Rights & Responsibilities
PCI SECURITY STANDARDS COUNCIL LLC
PARTICIPATING ORGANIZATION RIGHTS, OBLIGATIONS AND RULES OF PARTICIPATION
PCI Security Standards Council LLC (PCI SSC) Participating Organizations shall be entitled to the following rights, and by executing and submitting its application for acceptance by PCI SSC, each Participating Organization agrees to be bound by the following obligations and rules of participation.
I. Rights of Participating Organizations
Each Participating Organization, while in good standing, shall be entitled to:
1. Vote for Participating Organization representatives on the PCI SSC Board of Advisors. Elections shall be at such times and under such policies and procedures as shall from time to time be approved by the Board of Managers of PCI SSC.
2. Nominate a representative to stand for election to the PCI SSC Board of Advisors, pursuant to such policies and procedures as shall from time to time be approved by the Board of Managers of PCI SSC.
3. Comment on drafts of all revisions to the DSS specification, and on any new specifications, prior to public release.
4. Attend any annual Standards Community Meeting to be hosted by PCI SSC.
5. Publicly disclose its status as a PCI SSC Participating Organization.
6. Recommend new initiatives for consideration to PCI SSC.
7. Such other rights as may from time to time be approved and announced by PCI SSC.
II. Usage Rights
Each Participating Organization is subject to the following obligations, and grants the following permissions to PCI SSC:
1. PCI SSC may disclose and include the name of each Participating Organization in a public list of Participation Organizations. Such list may be displayed at the PCI SSC Website and in such other materials as PCI SSC may from time to time desire.
2. PCI SSC may display and include the logo of each Participating Organization in the manner provided above, subject to such Participating Organization’s usage guidelines
as may from time to time be publicly available.
III. Intellectual Property Rights
1. No Participating Organization shall have any obligation whatsoever to offer any suggestions, contributions or other input to the PCI SSC technical or other process regarding specifications or any other PCI SSC work product (collectively, “Specifications”). To the extent that any Participating Organization elects to make any suggestions, contributions or other input (collectively, “Contributions”), the following rules shall apply.
2. The copyright for all Specifications shall belong to PCI SSC.
3. Each Participating Organization making a Contribution (a “Contributor”) shall retain copyright ownership of its original Contribution, while at the same time granting PCI SSC a non-exclusive, irrevocable, worldwide, perpetual, sublicenseable royalty-free license under the Contributor’s copyrights in its Contribution to reproduce, distribute, publish, display, perform, and create derivative works of the Contribution based on that original Contribution for the purpose of developing draft and final Specifications under PCI SSC’s own copyright. PCI SSC shall be free to sublicense such copyrights to implementers of a Specification as may be necessary to fully implement a Specification.
4. By making a Contribution, each Contributor shall be representing and warranting that it is not aware that its Contribution violates any copyright, patent right, or other intellectual property right of any third party.
5. Neither Participating Organizations nor any other participants in PCI SSC activities will be expected to reveal trade secret information in the course of participation. PCI SSC will not be held responsible for the disclosure of any Participating Organization’s or other participant’s trade secrets, regardless of the circumstances. Except as otherwise agreed in writing, neither PCI SSC, any of the Participating Organizations, nor any other participant in any PCI SSC activity shall have any obligation, expressed or implied, to maintain the confidentiality of any information disclosed by any Participating Organization or other participant in any PCI SSC activity, and the identity of the Participating Organization disclosing such information may be incorporated into a draft or final Specification and distributed or published freely.
6. PCI SSC reserves the right to require that a Contributor enter into such Contribution form or other agreement as PCI SSC may from time to time use in connection with Contributions to more fully address any intellectual property rights that may be contained in, or infringed by, a Contribution.
IV. Rules of Participation
1. Continuing participation in PCI SSC as a Participating Organization is subject to:
(a) Timely payment of such annual dues and other fees, if any, as shall be specified from time to time by PCI SSC.
(b) Compliance with these Rights, Obligations and Rules of Procedure, and such other rules and policies as PCI SSC may from time to time communicate to Participating Organizations in connection with their participation in PCI SSC.
2. A Participating Organization’s relationship with PCI SSC may be terminated by PCI SSC for breach of these Rights, Obligations and Rules of Procedure, or such other rules or policies as may from time to time apply to Participating Organizations, by notice to the Business Contact specified by such Participating Organization as submitted in its Application, as from time to time updated by such Participating Organization. Such notice shall specify the reason for such termination, and such termination shall automatically become effective thirty days from the date of such notice, unless the Participating Organization has cured such breach to the satisfaction of PCI SSC within such thirty-day period.
3. No annual dues or other fees shall be refundable upon the resignation or termination of any Participating Organization, or upon the merger or other combination of Participating Organizations.
4. Participating Organizations may not engage in any conduct deemed by PCI SSC to be unlawful, offensive, abusive, libelous, harassing, defamatory, vulgar, obscene, profane, hateful, fraudulent, sexually explicit or racially, ethnically, or otherwise objectionable in any manner. Upon request, each Participating Organization shall provide to PCI SSC additional information relating to the foregoing.
5. Participating Organization membership is open to any legal entity, business unit, division, group or other affiliate of any of the foregoing, whether or not formally established (each an “Entity”); provided that:
(a) No Qualified Security Assessor, Approved Scanning Vendor or other Entity approved by PCI SSC to evaluate conformance to PCI SSC security standards (each a “Standards Assessor”) may become a Participating Organization;
(b) An Entity within a Related Entity Group (defined below) that contains one or more Standards Assessors may only become a Participating Organization if such Entity (i) is a separate and independent legal entity or business unit from such Standards Assessor(s) and there is no integration of business operations between such Entity and such Standards Assessor(s) and (ii) certifies the foregoing to PCI SSC’s satisfaction and maintains and agrees to maintain such independence at all times;
(c) No Participating Organization may permit any Standards Assessor within its Related Entity Group to send any representative to any Participating Organization meeting or exercise any other Participating Organization rights or privileges; and
(d) All Entities within a Related Entity Group shall be treated as one Participating Organization for purposes of voting on matters submitted to the Participating Organizations.
For purposes of the foregoing, “Related Entity Group” means a group comprising each Entity that directly or indirectly controls, is controlled by, or is under common control with any other Entity; and the term “control” (and each derivate thereof) means the direct or indirect beneficial ownership of, right to exercise a majority of the voting power of, or power to direct the activities or operations of an Entity.
These Rights, Obligations and Rules of Procedure may be amended at any time by PCI SSC without the consent of the Participating Organizations, provided that no such amendment shall become effective less than thirty days from the date that such amendment is communicated to the Participating Organizations.