Common use of Security Issue Procedures Clause in Contracts

Security Issue Procedures. In the event Vendor becomes aware of a Security Issue with respect to a given Listed Product of Vendor (or TPS or Component incorporated into such Listed Product), Vendor shall comply with its Vulnerability Handling Policies and, promptly (but in any event within 90 days of so becoming aware) provide written notice of such Security Issue to PCI SSC (each a “Security Issue Notice”), including in such notice: (1) the names, PCI SSC approval numbers and any other relevant identifiers of each Listed Product of Vendor that Vendor reasonably believes may be impacted by such Security Issue; (2) a description of the general nature of the Security Issue; (3) Vendor’s good faith assessment, to Vendor’s knowledge at the time, as to the severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS scoring or an alternative industry accepted standard that is reasonably acceptable to PCI SSC) (a “Severity Assessment”); and (4) Vendor’s good faith determination, based on Vendor’s knowledge at the time, as to whether the Security Issue is a Unique Security Issue (a “Uniqueness Determination”). Upon receipt of any Security Issue Notice, PCI SSC may, in its sole discretion and without any further action: (1) Revoke the Listed Product(s) identified therein and (2) take any or all other action(s) permitted under this Agreement or the Program Documents in connection with a Security Issue. A Listed Product delisted (and/or with respect to which Acceptance has been Revoked) in connection with a Security Issue will not be reinstated or re-listed until all of the following conditions have been satisfied to PCI SSC’s satisfaction: (1) Vendor has released and made available to all users of such Product an appropriate Fix resolving such Security Issue; (2) Vendor has fully executed all of its responsibilities to communicate regarding such Security Issue with all applicable Vendor Customers in accordance with Vendor's Vulnerability Handling Policies; (3) Vendor has engaged an Assessor to perform a Contracted Assessment of such Product as corrected by the Fix (or, if approved by PCI SSC, a Contracted Assessment of the Fix in conjunction with such Product) in accordance with the applicable Program Requirements; (4) Vendor has fully apprised such Assessor of such Security Issue prior to such Assessor commencing such Contracted Assessment; (5) as a result of such Contracted Assessment, such Assessor has delivered to PCI SSC, and PCI SSC has Accepted, a corresponding new Assessment Report for such Product (or Fix, as applicable), along with the materials described in Section 2(a)(iii)(D) below; and (6) Vendor is in compliance with all applicable Program Requirements. With respect to any Listed Product delisted (and/or with respect to which Acceptance has been Revoked) in connection with a Security Issue and for which Vendor thereafter seeks reinstatement or relisting by PCI SSC and releases a corresponding Fix: (1) the applicable Assessor performing the Contracted Assessment required by Section 2(a)(iii)(C) above shall provide to PCI SSC, prior to such reinstatement or relisting, a joint written attestation signed by an officer of Vendor and the Assessor certifying that Vendor and such Assessor each have complied with their respective obligations pursuant to Section 2(a)(iii)(C) and that the Security Issue has been fully resolved, and setting forth the following: (a) the name, PCI SSC approval number and any other relevant identifiers of the Product; (b) a final joint Severity Assessment by Vendor and such Assessor; (c) a final joint Uniqueness Determination by Vendor and such Assessor; and (d) if such joint Uniqueness Determination is that the Security Issue was not a Unique Security Issue, the following additional information: (i) a detailed description of the Security Issue, and, if applicable, the nature of the data and other information compromised, breached or otherwise put in jeopardy as a result of the Security Issue (as applicable); and (ii) except to the extent prohibited by applicable privacy law, Vendor security personnel names and contact information for purposes of follow-up discussions regarding such Security Issue; and (2) such Assessor and Vendor shall promptly provide to PCI SSC, at no cost or expense to PCI SSC, such additional information and cooperation as PCI SSC may reasonably request from time to time for purpose of understanding in all material respects the nature, scope, severity, and cause(s) of such Security Issue, the nature of the data and other information compromised, breached or otherwise made vulnerable to unauthorized access as a result thereof, and any corresponding impact on applicable PCI Standards, the PCI Standards development process and/or other products or solutions in the market (in each case, redacted to the extent permitted pursuant to Section 2(a)(iv) below).

Security Issue Procedures. In the event Vendor becomes aware of a Security Issue with respect to a given Listed Product of Vendor (or TPS or Component TPP incorporated into or referenced by any such Listed Product), Vendor shall comply with its Vulnerability Handling Policies and, promptly (but in any event within 90 days of so becoming aware) provide written notice of such Security Issue to PCI SSC (each a “Security Issue Notice”), including in such notice: (1) the names, PCI SSC approval numbers and any other relevant identifiers of each Listed Product of Vendor (and any TPPs incorporated therein or referenced thereby) that Vendor reasonably believes may be impacted by such Security Issue; (2) a description of the general nature of the Security Issue; (3) Vendor’s good faith assessment, to Vendor’s knowledge at the time, as to the severity of the vulnerability or vulnerabilities associated with the Security Issue (using CVSS scoring or an alternative industry accepted standard that is reasonably acceptable to PCI SSC) (a “Severity Assessment”); and (4) Vendor’s good faith determination, based on Vendor’s knowledge at the time, as to whether the Security Issue is a Unique Security Issue (a “Uniqueness Determination”). Upon receipt of any Security Issue Notice, PCI SSC may, in its sole discretion and without any further action: (1) Revoke the Listed Product(s) identified therein and (2) take any or all other action(s) permitted under this Agreement or the Program Documents in connection with a Security Issue. A Listed Product delisted (and/or with respect to which Acceptance has been Revoked) in connection with a Security Issue will not be reinstated or re-listed until all of the following conditions have been satisfied to PCI SSC’s satisfaction: (1) Vendor has released and made available to all users of such Product an appropriate Fix resolving such Security Issue; (2) Vendor has fully executed all of its responsibilities to communicate regarding such Security Issue with all applicable Vendor Customers in accordance with Vendor's Vulnerability Handling Policies; (3) Vendor has engaged an Assessor to perform a Contracted Assessment of such Product as corrected by the Fix (or, if approved by PCI SSC, a Contracted Assessment of the Fix in conjunction with such Product) in accordance with the applicable Program Requirements; (4) Vendor has fully apprised such Assessor of such Security Issue prior to such Assessor commencing such Contracted Assessment; (5) as a result of such Contracted Assessment, such Assessor has delivered to PCI SSC, and PCI SSC has Accepted, a corresponding new Assessment Report for such Product (or Fix, as applicable), along with the materials described in Section 2(a)(iii)(D) below; and (6) Vendor is in compliance with all applicable Program Requirements. With respect to any Listed Product delisted (and/or with respect to which Acceptance has been Revoked) in connection with a Security Issue and for which Vendor thereafter seeks reinstatement or relisting by PCI SSC and releases a corresponding Fix: (1) the applicable Assessor performing the Contracted Assessment required by Section 2(a)(iii)(C) above shall provide to PCI SSC, prior to such reinstatement or relisting, a joint written attestation signed by an officer of Vendor and the Assessor certifying that Vendor and such Assessor each have complied with their respective obligations pursuant to Section 2(a)(iii)(C) and that the Security Issue has been fully resolved, and setting forth the following: (a) the name, PCI SSC approval number and any other relevant identifiers of the Product; (b) a final joint Severity Assessment by Vendor and such Assessor; (c) a final joint Uniqueness Determination by Vendor and such Assessor; and (d) if such joint Uniqueness Determination is that the Security Issue was not a Unique Security Issue, the following additional information: (i) a detailed description of the Security Issue, and, if applicable, the nature of the data and other information compromised, breached or otherwise put in jeopardy as a result of the Security Issue (as applicable); and (ii) except to the extent prohibited by applicable privacy law, Vendor security personnel names and contact information for purposes of follow-up discussions regarding such Security Issue; and (2) such Assessor and Vendor shall promptly provide to PCI SSC, at no cost or expense to PCI SSC, such additional information and cooperation as PCI SSC may reasonably request from time to time for purpose of understanding in all material respects the nature, scope, severity, and cause(s) of such Security Issue, the nature of the data and other information compromised, breached or otherwise made vulnerable to unauthorized access as a result thereof, and any corresponding impact on applicable PCI Standards, the PCI Standards development process and/or other products or solutions in the market (in each case, redacted to the extent permitted pursuant to Section 2(a)(iv) below).