance materials, for all PCI SSC meetings at which such PCI Participant is permitted to attend.

7.   All rights of Individual Participants specified in Sections II.D.3 through II.D.7 below.

8.   Community Meeting Contribution, via calls for Speakers.

9.   Community Meeting Access – two (2) complimentary Community Meeting tickets.

D.    Individual Participants. Each Individual Participant, while in Good Standing, shall be entitled to:

1.   Board of Advisors participation, in an observer (non-voting) capacity, by invitation of the PCI SSC Executive Committee.

2.   Discount on Community Meeting tickets.

3.   Participation in PCI SSC Task Forces.

4.   Access to communications to all PCI Participants.

5.   Training Discounts.

6.   Publicly disclose its status as a PCI Participant.

7.   Such other rights as may from time to time be approved and announced by PCI SSC for the PCI Participant’s Class.

IV. Usage Rights

Each PCI Participant is subject to the obligations set forth in this document and in the PCI Participant Agreement, and grants the following permissions to PCI SSC:

1.   PCI SSC may disclose and include the name of each PCI Participant in a public list of PCI Participants. Such list may be displayed on the Website and in such other materials as PCI SSC from time to time may desire.

2.   PCI SSC may display and include the logo of each PCI Participant in the manner provided above, subject to such PCI Participant’s usage guidelines as may from time to time be provided to PCI SSC in writing.

V.    Intellectual Property Rights

1.   No PCI Participant shall have any obligation whatsoever to offer any suggestions, contributions or other input to the PCI SSC technical or other process regarding the development of any PCI SSC standard, specification or other technical work product (each a “Standard”).  To the extent any PCI Participant elects to provide any such suggestion, contribution or other input (each a “Contribution”) or otherwise participates in any such process, the PCI SSC Intellectual Property Rights Policy (the “Policy”) shall apply, and the PCI Participant agrees to, and agrees that it shall have and comply with all of the corresponding obligations of a “Technical Participant” under, the terms and provisions of the Policy.

2.   By making a Contribution, each PCI Participant shall be representing and warranting that it is not aware that its Contribution violates any copyright, patent right, or other intellectual property right of any third party.

3.   PCI SSC reserves the right to require that a PCI Participant enter into such Contribution form or other agreement as PCI SSC may from time to time use in connection with Contributions to more fully address any intellectual property rights that may be contained in or infringed by a Contribution or the implementation thereof.

4.   No PCI Participant or other participant in PCI SSC activities will be expected to reveal trade secret information in the course of participation. PCI SSC will not be held responsible for the disclosure of any PCI Participant’s or other participant’s trade secrets, regardless of the circumstances. Except as otherwise agreed in writing or electronically, neither PCI SSC, any of the PCI Participants, nor any other participant in any PCI SSC activity shall have any obligation, expressed or implied, to maintain the confidentiality of any information disclosed by any PCI Participant or other participant in any PCI SSC activity, and the identity of the PCI Participant disclosing such information may be incorporated into a draft or final Standards and distributed or published freely.

VI.    Rules of Participation

1.   Continuing participation in PCI SSC as a PCI Participant is subject to:

(a) Timely payment of such annual dues and other fees, if any, as shall be specified from time to time by PCI SSC; and

(b) Compliance with these Rights, Obligations and Rules of Procedure, the PCI Participant Agreement, and such other rules and policies as PCI SSC may from time to time specify or communicate to PCI Participants in connection with their participation in PCI SSC.

2.   A PCI Participant’s relationship with PCI SSC may be terminated by PCI SSC for breach of these Rights, Obligations and Rules of Procedure, the PCI Participant Agreement, or such other rules or policies as may from time to time apply to PCI Participants, by notice to the Primary Contact identified by such PCI Participant when completing the PCI Participant registration form on the Website, as such contact may from time to time be updated by such PCI Participant. Such notice shall specify the reason for such termination, and such termination shall automatically become effective thirty (30) days from the date of such notice, unless the PCI Participant has cured such breach to the satisfaction of PCI SSC within such thirty (30) day period.

3.   No annual dues or other fees shall be refundable upon the resignation or termination of any PCI Participant, or upon the merger or other combination of PCI Participants.

4.   PCI Participants may not engage in any conduct deemed by PCI SSC to be unlawful, offensive, abusive, libelous, harassing, defamatory, vulgar, obscene, profane, hateful, fraudulent, sexually explicit or racially, ethnically, or otherwise objectionable in any manner. Upon request, each PCI Participant shall provide to PCI SSC additional information relating to the foregoing.

5.   All Entities that are PCI Participants within a Related Entity Group (defined below) shall be treated as one PCI Participant for purposes of voting on matters submitted to the PCI Participants or any subset or Class thereof. For purposes of these Rights, Obligations and Rules of Procedure, “Related Entity Group” means a group comprising each Entity that directly or indirectly controls, is controlled by, or is under common control with any other Entity; and the term “control” (and each derivative thereof) means the direct or indirect beneficial ownership of, right to exercise a majority of the voting power of, or power to direct the activities or operations of an Entity.

6.   Participation as a PCI Participant is not open to any Entity that is either (a) approved by PCI SSC to evaluate conformance to PCI SSC security standards (each a “Standards Assessor”), including but not limited to any Qualified Security Assessor (QSA) Company or Approved Scanning Vendor (ASV) Company, or (b) part of a Related Entity Group that includes a Standards Assessor, except as follows:

(a) An Entity that is not a Standards Assessor but is part of a Related Entity Group that contains one or more Standards Assessors may become a PCI Participant if such Entity (i) is a separate and independent Entity from such Standards Assessor(s) and there is no integration of business operations between such Entity or Unit and such Standards Assessor(s) and (ii) certifies the foregoing to PCI SSC’s satisfaction and maintains and agrees to maintain such independence at all times;

(b) A business division, department, unit or similar group (each a “Unit”) within an Entity that is a Standards Assessor may become a PCI Participant if (i) such Unit (the “PO Unit”) is separate and independent from each Unit within such Entity that performs any functions, including but not limited to decision-making, associated with performance of such Entity’s obligations as a Standards Assessor (each a “Standards Assessor Unit”), (ii) there is no integration of business operations between such PO Unit and such Standards Assessor Units and (iii) the PO Unit certifies the foregoing to PCI SSC’s satisfaction and maintains and agrees to maintain such independence at all times; and

(c) Notwithstanding the foregoing, no PCI Participant (Entity or PO Unit) may permit any Standards Assessor Unit or Standards Assessor within its Related Entity Group to send any representative to any PCI Participant meeting or exercise any other PCI Participant rights or privileges.

VII.   Other

These Rights, Obligations and Rules of Procedure may be amended at any time by PCI SSC without the consent of the PCI Participants, provided that no such amendment shall become effective less than thirty days from the date that such amendment is communicated to the PCI Participants, including by posting the amended terms on the Website.