Security Issue Procedures Sample Clauses
The Security Issue Procedures clause outlines the steps parties must follow when a security breach or related incident occurs. Typically, it details notification requirements, timelines for reporting the issue, and responsibilities for investigating and mitigating the breach. This clause ensures that all parties respond promptly and consistently to security incidents, minimizing potential damage and clarifying obligations in the event of a security issue.
Security Issue Procedures. In the event Vendor becomes aware of a Security Issue with respect to a given Listed Product of Vendor (or TPS or Component incorporated into such Listed Product), Vendor shall comply with its Vulnerability Handling Policies and, promptly (but in any event within 90 days of so becoming aware), provide written notice of such Security Issue to PCI SSC (each a “Security Issue Notice”), including in such notice: (1) the names, PCI SSC approval numbers and any other relevant identifiers of each Listed Product of Vendor that Vendor reasonably believes may be impacted by such Security Issue; (2) a description of the general nature of the Security Issue; (3) Vendor’s good faith assessment, to Vendor’s knowledge at the time, as to the severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS scoring or an alternative industry accepted standard that is reasonably acceptable to PCI SSC) (a “Severity Assessment”); and (4) Vendor’s good faith determination, based on Vendor’s knowledge at the time, as to whether the Security Issue is a Unique Security Issue (a “Uniqueness Determination”). Upon receipt of any Security Issue Notice, PCI SSC may, in its sole discretion and without any further action: (1) Revoke the Listed Product(s) identified therein and (2) take any or all other action(s) permitted under this Agreement or the Program Documents in connection with a Security Issue.
A Listed Product delisted (and/or with respect to which Acceptance has been Revoked) in connection with a Security Issue will not be reinstated or re-listed until all of the following conditions have been satisfied to PCI SSC’s satisfaction: (1) Vendor has released and made available to all users of such Product an appropriate Fix resolving such Security Issue; (2) Vendor has fully executed all of its responsibilities to communicate regarding such Security Issue with all applicable Vendor Customers in accordance with Vendor’s Vulnerability Handling Policies; (3) Vendor has engaged an Assessor to perform a Contracted Assessment of such Product as corrected by the Fix (or, if approved by PCI SSC, a Contracted Assessment of the Fix in conjunction with such Product) in accordance with the applicable Program Requirements; (4) Vendor has fully apprised such Assessor of such Security Issue prior to such Assessor commencing such Contracted Assessment; (5) as a result of such Contracted Assessment, such Assessor has delivered to PCI SSC, and PCI SSC has Accepted, a co...
