Common use of Required Agreements and Procedures Clause in Contracts

Required Agreements and Procedures. Vendor shall execute an appropriate written agreement with each entity that it engages as an Assessor, governing the performance of such Assessor's Contracted Assessments of Vendor or Vendor's Products (as applicable) and, in connection with such Assessments, the delivery of the corresponding Vendor Products (if any) and all necessary information to such Assessors for purposes of enabling such Assessors to both review Vendor and/or such Products (as applicable) in accordance with the applicable Program Documents and comply with all applicable Program Requirements and legal requirements (including without limitation, obtaining applicable export licenses and permissions and complying with the terms of this Agreement and all applicable Program Requirements generally applicable to Assessors participating in the relevant Program). To the extent any Product of Vendor for which Vendor is seeking validation or Acceptance under any Program incorporates and/or references any TPP, Vendor shall ensure through a rider in the form attached as Appendix B hereto (the “TPP Rider”) or other written agreement consistent with the terms of the TPP Rider that (i) the applicable TPP Provider has adopted and implemented, and maintains and adheres to Vulnerability Handling Policies consistent with the requirements of Section 2(a)(i)(C) below, (ii) in the event such TPP Provider becomes aware of any TPP Security Issue (as defined in the TPP Rider) associated with such TPP, such TPP Provider complies with such Vulnerability Handling Policies, and (iii) such TPP Provider notifies Vendor of such TPP Security Issue in accordance with the TPP Rider, has authorized Vendor to notify PCI SSC of each Security Issue, and is otherwise required to comply with the obligations set forth in the TPP Rider.
Vendor shall: (1) on or before the date of submission to PCI SSC of the first Assessment Report regarding a Vendor Product that occurs on or after the Effective Date, adopt and implement documented security vulnerability handling programs and processes consistent with industry best practices (“Vulnerability Handling Policies”), including without limitation, programs and detailed processes regarding detection, receipt, triage, prioritization and repair of (and creation of a corresponding Fix (defined below) or Fixes for) Security Issues, provisions requiring Vendor to provide its Vendor Customers with prompt notification of all identified Security Issues and permitting disclosure of Security Issues and related information to PCI SSC in accordance with this Agreement, and, upon release of associated Product fixes, patches or other mitigations or modifications (each a “Fix”), prompt disclosure and dissemination of such Fixes and information needed to prioritize and implement such Fixes to Vendor Customers and (2) promptly following each reasonable request by PCI SSC, provide (or ensure that its Assessor provides) to PCI SSC a copy of (or access to) Vendor’s then current Vulnerability Handling Policies. Access to such Vulnerability Handling Policies (or portions thereof) may be provided to PCI SSC via one or more links to corresponding Vendor web pages, and all Vulnerability Handling Policies (or portions, copies or summaries thereof) that Vendor considers to be and treats as confidential information (a) shall only be provided to PCI SSC in encrypted format and (b) notwithstanding anything to the contrary in this Section, may be provided to PCI SSC in summary or redacted form, but only to the extent reasonably necessary to avoid detailed disclosure of the portions thereof that Vendor considers to be and treats as confidential and proprietary or trade secret information. 
While this Agreement is in effect, Vendor shall maintain and comply with all adopted Vulnerability Handling Policies; provided that Vendor may modify such Vulnerability Handling Policies from time to time (as long as the same, as so modified, remain in compliance with the requirements specified in Section 2(a)(i)(C) above), and that promptly following each material modification thereof, Vendor shall notify (or ensure that its Assessor notifies) PCI SSC of such modification and, if reasonably requested by PCI SSC, provide (or ensure that its Assessor provides) to PCI SSC a copy of Vendor’s then current Vulnerability Handling Policies as so modified, in accordance with the last sentence of Section 2(a)(i)(C) above. Vendor shall ensure that, upon completion (and, in the case of a Contracted Assessment, receipt from the Assessor) of each acceptable Assessment Report, the following are submitted to PCI SSC (by Vendor in the case of Self-Assessments, or by the Assessor in the case of Contracted Assessments): (1) a copy of such Assessment Report in accordance with Section 4(a)(i) below, (2) a written attestation executed by an officer of Vendor on or about the date of such submission, attesting that Vendor is and will remain in compliance with its Vulnerability Handling Policies and that Vendor’s Vulnerability Handling Policies comply with the requirements of Section 2(a)(i)(C) above, and (3) if reasonably requested by or not previously provided to PCI SSC, copies of all then current Vendor Vulnerability Handling Policies, in accordance with the last sentence of Section 2(a)(i)(C) above.
Assessor Authorization. By signing this Agreement, Vendor hereby grants (and agrees to grant) Appropriate Access Privileges to all Assessors engaged to perform Assessments of Vendor or its Products and authorizes (and agrees to authorize) all such Assessors to release to (and discuss with) PCI SSC, subject to the terms and conditions set out in this Agreement, the results of and all work papers associated with all Assessments performed by such Assessors with respect to Vendor and each of Vendor’s Products for which an Assessment Report has been provided to PCI SSC (including without limitation, the encrypted and decrypted Assessment Reports themselves) (collectively, "Assessment Reports and Work Papers"), as well as Vendor’s executed copy of this Agreement, Vendor’s implementation and/or other instruction guides (as described in the applicable Program Documents) for each such Product, and such other information and materials that are required pursuant to this Agreement or applicable Program Requirements, or that PCI SSC may reasonably request from time to time in accordance with applicable Program Requirements.

Appears in 2 contracts

Samples: Vendor Release Agreement, Vendor Release Agreement


Required Agreements and Procedures. Vendor shall execute an appropriate written agreement with each entity that it engages as an Assessor, governing the performance of such Assessor's Contracted Assessments of Vendor or Vendor's Products (as applicable) and, in connection with such Assessments, the delivery of the corresponding Vendor Products (if any) and all necessary information to such Assessors for purposes of enabling such Assessors to both review Vendor and/or such Products (as applicable) in accordance with the applicable Program Documents and comply with all applicable Program Requirements and legal requirements (including without limitation, obtaining applicable export licenses and permissions and complying with the terms of this Agreement and all applicable Program Requirements generally applicable to Assessors participating in the relevant Program). To the extent any Product of Vendor for which Vendor is seeking validation or Acceptance under Vendor's Products (including but not limited to any Program of Vendor’s Components, but excluding Rebranded Products (defined in Section A.11 of Appendix A hereto)) incorporates and/or references any TPPTPS other than a Component then appearing on the applicable list of validated Components on the Website, Vendor shall ensure through a rider in or other written agreement consistent with the form attached as Appendix B hereto (the “TPP Rider”) or other written agreement consistent with the terms of the TPP Rider means acceptable to Vendor that (i) the applicable TPP such TPS Provider has adopted and implemented, and maintains and adheres to Vulnerability Handling Policies in a manner consistent with the requirements of Section 2(a)(i)(C) below, (ii) in the event such TPP TPS Provider becomes aware of any TPP Security Issue (as defined which term, solely for purposes of this Section 2(a)(i)(B), shall have the meaning ascribed to it in the TPP RiderAppendix B) associated with such TPPTPS, such TPP TPS Provider
complies with such Vulnerability Handling Policies, and (iii) such TPP TPS Provider notifies Vendor of such TPP Security Issue in accordance with the TPP RiderAppendix B, has authorized Vendor to notify PCI SSC of each Security Issue, and is otherwise required to comply with the obligations set forth in the TPP Rider. Appendix B. Vendor shall: (1) on or before the date of submission to PCI SSC of the first Assessment Report regarding a Vendor Product that occurs on or after the Effective Date, adopt and implement documented security vulnerability handling programs and processes consistent with industry best practices (“Vulnerability Handling Policies”), including without limitation, programs and detailed processes regarding detection, receipt, triage, prioritization and repair of (and creation of a corresponding Fix (defined below) or Fixes for) Security Issues, provisions requiring Vendor to provide its Vendor Customers with prompt notification of all identified Security Issues and permitting disclosure of Security Issues and related information to PCI SSC in accordance with this Agreement, and, upon release of associated Product fixes, patches or other mitigations or modifications (each a “Fix”), prompt disclosure and dissemination of such Fixes and information needed to prioritize and implement such Fixes to Vendor Customers and (2) promptly following each reasonable request by PCI SSC, provide (or ensure that its Assessor provides) to PCI SSC a copy of (or access to) Vendor’s then current Vulnerability Handling Policies. 
Access to such Vulnerability Handling Policies (or portions thereof) may be provided to PCI SSC via one or more links to corresponding Vendor web pages, and all Vulnerability Handling Policies (or portions, copies or summaries thereof) that Vendor considers to be and treats as confidential information (a) shall only be provided to PCI SSC in encrypted format and (b) notwithstanding anything to the contrary in this Section, may be provided to PCI SSC in summary or redacted form, but only to the extent reasonably necessary to avoid detailed disclosure of the portions thereof that Vendor considers to be and treats as confidential and proprietary or trade secret information. While this Agreement is in effect, Vendor shall maintain and comply with all adopted Vulnerability Handling Policies; provided that Vendor may modify such Vulnerability Handling Policies from time to time (as long as the same, as so modified, remain in compliance with the requirements specified in Section 2(a)(i)(C) above), and that promptly following each material modification thereof, Vendor shall notify (or ensure that its Assessor notifies) PCI SSC of such modification and, if reasonably requested by PCI SSC, provide (or ensure that its Assessor provides) to PCI SSC a copy of Vendor’s then current Vulnerability Handling Policies as so modified, in accordance with the last sentence of Section 2(a)(i)(C) above. 
Vendor shall ensure that, upon completion (and, in the case of a Contracted Assessment, receipt from the Assessor) of each acceptable Assessment Report, the following are submitted to PCI SSC (by Vendor in the case of Self-Assessments, or by the Assessor in the case of Contracted Assessments): (1) a copy of such Assessment Report in accordance with Section 4(a)(i) below, (2) a written attestation executed by an officer of Vendor on or about the date of such submission, attesting that Vendor is and will remain in compliance with its Vulnerability Handling Policies and that Vendor’s Vulnerability Handling Policies comply with the requirements of Section 2(a)(i)(C) above, and (3) if reasonably requested by or not previously provided to PCI SSC, copies of all then current Vendor Vulnerability Handling Policies, in accordance with the last sentence of Section 2(a)(i)(C) above. Assessor Authorization. By signing this Agreement, Vendor hereby grants (and agrees to grant) Appropriate Access Privileges to all Assessors engaged to perform Assessments of by Vendor or its Products and authorizes (and agrees to authorize) all such Assessors to release to (and discuss with) PCI SSC, subject to the terms and conditions set out in this Agreement, the results of and all work papers associated with all Assessments performed by such Assessors with respect to Vendor and each of Vendor’s Products for which an Assessment Report has been provided to PCI SSC (including without limitation, the encrypted and decrypted Assessment Reports themselves) (collectively, "Assessment Reports and Work Papers"), as well as Vendor’s executed copy of this Agreement, Vendor’s implementation and/or other instruction guides (as described in the applicable Program Documents) for each such Product, and such other information and materials that as are required pursuant to this Agreement or applicable Program Requirements, or that PCI SSC may reasonably request from time to time in accordance with applicable Program Requirements.

Appears in 2 contracts

Samples: Vendor Release Agreement, Vendor Release Agreement

Required Agreements and Procedures. (A) Vendor shall execute an appropriate written agreement with each entity that it engages as an Assessor, governing the performance of such Assessor's Contracted Assessments of Vendor or Vendor's Products (as applicable) and, in connection with such Assessments, the delivery of the corresponding Vendor Products (if any) and all necessary information to such Assessors for purposes of enabling such Assessors to both review Vendor and/or such Products (as applicable) in accordance with the applicable Program Documents and comply with all applicable Program Requirements and legal requirements (including without limitation, obtaining applicable export licenses licences and permissions and complying with the terms of this Agreement and all applicable Program Requirements generally applicable to Assessors participating in the relevant Program). (B) To the extent any Product of Vendor for which Vendor is seeking validation or Acceptance under Vendor's Products (including but not limited to any Program of Vendor’s Components) incorporates and/or references any TPPTPS other than a Component then appearing on the applicable list of validated Components on the Website, Vendor shall ensure through a rider in or other written agreement consistent with the form attached as Appendix B hereto (the “TPP Rider”) or other written agreement consistent with the terms of the TPP Rider means acceptable to Vendor that (i) the applicable TPP such TPS Provider has adopted and implemented, and maintains and adheres to Vulnerability Handling Policies in a manner consistent with the requirements of Section 2(a)(i)(C) below, (ii) in the event such TPP TPS Provider becomes aware of any TPP Security Issue (as defined which term, solely for purposes of this Section 2(a)(i)(B), shall have the meaning ascribed to it in the TPP RiderAppendix B) associated with such TPPTPS, such TPP TPS Provider complies with such Vulnerability Handling Policies, and (iii) such
TPP TPS Provider notifies Vendor of such TPP Security Issue in accordance with the TPP RiderAppendix B, has authorized Vendor to notify PCI SSC of each Security Issue, and is otherwise required to comply with the obligations set forth in the TPP Rider. Appendix B. (C) Vendor shall: (1) on or before the date of submission to PCI SSC of the first Assessment Report regarding a Vendor Product that occurs on or after the Effective Date, adopt and implement documented security vulnerability handling programs and processes consistent with industry best practices (“Vulnerability Handling Policies”), including without limitation, programs and detailed processes regarding detection, receipt, triage, prioritization and repair of (and creation of a corresponding Fix (defined below) or Fixes for) Security Issues, provisions requiring Vendor to provide its Vendor Customers with prompt notification of all identified Security Issues and permitting disclosure of Security Issues and related information to PCI SSC in accordance with this Agreement, and, upon release of associated Product fixes, patches or other mitigations or modifications (each a “Fix”), prompt disclosure and dissemination of such Fixes and information needed to prioritize and implement such Fixes to Vendor Customers and (2) promptly following each reasonable request by PCI SSC, provide (or ensure that its Assessor provides) to PCI SSC a copy of (or access to) Vendor’s then current Vulnerability Handling Policies. 
Access to such Vulnerability Handling Policies (or portions thereof) may be provided to PCI SSC via one or more links to corresponding Vendor web pages, and all Vulnerability Handling Policies (or portions, copies or summaries thereof) that Vendor considers to be and treats as confidential information (a) shall only be provided to PCI SSC in encrypted format and (b) notwithstanding anything to the contrary in this Section, may be provided to PCI SSC in summary or redacted form, but only to the extent reasonably necessary to avoid detailed disclosure of the portions thereof that Vendor considers to be and treats as confidential and proprietary or trade secret information. (D) While this Agreement is in effect, Vendor shall maintain and comply with all adopted Vulnerability Handling Policies; provided that Vendor may modify such Vulnerability Handling Policies from time to time (as long as the same, as so modified, remain in compliance with the requirements specified in Section 2(a)(i)(C) above), and that promptly following each material modification thereof, Vendor shall notify (or ensure that its Assessor notifies) PCI SSC of such modification and, if reasonably requested by PCI SSC, provide (or ensure that its Assessor provides) to PCI SSC a copy of Vendor’s then current Vulnerability Handling Policies as so modified, in accordance with the last sentence of Section 2(a)(i)(C) above.
(E) Vendor shall ensure that, upon completion (and, in the case of a Contracted Assessment, receipt from the Assessor) of each acceptable Assessment Report, the following are submitted to PCI SSC (by Vendor in the case of Self-Assessments, or by the Assessor in the case of Contracted Assessments): (1) a copy of such Assessment Report in accordance with Section 4(a)(i) below, (2) a written attestation executed by an officer of Vendor on or about the date of such submission, attesting that Vendor is and will remain in compliance with its Vulnerability Handling Policies and that Vendor’s Vulnerability Handling Policies comply with the requirements of Section 2(a)(i)(C) above, and (3) if reasonably requested by or not previously provided to PCI SSC, copies of all then current Vendor Vulnerability Handling Policies, in accordance with the last sentence of Section 2(a)(i)(C) above. Assessor Authorization. By signing this Agreement, Vendor hereby grants (and agrees to grant) Appropriate Access Privileges to all Assessors engaged to perform Assessments of Vendor or its Products and authorizes (and agrees to authorize) all such Assessors to release to (and discuss with) PCI SSC, subject to the terms and conditions set out in this Agreement, the results of and all work papers associated with all Assessments performed by such Assessors with respect to Vendor and each of Vendor’s Products for which an Assessment Report has been provided to PCI SSC (including without limitation, the encrypted and decrypted Assessment Reports themselves) (collectively, "Assessment Reports and Work Papers"), as well as Vendor’s executed copy of this Agreement, Vendor’s implementation and/or other instruction guides (as described in the applicable Program Documents) for each such Product, and such other information and materials that are required pursuant to this Agreement or applicable Program Requirements, or that PCI SSC may reasonably request from time to time in accordance with applicable Program Requirements.

Appears in 1 contract

Samples: Payment Card Industry Vendor Release Agreement

Required Agreements and Procedures. (A) Vendor shall execute an appropriate written agreement with each entity that it engages as an Assessor, governing the performance of such Assessor's Contracted Assessments of Vendor or Vendor's Products (as applicable) and, in connection with such Assessments, the delivery of the corresponding Vendor Products (if any) and all necessary information to such Assessors for purposes of enabling such Assessors to both review Vendor and/or such Products (as applicable) in accordance with the applicable Program Documents and comply with all applicable Program Requirements and legal requirements (including without limitation, obtaining applicable export licenses and permissions and complying with the terms of this Agreement and all applicable Program Requirements generally applicable to Assessors participating in the relevant Program). (B) To the extent any Product of Vendor for which Vendor is seeking validation or Acceptance under any Program incorporates and/or references any TPP, Vendor shall ensure through a rider in the form attached as Appendix B hereto (the “TPP Rider”) or other written agreement consistent with the terms of the TPP Rider that (i) the applicable TPP Provider has adopted and implemented, and maintains and adheres to Vulnerability Handling Policies consistent with the requirements of Section 2(a)(i)(C) below, (ii) in the event such TPP Provider becomes aware of any TPP Security Issue (as defined in the TPP Rider) associated with such TPP, such TPP Provider complies with such Vulnerability Handling Policies, and (iii) such TPP Provider notifies Vendor of such TPP Security Issue in accordance with the TPP Rider, has authorized Vendor to notify PCI SSC of each Security Issue, and is otherwise required to comply with the obligations set forth in the TPP Rider.
(C) Vendor shall: (1) on or before the date of submission to PCI SSC of the first Assessment Report regarding a Vendor Product that occurs on or after the Effective Date, adopt and implement documented security vulnerability handling programs and processes consistent with industry best practices (“Vulnerability Handling Policies”), including without limitation, programs and detailed processes regarding detection, receipt, triage, prioritization and repair of (and creation of a corresponding Fix (defined below) or Fixes for) Security Issues, provisions requiring Vendor to provide its Vendor Customers with prompt notification of all identified Security Issues and permitting disclosure of Security Issues and related information to PCI SSC in accordance with this Agreement, and, upon release of associated Product fixes, patches or other mitigations or modifications (each a “Fix”), prompt disclosure and dissemination of such Fixes and information needed to prioritize and implement such Fixes to Vendor Customers and (2) promptly following each reasonable request by PCI SSC, provide (or ensure that its Assessor provides) to PCI SSC a copy of (or access to) Vendor’s then current Vulnerability Handling Policies. Access to such Vulnerability Handling Policies (or portions thereof) may be provided to PCI SSC via one or more links to corresponding Vendor web pages, and all Vulnerability Handling Policies (or portions, copies or summaries thereof) that Vendor considers to be and treats as confidential information (a) shall only be provided to PCI SSC in encrypted format and (b) notwithstanding anything to the contrary in this Section, may be provided to PCI SSC in summary or redacted form, but only to the extent reasonably necessary to avoid detailed disclosure of the portions thereof that Vendor considers to be and treats as confidential and proprietary or trade secret information.
(D) While this Agreement is in effect, Vendor shall maintain and comply with all adopted Vulnerability Handling Policies; provided that Vendor may modify such Vulnerability Handling Policies from time to time (as long as the same, as so modified, remain in compliance with the requirements specified in Section 2(a)(i)(C) above), and that promptly following each material modification thereof, Vendor shall notify (or ensure that its Assessor notifies) PCI SSC of such modification and, if reasonably requested by PCI SSC, provide (or ensure that its Assessor provides) to PCI SSC a copy of Vendor’s then current Vulnerability Handling Policies as so modified, in accordance with the last sentence of Section 2(a)(i)(C) above. (E) Vendor shall ensure that, upon completion (and, in the case of a Contracted Assessment, receipt from the Assessor) of each acceptable Assessment Report, the following are submitted to PCI SSC (by Vendor in the case of Self-Assessments, or by the Assessor in the case of Contracted Assessments): (1) a copy of such Assessment Report in accordance with Section 4(a)(i) below, (2) a written attestation executed by an officer of Vendor on or about the date of such submission, attesting that Vendor is and will remain in compliance with its Vulnerability Handling Policies and that Vendor’s Vulnerability Handling Policies comply with the requirements of Section 2(a)(i)(C) above, and (3) if reasonably requested by or not previously provided to PCI SSC, copies of all then current Vendor Vulnerability Handling Policies, in accordance with the last sentence of Section 2(a)(i)(C) above.
Assessor Authorization. By signing this Agreement, Vendor hereby grants (and agrees to grant) Appropriate Access Privileges to all Assessors engaged to perform Assessments of Vendor or its Products and authorizes (and agrees to authorize) all such Assessors to release to (and discuss with) PCI SSC, subject to the terms and conditions set out in this Agreement, the results of and all work papers associated with all Assessments performed by such Assessors with respect to Vendor and each of Vendor’s Products for which an Assessment Report has been provided to PCI SSC (including without limitation, the encrypted and decrypted Assessment Reports themselves) (collectively, "Assessment Reports and Work Papers"), as well as Vendor’s executed copy of this Agreement, Vendor’s implementation and/or other instruction guides (as described in the applicable Program Documents) for each such Product, and such other information and materials that are required pursuant to this Agreement or applicable Program Requirements, or that PCI SSC may reasonably request from time to time in accordance with applicable Program Requirements.

Appears in 1 contract

Samples: Vendor Release Agreement


Required Agreements and Procedures. (A) Vendor shall execute an appropriate written agreement with each entity that it engages as an Assessor, of its Assessors governing the performance of such Assessor's Contracted Assessments of Vendor or Vendor's Products (as applicable) andProducts, in connection with such Assessments, the delivery of the corresponding Vendor Vendor’s Products (if any) and all necessary information to such Assessors for purposes of enabling such Assessors to both review Vendor and/or such Products (as applicable) in accordance with the applicable Program Documents and comply with all applicable Program Requirements and legal requirements (including without limitation, obtaining applicable export licenses licences and permissions and complying with the terms of this Agreement and all applicable Program Requirements generally applicable to Assessors participating in the relevant ProgramAssessor Requirements). (B) To the extent any Product of Vendor for which Vendor is seeking validation or Acceptance under any Program Vendor's Products incorporates and/or references any TPPTPS, Vendor shall ensure through a rider substantially in the form attached as Appendix B hereto (the “TPP Rider”) or other written agreement consistent with means acceptable to Vendor that the terms of the TPP Rider that (i) the applicable TPP corresponding TPS Provider has adopted and implemented, and maintains and adheres to Vulnerability Handling Policies consistent with the requirements of Section 2(a)(i)(C) below, (ii) in the event such TPP Provider becomes promptly notifies Vendor upon becoming aware of any TPP Security Issue (as defined in the TPP Rider) associated with such TPP, such TPP Provider complies with such Vulnerability Handling Policies, TPS and (iii) such TPP Provider notifies Vendor of such TPP Security Issue in accordance with the TPP Rider, has authorized Vendor to notify PCI SSC of each such Security Issue, and is otherwise required to comply with the
obligations set forth in the TPP Rider. (C) Vendor shall: (1) on or before the date of submission to PCI SSC of the first Assessment Report Submission regarding a Vendor Product that occurs on or after the Effective Date, adopt and implement documented security vulnerability handling programs and processes consistent with industry best practices (“Vulnerability Handling Policies”), including without limitation, programs and detailed processes regarding detection, receipt, triage, prioritization and repair of (and creation of a corresponding Fix Fixes (defined below) or Fixes for) Security Issues, provisions requiring prompt Vendor to provide its Vendor Customers with prompt Customer notification of all identified Security Issues vulnerabilities and permitting disclosure of Security Issues and related information to PCI SSC in accordance with this Agreement, and, upon release by Vendor of associated Product fixes, patches or other mitigations or modifications (each a “Fix”), prompt disclosure and dissemination to Vendor Customers of such Fixes and information needed to prioritize and implement such Fixes to Vendor Customers and (2) promptly following each reasonable upon request by PCI SSC, provide (or ensure that its Assessor provides) to PCI SSC a copy of (or access to) Vendor’s then current Vulnerability Handling Policies.
Access to such Vulnerability Handling Policies (or portions thereof) may be provided to PCI SSC via one or more links to corresponding Vendor web pages, and all Vulnerability Handling Policies (or portions, copies or summaries thereof) that Vendor considers to be and treats as confidential information (a) shall only be provided to PCI SSC in encrypted format and (b) notwithstanding anything to the contrary in this Section, may be provided to PCI SSC in summary or redacted form, but only to the extent reasonably necessary to avoid detailed disclosure of the portions thereof that Vendor considers to be and treats as confidential and proprietary or trade secret information. While this Agreement is in effect, Vendor shall maintain and comply with all adopted Vulnerability Handling Policies; provided that Vendor may modify such Vulnerability Handling Policies from time to time (as long as the same, as so modified, remain in compliance with the requirements specified in Section 2(a)(i)(C) above), and that promptly following each material modification thereof, Vendor shall notify (or ensure that its Assessor notifies) PCI SSC of such modification and, if reasonably requested by PCI SSC, provide (or ensure that its Assessor provides) to PCI SSC a copy of Vendor’s then current Vulnerability Handling Policies as so modifiedPolicies. (D) While this Agreement is in effect, in accordance with the last sentence of Section 2(a)(i)(C) above. Vendor shall maintain and comply with all adopted Vulnerability Handling Policies, and promptly following each material modification thereof, ensure that, upon completion (that its Assessor notifies PCI SSC of such modification and, in the case if requested by PCI SSC, provides a copy of a Contracted Assessment, Vendor’s then current Vulnerability Handling Policies to PCI SSC. 
(E) Upon receipt from the Assessor) of each acceptable Assessment ReportReport from an Assessor, Vendor shall ensure that the following are submitted Assessor submits to PCI SSC (by Vendor in the case of Self-Assessments, or by the Assessor in the case of Contracted Assessments): SSC: (1) a copy of such Assessment Report in accordance with Section 4(a)(i) below, (2) a written attestation executed by an officer of Vendor on or about the date of such submissionSubmission, attesting that Vendor is and will remain in compliance with its Vulnerability Handling Policies and that Vendor’s Vulnerability Handling Policies comply with the requirements of Section 2(a)(i)(C) above, and (3) if reasonably requested by or not previously provided to PCI SSC, copies of all then current Vendor Vulnerability Handling Policies, in accordance with the last sentence of Section 2(a)(i)(C) above. Assessor Authorization. By signing this Agreement, Vendor hereby grants (and agrees to grant) Appropriate Access Privileges to all Assessors engaged to perform Assessments of Vendor or its Products and authorizes (and agrees to authorize) all such Assessors to release to (and discuss with) PCI SSC, subject to the terms and conditions set out in this Agreement, the results of and all work papers associated with all Assessments performed by such Assessors with respect to Vendor and each of Vendor’s Products for which an Assessment Report has been Policies not previously provided to PCI SSC (including without limitation, the encrypted and decrypted Assessment Reports themselves) (collectively, "Assessment Reports and Work Papers"), as well as Vendor’s executed copy of this Agreement, Vendor’s implementation and/or other instruction guides (as described in the applicable Program Documents) for each such Product, and such other information and materials that are required pursuant to this Agreement or applicable Program Requirements, or that PCI SSC may reasonably request from time to time in 
accordance with applicable Program RequirementsSSC.


Samples: Payment Card Industry Vendor Release Agreement

Required Agreements and Procedures. Vendor shall execute an appropriate written agreement with each entity that it engages as an Assessor, governing the performance of such Assessor's Contracted Assessments of Vendor or Vendor's Products (as applicable) and, in connection with such Assessments, the delivery of the corresponding Vendor Products (if any) and all necessary information to such Assessors for purposes of enabling such Assessors to both review Vendor and/or such Products (as applicable) in accordance with the applicable Program Documents and comply with all applicable Program Requirements and legal requirements (including without limitation, obtaining applicable export licenses and permissions and complying with the terms of this Agreement and all applicable Program Requirements generally applicable to Assessors participating in the relevant Program). To the extent any of Vendor's Products (including but not limited to any of Vendor’s Components) incorporates and/or references any TPS other than a Component then appearing on the applicable list of validated Components on the Website, Vendor shall ensure through a rider or other written agreement consistent with the form attached as Appendix B hereto or other means acceptable to Vendor that (i) such TPS Provider has adopted and implemented, and maintains and adheres to Vulnerability Handling Policies in a manner consistent with the requirements of Section 2(a)(i)(C) below, (ii) in the event such TPS Provider becomes aware of any TPP Security Issue (which term, solely for purposes of this Section 2(a)(i)(B), shall have the meaning ascribed to it in Appendix B) associated with such TPS, such TPS Provider complies with such Vulnerability Handling Policies, and (iii) such TPS Provider
notifies Vendor of such TPP Security Issue in accordance with Appendix B, has authorized Vendor to notify PCI SSC of each Security Issue, and is otherwise required to comply with the obligations set forth in Appendix B. Vendor shall: (1) on or before the date of submission to PCI SSC of the first Assessment Report regarding a Vendor Product that occurs on or after the Effective Date, adopt and implement documented security vulnerability handling programs and processes consistent with industry best practices (“Vulnerability Handling Policies”), including without limitation, programs and detailed processes regarding detection, receipt, triage, prioritization and repair of (and creation of a corresponding Fix (defined below) or Fixes for) Security Issues, provisions requiring Vendor to provide its Vendor Customers with prompt notification of all identified Security Issues and permitting disclosure of Security Issues and related information to PCI SSC in accordance with this Agreement, and, upon release of associated Product fixes, patches or other mitigations or modifications (each a “Fix”), prompt disclosure and dissemination of such Fixes and information needed to prioritize and implement such Fixes to Vendor Customers and (2) promptly following each reasonable request by PCI SSC, provide (or ensure that its Assessor provides) to PCI SSC a copy of (or access to) Vendor’s then current Vulnerability Handling Policies.
Access to such Vulnerability Handling Policies (or portions thereof) may be provided to PCI SSC via one or more links to corresponding Vendor web pages, and all Vulnerability Handling Policies (or portions, copies or summaries thereof) that Vendor considers to be and treats as confidential information (a) shall only be provided to PCI SSC in encrypted format and (b) notwithstanding anything to the contrary in this Section, may be provided to PCI SSC in summary or redacted form, but only to the extent reasonably necessary to avoid detailed disclosure of the portions thereof that Vendor considers to be and treats as confidential and proprietary or trade secret information. While this Agreement is in effect, Vendor shall maintain and comply with all adopted Vulnerability Handling Policies; provided that Vendor may modify such Vulnerability Handling Policies from time to time (as long as the same, as so modified, remain in compliance with the requirements specified in Section 2(a)(i)(C) above), and that promptly following each material modification thereof, Vendor shall notify (or ensure that its Assessor notifies) PCI SSC of such modification and, if reasonably requested by PCI SSC, provide (or ensure that its Assessor provides) to PCI SSC a copy of Vendor’s then current Vulnerability Handling Policies as so modified, in accordance with the last sentence of Section 2(a)(i)(C) above. 
Vendor shall ensure that, upon completion (and, in the case of a Contracted Assessment, receipt from the Assessor) of each acceptable Assessment Report, the following are submitted to PCI SSC (by Vendor in the case of Self-Assessments, or by the Assessor in the case of Contracted Assessments): (1) a copy of such Assessment Report in accordance with Section 4(a)(i) below, (2) a written attestation executed by an officer of Vendor on or about the date of such submission, attesting that Vendor is and will remain in compliance with its Vulnerability Handling Policies and that Vendor’s Vulnerability Handling Policies comply with the requirements of Section 2(a)(i)(C) above, and (3) if reasonably requested by or not previously provided to PCI SSC, copies of all then current Vendor Vulnerability Handling Policies, in accordance with the last sentence of Section 2(a)(i)(C) above. Assessor Authorization. By signing this Agreement, Vendor hereby grants (and agrees to grant) Appropriate Access Privileges to all Assessors engaged to perform Assessments of Vendor or its Products and authorizes (and agrees to authorize) all such Assessors to release to (and discuss with) PCI SSC, subject to the terms and conditions set out in this Agreement, the results of and all work papers associated with all Assessments performed by such Assessors with respect to Vendor and each of Vendor’s Products for which an Assessment Report has been provided to PCI SSC (including without limitation, the encrypted and decrypted Assessment Reports themselves) (collectively, "Assessment Reports and Work Papers"), as well as Vendor’s executed copy of this Agreement, Vendor’s implementation and/or other instruction guides (as described in the applicable Program Documents) for each such Product, and such other information and materials as are required pursuant to this Agreement or applicable Program Requirements, or that PCI SSC may reasonably request from time to time in accordance with applicable Program Requirements.


Samples: Vendor Release Agreement