PCI SSC Policies

Privacy Policy

Last Updated: 18 January 2023

Your privacy is important to us. Our goal is to provide you with a personalized online experience that provides you with the information, resources, and services that are most relevant and helpful to you.

This Privacy Policy (the “Privacy Policy”) has been written to describe the privacy-related terms and conditions under which PCI Security Standards Council (“PCI SSC”, “we”, “us” or “our”) makes its web sites, web pages, domains, portals, registries, mobile apps, other events and online resources, and corresponding materials (collectively, the “Web site”) available to you, including but not limited to resources used to provide or in connection with our online meetings, events and other services.

The Privacy Policy discusses, among other things, how data obtained in connection with your use of the Web site may be collected and used. We strongly recommend that you read the Privacy Policy carefully. By using the Web site, you agree to be bound by the terms of the Privacy Policy (including its appendices, which are hereby incorporated into the Privacy Policy). If you do not accept the terms of the Privacy Policy, you are directed to discontinue accessing or otherwise using the Web site. If you are dissatisfied with the Web site, please feel free to contact us at dataprivacy@pcisecuritystandards.org

The process of maintaining the Web site is an evolving one, and we may modify the terms of this Privacy Policy without notice. Your continued use of the Web site after such change indicates your assent to the modified terms as of the effective date of the change. The effective Privacy Policy will be posted on the Web site, and you should check upon every visit for any changes.

1. Sites and Resources Covered by this Privacy Policy

This Privacy Policy applies to all PCI SSC web sites, web pages, domains, portals, registries, mobile apps, and other online resources, including but not limited to resources used to provide or in connection with our online meetings and events.  Notwithstanding the foregoing, we may from time to time require users of specific web pages, portals, or resources to agree to corresponding additional terms and conditions (“Additional Terms”), and such Additional Terms shall govern to the extent necessary to resolve any express conflicts with this Privacy Policy.

2. Children’s Privacy

We are committed to protecting the privacy needs of children, and we encourage parents and guardians to take an active role in their children’s online activities and interests. We do not intentionally collect information from children under the age of 13, and do not target the Web site to children.

3. Links to Non-PCI Security Standards Council Web Sites

The Web site may provide links to third-party web sites or mobile apps for the convenience of our users. If you access those links or apps, you will leave our Web site. We do not control these third-party web sites and apps and cannot represent that their policies and practices will be consistent with this Privacy Policy. For example, other web sites or mobile apps may collect or use personal information about you in a manner different from that described in this document. Therefore, you should use other web sites and mobile apps with caution, and you do so at your own risk. We encourage you to review the privacy policy of any web site or mobile app before submitting personal information.

4. Types of Information We Collect

Non-Personal Information

Non-personal information is data about usage and service operation that is not directly associated with a specific personal identity. We may collect and analyze non-personal information to evaluate how users use the Web site.

Aggregate Information

We may gather aggregate information, which refers to information your computer automatically provides to us and which cannot be tied back to you as a specific individual. Examples include referral data (the web sites you visited just before our Web site), the pages viewed, and time spent at our Web site.  You may control the non-essential information we collect by utilizing the cookie control settings that appear when you first access the Web site, and that is accessible via controls visible on every page of our Web site.

Logs

Every time you request or download a file from the Web site, we may store data about these events and your IP address in a log. We may use this information to analyze trends, administer the Web site, track users’ movements, and gather broad demographic information for aggregate use or for other business purposes.

Cookies

Our Web site may use a feature of your browser to set a “cookie” on your computer. Cookies are small packets of information that a Web site’s computer stores on your computer. The Web site can then read the cookies whenever you visit. We may use cookies in a number of ways, such as to save information so you don’t have to re-enter it each time you visit our site, to deliver content specific to your interests and to track the pages you’ve visited. These cookies allow us to use the information we collect to customize your Web site experience so that your visit to our site is as relevant and as valuable to you as possible.

For additional information regarding cookies and how we use them, please review our Cookie Notice at Appendix A hereto.

Personal Data

“Personal Data” is information that is associated with your personal identity and may include your name or other personal information that can be used to uniquely identify you as an individual. In general, we use Personal Data to better understand your needs and interests and to provide you with better service. The specific uses for Personal Data that we collect are described when or on the pages where such data is collected.  The types of Personal Data you provide to us through the Web site may include name, address, phone number, email address, user IDs, passwords, IP address, and billing information.  Providing this information may be required or requested in order to enable you to request and/or download information or materials, subscribe to mailing lists, participate in corresponding online or in person discussions or events, collaborate on documents, provide feedback, submit information into registries, register for or participate in programs, meetings or events, apply for participation or membership, or join technical committees, working groups or initiatives.  We collect this information so we can contact you or send you requested materials (such as with requested documents or subscriptions to mailing lists), enable participation in corresponding events and activities, and to identify you to us or others (such as in applications to register for or participate in meetings or events or join committees, to participate in programs or online discussions, or to download materials from the Website and execute corresponding licenses), and to bill you for requested services or materials. You may always elect not to provide your Personal Data to us, but that will limit your ability to participate in these activities or benefit from these services. 

Personal Data will not be kept for longer than is necessary for the purpose (s) for which it was collected, and in general, we will retain Personal Data for a period of 3 years, or if you have any qualification or contractual relationship with us, for a period of 3 years after cessation of that qualification or relationship.  In some cases it is not possible for us to specify in advance the periods for which your Personal Data will be retained. Notwithstanding this, we may retain, process and use your Personal Data where such is necessary for compliance with a legal or contractual obligation to which we are subject, in order to protect your vital interests or the vital interests of another person, or for other applicable legitimate interests.

5. Restricted Web Sites and Portals

Information you provide in connection with applying for participation or membership may be used to create a corresponding participant or member profile, or enable participation in corresponding activities, and may be shared with other PCI SSC member or participant representatives and organizations. Such information may be provided to other participants or members securely to encourage and facilitate collaboration, online discussion, research, and the free exchange of information. PCI SSC participants and members automatically are added to applicable PCI SSC mailing lists. From time to time, participant and member information may be shared with event organizers and/or other organizations that provide additional benefits to our participants or members. When you provide us with your personal information in connection with events PCI SSC is organizing or hosting, we use that data to comply with our contractual obligations to event organizers and other parties in connection with those events. Where appropriate, we also expressly obtain your consent at the time of its collection.

6. Meetings and Events

Information you provide in connection with events or initiatives or registering for events or initiatives, such as our Community Meetings, Town Halls, Work Groups, Task Forces, Special Interest Groups, requests for comments, and similar events and initiatives, whether held in person or online, may include name, email address, company name, and company type.  This information is used to comply with our contractual obligations to the event or initiative organizers or operators and other parties in connection with those events and initiatives, including to operate such events and facilitate your participation, and may be used and shared with our contractors or other event participants for such purpose and as described under “Restricted Web Sites and Portals” above.  Additionally, at the time you provide us with such information, we will where appropriate request your consent to our storing, processing, distributing, and use of such data for the purposes for which it is being provided.  In connection with such events, we may also request additional information such as address, company affiliate, number of company employees, and other company information, which may be used for marketing purposes, and may be distributed to event sponsors. Consent to such use of such additional information is requested at the time the information is collected.  All information collected in connection with such events is retained in accordance with the applicable provisions of this Privacy Policy.

7. Company Information

Company information is information that is associated with the name and address of our participant, member and other stakeholder or user organizations and may include data about usage and service operation. The primary representative of any such organization may request limited usage reports to gauge the extent of their employees’ involvement in our activities. You should be aware that information regarding your participation in technical committees, working groups, and online discussions and events, for example, may be made available to your company’s primary representative and to PCI SSC staff members.

8. How We Use Your Information

We may use non-personal data that is aggregated for reporting about the Web site activity, usability, performance, effectiveness, or participation. It may be used to improve the experience, usability, and content of the Web site or future activities.

We may use personal information to offer or provide services that support our activities or those of our participants, members, stakeholders or other users, and their collaboration with us, or to provide you with electronic newsletters, announcements, surveys or other information. When accessing restricted PCI SSC Web pages, portals or activities, your personal user information may be used or tracked in order to support collaboration, ensure authorized access, and enable communication among participants or members.

9. Information Sharing

We do not sell, rent, or lease any individual’s personal information or lists of email addresses to any third parties for marketing purposes, and we take commercially reasonable steps to maintain the security of this information. We will not do any of the foregoing in the future without providing you with notice and an opportunity to opt-out or opt-in, as required by law.  Similarly, we do not offer financial incentives associated with our collection, use, or disclosure of your personal information.  However, we reserve the right to supply any such information to any organization into which PCI SSC may merge in the future or to which it may make any transfer in order to enable a third party to continue part or all of our mission or activities. We also reserve the right to release personal information to protect our systems or business, if we reasonably believe you to be in violation of applicable terms of use, or if we reasonably believe you to have initiated or participated in any illegal activity. In addition, please be aware that in certain circumstances, we may be obligated to release your personal information pursuant to judicial or other government subpoenas, warrants, or other orders.

In keeping with our open process, we may maintain publicly accessible archives for the vast majority of our activities. For example, posting an email message to any PCI SSC-hosted mail list or discussion forum, providing request for comment feedback, or registering for one of our public or other meetings may result in your personal information becoming part of corresponding publicly accessible archives.

If you are a PCI Security Standards Council participant or member, you should be aware that some items of your personal information may be visible to other such participants and members, and to the public. Our participant and member databases may retain information about your name, email address, company affiliation and such other personal address, identifying data, and any previously-supplied such data, as you choose to supply. That data may be generally visible to other such participants or members, and to the public. Your name, email address, and other information you may supply also may be included in publicly accessible records of our various committees, working groups, online events and discussions, and similar activities that you join, in various places, including: (i) the permanently-posted attendance and other records of those activities; (ii) documents generated by the activity, which may be permanently archived; and, (iii) along with message content, in the permanent archives of our email lists, which also may be public.
Please remember that any information (including personal information) that you disclose in public areas of the Web site or in connection with public or broad participation activities, such as forums (in person or online), message boards, news groups, and other activities, may become publicly or broadly available information that others may collect, circulate, and use. Because we cannot and do not control the acts of others, you should exercise caution when deciding to disclose information about yourself or others in forums or other activities such as these.

Given the international scope of the PCI Security Standards Council, personal information may be visible to persons outside your country of residence, including to persons in countries that your own country’s privacy laws and regulations deem deficient in ensuring an adequate level of protection for such information. If you are unsure whether this Privacy Policy is in conflict with applicable local rules, you should not submit your information.

Your Personal Data will never be used for direct marketing purposes, although we may contact you to follow up on a request you made for information about a service, event or activity we provide.

If you do not want your personal information collected and used by the PCI Security Standards Council, please do not visit or use our Web site, apply for participant or member status, or engage in PCI SSC activities

10. Access to and Accuracy of Information

We are committed to keeping the personal information of our participating and member organizations and other Web site users accurate. All the information you have submitted to us can be verified, changed and deleted (consistent with legal data retention requirements). In order to do this, please email us a request at dataprivacy@pcisecuritystandards.orgWe may provide participants, members and/or others with online access to their own personal profiles, enabling them to update or delete information at any time. To protect your privacy and security, we also may take reasonable steps to verify identity, such as requiring a user ID and password, before access to modify personal profile data. Certain areas of the Web site may limit access to specific individuals through the use of passwords or other personal identifiers; a password prompt is your indication that a restricted resource is being accessed.

11. Security

We use a variety of means to protect personal information provided by users of the Web site, including using firewalls and other security measures on its servers. No server, however, is 100% secure, and you should take this into account when submitting personal or confidential information about yourself or others on the Web site or elsewhere. Much of the personal information we collect is used in conjunction with participation and/or member-level services such as collaboration and discussion, so some types of personal information such as your name, company affiliation, and email address will be visible to other PCI Security Standards Council participants or members, and to the public. We assume no liability for the interception, alteration, use or misuse of the information you provide. You alone are responsible for maintaining the secrecy of your personal information. Please use care when you access the Web site and otherwise provide personal information.

12. Opting Out

From time to time we may email you electronic newsletters, announcements, surveys or other information. If you prefer not to receive any or all of these communications, you may opt out by following the directions provided within the electronic newsletters and announcements.

13. California Privacy Rights

Under the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights and Enforcement Act (“CPRA”), and other California privacy laws, California residents have certain rights relating to collection, use, and sharing of their personal information for companies that meet applicable requirements.  For example, if you are a resident of California, you have the right to request to know what personal information we have collected about you, and to access that information. You also have the right to request deletion of your personal information, though exceptions under the law may allow us to retain and use certain personal information notwithstanding your deletion request.  For additional information regarding such rights and laws, please review our Privacy Notice for California Residents at Appendix B hereto.

14. Data Privacy Laws

Depending on the state, country or region where you are located or reside (your “Jurisdiction”), you may have certain rights under the General Data Protection Regulation (“GDPR”) or other laws of your Jurisdiction relating to the privacy and protection of Personal Data, in addition to those described in this Privacy Policy.  Personal Data you provide on or through the Web site or otherwise in connection with our activities is only collected with your consent or to comply with our contractual obligations, and may be transmitted outside of the your Jurisdiction to the PCI Security Standards Council (or computer servers maintained for the benefit of the PCI Security Standards Council) pursuant to that consent.

In general, under the GDPR, if you live in the European Economic Area (“EEA”), or the United Kingdom, you may:

  • request access to your Personal Data
  • have incomplete or incorrect Personal Data corrected
  • have your Personal Data deleted
  • suspend or restrict our use of your Personal Data, or withdraw your consent, and if that request is not respected, then to object
  • request a copy of your Personal Data
  • complain to a supervisory authority if you believe your rights under the GDPR are not being respected
  • request to refuse automated decision-making of your personal data to make decisions about you, if such decision-making significantly affects you or produces legal effects

Should you request a copy of your Personal Data, we will provide you a copy. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.  Should you request the deletion of your Personal Data, PCI Security Standards Council will generally do so as soon as practicable, although your right to have your Personal Data deleted is subject to exceptions, such as, for example, compliance with a legal obligation or for the establishment, exercise or defense of legal claims. 

If you consider that our processing of your Personal Data infringes applicable data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the UK or EEA member state of your habitual residence, your place of work or the place of the alleged infringement.

You should note that our servers are located in the United States, which is deemed by the European Union to have inadequate data protection.  Accordingly, when you provide information to us through the Web site, you are providing that information to us in the United States.  You should also note that, if you are in a country outside the United States (including but not limited to in the UK or EEA), your Personal Data may be transferred to and/or collected, stored, processed, and/or used outside of your country, including in the United States.  By way of example, this may happen if Personal Data of an individual in the UK or EEA is transferred to our servers located in the United States or in another country outside of the UK or EEA. Such countries may not have similar data protection laws to the UK or EEA or your country. If we transfer your information outside of the UK or EEA in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy, including the following:

  • Data sent to our Website or Portal is protected by TLS and strong cryptographic algorithms when transmitted across open, public networks;
  • Data at rest on our Website or Portal is protected by full disk encryption and strong access controls. In addition, sensitive customer files uploaded to our portal are separately encrypted using unique encryption keys per file. All encryption keys use strong cryptography and are protected using role-based access controls;
  • We run vulnerability scans against our infrastructure (including our Website and Portal), at a minimum at least quarterly and after any significant change;
  • We conduct penetration tests against our infrastructure (including our Website and Portal),  at least annually and after any significant change.

15. Contacting Us

If you have any questions or concerns regarding this policy or your Personal Data, or wish to exercise any of the above rights, please contact the PCI Security Standards Council through its Data Protection Program at:

Toll Free Phone #:
Email:
Postal Address:

1-888-241-3525
dataprivacy@pcisecuritystandards.org
PCI Security Standards Council
401 Edgewater Place
Suite 600
Wakefield, MA USA 01880
Attn: Director, Technology, Infrastructure, & Privacy

Appendix A and B follow.

Appendix A

COOKIE NOTICE

This cookie notice provides you with information about how we use “cookies”, or, similar technologies, in connection with our Web site, other online resources, and each element of the foregoing (each, a “Service”), to enable us to understand how you interact with the Services, improve your experience, and allow you to use certain related features.  This notice also provides information about how third parties may use such technologies in association with the operation of our Services.

1. About this Cookie Notice

This cookie notice applies when you use any of our Services and may be supplemented by additional cookie notices or terms provided on certain areas of the Services or during our interactions with you.

2. Use of Cookies

Cookies are small pieces of data (text files) that are placed on your computer or device by websites that you visit or applications you use. Cookies are widely used in order to make websites and applications work, or work more efficiently, and help them remember certain information about you, either for the duration of your visit (using a “session” cookie) or for repeat visits (using a “persistent” cookie).

Below provides an overview of the first party and third-party cookies we use within our Services, and the purposes for which we use them.  First party cookies are cookies that our website asks your browser to store on your device when you visit, in order to remember information about you, such as your language preference or login information. Third-party cookies are cookies from a domain different than the domain of the website you are visiting, and are used for managing login information, managing cookie preferences, as well as our advertising and marketing efforts. We provide controls to allow you to manage our cookie usage on our Web site.
We classify cookies in the categories noted in section 3 below.

3. The categories of cookies used on this website are as follows:

  • Essential / Strictly Necessary cookies: These cookies do not store any personally identifiable information. However, they are necessary for the Service to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but without these cookies, some or all of the services you have asked for may not function properly.
  • Performance cookies: These are analytics and research cookies that allow us to count visits and measure traffic, so we can measure and improve the performance of our Services. They also help us to know which pages are the most and least popular, and see how visitors move around the site or application. This helps us to improve the way our Services work and improve user experience. All information collected through these cookies will be processed in an aggregated and anonymous form. You can disable these cookies using the controls provided to you. Blocking these cookies will not affect the service provided you.
  • Functionality cookies: These cookies allow our Services to provide enhanced functionality and personalization such as remembering the choices you make and your account preferences and to provide enhanced, more personal features. These cookies may be set by us or by third-party providers whose services we have added to our pages. You can disable these cookies, but without them, some or all of the services you have asked for may not function fully.
  • Targeting Cookies: These files or code may be included, either directly or from our advertising partners, social media functions, on our website, in our emails, or, mobile applications to record how you interact with us, to help us better analyze and improve our services to you, and will use this information to make the website, and, any advertising displayed to you more relevant to your interests. You can disable these cookies. Blocking these cookies will not affect the service provided you, but may limit the targeted advertising that you will see, or limit our ability to tailor the website experience to your needs.

Specific cookies that we currently use in connection with the Services are listed at the end of this cookie notice.

4. How to refuse the use of cookies

You can manage each cookie category (except essential / strictly necessary cookies) when using the PCI SSC website (www.pcisecuritystandards.org), by clicking on the cookie control icon in the bottom left of our homepage.

You can also prevent your browser from accepting certain cookies, have the browser require your consent before a new cookie is placed in your browser, or block cookies altogether by selecting the appropriate settings on your browser privacy preferences menu.

5. Changes

We may update this cookie notice from time to time. Any changes will be posted on this page with an updated revision date.

6. Contact

For more information on our collection and use of personal information, including details regarding your rights or contact details, please refer to our Privacy Policy.

If you have any questions or concerns regarding this cookie notice, please contact us through our Data Protection Program at:

Toll Free Phone #:
Email:
Postal Address:

1-888-241-3525
dataprivacy@pcisecuritystandards.org
PCI Security Standards Council
401 Edgewater Place
Suite 600
Wakefield, MA USA 01880
Attn: Director, Technology, Infrastructure, & Privacy

Where it applies, you may also lodge a complaint with the data protection authority in the applicable jurisdiction.

 

COOKIE LIST
Essential / Strictly Necessary Cookies
www.pcisecuritystandards.org

  • PHPSESSID: Session cookie

programs.pcissc.org

  • ASP.NET_SessionId: Session Cookie
  • pciAdmin: Session Cookie
  • AWSALB: AWS Load Balancer cookie
  • AWSALBCORS: AWS Load Balancer cookie

Functional Cookies
www.pcisecuritystandards.org

  • cookiecontrol: tracks acceptance/rejection of privacy notice and usage of targeting cookies
  • notification_bar: tracks closing the notification bar

programs.pcissc.org

  • session-timeout-cookie: tracks session timeout

auth.pcissc.org

  • auth0: Used to implement the Auth0 Single Sign-on session layer.
  • auth0_compat: Fallback cookie for single sign-on on browsers that don’t support the sameSite=None attribute.
  • auth0-mf: Used to establish the trust level for a given device.
  • auth0-mf_compat: Fallback cookie for multi-factor authentication on browsers that don’t support the sameSite=None attribute.
  • a0_users:sess: Used for CSRF protection in Classic Universal Login flows.
  • a0_users:sess.sig: Used for CSRF protection in Classic Universal Login flows.
  • did: Device identification for attack protection.
  • did_compat: Fallback cookie for anomaly detection on browsers that don’t support the sameSite=None attribute.

Targeting Cookies
www.pcisecuritystandards.org

  • _ga = Google Analytics, only if targeting cookies accepted
  • _gid = Google Analytics, only if targeting cookies accepted
  • _parsely_visitor, only if targeting cookies accepted
  • _parsely_session, only if targeting cookies accepted

DATE: 20 January 2023

Appendix B

PRIVACY SUPPLEMENT FOR CALIFORNIA RESIDENTS

This PRIVACY SUPPLEMENT FOR CALIFORNIA RESIDENTS (the “Privacy Notice”) supplements the information contained in our Privacy Policy and applies solely to visitors and others who reside in the State of California (“users” or “you”). We adopt this notice in connection with the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights and Enforcement Act (“CPRA”),  and other California privacy laws.  Any terms defined in the those laws have the same meaning when used in this notice.

Information We Collect

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or device (“Personal Information”). In particular, we have collected the following categories of Personal Information from users within the last 12 months:

Category

Examples

Collected

A. Identifiers.

A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.

YES

B. Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).

A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Information included in this category may overlap with other categories.

YES

C. Protected classification characteristics under California or federal law.

Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).

YES

D. Commercial information.

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

YES

E. Biometric information.

Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.

NO

F. Internet or other similar network activity.

Browsing history, search history, information on a user’s interaction with a website, application, or advertisement.

YES

G. Geolocation data.

Physical location or movements.

NO

H. Sensory data.

Audio, electronic, visual, thermal, olfactory, or similar information.

NO

I. Professional or employment-related information.

Current or past job history or performance evaluations.

YES

J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

YES

K. Inferences drawn from other Personal Information.

Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

NO

Personal Information does not include:

  • Publicly available information from government records.
  • De-identified or aggregated user information.
  • Information excluded from the CCPA’s and CPRA’s scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

We obtain the categories of Personal Information listed above from the following categories of sources:

  • Directly from our visitors, participants, members, assessors, labs and others involved in our activities, our programs, or accessing our website (“Stakeholders”). For example, from documents provided to us related to the programs and other services we provide to Stakeholders (“Services”).
  • Indirectly from our representatives or their agents. For example, through information our agents collect from Stakeholders in the course of providing Services.
  • Directly and indirectly from activity or events on our website (www.pcisecuritystandards.org) or through our other online resources. For example, from submissions through our website portal, website usage details collected automatically, or participation in online events.
  • From third-parties that interact with us in connection with our Services. For example, from business partners who work with our Stakeholders to facilitate our Services.

Use of Personal Information

We may use or disclose the Personal Information we collect for one or more of the following business purposes (collectively, the “Business Purposes”):

  • To fulfill or provide the Services for which the information is provided. For example, we will use contact information (name, phone number, email and address) provided by a Qualified Security Assessor to communicate with their contact personnel in connection with corresponding program activity and participation.
  • To provide you with information, products or Services that you request from us.
  • To provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, that may be of interest to you.
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections.
  • To improve our website and present its contents to you.
  • For testing, research, analysis and Services development.
  • As necessary or appropriate to protect the rights, property or safety of us, our Stakeholders or others.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your Personal Information or as otherwise set forth in the CCPA or CPRA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us is among the assets transferred.
  • As otherwise specified in the Privacy Policy.

We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

We may disclose your Personal Information to a third party for a business purpose.  When we disclose Personal Information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract.

In the preceding 12 months, we have disclosed the following categories of Personal Information for a business purpose:

Category A:    Identifiers.
Category B:     Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
Category C:     Protected classification characteristics under California or federal law.
Category D:    Commercial information.
Category F:     Internet or other similar network activity.
Category I:      Professional or employment-related information.
Category J:      Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

We disclose your Personal Information for one or more of the Business Purposes to the following categories of third parties (collectively, “Specified Third-Parties”):

  • Our affiliates and business partners.
  • Service providers.
  • Third parties to whom you or your agents authorize us to disclose your Personal Information in connection with products or services we provide to you.

In the preceding 12 months, we have not sold or shared any Personal Information, other than with the Specified Third-Parties for the Business Purposes.

Your Rights and Choices 

The law provides users (California residents) with specific rights regarding their Personal Information. This section describes your CCPA and CPRA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your Personal Information. Once we receive and confirm your verifiable user request, we will disclose to you:

  • The categories of Personal Information we collected about you.
  • The categories of sources for the Personal Information we collected about you.
  • Our business or commercial purpose for collecting or selling that Personal Information.
  • The categories of third parties with whom we share that Personal Information.
  • The specific pieces of Personal Information we collected about you (also called a data portability request).
  • If we sold or disclosed your Personal Information for a business purpose, two separate lists disclosing:
    • sales, identifying the Personal Information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained.
  • You may request that the foregoing information be provided to you or a third party you designate in a structured, commonly used, machine-readable format, to the extent technically feasible.

Deletion Request and Opt-out Rights 

You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable user request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

You also have the right to request that we not share, disclose, disseminate, make available or otherwise transfer your Personal Information with third parties for advertising or similar purposes.

We may deny your request if retaining the information is necessary for us or our service providers to:

  1. Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  3. Debug products to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another user to exercise their free speech rights, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  7. Enable solely internal uses that are reasonably aligned with user expectations based on your relationship with us.
  8. Comply with a legal obligation.
  9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Right to Correct Information

You have the right to request that we correct inaccurate Personal Information about you, by identifying the erroneous information and providing corrected information

Right to Limit Use and Disclosure of Sensitive Personal Information

You have the right to limit the use and disclosure of “Sensitive Personal Information” (which includes PINS, social security, driver’s license, passport, or state ID card numbers. account or debit or credit card numbers combined with passwords or codes that would enable access to the accounts, exact geolocation information, information regarding racial origin, religious beliefs, or union membership, your email or text content (unless intentionally sent to us), and genetic data) to only those situations where it is necessary for us to provide requested products or services to you, and requires us to inform you before such data is used for any other reason.

Automatic Decision Making

You have the right to request information about the logic involved in automatic decision making processes we use involving your Personal Information, and to request that you not be subject to such automated decision making.

Exercising Your Personal Information Rights

To exercise the rights described above, please submit a verifiable user request to us by contacting us as described under “Contact Information” below.

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable user request related to your Personal Information. You may also make a verifiable user request on behalf of your minor child.

You may only make a verifiable user request for access or data portability twice within a 12-month period. The verifiable user request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.  Making a verifiable user request does not require you to create an account with us.  We will only use Personal Information provided in a verifiable user request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable user request within 45 days of its receipt.  If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.  If you have an account with us, we will deliver our written response to that account.  If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.  Any disclosures we provide will only cover the 12-month period preceding the verifiable user request’s receipt.  The response we provide will also explain the reasons we cannot comply with a request, if applicable.  For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable user request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Separate from the CCPA and CPRA, California’s Shine the Light law gives California residents the right to ask companies what Personal Information they share with third parties for those third parties’ direct marketing purposes. We do not disclose your Personal Information to third parties for the purpose of directly marketing their goods or services to you unless you request such disclosure.  Also, California Civil Code Section 1798.83 permits customers who are California residents and who have provided us with “personal information” (as that term is defined in Section 1798.83) to request certain information about the disclosure of that information to third parties for their direct marketing purposes. If you are a California resident with questions regarding the above, please contact us in the manner set forth under the heading “Contacting Us” in the Privacy Policy.

Non-Discrimination

We will not discriminate against you for exercising any of your data rights. Unless permitted by law, we will not, as a result of your exercising any of these rights:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Changes to Our Privacy Notice

We reserve the right to amend this Privacy Notice at our discretion at any time. When we make changes to this Privacy Notice, we will notify you through a notice on our website homepage, or by posting updated terms.

Contact Information

If you have any questions or comments about this Privacy Notice, our Privacy Policy, the ways in which we collect and use your Personal Information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Toll Free Phone #:
Email:
Postal Address:

1-888-241-3525
dataprivacy@pcisecuritystandards.org
PCI Security Standards Council
401 Edgewater Place
Suite 600
Wakefield, MA USA 01880
Attn: Director, Technology, Infrastructure, & Privacy

DATE: 20 January 2023

 

PCI SSC Antitrust Policy

Last Updated: 18 January 2023

It is the express policy of the PCI Security Standards Council (“PCI SSC”) to require that all of its meetings, activities, and other forms of participation (“PCI SSC Activities”) be conducted strictly in accordance with U.S. federal and state antitrust laws, and with all applicable foreign antitrust and competition laws (collectively, “Antitrust Laws”).  Because Antitrust Laws are complex and differ across jurisdictions, it is not possible to summarize them in this policy, and it is important to consult appropriate legal advisors at your own company for detailed guidance.

The following rules shall apply in connection with all PCI SSC Activities:

1.  Agendas must be created, and minutes must be taken, for all PCI SSC meetings.  These agendas and minutes must then be submitted to PCI SSC, along with any meeting materials.

2.  Antitrust Statements.  A statement regarding antitrust laws and compliance should be presented at the beginning of applicable PCI SSC Activities.

3.  Certain topics should never be discussed at, or in connection with, any PCI SSC Activity, nor should any participant in PCI SSC Activities (each an “Activity Participant”) ever form an agreement with any other competitor in connection with these topics.  In particular, DO NOT, at any time, agree upon or discuss with any competitor any of the following:

  • Current or future prices, methods of determining or implementing prices, or strategies relating to pricing
  • Price or cost related information (e.g., price changes, quotations, policies, levels, differentials, markups, discounts, or allowances, delivery charges, credit or warranty policies, or other conditions of sale)
  • Output, capacity, inventory levels
  • Current or future business plans, strategies, innovations
  • Compensation and benefits of employees
  • Current or future sales conditions or volumes
  • Levels of investment or development, changes to such levels, or related strategies
  • Current or future design or marketing strategies
  • Customer and competitor details such as names, type, importance
  • How much or little an Activity Participant is capable of producing or will sell of any product or service
  • Whether an Activity Participant has submitted a bid, or will or will not bid, in any given situation
  • Where any Activity Participant will or will not sell any product or service
  • Whether any Activity Participant will or will not deal with any third party
  • The terms upon which an Activity Participant will make any intellectual property rights available, except to the extent permitted or required under the PCI SSC IPR Policy

If you become aware of any activity that may be in violation of any of the above rules, please bring them promptly to the attention of a PCI SSC representative.

For more information regarding Antitrust Laws, please see the PCI SSC Antitrust Compliance Guidelines.

PCI SSC Antitrust Compliance Guidelines

These guidelines are provided by the PCI Security Standards Council, LLC (“PCI SSC”) and are intended for annual distribution to all participants in PCI SSC meetings, activities and other forms of PCI SSC participation (“Activity Participants”), including without limitation, all PCI Participants, and all participants in PCI SSC’s Executive Committee, other Committees, Board of Advisors, Working Groups, Special Interest Groups and Task Forces.

It is the policy of PCI SSC to require that all PCI SSC meetings, activities and other forms of participation (“PCI SSC Activities”) be conducted in accordance with U.S. federal and state antitrust laws, and with applicable foreign antitrust and competition laws. While the existence of organizations such as PCI SSC is recognized by antitrust regulators as being beneficial to industry and consumers alike, there are activities which are not permissible for Activity Participants to engage in, and which are not endorsed or authorized by PCI SSC. The objective of these guidelines is to enhance Activity Participant awareness of inappropriate conduct.

These Antitrust Compliance Guidelines (the “Guidelines”) are intended to help familiarize you with areas of U.S. law that you should know about in order to maintain compliance with U.S. antitrust laws. However, these Guidelines provide a general guide only; they are not intended to be a complete or definitive statement of all aspects of U.S. antitrust law, nor does it advise you with respect to the antitrust laws of other countries, which on a country-by-country basis can vary significantly. Although PCI SSC Activities are subject to the antitrust laws of all countries where PCI SSC may be active, a worldwide review of international antitrust laws is beyond the scope of these Guidelines. For this reason, these Guidelines should be viewed as being not only selective with respect to U.S. law, but also as an unreliable and inadequate guide to antitrust issues in any other country. Each Activity Participant must make its own decisions how and where it adopts and supports PCI SSC standards around the world. These decisions may lead to different risks, and therefore to different precautions and practices being appropriate to consider from Activity Participant to Activity Participant.

For these reasons, each Activity Participant should seek advice from its own antitrust counsel and consult with that counsel as necessary or appropriate in connection with participation in PCI SSC Activities. Any specific question relating to antitrust compliance not addressed in these Guidelines should be referred to legal counsel for PCI SSC or to the Activity Participant’s antitrust counsel. An Activity Participant’s failure to consult with antitrust counsel may be injurious to the Activity Participant and/or to PCI SSC. For additional information on the applicability of antitrust laws to trade association activities, please see the Laws, Cases and Regulations section of ConsortiumInfo.org, a consortium information website created by our legal counsel, Gesmer Updegrove LLP, which prepared these Guidelines.

I. The Antitrust Laws

Broadly stated, the basic objective of the U.S. antitrust laws is to preserve and promote competition and the free enterprise system. These U.S. laws are premised on the assumption that private enterprise and free competition are the most efficient ways to allocate resources, to produce goods at the lowest possible price and to assure the production of high-quality products. These U.S. laws generally require that business people make independent business decisions without consultation or agreement with competitors. The success of PCI SSC requires that free and open competition be adhered to as the policy of PCI SSC and that this policy be followed by all Activity Participants.

PCI SSC’s insistence upon full compliance with the antitrust laws is based not solely on the desire to stay within the bounds of the law, but also on PCI SSC’s conviction that the preservation of a free, competitive marketplace is essential to the welfare of the industry and PCI SSC.

(a) Antitrust Laws Applicable to Activities of Associations

The U.S. antitrust statutes of principal concern to companies and individuals that take part in trade association activities are Section 1 of the Sherman Act and Section 5 of the Federal Trade Commission (“FTC”) Act. These laws make illegal all contracts, combinations, and conspiracies which are deemed to be in restraint of trade.

Broadly speaking, the courts have interpreted these laws as prohibiting those agreements, contracts and combinations that have the effect of unreasonably restraining trade. With some exceptions, a court considering an antitrust claim will examine all the facts and circumstances surrounding the conduct in question in order to ascertain whether the contract or combination is in violation of the law by restraining trade unreasonably.

Some activities are, however, regarded as unreasonable by their very nature and are, therefore, considered illegal “per se,” meaning that they are illegal regardless of any rationale or mitigating factors asserted by the actors. Companies and individuals are conclusively presumed to engage in these activities for no other purpose than to restrain trade. Practices within the per se category include agreements among competitors to fix prices, agreements to boycott competitors, suppliers or customers; agreements to rig bids; agreements among competitors to allocate markets or limit production; and certain tie-in sales. A tie-in sale is one in which the customer is required to purchase an additional item in order to purchase the product or service desired.

The legality of activities of PCI SSC and its Activity Participants under the antitrust laws will be determined by the application of standards no different from those used to determine the legality of the activities of other groups of persons or firms.

(b) Penalties for Violations

The U.S. antitrust laws are enforced at the Federal level by the Antitrust Division of the Department of Justice and the Bureau of Competition of the Federal Trade Commission.

A criminal conviction for an antitrust law violation may result in stiff fines for PCI SSC and its Activity Participants, jail sentences for individuals (including an individual acting in his or her capacity as a corporate employee or officer) who participated in the violation, and a court order disbanding PCI SSC or severely limiting its activities. In the past, several foreign nationals have been sentenced to serve jail time in the U.S., and corporations convicted of such a criminal offense have been fined hundreds of millions of dollars.
In addition, private persons or firms may sue for damages under the Federal laws and a company found liable may be required to pay up to three times the actual damages suffered by the plaintiff, as well as all of the plaintiff’s costs of litigation and attorneys’ fees.
Finally, State court actions may be brought by U.S. State attorneys-general or injured parties.

II. Detailed Discussion

(a) Standard Setting Activities

1.  Generally

Standard setting is recognized as being potentially “pro-competitive” in the U.S.  Nevertheless, great care must be taken in the setting of standards. When participants of a standards setting body submit or vote on technology or specifications, there is the potential for one company, or a group of companies, to act in ways deemed to be unfair to other companies.  

In the last several years, additional lawsuits have been brought by private parties, and enforcement actions and investigations have been brought by regulators in the United States and in Europe, that have been based upon standards-development behavior. Several of these cases, actions and investigations have focused on the behavior of individual companies, and on whether standards development participants have honored the licensing obligations that they, or prior owners of patents, have made to standards development organizations.

In light of the foregoing, it is important that standard setting, and other collaborative activities be conducted under close legal supervision, and that policies and procedures created to administer such processes be scrutinized to ensure that they do not lend themselves to situations which could result in antitrust exposure. This is the policy of PCI SSC.

2. Specific Standard Setting Activities

There are a variety of activities that are commonly conducted within standards development organizations that have acknowledged pro-competitive benefits, but which must be conducted in an appropriate fashion to avoid inadvertent violations of law. They include:

  • Disclosures of patent claims and the making of licensing commitments: This common activity must be conducted within well-acknowledged and easily followed guidelines that preclude, for example, the negotiation of the prices upon which patents will be licensed, but require that such licenses will be available on “reasonable and non-discriminatory terms. “Creation and management of product and service certification programs to demonstrate conformity to standards: Activity Participants should not discuss whether and how to enforce, or incentivize, compliance with a standard or whether exceptions will be granted. To the extent, Activity Participants independently choose to comply with a standard, certification programs must be available to all, and conducted in a non-discriminatory fashion.
  • Participation by trade association members and rules relating to the expulsion of participants for cause: Participation must be available to all that qualify under objective standards on a non-discriminatory basis and any rules relating to expulsion or rejection of membership renewals must be reasonable and applied in a non-discriminatory fashion. PCI SSC has agreed to permit participation based on the applicable objective criteria for each category of Activity Participant (e.g. Founding Member, Strategic Member, Affiliate Member, or PCI Participant), and applies these criteria on a non-discriminatory basis.
  • Honoring licensing obligations under IPR Policies: Activity Participants may only assert patent infringement with respect to technology approved or adopted by the organization in accordance with a participant’s obligation under the organization’s policies, and/or the participant’s disclosures and statements during the development process.
  • Joint purchasing: Joint purchasing activities by or with members may be acceptable but should be reviewed in advance by counsel.

The Executive Committee will consult with legal counsel to ensure that the proper guidelines are followed with respect to each of the above areas.

(b) Antitrust Problem Areas

From a practical standpoint, Activity Participants should take care to avoid the following principal antitrust problem areas:

1. Price-Fixing

Experience shows that trade association participants may be susceptible to violations of price-fixing prohibitions of the Sherman Act, and for this reason, the government is focused on the activities of these types of entities. Price fixing, as noted above, is illegal per se.

Trade association meetings (including committee meetings) may be considered by enforcement agencies as convenient places for price-fixing discussions. Whenever competitors get together, it is natural for them to discuss common problems, and, unless care is taken, the discussion could turn to price. This is even truer at informal meetings before or after a trade association meeting, when participants get together socially.

To avoid the risk of liability, Activity Participants should never discuss prices, pricing systems, discounts, commission rates, employee salary information, or the like, nor should PCI SSC ever be involved in Activity Participants’ pricing practices.

A formal agreement is not necessary for a finding of antitrust liability. Antitrust cases often are proven by circumstantial rather than direct evidence. Although there may be perfectly innocent explanations for business conduct, antitrust enforcement agencies, judges or juries may interpret contacts with competitors followed by similarity in conduct as circumstantial evidence of an “agreement.” It is, therefore, of the utmost importance to avoid any discussions or other conduct with competitors that might support an inference of illegal agreement. That means an Activity Participant’s relations with competitors should always be conducted as if the parties are at all times in the public view.

Activity Participants should also be aware that the antitrust prohibition on price-fixing is extremely broad. The Sherman Act itself defines price-fixing as any “combination” formed for the purpose and with the effect of raising, depressing, fixing, pegging or stabilizing “prices.”

Competitors violate this law if, for example, they:

  • Agree on a range of prices within which purchases, or sales may be made;
  • Agree that prices charged or paid are to fall within any sort of formula;
  • Agree to fix or stop giving discounts;
  • Agree to increase or limit supply; or
  • Agree on the compensation, benefits, or commission rates they will pay employees.

Because price-fixing is illegal per se, it is not a defense that the prices set are reasonable. Nor is it necessarily a defense that competitors fixed maximum prices, rather than minimum prices.

Although the discussion thus far has focused on so-called “horizontal” price fixing — that is, agreements among competitors selling the same or similar products — it also may be illegal to engage in “vertical” price fixing: an agreement to fix the price at which a purchaser will resell a product. Where a product is sold for resale, the seller is permitted to suggest resale prices to customers, but any agreement, whether formal or informal, express or implied, should always be reviewed in advance by legal counsel.

For all of the reasons above, Activity Participants should assume that no mention of prices, or price related business terms, should occur in the course of PCI SSC Activities unless the topic, scope and purpose of the discussion has been cleared in advance with PCI SSC legal counsel, and appropriate controls have been put in place if the discussion is permitted to occur at all.

2. Agreements To Allocate Markets

An agreement among participants of a trade association to allocate markets or customers may be, in and of itself, an antitrust violation. The antitrust laws expressly prohibit any understanding or agreement between competitors or participants of an association involving division or allocation of geographic markets or customers, or an agreement to divide sales by product type. Even an informal agreement whereby one participant agrees to stay out of another’s territory could constitute a violation of the antitrust laws.

3. Exclusive Selling and Dealing

An exclusive selling agreement involves the appointment of a sole distributor for the supplier’s product for a defined territory over a defined period of time, usually with the understanding that the supplier will not make separate deliveries or sales of his own into the distributor’s territory. The appointment of an exclusive distributor is generally considered to be legal, but counsel should be consulted if considering such an approach.

Exclusive dealing is an agreement where the purchaser agrees to buy exclusively from one supplier for a certain period of time.
A seller’s exclusive dealing contract may be unlawful where it covers a substantial dollar volume or forecloses a substantial market share to competitors. However, where there is a significant amount of competition from other companies that is not impacted by the exclusivity, it is less likely that an exclusive dealing agreement will be deemed illegal. Again, prior legal review of such arrangements is required.

4. Tying Arrangements

Tying is the practice whereby a seller refuses to sell the desired product or service (the tying item) to a customer unless the customer also agrees to buy a second product or service from the seller.

Tying arrangements may be illegal if the supplier occupies a dominant position in the market for the tying item or if the uniqueness of the tying item bars other sellers from producing an equivalent product.

5. Concerted Refusals to Deal

Activity Participants should avoid participating in “concerted” refusals to “deal,” more commonly known as boycotts. Activity Participants should be careful not to make agreements that in effect result in the exclusion of a competitor from a market or a competitive activity. For example, an agreement among two or more Activity Participants of PCI SSC to no longer buy from (or sell to) a particular supplier or distributor, or to work with a particular third party service provider, might constitute such a boycott. To avoid this risk, Activity Participants should avoid any discussion of or joint conduct that involves the refusal to deal with a particular supplier or customer.

PCI SSC itself, as a group of competitors and by virtue of the nature of its work, is at risk of falling into activities that might be challenged as a boycott. For this reason, counsel must have the opportunity to review any proposed changes to participation rules and any proposed rules that might disadvantage those who are not Activity Participants.

6. Price Discrimination

Price discrimination occurs when identical products are sold at different prices to different purchasers. It may be unlawful to discriminate in price between different purchasers of goods of like grade and quality where such goods are sold for use, consumption, or resale within the U.S. if the discrimination substantially lessens competition. However, price differences based on certain factors, such as a variance in costs, quantity discounts, prompt payment, or shipment fees generally are acceptable and do not violate the antitrust laws.

If you have questions regarding any of these matters, contact your company antitrust counsel, or if you are a PCI SSC member, please contact Andrew Updegrove, of the firm of Gesmer Updegrove LLP, which provides legal counsel to PCI SSC, at andrew.updegrove@gesmer.com.

PCI Security Standards Council Intellectual Property Rights Policy

Last Updated: 18 January 2023

1. IPR Generally

1.1 Purpose

PCI Security Standards Council LLC (the “Council”) has adopted this Intellectual Property Rights Policy (the “Policy”) in order to minimize the possibility of inadvertent infringement of IPR by Members and third parties using or implementing any Council Standards.

1.2 Applicability

All Members, and all third parties participating in or attending any Work Group or technical process meeting or initiative are subject to this Policy and (when approved by the Council) any related rules of procedure (the “Rules of Procedure”) for that meeting or initiative.  To the extent that any third party is permitted by the Council to participate in any Work Group or other Council technical process, it shall enter into an agreement approved by the Council under which it agrees to be bound by the terms of this Policy.

2. Definitions

Term

Definition

Compliant Product

A product or service that implements all Required Elements of a Standard.  For the avoidance of doubt, where more than one option for implementing a given Required Element is included in a Standard, implementation of any such option is regarded as implementation of such Required Element for purposes of the definition of Compliant Product.

Draft Standard

A technical standard or specification and any supporting materials, and any other work product containing IPR that is produced by a Work Group, that has not yet been formally adopted by the Council.  Unless the context otherwise requires, any reference to a Draft Standard shall also be deemed to apply to an amendment to a Standard until such amendment has been formally adopted by the Council.

Implementation License

 

An agreement substantially in the form of Exhibit A to this IPR Policy, as may be amended by the Council from time to time, between the Council and an Implementer that relates to a Standard.

Implementers

Those Members and non-Members who desire to use or implement a Standard and, with respect to that Standard, either (i) have entered into an appropriate Implementation License with the Council, or (ii) are legally bound to comply with the terms of this IPR Policy.

IPR

An abbreviation of “Intellectual Property Rights.” As used in this Policy, IPR means (i) claims in patents, patent applications, continuations, divisionals, reexaminations, reissues, continuations-in-part, and foreign equivalents of the foregoing, anywhere in the world, and (ii) copyrights and copyright applications, including renewals, in the United States or any other country; but excludes trademarks and trade secrets, which are not included in a Member’s or Related Party’s obligations under this Policy.

Investment Portfolio Subsidiary

Any entity where the shares, assets, or ownership interests of such entity are acquired and held by a Related Party and (i) such entity is not consolidated with the Related Party’s parent company for reporting, tax and accounting purposes, or (ii) such shares, assets, or ownership interests are held for a period of time to enable the sale or disposition thereof on a reasonable basis, and, during the period such shares, assets, or ownership interests are held, the holding company of such entity does not routinely manage or operate such entity except as may be necessary or required to obtain a reasonable return on investment upon resale or disposition.

Management Committee

The committee of the same name established by the Council’s LLC Agreement, or such other or successor committee authorized from time to time by the Executive Committee of the Council to consider the matters contemplated to be submitted to the Management Committee for consideration pursuant to this Policy.

Member

A member of the Council’s LLC Agreement.

Necessary Infringement

Infringement by an implementation of any Required Element or Other Element of a Standard in a Compliant Product, there being no commercially and technically reasonable alternative way to implement that element of the Standard without resulting in such infringement. For the avoidance of doubt, where more than one option for implementing a given element is included in a Standard, infringement by either option is regarded as Necessary Infringement.

Necessary Claims

Those claims under patents, patent applications, continuations, divisionals, reexaminations, reissues, and continuations-in-part, and foreign equivalents of the foregoing, anywhere in the world now or in the future that would be subject to Necessary Infringement as a result of the implementation of a Standard in a Compliant Product. Necessary Claims do not include: (a) claims covering reference implementations or implementation examples; (b) claims that would be infringed only by any enabling technology that may be necessary to make or use any implementation of a Standard, but are not expressly set forth in the Standard; and (c) claims that would be infringed only by an implementation that complies with a specification, requirement or standard not developed by or on behalf of the Council but which are merely incorporated by reference into a Standard.

Non-Assertion Commitment

A commitment under this Policy, pursuant to which a Technical Participant or Related Party thereof as grantor irrevocably covenants and agrees that it will not seek to enforce any of its Necessary Claims specified in Section 3.1(ii) below under a Standard anywhere in the world at any time now or in the future against (a) the Council for any use, implementation, or Necessary Infringement of such claims resulting from compliance with such Standard or any version thereof, or (b) any Implementers of any such Standard or version thereof with respect to those portions of any Compliant Products that implement any version of such Standard, provided that such Compliant Product has been developed by a person or entity that has also entered into, and is in compliance with, a Non-Assertion Commitment or an Implementation License.

Other Element

Any element of a Draft Standard or Standard other than a Required Element.

Other Work Product

Any materials that would not reasonably be expected to result in the infringement of a patent if used as intended.

Owned

With respect to any Necessary Claim(s), the words “Owned” and “Owner” include: (i) ownership of all right, title and interest in any Necessary Claim(s), and (ii) Necessary Claim(s) that are controlled but not owned by the Technical Participant or Related Party in question, provided that the Technical Participant or Related Party in question is entitled to sublicense such Necessary Claim(s) on a royalty-free basis.

Related Party

Any entity that is directly or indirectly controlled by, under common control with, or that controls the subject party, other than an Investment Portfolio Subsidiary. For this purpose, “control” means beneficial ownership or the right to exercise more than 50% of the voting power for the entity. Any Technical Participant or potential Technical Participant that believes that the application of this definition would result in unfairness, as applied in its unique circumstances, may apply for a limited and fact-specific exemption on such form as the Council may from time to time make available for that purpose.

Required Element

Any element of a Draft Standard or Standard that has not been identified as “Optional,” or as “included for informative purposes only”.

Standard

A Draft Standard that has been formally adopted by the Council. Unless the context otherwise requires, any reference to the adoption of a Standard shall also be deemed to apply to the adoption of an amendment to a Standard as well.

Technical Participant

Any Member, and any other person or entity that enrolls in any Work Group or technical process of the Council (as permitted by the Council in its discretion) that has not withdrawn from such Work Group within 60 days following its enrollment.

Work Group

A committee, working group, special interest group, task force or other group, sub-group or initiative (including without limitation, requests for comment on Standards or Draft Standards) established by the Council for a technical purpose.

3. Necessary Claims

3.1 Applicability and Non-Assertion Commitment

In order to reduce the possibility of adopting a Standard that would, without permission, infringe any Member or third party Necessary Claims if implemented, each Technical Participant, on its own behalf and on behalf of each Related Party thereof, hereby (i) irrevocably covenants and agrees to the rules, terms and conditions of this Policy, as supplemented by the Rules of Procedure,  (ii) grants a Non-Assertion Commitment with respect to its and its Related Parties’ corresponding patent claims in all Standards that are or were adopted by the Council, (a) in the case of a Member, before or while it was a Member, or after it was a Member to the extent such patent claims were Necessary Claims under any version of a Draft Standard developed while it was a Member and were still Necessary Claims upon adoption of the Draft Standard as a Standard, and (b) in the case of a Non-Member, any Draft Standard developed by a Work Group while it was a Technical Participant in such Work Group that is adopted by the Council to the extent such patent claims were Necessary Claims under any version of a Draft Standard developed while it was a Technical Participant and were still Necessary Claims upon adoption of the Draft Standard as a Standard, and (iii) agrees to fulfill all of its obligations under such Non-Assertion Commitment.

In the event that any Technical Participant shall breach the obligation set forth in this Section 3.1, the Consortium shall have no obligation to intervene, but the applicable Implementer shall be entitled to claim protection, and assert a complete defense against such action, under this Section 3.1 as a third party beneficiary.

3.2 Related Party Commitments

Each Technical Participant hereby further agrees that:

(a) In the event that, following adoption and publication of a Standard, a Necessary Claim is asserted in an infringement action against any Implementer, Technical Participant, or the Council by a Related Party of a Technical Participant that is not “controlled” (as defined within the definition of Related Party, below) by such Technical Participant, then such Technical Participant shall request that the Related Party grant a Non-Assertion Commitment with respect to that Necessary Claim under such Standard without cost to the Council, any other Technical Participant or any Implementer. 

(b) If such Technical Participant is unable to obtain such Non-Assertion Commitment from its Related Party for all Implementers under the terms substantially as set forth above, the Council may, in its discretion:

  1. refer the Standard in question back to the Management Committee for further consideration, as appropriate;
  2. revoke all license rights granted to such Technical Participant and its Related Parties by the Council; and/or
  1. permit all other Technical Participants and their respective Related Parties to revoke their Non-Assertion Commitment hereunder with respect to such Technical Participant and its Related Parties.

The foregoing remedies shall be available to the Council irrespective of whether the Related Party is participating, or has participated, in any Work Group or other technical process of the Council.

All prior rights and/or Non-Assertion Commitments granted by the Technical Participant, and/or any Related Party, to or through the Council or otherwise pursuant to this Policy shall remain in full force and effect, notwithstanding the revocation of rights by the Council under these provisions.

(c) The obligations of the Technical Participant with respect to its Related Parties as set forth in subsection (i) are released if subsequent to the assertion of a Necessary Claim in an infringement action, the Owner of the Necessary Claim ceases to be a Related Party of the Technical Participant, and the Technical Participant does not benefit from assertion of the Necessary Claim. Notwithstanding the foregoing, in the event the Council has taken any of the actions set forth in subsection (ii) prior to the date on which the Owner of the Necessary Claim ceases to be a Related party of the Technical Participant, the Council shall be under no obligation to reverse any such prior action or to reinstate any rights that may have been revoked.

3.3 Document Notations

3.3.1 Notation for Draft Standards

All Draft Standards that are subject to comment shall include the following introductory language:

“Recipients of this document are requested to submit, with their comments, notification of any relevant third party IPR of which they may be aware that might be infringed by any implementation of the standard or specification set forth in this document, and to provide supporting documentation.”

3.3.2 Notation when no Necessary Claims have been Identified All Standards shall include the following introductory language:

“THIS DOCUMENT AND THE CONTENT THEREOF (COLLECTIVELY, THE “STANDARD”) IS BEING OFFERED WITHOUT ANY WARRANTY WHATSOEVER, AND IN PARTICULAR, ANY WARRANTY OF NON-INFRINGEMENT IS EXPRESSLY DISCLAIMED. ANY USE OF THIS STANDARD SHALL BE MADE ENTIRELY AT THE IMPLEMENTER’S OWN RISK, AND NEITHER THE COUNCIL, NOR ANY OF ITS MEMBERS OR THEIR RELATED PARTIES, SHALL HAVE ANY LIABILITY WHATSOEVER TO ANY IMPLEMENTER OR THIRD PARTY FOR ANY DAMAGES OF ANY NATURE WHATSOEVER, DIRECTLY OR INDIRECTLY, ARISING FROM THE USE OF THIS STANDARD. FURTHERMORE, ANY USE OF THIS STANDARD SHALL BE SUBJECT TO THE TERMS AND CONDITIONS OF THE COUNCIL’S THEN-CURRENT IMPLEMENTATION LICENSE AGREEMENT.”

3.3.3 Notation when Necessary Claims or other IPR are Identified

(a) When Necessary Claims or other IPR subject to a corresponding Non-Assertion Commitment have been identified for Draft Standards, or thereafter with respect to already published Standards, a notice substantially as follows shall instead be included in the introductory language:

“The Council draws attention to the fact that it is claimed that compliance with this standard or specification (the “Standard”) may involve the use of a patent or other intellectual property right (collectively, “IPR”) concerning [Subject Matter] given in [Subclause]. The Council takes no position concerning the accuracy of such claims or the evidence, validity, enforceability or scope of this IPR.

“The holder of this IPR has irrevocably covenanted and agreed that it will not seek to enforce any IPR it owns and any third party IPR it has the right to sublicense which might be infringed by any implementation of this Standard against the Council and those Members and non-Members that desire to implement this Standard and have made a reciprocal commitment.  Prior to implementing those portions of the Standard claimed to be subject to the identified IPR, each implementer shall be solely responsible for evaluating the impact of such IPR on their respective implementation. The Council makes no representations or warranties on whether any particular implementation may or may not infringe the identified IPR. The IPR and the holder of the IPR making such claims is as follows:
[Name of Holder of Right] [Address]

[Identification of IPR]

“Attention is also drawn to the possibility that some of the elements of this Standard may be the subject of IPR other than those identified above. The Council shall not be responsible for identifying any or all such IPR.

“THIS STANDARD IS BEING OFFERED WITHOUT ANY WARRANTY WHATSOEVER, AND IN PARTICULAR, ANY WARRANTY OF NON-INFRINGEMENT IS EXPRESSLY DISCLAIMED. ANY USE OF THIS STANDARD SHALL BE MADE ENTIRELY AT THE IMPLEMENTER’S OWN RISK, AND NEITHER THE COUNCIL, NOR ANY OF ITS MEMBERS OR THEIR RELATED PARTIES, SHALL HAVE ANY LIABILITY WHATSOEVER TO ANY IMPLEMENTER OR THIRD PARTY FOR ANY DAMAGES OF ANY NATURE WHATSOEVER, DIRECTLY OR INDIRECTLY, ARISING FROM THE USE OF THIS STANDARD. FURTHERMORE, ANY USE OF THIS STANDARD SHALL BE SUBJECT TO THE TERMS AND CONDITIONS OF THE COUNCIL’S THEN-CURRENT IMPLEMENTATION LICENSE AGREEMENT.”

(b) In the event that the owner of any IPR has asserted that infringement would result from the implementation of a Draft Standard or Standard, and such owner has refused to grant a Non-Assertion Commitment under the terms of this Policy, then the second paragraph of the above notice shall be replaced or supplemented, as appropriate, with the following:

“The holder of such IPR has refused a request by the Council that it agree to make a covenant not to assert patent claims available for the purpose of implementing this standard or specification. Information may be obtained from:

[Name of Holder of Right] [Address]”

3.4 Patent Searches; Duty to Disclose

(a) In no event shall the Council or any Technical Participant be obligated to conduct any patent searches regarding any Necessary Claims that may be infringed by any implementation of a Draft Standard or Standard.

(b) Subject to clause (a) above, to the extent a Technical Participant becomes aware of any IPR that it believes would be infringed by the implementation of the current version of a Draft Standard under development by a Work Group in which such a Technical Participant is enrolled (excluding IPR Owned by such Technical Participant), it shall disclose such claims to the chair of the Work Group.

3.5 Patent Claims Revealed After Publication

In the event that a Necessary Claim is first revealed by a third party following adoption and publication of a Standard, the Owner thereof will be asked to grant a Non-Assertion Commitment to the Necessary Claim in the manner outlined in Section 3.2 above. If such request is refused, the Standard in question shall be referred back to the Management Committee for further consideration, as appropriate.

3.6 Transfers of Necessary Claims

(a)  Each Technical Participant agrees that it will not transfer, and has not transferred, patents or patent applications having Necessary Claims solely for the purpose of circumventing such Technical Participant’s obligations under this IPR Policy.

(b)  No party bound by this Policy shall transfer any patent or patent application having Necessary Claims, except to a successor that agrees in writing to (i) be bound by all commitments previously made by the direct or indirect transferor(s) under this Policy with respect to such patent or patent application, and (ii) include the obligations set forth in this Section 3.6 in any document of transfer relating to such patent or application in the event that it later transfers the same.

4. Copyrights

4.1 Copyright in Standards

The copyright for all Standards and Other Work Product shall belong to the Council.

4.2 Contributions of Copyrighted Materials

Each Technical Participant that contributes copyrighted materials to the Council shall retain copyright ownership of its original work, while at the same time granting the Council, on its own behalf and on behalf of its Related Parties, a non-exclusive, irrevocable, worldwide, perpetual, sublicensable royalty-free, fully paid license under the contributor’s and its Related Parties’ copyrights in its contribution to reproduce, distribute, publish, display, perform, and create derivative works of the contribution based on that original work for the purpose of developing Draft Standards, Standards, or Other Work Product under the Council’s own copyright, reviewing and studying such Draft Standards, Standards, or Other Work Product and using such Standards for purposes of making, having made, using, reproducing, marketing, importing, offering to sell, selling, and otherwise distributing Compliant Products . The Council shall be free to sublicense such copyrights to Implementers of a Standard as may be necessary to fully implement a Standard.

5. Trade Secrets

No Technical Participant will be expected to reveal trade secret information in the course of participation in any Work Group. The Council will not be held responsible for the disclosure of any Technical Participant’s trade secrets, regardless of the circumstances. Except as otherwise agreed in writing, the identity of the Technical Participant disclosing such information may be incorporated into a Draft Standard or a Standard and distributed or published freely.

6. Trademarks

6.1 Council Trademarks

Trademarks created by the Council, registered or otherwise, are the property of the Council. Use of Council trademarks shall be governed by such policies, procedures and guidelines as may be established and approved by the Council from time to time, and applicable law.

6.2 Non-Council Trademarks

The Council’s use of third-party trademarks, registered or otherwise, shall be governed by such policies, procedures and guidelines as may be established and approved by the owners of such trademarks, and applicable law, or as specified in an applicable separate agreement between the Council and such third-party.

7. Irrevocability and Binding Nature of Commitments

All commitments made under this Policy shall be irrevocable, except that the Owner of a Necessary Claim may revoke the Non-Assertion Commitment granted with respect to a given Implementer if that Implementer asserts a Necessary Claim (without first offering a Non-Assertion Commitment to such Necessary Claim) against that Owner in connection with the implementation or use of the same Standard.

8. Survival of Obligations

(a)  Any Non-Assertion Commitment and other obligations that a Technical Participant incurs under this Policy shall continue in force after the Technical Participant for any reason ceases to be a Member or (in the case of a non-Member) ceases participation in the applicable Work Group or Council technical process. However, no Technical Participant shall become subject to any new Non-Assertion Commitment or other obligations under this Policy after it ceases to be a Member or (in the case of a non-Member) ceases participation in the applicable Work Group or Council technical process.

(b)  The Council shall have the right to assign all of its rights under this Policy, and the right to enforce all obligations incurred by Technical Participants under this Policy, to any successor to the mission of the Council.

(c)  All persons and entities that are intended third party beneficiaries of rights and obligations incurred under this Policy shall remain entitled to enforce the same, notwithstanding any termination, dissolution or winding up of the Council.

 

 

EXHIBIT A
PCI SECURITY STANDARDS COUNCIL, LLC
LICENSE AGREEMENT

 

This License Agreement (the “Agreement”) is a legal agreement between you and PCI Security Standards Council, LLC with a place of business at 401 Edgewater Place, Suite 600, Wakefield, MA 01880 (“Licensor”), which is the owner of the copyright in the standards, specifications or other documents accessible by clicking on the “ACCEPT” button below (each a “Standard”). As used in this Agreement, “you” and “Licensee” mean the company, entity or individual that is acquiring a license under this Agreement.

By clicking on the “ACCEPT” button below, you are agreeing that you will be bound by and are becoming a party to this Agreement. If you are an entity, and an individual is entering into this Agreement on your behalf, then you will be bound by this Agreement when that individual clicks on the “ACCEPT” button. When they do so, it will also constitute a representation by the individual that s/he is authorized to bind you as a party to this Agreement. If you do not agree to all of the terms of this Agreement, click the “DO NOT ACCEPT” button at the end of this Agreement.

I.        Read and Copy License. If your use of a given Standard is limited to study purposes, then only the provisions of this Section I and the provisions of Section III will apply to you and your use of that Standard. Licensor hereby grants you the right, without charge, to download, copy (for internal purposes only) and share the Standard with your employees for study purposes only. This license grant does not include the right to sublicense or modify the Standard.

II.       Implementation License. If you wish to implement any Standard, then the following provisions will also apply to you:

1. Definitions:

“Compliant Product” means a product or service that implements all Required Elements of the Standard.  For the avoidance of doubt, where more than one option for implementing a given Required Element is included in the Standard, implementation of any such option is regarded as implementation of such Required Element for purposes of this definition.

“End User” means a company, entity or individual that is the ultimate purchaser or licensee from Licensee of a Compliant Product.

“Policy” means the then current version of Licensor’s Intellectual Property Rights Policy as available on Licensor’s web site.

“Implementer” means any person or entity who desires to use or implement the Standard and, with respect to that Standard, either (i) has entered into this Agreement or a separate Non-Assertion Commitment, or (ii) is legally bound to comply with the terms of the Policy.

Necessary Infringement ” means infringement by an implementation of any Required Element or Other Element of the Standard in a Compliant Product, there being no commercially and technically reasonable alternative way to implement that element of the Standard without resulting in such infringement. For the avoidance of doubt, where more than one option for implementing a given element is included in the Standard, infringement by either option is regarded as Necessary Infringement.

“Necessary Claims” means those claims under patents, patent applications, continuations, divisionals, reexaminations, reissues and continuations-in-part, and foreign equivalents of the foregoing, anywhere in the world now or in the future that would be subject to Necessary Infringement as a result of the implementation of the Standard in a Compliant Product. Necessary Claims do not include (i) claims covering reference implementations or implementation examples; (ii) claims that would be infringed only by any enabling technology that may be necessary to make or use any implementation of the Standard, but are not expressly set forth in the Standard; and (iii) claims that would be infringed only by an implementation that complies with a specification, requirement or standard not developed by or on behalf of Licensor but which are merely incorporated by reference into the Standard.

“Non-Assertion Commitment” means a commitment irrevocably covenanting and agreeing not to seek to enforce any of the committer’s Necessary Claims under the Standard anywhere in the world at any time now or in the future against (i) the Council for any use, implementation, or Necessary Infringement of such claims resulting from compliance with such Standard or any version thereof, or (ii) any Implementers of such Standard or any version thereof with respect to those portions of any Compliant Products that implement any version of such Standard, provided that such Compliant Product has been developed by a person or entity that has also entered into, and is in compliance with, a corresponding Non-Assertion Commitment or agreement with Licensor relating to such Standard substantially in the form of this Agreement, as amended by Licensor from time to time.  For the avoidance of doubt and without limiting the foregoing, if such Standard is amended in the future, any patent claim Owned by the Implementer that was a Necessary Claim under such Standard and is still a Necessary Claim under the amended version of such Standard shall remain subject to Implementer’s Non-Assertion Commitment.

“Owned” includes, with respect to any Necessary Claim(s): (i) ownership of all right, title and interest in any Necessary Claim(s), and (ii) Necessary Claim(s) that are controlled but not owned by the Licensee, provided that the Licensee is entitled to sublicense such Necessary Claim(s) on a royalty-free basis.

“Required Element” means any element of the Standard that has not been identified as “Optional.” .

2. Grant of License. Licensor hereby grants without charge to Licensee and its End Users, for so long as Licensor continues to generally provide new licenses to the Standard on similar terms, and on a non-exclusive and worldwide basis, the right under Licensor’s copyrights and Licensor’s copyright license rights in the Standard to utilize the Standard for the purpose of making, having made, using, reproducing, marketing, importing, offering to sell, selling, and otherwise distributing Compliant Products, in all cases subject to the conditions set forth in this Agreement and any relevant patent and other intellectual property rights of third parties (which may include members of Licensor and others).

3. Covenant not to Assert Patent Claims. Licensee acknowledges that, in accordance with the Policy, all Implementers enjoy the benefits of a “covenant not to assert patent claims” made by the developers of the Standard and such Implementers.  In consideration of such benefits, and as a precondition to implementing any Standard, the Licensee hereby enters into the following covenant not to assert:

Licensee irrevocably covenants and agrees that it will not seek to enforce any of its Necessary Claims under such Standard anywhere in the world at any time now or in the future against (a) Licensor for any use, implementation, or Necessary Infringement of such claims resulting from compliance with such Standard, or (b) any Implementers of such Standard with respect to those portions of any Compliant Products that implement such Standard, provided that such Compliant Product has been developed by a person or entity that has entered into, and is in compliance with, a Non-Assertion Commitment with Licensor. No other rights of Licensee, except those expressly stated in this covenant not to assert, shall be deemed to have been granted, waived, or received by implication, estoppel, or otherwise; provided, however, that nothing in this Agreement shall limit, or be construed to limit in any way, any obligation or covenant of Licensee separately arising under the Policy.  

III.      Provisions Applicable to All Licensees. The following provisions apply to all Licensees
(the definitions in Section II are hereby incorporated by reference):

1. Restrictions.

1.1 No Sublicensing. Licensee shall not sublicense any Standard or any of its rights under this Agreement, except to the extent necessary to exercise its rights under Section II.2 above.

1.2 No Modification. Licensee shall not modify any Standard.

2. Intellectual Property. Licensee acknowledges and agrees that each Standard shall at all times be the exclusive property of Licensor and/or any third parties of which Licensor is a licensee, as the case may be, and nothing in this Agreement shall be construed to convey to Licensee any ownership interest in any Standard or any rights other than those expressly granted herein. No rights are conveyed in this Agreement to create any derivative work of any Standard, or any portion thereof.

3. Support and Maintenance. Licensor shall have no obligation to Licensee or to any End User to support or maintain any Standard.

4. No Warranties. EACH STANDARD IS PROVIDED “AS IS,” WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL LICENSOR, ITS MEMBERS OR ITS CONTRIBUTORS BE LIABLE FOR ANY CLAIM, OR ANY DIRECT, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF ANY STANDARD.

5. Third Party Rights. Without limiting the generality of Section III.4 above, LICENSOR ASSUMES NO RESPONSIBILITY TO COMPILE, CONFIRM, UPDATE OR MAKE PUBLIC ANY THIRD PARTY ASSERTIONS OF PATENT OR OTHER INTELLECTUAL PROPERTY RIGHTS THAT MIGHT BE INFRINGED BY THE USE OR IMPLEMENTATION OF ANY STANDARD. IF ANY SUCH RIGHTS ARE DESCRIBED IN ANY STANDARD OR DISPLAYED AT LICENSOR’S WEBSITE, LICENSOR TAKES NO POSITION AS TO THE VALIDITY OR INVALIDITY OF SUCH ASSERTIONS, OR THAT ALL SUCH ASSERTIONS THAT HAVE OR MAY BE MADE ARE SO LISTED.

6. Termination of License.

6.1 Breach. In the event of a breach of this Agreement by Licensee, Licensor shall have the right to give Licensee written notice and an opportunity to cure. If the breach is not cured within thirty (30) days after written notice, or if the breach is of a nature that cannot be cured, then Licensor may immediately or thereafter terminate the licenses granted in this Agreement upon written notice; provided, however, that Licensee and its End Users shall be permitted to continue to use Compliant Products created or obtained prior to such termination.

6.2 Other than for Breach.

(a) In the event that Licensor believes that implementation of any Required Element(s) or Other Element(s) of any Standard infringes or may infringe the intellectual property rights (“IPR”) of an IPR owner that is not willing to make such IPR available under terms satisfactory to Licensor, then Licensor may (i) notify Licensee that it has amended the Standard, following which Licensee’s rights under this Agreement shall be limited to the Standard, as so amended, or (ii) terminate this Agreement immediately upon notice.
(b) In the event that Licensor believes that the continuation of this Agreement in full force and effect shall cause Licensor to violate any applicable law, statute, regulation, order or rule of any governmental authority, Licensor may terminate this Agreement immediately upon notice.

(c) Licensee may immediately terminate this Agreement upon written notice to Licensor.
(d) Notwithstanding the foregoing, no termination of this Agreement shall terminate any obligation incurred by Licensee hereunder with respect to any Standard; provided, that if any term of this Agreement conflicts with any term of the Policy, the conflicting term of the Policy shall govern to the extent necessary to resolve such conflict.

7. Indemnification. Licensee shall indemnify, defend and hold harmless Licensor and its members, and the officers, directors, employees and agents of the same (each, an “Indemnified Party”) from all losses, costs, damages, claims and other expenses (including reasonable attorneys’ fees) arising out of any claim by any third party in connection with use by Licensee of any Standard, including, without limitation, claims asserting that any Standard or any portion thereof infringes the patent, copyright, trade secret or other intellectual property anywhere in the world of such third party.

8. Export Regulations. None of the Standards or Draft Standards may be downloaded or otherwise exported or re-exported, to the extent prohibited by applicable United States sanctions, laws, regulations and administrative acts (“U.S. Law”): (i) into (or to a national or resident of) any country or region to which the United States has embargoed goods; (ii) to any person or entity on the United States Treasury Department’s list of Specially Designated Nationals and Blocked Persons or the United States Commerce Department’s Table of Denial Orders, and/or (iii) otherwise in breach of U.S. Law.  By downloading or using any of the Standards or Draft Standards, you agree to the foregoing and represent and warrant that you are not located in, under the control of, or a national or resident of any country or region, or on a list, in breach of this Section.  In addition, you are responsible for complying with any local laws in your jurisdiction which may impact your right to import, export or use the Standards or Draft Standards, and you represent that you have complied with any regulations or registration or license procedures required by applicable law to make this license enforceable.”

9. Government Restrictions. Each Standard, Draft Standard, and component thereof is a “commercial item,” consisting of “commercial products” and/or “commercial computer software,” “commercial computer software documentation,” and “commercial software documentation,” as such terms are defined 48 C.F.R. 2.101 (Oct. 2016), and the Department of Defense Federal Acquisition Regulations Sections 252.227-7014(a)(1), (5) (Fed. 2014).  Consistent with 48 C.F.R. 12.102 (1/30/2022), 48 C.F.R. 12.212 (Oct. 2010) and 48 C.F.R. 227.7202-1 through 227.7202-4 (Oct. 2011), all U.S. Government End Users acquire the Standards and Draft Standards with only those rights set forth in this Agreement.  The contractor/manufacturer is PCI Security Standards Council, LLC, 401 Edgewater Place, Suite 600, Wakefield, MA 01880.

10. Miscellaneous.

10.1 Notices. All notices required under this Agreement shall be in writing, and shall be deemed effective five days from deposit in the mails, and if sent by Licensor, upon transmission if delivered by electronic mail. Alternatively, notices from Licensor may be posted to Licensor’s website and shall be deemed to be in writing and effective thirty (30) days after posting.  Subject to the preceding sentence, notices and correspondence (a) to Licensor must be sent to the street address shown above, and (b) to Licensee shall be sent to the street address or email address identified by Licensee in connection with accepting the terms of this Agreement.

10.2 Governing Law. This Agreement shall be construed and interpreted under the internal laws of the United States and the State of Delaware, without giving effect to its principles of conflict of law.

10.3 Entire Agreement. Subject to the terms of the Policy, this Agreement constitutes the entire agreement and understanding between Licensor and Licensee regarding the subject matter contained herein, and supersedes any and all prior agreements between Licensor and Licensee regarding Licensee’s right to use any Standard.  No modification or waiver of this Agreement shall be binding unless it is in writing and signed by both parties, and no waiver of any breach of this Agreement shall be deemed to be a waiver of any other or subsequent breach. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid, illegal or unenforceable, such provision shall be omitted and the remaining terms shall remain in full force and effect.