Security Issue Procedures. In the event Vendor becomes aware of a Security Issue with respect to a given Listed Product of Vendor (or TPS or Component incorporated into such Listed Product), Vendor shall comply with its Vulnerability Handling Policies and, promptly (but in any event within 90 days of so becoming aware) provide written notice of such Security Issue to PCI SSC (each a “Security Issue Notice”), including in such notice: (1) the names, PCI SSC approval numbers and any other relevant identifiers of each Listed Product of Vendor that Vendor reasonably believes may be impacted by such Security Issue; (2) a description of the general nature of the Security Issue; (3) Vendor’s good faith assessment, to Vendor’s knowledge at the time, as to the severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS scoring or an alternative industry accepted standard that is reasonably acceptable to PCI SSC) (a “Severity Assessment”); and (4) Vendor’s good faith determination, based on Vendor’s knowledge at the time, as to whether the Security Issue is a Unique Security Issue (a “Uniqueness Determination”). Upon receipt of any Security Issue Notice, PCI SSC may, in its sole discretion and without any further action: (1) Revoke the Listed Product(s) identified therein and (2) take any or all other action(s) permitted under this Agreement or the Program Documents in connection with a Security Issue. A Listed Product delisted (and/or with respect to which Acceptance has been Revoked) in connection with a Security Issue will not be reinstated or re-listed until all of the following conditions have been satisfied to PCI SSC’s satisfaction: (1) Vendor has released and made available to all users of such Product an appropriate Fix resolving such Security Issue; (2) Vendor has fully executed all of its responsibilities to communicate regarding such Security Issue with all applicable Vendor Customers in accordance with Vendor's Vulnerability Handling Policies; (3) Vendor has engaged an Assessor to perform a Contracted Assessment of such Product as corrected by the Fix (or, if approved by PCI SSC, a Contracted Assessment of the Fix in conjunction with such Product) in accordance with the applicable Program Requirements; (4) Vendor has fully apprised such Assessor of such Security Issue prior to such Assessor commencing such Contracted Assessment; (5) as a result of such Contracted Assessment, such Assessor has delivered to PCI SSC, and PCI SSC has Accepted, a co...
Security Issue Procedures. (A) In the event Vendor becomes aware of a Security Issue with respect to a given Listed Product of Vendor (or TPP incorporated into or referenced by any such Listed Product), Vendor shall comply with its Vulnerability Handling Policies and, promptly (but in any event within 90 days of so becoming aware) provide written notice of such Security Issue to PCI SSC (each a “Security Issue Notice”), including in such notice: (1) the names, PCI SSC approval numbers and any other relevant identifiers of each Listed Product of Vendor (and any TPPs incorporated therein or referenced thereby) that Vendor reasonably believes may be impacted by such Security Issue; (2) a description of the general nature of the Security Issue; (3) Vendor’s good faith assessment, to Vendor’s knowledge at the time, as to the severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS scoring or an alternative industry accepted standard that is reasonably acceptable to PCI SSC) (a “Severity Assessment”); and (4) Vendor’s good faith determination, based on Vendor’s knowledge at the time, as to whether the Security Issue is a Unique Security Issue (a “Uniqueness Determination”).
Security Issue Procedures. (A) In the event Vendor becomes aware of a Security Issue with respect to a given Product of Vendor, Vendor shall promptly (but in any event within 24 hours) provide written notice of such Security Issue to PCI SSC (each a “Security Issue Notice”), including in such notice: (1) the name, PCI SSC approval number and any other relevant identifiers of the Product; (2) a description of the general nature of the Security Issue; (3) Vendor’s good faith assessment, to Vendor’s knowledge at the time, as to the severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS scoring or an alternative industry accepted standard that is reasonably acceptable to PCI SSC) (a “Severity Assessment”); and (4) Vendor’s good faith determination, based on Vendor’s knowledge at the time, as to whether the Security Issue is a Unique Security Issue (a “Uniqueness Determination”).
