Privacy Policy

Last Updated: 12 August 2020

Your privacy is important to us. Our goal is to provide you with a personalized online experience that provides you with the information, resources, and services that are most relevant and helpful to you.

This Privacy Policy (the “Privacy Policy”) has been written to describe the privacy-related terms and conditions under which PCI Security Standards Council (“PCI SSC”, “we”, “us” or “our”) makes its web sites, web pages, domains, portals, registries, other events and online resources, and corresponding materials (collectively, the “Web site”) available to you, including but not limited to resources used to provide or in connection with our online meetings, events and other services.

The Privacy Policy discusses, among other things, how data obtained in connection with your use of the Web site may be collected and used. We strongly recommend that you read the Privacy Policy carefully. By using the Web site, you agree to be bound by the terms of the Privacy Policy (including its appendices, which are hereby incorporated into the Privacy Policy). If you do not accept the terms of the Privacy Policy, you are directed to discontinue accessing or otherwise using the Web site. If you are dissatisfied with the Web site, please feel free to contact us at dataprivacy@pcisecuritystandards.org

The process of maintaining the Web site is an evolving one, and we may modify the terms of this Privacy Policy without notice. Your continued use of the Web site after such change indicates your assent to the modified terms as of the effective date of the change. The effective Privacy Policy will be posted on the Web site, and you should check upon every visit for any changes.

1. Sites and Resources Covered by this Privacy Policy

This Privacy Policy applies to all PCI SSC web sites, web pages, domains, portals, registries and other online resources, including but not limited to resources used to provide or in connection with our online meetings and events.  Notwithstanding the foregoing, we may from time to time require users of specific web pages, portals or resources to agree to corresponding additional terms and conditions (“Additional Terms”), and such Additional Terms shall govern to the extent necessary to resolve any express conflicts with this Privacy Policy.

2. Children’s Privacy

We are committed to protecting the privacy needs of children, and we encourage parents and guardians to take an active role in their children’s online activities and interests. We do not intentionally collect information from children under the age of 13, and do not target the Web site to children.

3. Links to Non-PCI Security Standards Council Web Sites

The Web site may provide links to third-party web sites for the convenience of our users. If you access those links, you will leave our Web site. We do not control these third-party web sites and cannot represent that their policies and practices will be consistent with this Privacy Policy. For example, other web sites may collect or use personal information about you in a manner different from that described in this document. Therefore, you should use other web sites with caution, and you do so at your own risk. We encourage you to review the privacy policy of any web site before submitting personal information.

4. TYPES OF INFORMATION WE COLLECT

Non-Personal Information

Non-personal information is data about usage and service operation that is not directly associated with a specific personal identity. We may collect and analyze non-personal information to evaluate how users use the Web site.

5. Aggregate Information

We may gather aggregate information, which refers to information your computer automatically provides to us and which cannot be tied back to you as a specific individual. Examples include referral data (the web sites you visited just before and just after our Web site), the pages viewed, time spent at our Web site, and Internet Protocol (IP) addresses. An IP address is a number that is automatically assigned to your computer whenever you access the Internet. For example, when you request a page from one of our web sites, our servers log your IP address to create aggregate reports on user demographics and traffic patterns and for purposes of system administration.

6. Log Files

Every time you request or download a file from the Web site, we may store data about these events and your IP address in a log file. We may use this information to analyze trends, administer the Web site, track users’ movements, and gather broad demographic information for aggregate use or for other business purposes.

7. Cookies

Our Web site may use a feature of your browser to set a “cookie” on your computer. Cookies are small packets of information that a Web site’s computer stores on your computer. The Web site can then read the cookies whenever you visit. We may use cookies in a number of ways, such as to save your password so you don’t have to re-enter it each time you visit our site, to deliver content specific to your interests and to track the pages you’ve visited. These cookies allow us to use the information we collect to customize your Web site experience so that your visit to our site is as relevant and as valuable to you as possible.

For additional information regarding cookies and how we use them, please review our Cookie Notice at Appendix A hereto.

8. Web Beacons

The Web site also may use Web beacons to collect non-personal information about your use of our Web site and the web sites of selected sponsors and advertisers, your use of special promotions or newsletters, and other activities. The information collected by Web beacons allows us to statistically monitor how many people are using our Web site and selected sponsors’ sites; how many people open our emails; and for what purposes these actions are being taken. Our Web beacons are not used to track your activity outside of our Web site or those of our sponsors. We do not link non-personal information from Web beacons to personally identifiable information without your permission.

9. Personal Data

“Personal Data” is information that is associated with your name or personal identity. In general, we use Personal Data to better understand your needs and interests and to provide you with better service. The specific uses for Personal Data that we collect are described when or on the pages where such data is collected.  The types of Personal Data you provide to us through the Web site may include name, address, phone number, email address, user IDs, passwords, and billing information.  Providing this information may be required or requested in order to enable you to request and/or download information or materials, subscribe to mailing lists, participate in corresponding online or in person discussions or events, collaborate on documents, provide feedback, submit information into registries, register for or participate in programs, meetings or events, apply for participation or membership, or join technical committees or working groups.  We collect this information so we can contact you or send you requested materials (such as with requested documents or subscriptions to mailing lists), enable participation in corresponding events and activities, and to identify you to us or others (such as applications to register for or participate in meetings or events or join committees, or to participate in programs or online discussions), and to bill you for requested services or materials. You may always elect not to provide your Personal Data to us, but that will limit your ability to participate in these activities or benefit from these services. 

Personal Data will not be kept for longer than is necessary for the purpose (s) for which it was collected, and in general, we will retain Personal Data for a period of 3 years, or if you have any qualification or contractual relationship with us, for a period of 3 years after cessation of that qualification or relationship.  In some cases it is not possible for us to specify in advance the periods for which your Personal Data will be retained. Notwithstanding this, we may retain, process and use your Personal Data where such is necessary for compliance with a legal or contractual obligation to which we are subject, in order to protect your vital interests or the vital interests of another person, or for other applicable legitimate interests.

10. Restricted Web Sites and Portals

Information you provide in connection with applying for participation or membership may be used to create a corresponding participating organization, participant or member profile, or enable participation in corresponding activities, and may be shared with other PCI SSC member or participant representatives and organizations. Such information may be provided to other participants or members on a secure Web site to encourage and facilitate collaboration, online discussion, research, and the free exchange of information. PCI Security Standards Council participants and members automatically are added to applicable PCI SSC mailing lists. From time to time, participant and member information may be shared with event organizers and/or other organizations that provide additional benefits to our participants or members. By providing us with your personal information, you expressly consent to our storing, processing, and distributing such information for these purposes.

11. Meetings and Events

Information you provide in connection with events or registering for events, such as our Community Meetings, Town Halls, and similar events, whether held in person or online, may include name, email address, company name, and company type.  This information is used to operate such events and facilitate your participation, and may be used and shared with our contractors or other event participants for such purpose and as described under “Restricted Web Sites and Portals” above.  At the time you provide us with such information, we will request your consent to our storing, processing, distributing, and use of such data for the purposes for which it is being provided.  In connection with such events, we may also request additional information such as address, company affiliate, number of company employees, and other company information, which may be used for marketing purposes, and may be distributed to event sponsors. Consent to such use of such additional information is requested at the time the information is collected.  All information collected in connection with such events is retained in accordance with the applicable provisions of this Privacy Policy.

12. Company Information

Company information is information that is associated with the name and address of our participant, member and other stakeholder or user organizations and may include data about usage and service operation. The primary representative of any such organization may request usage reports to gauge the extent of their employees’ involvement in our activities. You should be aware that information regarding your participation in technical committees, working groups, and online discussions and events, for example, may be made available to your company’s primary representative and to PCI SSC staff members.

13. HOW WE USE YOUR INFORMATION

We may use non-personal data that is aggregated for reporting about the Web site activity, usability, performance, effectiveness, or participation. It may be used to improve the experience, usability, and content of the Web site or future activities.

We may use personal information to offer or provide services that support our activities or those of our participants, members, stakeholders or other users, and their collaboration with us, or to provide you with electronic newsletters, announcements, surveys or other information. When accessing restricted PCI SSC Web pages, portals or activities, your personal user information may be used or tracked in order to support collaboration, ensure authorized access, and enable communication among participants or members.

14. Information Sharing

We do not sell, rent, or lease any individual’s personal information or lists of email addresses to anyone for marketing purposes, and we take commercially reasonable steps to maintain the security of this information. We will not do any of the foregoing in the future without providing you with notice and an opportunity to opt-out or opt-in, as required by law.  Similarly, we do not offer financial incentives associated with our collection, use, or disclosure of your personal information.  However, we reserve the right to supply any such information to any organization into which PCI SSC may merge in the future or to which it may make any transfer in order to enable a third party to continue part or all of our mission or activities. We also reserve the right to release personal information to protect our systems or business, when we reasonably believe you to be in violation of applicable terms of use, or if we reasonably believe you to have initiated or participated in any illegal activity. In addition, please be aware that in certain circumstances, we may be obligated to release your personal information pursuant to judicial or other government subpoenas, warrants, or other orders.

In keeping with our open process, we may maintain publicly accessible archives for the vast majority of our activities. For example, posting an email message to any PCI SSC-hosted mail list or discussion forum, subscribing to any PCI SSC newsletter or registering for one of our public or other meetings may result in your email address becoming part of corresponding publicly accessible archives.

If you are a PCI Security Standards Council participant or member, you should be aware that some items of your personal information may be visible to other such participants and members, and to the public. Our participant and member databases may retain information about your name, email address, company affiliation and such other personal address and identifying data as you choose to supply. That data may be generally visible to other such participants or members, and to the public. Your name, email address, and other information you may supply also may be included in publicly accessible records of our various committees, working groups, online events and discussions, and similar activities that you join, in various places, including: (i) the permanently-posted attendance and other records of those activities; (ii) documents generated by the activity, which may be permanently archived; and, (iii) along with message content, in the permanent archives of our email lists, which also may be public.

Please remember that any information (including personal information) that you disclose in public areas of the Web site or in connection with public or broad participation activities, such as forums (in person or online), message boards, news groups, and other activities, may become publicly or broadly available information that others may collect, circulate, and use. Because we cannot and do not control the acts of others, you should exercise caution when deciding to disclose information about yourself or others in forums or other activities such as these.

Given the international scope of the PCI Security Standards Council, personal information may be visible to persons outside your country of residence, including to persons in countries that your own country’s privacy laws and regulations deem deficient in ensuring an adequate level of protection for such information. If you are unsure whether this Privacy Policy is in conflict with applicable local rules, you should not submit your information.     

Your Personal Data will never be used for direct marketing purposes, although we may contact you to follow up on a request you made for information about a service, event or activity we provide.

If you do not want your personal information collected and used by the PCI Security Standards Council, please do not visit or use our Web site, apply for participant or member status, or engage in PCI SSC activities

15. Access to and Accuracy of Information

We are committed to keeping the personal information of our participating and member organizations and other Web site users accurate. All the information you have submitted to us can be verified and changed. In order to do this, please email us a request at dataprivacy@pcisecuritystandards.org. We may provide participants, members and/or others with online access to their own personal profiles, enabling them to update or delete information at any time. To protect your privacy and security, we also may take reasonable steps to verify identity, such as requiring a user ID and password, before access to modify personal profile data. Certain areas of the Web site may limit access to specific individuals through the use of passwords or other personal identifiers; a password prompt is your indication that a restricted resource is being accessed.

16. Security

We use a variety of means to protect personal information provided by users of the Web site, including using firewalls and other security measures on its servers. No server, however, is 100% secure, and you should take this into account when submitting personal or confidential information about yourself or others on the Web site or elsewhere. Much of the personal information we collect is used in conjunction with participation and/or member-level services such as collaboration and discussion, so some types of personal information such as your name, company affiliation, and email address will be visible to other PCI Security Standards Council participants or members, and to the public. We assume no liability for the interception, alteration, use or misuse of the information you provide. You alone are responsible for maintaining the secrecy of your personal information. Please use care when you access the Web site and otherwise provide personal information.

17. Opting Out

From time to time we may email you electronic newsletters, announcements, surveys or other information. If you prefer not to receive any or all of these communications, you may opt out by following the directions provided within the electronic newsletters and announcements.

18. California Privacy Rights

Under the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws, California residents have certain rights relating to collection, use, and sharing of their personal information for companies that meet applicable CCPA requirements.  For example, if you are a resident of California, you have the right to request to know what personal information we have collected about you, and to access that information. You also have the right to request deletion of your personal information, though exceptions under the CCPA may allow us to retain and use certain personal information notwithstanding your deletion request.  For additional information regarding such rights and laws, please review our Privacy Notice for California Residents at Appendix B hereto. 

19. General Data Protection Regulation (GDPR) Compliance

If you are a resident of or are located in the European Economic Area (“EEA”), you may have certain rights under the General Data Protection Regulation (“GDPR”).  Personal Data you provide on or through the Web site or otherwise in connection with our activities is only collected with your consent, and may be transmitted outside of the EEA to the PCI Security Standards Council (or computer servers maintained for the benefit of the PCI Security Standards Council) pursuant to that consent.

In general, under the GDPR you may:

• request access to your Personal Data
• have incomplete or incorrect Personal Data corrected
• have your Personal Data deleted
• suspend or restrict our use of your Personal Data, or withdraw your consent
• request a copy of your Personal Data
• complain to a supervisory authority if you believe your rights under the GDPR are not being respected

Should you request a copy of your Personal Data, we will provide you a copy. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.  Should you request the deletion of your Personal Data, PCI Security Standards Council will generally do so as soon as practicable, although your right to have your Personal Data deleted is subject to exceptions, such as, for example, compliance with a legal obligation or for the establishment, exercise or defense of legal claims. 

If you consider that our processing of your Personal Data infringes applicable data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

You should note that our servers are located in the United States, which is deemed by the European Union to have inadequate data protection.  Accordingly, when you provide information to us through the Web site, you are providing that information to us in the United States.  You should also note that, if you are in a country outside the United States (including but not limited to in the EEA), your Personal Data may be transferred to and/or collected, stored, processed, and/or used outside of your country, including in the United States.  By way of example, this may happen if Personal Data of an individual in the EEA is transferred to our servers located in the United States or in another country outside of the EEA. Such countries may not have similar data protection laws to the EEA or your country. When we collect such information, we will request your consent to its transfer to and/or storage, processing, distribution and use in the United States or other country, as applicable.  If we transfer your information outside of the EEA in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy. 

20. Contacting Us

If you have any questions or concerns regarding this policy or your Personal Data, or wish to exercise any of the above rights, please contact the PCI Security Standards Council through its Data Protection Program at:

Toll Free Phone #: Email: Postal Address:

1-888-241-3525 dataprivacy@pcisecuritystandards.org PCI Security Standards Council 401 Edgewater Place Suite 600 Wakefield, MA USA 01880 Attn: Director, Privacy and Information Security

Appendix A and B follow.

Appendix A

COOKIE NOTICE

This cookie notice provides you with information about how we use “cookies”, or, similar technologies, in connection with our Web site, other online resources, and each element of the foregoing (each, a “Service”), to enable us to understand how you interact with the Services, improve your experience, and allow you to use certain related features.  This notice also provides information about how third parties may use such technologies in association with the operation of our Services.

1. About this Cookie Notice

This cookie notice applies when you use any of our Services and may be supplemented by additional cookie notices or terms provided on certain areas of the Services or during our interactions with you.

2. Use of Cookies

Cookies are small pieces of data (text files) that are placed on your computer or device by websites that you visit or applications you use. Cookies are widely used in order to make websites and applications work, or work more efficiently, and help them remember certain information about you, either for the duration of your visit (using a “session” cookie) or for repeat visits (using a “persistent” cookie).

Below provides an overview of the first party and third party cookies we use within our Services, and the purposes for which we use them.  First party cookies are cookies that our website asks your browser to store on your device when you visit, in order to remember information about you, such as your language preference or login information. Third-party cookies are cookies from a domain different than the domain of the website you are visiting, and are used for our advertising and marketing efforts.

We classify cookies in the categories noted in section 3 below.

 3. The categories of cookies used on this website are as follows:

• Essential / Strictly Necessary cookies:These cookies do not store any personally identifiable information. However, they are necessary for the Service to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but without these cookies, some or all of the services you have asked for may not function properly.

• Performance cookies:These are analytics and research cookies that allow us to count visits and measure traffic, so we can measure and improve the performance of our Services. They also help us to know which pages are the most and least popular, and see how visitors move around the site or application. This helps us to improve the way our Services work and improve user experience. All information collected through these cookies will be processed in an aggregated and anonymous form. You can set your browser to block or alert you about these cookies. Blocking these cookies will not affect the service provided you.

• Functionality cookies:These cookies allow our Services to provide enhanced functionality and personalization such as remembering the choices you make and your account preferences and to provide enhanced, more personal features. These cookies may be set by us or by third-party providers whose services we have added to our pages. You can set your browser to block or alert you about these cookies, but without these cookies, some or all of the services you have asked for may not function properly.

• Targeting Cookies:These files or code may be included, either directly or from our advertising partners, social media functions, on our website, in our emails, or, mobile applications to record how you interact with us, to help us better analyze and improve our services to you, and will use this information to make the website, and, any advertising displayed to you more relevant to your interests. You can set your browser to block or alert you about these cookies. Blocking these cookies will not affect the service provided you, but will limit the targeted advertising that you will see, or limit our ability to tailor the website experience to your needs.

Specific cookies that we currently use in connection with the Services are listed at the end of this cookie notice.

4. How to refuse the use of cookies

You can opt-out of each cookie category (except essential / strictly necessary cookies) when using the PCI SSC website (www.pcisecuritystandards.org), by clicking “DECLINE” in the cookie banner at the bottom of our homepage.

You can also prevent your browser from accepting certain cookies, have the browser require your consent before a new cookie is placed in your browser, or block cookies altogether by selecting the appropriate settings on your browser privacy preferences menu.

The links below will help you find the settings for some common browsers (please note that we are not responsible for the content of external websites):

• Manage cookie settings in Chrome and Chrome Android and Chrome iOS
• Manage cookie settings inSafari and Safari iOS
• Manage cookie settings in Firefox
• Manage cookie settings in Internet Explorer
• Manage cookie settings in Opera

For all other browsers, or, for alternative advice, help may be sought via your device user manual, or by visiting www.allaboutcookies.org, or available online help files.

5. Changes

We may update this cookie notice from time to time. Any changes will be posted on this page with an updated revision date.

6. Contact

For more information on our collection and use of personal information, including details regarding your rights or contact details, please refer to our Privacy Policy.

If you have any questions or concerns regarding this cookie notice, please contact us through our Data Protection Program at:

Toll Free Phone #: Email: Postal Address:

1-888-241-3525 dataprivacy@pcisecuritystandards.org PCI Security Standards Council 401 Edgewater Place Suite 600 Wakefield, MA USA 01880 Attn: Director, Privacy and Information Security

Where it applies, you may also lodge a complaint with the data protection authority in the applicable jurisdiction.

 

COOKIE LIST

Essential / Strictly Necessary Cookies

www.pcisecuritystandards.org

• PHPSESSID: Session cookie
• agreements: tracks license agreement for Document Library 
• pci_doc_agreements = tracks license agreement for Document Library 

programs.pcissc.org

• ASP.NET_SessionId: Session Cookie
• pciAdmin: Session Cookie
• AWSALB: AWS Load Balancer cookie
• AWSALBCORS: AWS Load Balancer cookie

Functional Cookies

www.pcisecuritystandards.org

• gdpr-cookie: tracks acceptance/rejection of privacy notice and usage of targeting cookies
• notification_bar: tracks closing the notification bar
• doc_library: tracks Document Library access
• docleadgen: tracks whether the user filled out the lead generation popup form when accessing Document Library

programs.pcissc.org

• session-timeout-cookie: tracks session timeout

Targeting Cookies

www.pcisecuritystandards.org

• _ga = Google Analytics, only if targeting cookies accepted
• _gid = Google Analytics, only if targeting cookies accepted

DATE: 12 August 2020

 

Appendix B

PRIVACY SUPPLEMENT FOR CALIFORNIA RESIDENTS

This PRIVACY SUPPLEMENT FOR CALIFORNIA RESIDENTS (the “Privacy Notice”) supplements the information contained in our Privacy Policy and applies solely to visitors and others who reside in the State of California (“users” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws.  Any terms defined in the CCPA have the same meaning when used in this notice.

Information We Collect

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or device (“Personal Information”). In particular, we have collected the following categories of Personal Information from users within the last 12 months:

Category	Examples	Collected
A. Identifiers.	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.	YES
B. Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Information included in this category may overlap with other categories.	YES
C. Protected classification characteristics under California or federal law.	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).	YES
D. Commercial information.	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	YES
E. Biometric information.	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	NO
F. Internet or other similar network activity.	Browsing history, search history, information on a user’s interaction with a website, application, or advertisement.	YES
G. Geolocation data.	Physical location or movements.	NO
H. Sensory data.	Audio, electronic, visual, thermal, olfactory, or similar information.	NO
I. Professional or employment-related information.	Current or past job history or performance evaluations.	YES
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	YES
K. Inferences drawn from other Personal Information.	Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	NO

Personal Information does not include:

• Publicly available information from government records.
• De-identified or aggregated user information.
• Information excluded from the CCPA’s scope, like:

• health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
• Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

We obtain the categories of Personal Information listed above from the following categories of sources:

• Directly from our visitors, participants, members, assessors, labs and others involved in our activities, our programs, or accessing our website (“Stakeholders”). For example, from documents provided to us related to the programs and other services we provide to Stakeholders (“Services”).
• Indirectly from our representatives or their agents. For example, through information our agents collect from Stakeholders in the course of providing Services.
• Directly and indirectly from activity or events on our website (www.pcisecuritystandards.org) or through our other online resources. For example, from submissions through our website portal, website usage details collected automatically, or participation in online events.
• From third-parties that interact with us in connection with our Services. For example, from business partners who work with our Stakeholders to facilitate our Services.

Use of Personal Information

We may use or disclose the Personal Information we collect for one or more of the following business purposes:

• To fulfill or provide the Services for which the information is provided. For example, we will use contact information (name, phone number, email and address) provided by a Qualified Security Assessor to communicate with their contact personnel in connection with corresponding program activity and participation.
• To provide you with information, products or Services that you request from us.
• To provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, that may be of interest to you.
• To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections.
• To improve our website and present its contents to you.
• For testing, research, analysis and Services development.
• As necessary or appropriate to protect the rights, property or safety of us, our Stakeholders or others.
• To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
• As described to you when collecting your Personal Information or as otherwise set forth in the CCPA.
• To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us is among the assets transferred.
• As otherwise specified in the Privacy Policy.

We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

We may disclose your Personal Information to a third party for a business purpose.  When we disclose Personal Information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract.

In the preceding 12 months, we have disclosed the following categories of Personal Information for a business purpose:

Category A:    Identifiers.

Category B:     Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).

Category C:     Protected classification characteristics under California or federal law.

Category D:    Commercial information.

Category F:     Internet or other similar network activity.

Category I:      Professional or employment-related information.

Category J:      Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

We disclose your Personal Information for a business purpose to the following categories of third parties:

• Our affiliates and business partners.
• Service providers.
• Third parties to whom you or your agents authorize us to disclose your Personal Information in connection with products or services we provide to you.

In the preceding 12 months, we have not sold any Personal Information.

Your Rights and Choices 

The CCPA provides users (California residents) with specific rights regarding their Personal Information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable user request, we will disclose to you:

• The categories of Personal Information we collected about you.
• The categories of sources for the Personal Information we collected about you.
• Our business or commercial purpose for collecting or selling that Personal Information.
• The categories of third parties with whom we share that Personal Information.
• The specific pieces of Personal Information we collected about you (also called a data portability request).
• If we sold or disclosed your Personal Information for a business purpose, two separate lists disclosing:

• sales, identifying the Personal Information categories that each category of recipient purchased; and
• disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained.

Deletion Request Rights 

You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable user request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service providers to:

1. Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
3. Debug products to identify and repair errors that impair existing intended functionality.
4. Exercise free speech, ensure the right of another user to exercise their free speech rights, or exercise another right provided for by law.
5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
7. Enable solely internal uses that are reasonably aligned with user expectations based on your relationship with us.
8. Comply with a legal obligation.
9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable user request to us by contacting us as described under “Contact Information” below.

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable user request related to your Personal Information. You may also make a verifiable user request on behalf of your minor child.

You may only make a verifiable user request for access or data portability twice within a 12-month period. The verifiable user request must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.  Making a verifiable user request does not require you to create an account with us.  We will only use Personal Information provided in a verifiable user request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable user request within 45 days of its receipt.  If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.  If you have an account with us, we will deliver our written response to that account.  If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.  Any disclosures we provide will only cover the 12-month period preceding the verifiable user request’s receipt.  The response we provide will also explain the reasons we cannot comply with a request, if applicable.  For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable user request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Separate from the CCPA, California’s Shine the Light law gives California residents the right to ask companies what Personal Information they share with third parties for those third parties’ direct marketing purposes. We do not disclose your Personal Information to third parties for the purpose of directly marketing their goods or services to you unless you request such disclosure.  Also, California Civil Code Section 1798.83 permits customers who are California residents and who have provided us with “personal information” (as that term is defined in Section 1798.83) to request certain information about the disclosure of that information to third parties for their direct marketing purposes. If you are a California resident with questions regarding the above, please contact us in the manner set forth under the heading “Contacting Us” in the Privacy Policy.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not, as a result of your exercising any of your CCPA rights:

• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you a different level or quality of goods or services.
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Changes to Our Privacy Notice

We reserve the right to amend this Privacy Notice at our discretion at any time. When we make changes to this Privacy Notice, we will notify you by email, through a notice on our website homepage, or by posting updated terms.

Contact Information

If you have any questions or comments about this Privacy Notice, our Privacy Policy, the ways in which we collect and use your Personal Information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Toll Free Phone #: Email: Postal Address:

1-888-241-3525 dataprivacy@pcisecuritystandards.org PCI Security Standards Council 401 Edgewater Place Suite 600 Wakefield, MA USA 01880 Attn: Director, Privacy and Information Security

DATE: 12 August 2020