PCI Security Standards Council

Privacy Policy

Add Comment

Privacy Policy Last Updated: 18 January 2023 Your privacy is important to us. Our goal is to provide you with a personalized online experience that provides you with the information, resources, and services that are most relevant and helpful to you. This Privacy Policy (the “Privacy Policy”) has been written to describe the privacy-related terms and conditions under which PCI Security Standards Council (“PCI SSC”, “we”, “us” or “our”) makes its web sites, web pages, domains, portals, registries, mobile apps, other events and online resources, and corresponding materials (collectively, the “Web site”) available to you, including but not limited to resources used to provide or in connection with our online meetings, events and other services. The Privacy Policy discusses, among other things, how data obtained in connection with your use of the Web site may be collected and used. We strongly recommend that you read the Privacy Policy carefully. By using the Web site, you agree to be bound by the terms of the Privacy Policy (including its appendices, which are hereby incorporated into the Privacy Policy). If you do not accept the terms of the Privacy Policy, you are directed to discontinue accessing or otherwise using the Web site. If you are dissatisfied with the Web site, please feel free to contact us at dataprivacy@pcisecuritystandards.org The process of maintaining the Web site is an evolving one, and we may modify the terms of this Privacy Policy without notice. Your continued use of the Web site after such change indicates your assent to the modified terms as of the effective date of the change. The effective Privacy Policy will be posted on the Web site, and you should check upon every visit for any changes. 1. Sites and Resources Covered by this Privacy Policy This Privacy Policy applies to all PCI SSC web sites, web pages, domains, portals, registries, mobile apps, and other online resources, including but not limited to resources used to provide or in connection with our online meetings and events.&nbsp. Notwithstanding the foregoing, we may from time to time require users of specific web pages, portals, or resources to agree to corresponding additional terms and conditions (“Additional Terms”), and such Additional Terms shall govern to the extent necessary to resolve any express conflicts with this Privacy Policy. 2. Children’s Privacy We are committed to protecting the privacy needs of children, and we encourage parents and guardians to take an active role in their children’s online activities and interests. We do not intentionally collect information from children under the age of 13, and do not target the Web site to children. 3. Links to Non-PCI Security Standards Council Web Sites The Web site may provide links to third-party web sites or mobile apps for the convenience of our users. If you access those links or apps, you will leave our Web site. We do not control these third-party web sites and apps and cannot represent that their policies and practices will be consistent with this Privacy Policy. For example, other web sites or mobile apps may collect or use personal information about you in a manner different from that described in this document. Therefore, you should use other web sites and mobile apps with caution, and you do so at your own risk. We encourage you to review the privacy policy of any web site or mobile app before submitting personal information. 4. Types of Information We Collect Non-Personal Information Non-personal information is data about usage and service operation that is not directly associated with a specific personal identity. We may collect and analyze non-personal information to evaluate how users use the Web site. Aggregate Information We may gather aggregate information, which refers to information your computer automatically provides to us and which cannot be tied back to you as a specific individual. Examples include referral data (the web sites you visited just before our Web site), the pages viewed, and time spent at our Web site.&nbsp. You may control the non-essential information we collect by utilizing the cookie control settings that appear when you first access the Web site, and that is accessible via controls visible on every page of our Web site. Logs Every time you request or download a file from the Web site, we may store data about these events and your IP address in a log. We may use this information to analyze trends, administer the Web site, track users’ movements, and gather broad demographic information for aggregate use or for other business purposes. Cookies Our Web site may use a feature of your browser to set a “cookie” on your computer. Cookies are small packets of information that a Web site’s computer stores on your computer. The Web site can then read the cookies whenever you visit. We may use cookies in a number of ways, such as to save information so you don’t have to re-enter it each time you visit our site, to deliver content specific to your interests and to track the pages you’ve visited. These cookies allow us to use the information we collect to customize your Web site experience so that your visit to our site is as relevant and as valuable to you as possible. For additional information regarding cookies and how we use them, please review our Cookie Notice at Appendix A hereto. Personal Data “Personal Data” is information that is associated with your personal identity and may include your name or other personal information that can be used to uniquely identify you as an individual. In general, we use Personal Data to better understand your needs and interests and to provide you with better service. The specific uses for Personal Data that we collect are described when or on the pages where such data is collected.&nbsp. The types of Personal Data you provide to us through the Web site may include name, address, phone number, email address, user IDs, passwords, IP address, and billing information.&nbsp. Providing this information may be required or requested in order to enable you to request and/or download information or materials, subscribe to mailing lists, participate in corresponding online or in person discussions or events, collaborate on documents, provide feedback, submit information into registries, register for or participate in programs, meetings or events, apply for participation or membership, or join technical committees, working groups or initiatives.&nbsp. We collect this information so we can contact you or send you requested materials (such as with requested documents or subscriptions to mailing lists), enable participation in corresponding events and activities, and to identify you to us or others (such as in applications to register for or participate in meetings or events or join committees, to participate in programs or online discussions, or to download materials from the Website and execute corresponding licenses), and to bill you for requested services or materials. You may always elect not to provide your Personal Data to us, but that will limit your ability to participate in these activities or benefit from these services.  Personal Data will not be kept for longer than is necessary for the purpose (s) for which it was collected, and in general, we will retain Personal Data for a period of 3 years, or if you have any qualification or contractual relationship with us, for a period of 3 years after cessation of that qualification or relationship.&nbsp. In some cases it is not possible for us to specify in advance the periods for which your Personal Data will be retained. Notwithstanding this, we may retain, process and use your Personal Data where such is necessary for compliance with a legal or contractual obligation to which we are subject, in order to protect your vital interests or the vital interests of another person, or for other applicable legitimate interests. 5. Restricted Web Sites and Portals Information you provide in connection with applying for participation or membership may be used to create a corresponding participant or member profile, or enable participation in corresponding activities, and may be shared with other PCI SSC member or participant representatives and organizations. Such information may be provided to other participants or members securely to encourage and facilitate collaboration, online discussion, research, and the free exchange of information. PCI SSC participants and members automatically are added to applicable PCI SSC mailing lists. From time to time, participant and member information may be shared with event organizers and/or other organizations that provide additional benefits to our participants or members. When you provide us with your personal information in connection with events PCI SSC is organizing or hosting, we use that data to comply with our contractual obligations to event organizers and other parties in connection with those events. Where appropriate, we also expressly obtain your consent at the time of its collection. 6. Meetings and Events Information you provide in connection with events or initiatives or registering for events or initiatives, such as our Community Meetings, Town Halls, Work Groups, Task Forces, Special Interest Groups, requests for comments, and similar events and initiatives, whether held in person or online, may include name, email address, company name, and company type.&nbsp. This information is used to comply with our contractual obligations to the event or initiative organizers or operators and other parties in connection with those events and initiatives, including to operate such events and facilitate your participation, and may be used and shared with our contractors or other event participants for such purpose and as described under “Restricted Web Sites and Portals” above.&nbsp. Additionally, at the time you provide us with such information, we will where appropriate request your consent to our storing, processing, distributing, and use of such data for the purposes for which it is being provided.&nbsp. In connection with such events, we may also request additional information such as address, company affiliate, number of company employees, and other company information, which may be used for marketing purposes, and may be distributed to event sponsors. Consent to such use of such additional information is requested at the time the information is collected.&nbsp. All information collected in connection with such events is retained in accordance with the applicable provisions of this Privacy Policy. 7. Company Information Company information is information that is associated with the name and address of our participant, member and other stakeholder or user organizations and may include data about usage and service operation. The primary representative of any such organization may request limited usage reports to gauge the extent of their employees’ involvement in our activities. You should be aware that information regarding your participation in technical committees, working groups, and online discussions and events, for example, may be made available to your company’s primary representative and to PCI SSC staff members. 8. How We Use Your Information We may use non-personal data that is aggregated for reporting about the Web site activity, usability, performance, effectiveness, or participation. It may be used to improve the experience, usability, and content of the Web site or future activities. We may use personal information to offer or provide services that support our activities or those of our participants, members, stakeholders or other users, and their collaboration with us, or to provide you with electronic newsletters, announcements, surveys or other information. When accessing restricted PCI SSC Web pages, portals or activities, your personal user information may be used or tracked in order to support collaboration, ensure authorized access, and enable communication among participants or members. 9. Information Sharing We do not sell, rent, or lease any individual’s personal information or lists of email addresses to any third parties for marketing purposes, and we take commercially reasonable steps to maintain the security of this information. We will not do any of the foregoing in the future without providing you with notice and an opportunity to opt-out or opt-in, as required by law.&nbsp. Similarly, we do not offer financial incentives associated with our collection, use, or disclosure of your personal information.&nbsp. However, we reserve the right to supply any such information to any organization into which PCI SSC may merge in the future or to which it may make any transfer in order to enable a third party to continue part or all of our mission or activities. We also reserve the right to release personal information to protect our systems or business, if we reasonably believe you to be in violation of applicable terms of use, or if we reasonably believe you to have initiated or participated in any illegal activity. In addition, please be aware that in certain circumstances, we may be obligated to release your personal information pursuant to judicial or other government subpoenas, warrants, or other orders. In keeping with our open process, we may maintain publicly accessible archives for the vast majority of our activities. For example, posting an email message to any PCI SSC-hosted mail list or discussion forum, providing request for comment feedback, or registering for one of our public or other meetings may result in your personal information becoming part of corresponding publicly accessible archives. If you are a PCI Security Standards Council participant or member, you should be aware that some items of your personal information may be visible to other such participants and members, and to the public. Our participant and member databases may retain information about your name, email address, company affiliation and such other personal address, identifying data, and any previously-supplied such data, as you choose to supply. That data may be generally visible to other such participants or members, and to the public. Your name, email address, and other information you may supply also may be included in publicly accessible records of our various committees, working groups, online events and discussions, and similar activities that you join, in various places, including: (i) the permanently-posted attendance and other records of those activities. (ii) documents generated by the activity, which may be permanently archived. and, (iii) along with message content, in the permanent archives of our email lists, which also may be public. Please remember that any information (including personal information) that you disclose in public areas of the Web site or in connection with public or broad participation activities, such as forums (in person or online), message boards, news groups, and other activities, may become publicly or broadly available information that others may collect, circulate, and use. Because we cannot and do not control the acts of others, you should exercise caution when deciding to disclose information about yourself or others in forums or other activities such as these. Given the international scope of the PCI Security Standards Council, personal information may be visible to persons outside your country of residence, including to persons in countries that your own country’s privacy laws and regulations deem deficient in ensuring an adequate level of protection for such information. If you are unsure whether this Privacy Policy is in conflict with applicable local rules, you should not submit your information. Your Personal Data will never be used for direct marketing purposes, although we may contact you to follow up on a request you made for information about a service, event or activity we provide. If you do not want your personal information collected and used by the PCI Security Standards Council, please do not visit or use our Web site, apply for participant or member status, or engage in PCI SSC activities 10. Access to and Accuracy of Information We are committed to keeping the personal information of our participating and member organizations and other Web site users accurate. All the information you have submitted to us can be verified, changed and deleted (consistent with legal data retention requirements). In order to do this, please email us a request at dataprivacy@pcisecuritystandards.org. We may provide participants, members and/or others with online access to their own personal profiles, enabling them to update or delete information at any time. To protect your privacy and security, we also may take reasonable steps to verify identity, such as requiring a user ID and password, before access to modify personal profile data. Certain areas of the Web site may limit access to specific individuals through the use of passwords or other personal identifiers. a password prompt is your indication that a restricted resource is being accessed. 11. Security We use a variety of means to protect personal information provided by users of the Web site, including using firewalls and other security measures on its servers. No server, however, is 100% secure, and you should take this into account when submitting personal or confidential information about yourself or others on the Web site or elsewhere. Much of the personal information we collect is used in conjunction with participation and/or member-level services such as collaboration and discussion, so some types of personal information such as your name, company affiliation, and email address will be visible to other PCI Security Standards Council participants or members, and to the public. We assume no liability for the interception, alteration, use or misuse of the information you provide. You alone are responsible for maintaining the secrecy of your personal information. Please use care when you access the Web site and otherwise provide personal information. 12. Opting Out From time to time we may email you electronic newsletters, announcements, surveys or other information. If you prefer not to receive any or all of these communications, you may opt out by following the directions provided within the electronic newsletters and announcements. 13. California Privacy Rights Under the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights and Enforcement Act (“CPRA”), and other California privacy laws, California residents have certain rights relating to collection, use, and sharing of their personal information for companies that meet applicable requirements.&nbsp. For example, if you are a resident of California, you have the right to request to know what personal information we have collected about you, and to access that information. You also have the right to request deletion of your personal information, though exceptions under the law may allow us to retain and use certain personal information notwithstanding your deletion request.&nbsp. For additional information regarding such rights and laws, please review our Privacy Notice for California Residents at Appendix B hereto. 14. Data Privacy Laws Depending on the state, country or region where you are located or reside (your “Jurisdiction”), you may have certain rights under the General Data Protection Regulation (“GDPR”) or other laws of your Jurisdiction relating to the privacy and protection of Personal Data, in addition to those described in this Privacy Policy.&nbsp. Personal Data you provide on or through the Web site or otherwise in connection with our activities is only collected with your consent or to comply with our contractual obligations, and may be transmitted outside of the your Jurisdiction to the PCI Security Standards Council (or computer servers maintained for the benefit of the PCI Security Standards Council) pursuant to that consent. In general, under the GDPR, if you live in the European Economic Area (“EEA”), or the United Kingdom, you may: <ul> <li>request access to your Personal Data</li> <li>have incomplete or incorrect Personal Data corrected</li> <li>have your Personal Data deleted</li> <li>suspend or restrict our use of your Personal Data, or withdraw your consent, and if that request is not respected, then to object</li> <li>request a copy of your Personal Data</li> <li>complain to a supervisory authority if you believe your rights under the GDPR are not being respected</li> <li>request to refuse automated decision-making of your personal data to make decisions about you, if such decision-making significantly affects you or produces legal effects</li> </ul> Should you request a copy of your Personal Data, we will provide you a copy. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.&nbsp. Should you request the deletion of your Personal Data, PCI Security Standards Council will generally do so as soon as practicable, although your right to have your Personal Data deleted is subject to exceptions, such as, for example, compliance with a legal obligation or for the establishment, exercise or defense of legal claims.  If you consider that our processing of your Personal Data infringes applicable data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the UK or EEA member state of your habitual residence, your place of work or the place of the alleged infringement. You should note that our servers are located in the United States, which is deemed by the European Union to have inadequate data protection.&nbsp. Accordingly, when you provide information to us through the Web site, you are providing that information to us in the United States.&nbsp. You should also note that, if you are in a country outside the United States (including but not limited to in the UK or EEA), your Personal Data may be transferred to and/or collected, stored, processed, and/or used outside of your country, including in the United States.&nbsp. By way of example, this may happen if Personal Data of an individual in the UK or EEA is transferred to our servers located in the United States or in another country outside of the UK or EEA. Such countries may not have similar data protection laws to the UK or EEA or your country. If we transfer your information outside of the UK or EEA in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy, including the following: <ul> <li>Data sent to our Website or Portal is protected by TLS and strong cryptographic algorithms when transmitted across open, public networks;</li> <li>Data at rest on our Website or Portal is protected by full disk encryption and strong access controls. In addition, sensitive customer files uploaded to our portal are separately encrypted using unique encryption keys per file. All encryption keys use strong cryptography and are protected using role-based access controls;</li> <li>We run vulnerability scans against our infrastructure (including our Website and Portal), at a minimum at least quarterly and after any significant change;</li> <li>We conduct penetration tests against our infrastructure (including our Website and Portal),  at least annually and after any significant change.</li> </ul> 15. Contacting Us If you have any questions or concerns regarding this policy or your Personal Data, or wish to exercise any of the above rights, please contact the PCI Security Standards Council through its Data Protection Program at: Toll Free Phone #: Email: Postal Address: 1-888-241-3525 dataprivacy@pcisecuritystandards.org PCI Security Standards Council 401 Edgewater Place Suite 600 Wakefield, MA USA 01880 Attn: Director, Technology, Infrastructure, &amp. Privacy Appendix A and B follow. Appendix A COOKIE NOTICE This cookie notice provides you with information about how we use “cookies”, or, similar technologies, in connection with our Web site, other online resources, and each element of the foregoing (each, a “Service”), to enable us to understand how you interact with the Services, improve your experience, and allow you to use certain related features.&nbsp. This notice also provides information about how third parties may use such technologies in association with the operation of our Services. 1. About this Cookie Notice This cookie notice applies when you use any of our Services and may be supplemented by additional cookie notices or terms provided on certain areas of the Services or during our interactions with you. 2. Use of Cookies Cookies are small pieces of data (text files) that are placed on your computer or device by websites that you visit or applications you use. Cookies are widely used in order to make websites and applications work, or work more efficiently, and help them remember certain information about you, either for the duration of your visit (using a “session” cookie) or for repeat visits (using a “persistent” cookie). Below provides an overview of the first party and third-party cookies we use within our Services, and the purposes for which we use them.&nbsp. First party cookies are cookies that our website asks your browser to store on your device when you visit, in order to remember information about you, such as your language preference or login information. Third-party cookies are cookies from a domain different than the domain of the website you are visiting, and are used for managing login information, managing cookie preferences, as well as our advertising and marketing efforts. We provide controls to allow you to manage our cookie usage on our Web site. We classify cookies in the categories noted in section 3 below. 3. The categories of cookies used on this website are as follows: <ul> <li> Essential / Strictly Necessary cookies: These cookies do not store any personally identifiable information. However, they are necessary for the Service to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but without these cookies, some or all of the services you have asked for may not function properly.</li> </ul> <ul> <li> Performance cookies: These are analytics and research cookies that allow us to count visits and measure traffic, so we can measure and improve the performance of our Services. They also help us to know which pages are the most and least popular, and see how visitors move around the site or application. This helps us to improve the way our Services work and improve user experience. All information collected through these cookies will be processed in an aggregated and anonymous form. You can disable these cookies using the controls provided to you. Blocking these cookies will not affect the service provided you.</li> </ul> <ul> <li> Functionality cookies: These cookies allow our Services to provide enhanced functionality and personalization such as remembering the choices you make and your account preferences and to provide enhanced, more personal features. These cookies may be set by us or by third-party providers whose services we have added to our pages. You can disable these cookies, but without them, some or all of the services you have asked for may not function fully.</li> </ul> <ul> <li> Targeting Cookies: These files or code may be included, either directly or from our advertising partners, social media functions, on our website, in our emails, or, mobile applications to record how you interact with us, to help us better analyze and improve our services to you, and will use this information to make the website, and, any advertising displayed to you more relevant to your interests. You can disable these cookies. Blocking these cookies will not affect the service provided you, but may limit the targeted advertising that you will see, or limit our ability to tailor the website experience to your needs.</li> </ul> Specific cookies that we currently use in connection with the Services are listed at the end of this cookie notice. 4. How to refuse the use of cookies You can manage each cookie category (except essential / strictly necessary cookies) when using the PCI SSC website (www.pcisecuritystandards.org), by clicking on the cookie control icon in the bottom left of our homepage. You can also prevent your browser from accepting certain cookies, have the browser require your consent before a new cookie is placed in your browser, or block cookies altogether by selecting the appropriate settings on your browser privacy preferences menu. 5. Changes We may update this cookie notice from time to time. Any changes will be posted on this page with an updated revision date. 6. Contact For more information on our collection and use of personal information, including details regarding your rights or contact details, please refer to our Privacy Policy. If you have any questions or concerns regarding this cookie notice, please contact us through our Data Protection Program at: Toll Free Phone #: Email: Postal Address: 1-888-241-3525 dataprivacy@pcisecuritystandards.org PCI Security Standards Council 401 Edgewater Place Suite 600 Wakefield, MA USA 01880 Attn: Director, Technology, Infrastructure, &amp. Privacy Where it applies, you may also lodge a complaint with the data protection authority in the applicable jurisdiction.   COOKIE LIST Essential / Strictly Necessary Cookies www.pcisecuritystandards.org <ul> <li>PHPSESSID: Session cookie</li> </ul> programs.pcissc.org <ul> <li>ASP.NET_SessionId: Session Cookie</li> <li>pciAdmin: Session Cookie</li> <li>AWSALB: AWS Load Balancer cookie</li> <li>AWSALBCORS: AWS Load Balancer cookie</li> </ul> Functional Cookies www.pcisecuritystandards.org <ul> <li>cookiecontrol: tracks acceptance/rejection of privacy notice and usage of targeting cookies</li> <li>notification_bar: tracks closing the notification bar</li> </ul> programs.pcissc.org <ul> <li>session-timeout-cookie: tracks session timeout</li> </ul> auth.pcissc.org <ul> <li>auth0: Used to implement the Auth0 Single Sign-on session layer.</li> <li>auth0_compat: Fallback cookie for single sign-on on browsers that don’t support the sameSite=None attribute.</li> <li>auth0-mf: Used to establish the trust level for a given device.</li> <li>auth0-mf_compat: Fallback cookie for multi-factor authentication on browsers that don’t support the sameSite=None attribute.</li> <li>a0_users:sess: Used for CSRF protection in Classic Universal Login flows.</li> <li>a0_users:sess.sig: Used for CSRF protection in Classic Universal Login flows.</li> <li>did: Device identification for attack protection.</li> <li>did_compat: Fallback cookie for anomaly detection on browsers that don’t support the sameSite=None attribute.</li> </ul> Targeting Cookies www.pcisecuritystandards.org <ul> <li>_ga = Google Analytics, only if targeting cookies accepted</li> <li>_gid = Google Analytics, only if targeting cookies accepted</li> <li>_parsely_visitor, only if targeting cookies accepted</li> <li>_parsely_session, only if targeting cookies accepted</li> </ul> DATE: 20 January 2023 Appendix B PRIVACY SUPPLEMENT FOR CALIFORNIA RESIDENTS This PRIVACY SUPPLEMENT FOR CALIFORNIA RESIDENTS (the “Privacy Notice”) supplements the information contained in our Privacy Policy and applies solely to visitors and others who reside in the State of California (“users” or “you”). We adopt this notice in connection with the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights and Enforcement Act (“CPRA”),  and other California privacy laws.&nbsp. Any terms defined in the those laws have the same meaning when used in this notice. Information We Collect We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or device (“Personal Information”). In particular, we have collected the following categories of Personal Information from users within the last 12 months: Category Examples Collected A. Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. YES B. Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Information included in this category may overlap with other categories. YES C. Protected classification characteristics under California or federal law. Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). YES D. Commercial information. Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. YES E. Biometric information. Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. NO F. Internet or other similar network activity. Browsing history, search history, information on a user’s interaction with a website, application, or advertisement. YES G. Geolocation data. Physical location or movements. NO H. Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information. NO I. Professional or employment-related information. Current or past job history or performance evaluations. YES J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. YES K. Inferences drawn from other Personal Information. Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. NO Personal Information does not include: <ul> <li>Publicly available information from government records.</li> <li>De-identified or aggregated user information.</li> <li>Information excluded from the CCPA’s and CPRA’s scope, like:</li> </ul> <ul> <li> <ul> <li>health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;</li> <li>Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.</li> </ul> </li> </ul> We obtain the categories of Personal Information listed above from the following categories of sources: <ul> <li>Directly from our visitors, participants, members, assessors, labs and others involved in our activities, our programs, or accessing our website (“Stakeholders”). For example, from documents provided to us related to the programs and other services we provide to Stakeholders (“Services”).</li> <li>Indirectly from our representatives or their agents. For example, through information our agents collect from Stakeholders in the course of providing Services.</li> <li>Directly and indirectly from activity or events on our website (www.pcisecuritystandards.org) or through our other online resources. For example, from submissions through our website portal, website usage details collected automatically, or participation in online events.</li> <li>From third-parties that interact with us in connection with our Services. For example, from business partners who work with our Stakeholders to facilitate our Services.</li> </ul> Use of Personal Information We may use or disclose the Personal Information we collect for one or more of the following business purposes (collectively, the “Business Purposes”): <ul> <li>To fulfill or provide the Services for which the information is provided. For example, we will use contact information (name, phone number, email and address) provided by a Qualified Security Assessor to communicate with their contact personnel in connection with corresponding program activity and participation.</li> <li>To provide you with information, products or Services that you request from us.</li> <li>To provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, that may be of interest to you.</li> <li>To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections.</li> <li>To improve our website and present its contents to you.</li> <li>For testing, research, analysis and Services development.</li> <li>As necessary or appropriate to protect the rights, property or safety of us, our Stakeholders or others.</li> <li>To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.</li> <li>As described to you when collecting your Personal Information or as otherwise set forth in the CCPA or CPRA.</li> <li>To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us is among the assets transferred.</li> <li>As otherwise specified in the Privacy Policy.</li> </ul> We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice. Sharing Personal Information We may disclose your Personal Information to a third party for a business purpose.&nbsp. When we disclose Personal Information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract. In the preceding 12 months, we have disclosed the following categories of Personal Information for a business purpose: Category A:  &nbsp. Identifiers. Category B:   &nbsp. Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). Category C:   &nbsp. Protected classification characteristics under California or federal law. Category D:  &nbsp. Commercial information. Category F:   &nbsp. Internet or other similar network activity. Category I:    &nbsp. Professional or employment-related information. Category J:    &nbsp. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). We disclose your Personal Information for one or more of the Business Purposes to the following categories of third parties (collectively, “Specified Third-Parties”): <ul> <li>Our affiliates and business partners.</li> <li>Service providers.</li> <li>Third parties to whom you or your agents authorize us to disclose your Personal Information in connection with products or services we provide to you.</li> </ul> In the preceding 12 months, we have not sold or shared any Personal Information, other than with the Specified Third-Parties for the Business Purposes. Your Rights and Choices  The law provides users (California residents) with specific rights regarding their Personal Information. This section describes your CCPA and CPRA rights and explains how to exercise those rights. Access to Specific Information and Data Portability Rights You have the right to request that we disclose certain information to you about our collection and use of your Personal Information. Once we receive and confirm your verifiable user request, we will disclose to you: <ul> <li>The categories of Personal Information we collected about you.</li> <li>The categories of sources for the Personal Information we collected about you.</li> <li>Our business or commercial purpose for collecting or selling that Personal Information.</li> <li>The categories of third parties with whom we share that Personal Information.</li> <li>The specific pieces of Personal Information we collected about you (also called a data portability request).</li> <li>If we sold or disclosed your Personal Information for a business purpose, two separate lists disclosing:</li> </ul> <ul> <li> <ul> <li>sales, identifying the Personal Information categories that each category of recipient purchased. and</li> <li>disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained.</li> </ul> </li> <li>You may request that the foregoing information be provided to you or a third party you designate in a structured, commonly used, machine-readable format, to the extent technically feasible.</li> </ul> Deletion Request and Opt-out Rights  You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable user request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies. You also have the right to request that we not share, disclose, disseminate, make available or otherwise transfer your Personal Information with third parties for advertising or similar purposes. We may deny your request if retaining the information is necessary for us or our service providers to: <ol> <li>Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.</li> <li>Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.</li> <li>Debug products to identify and repair errors that impair existing intended functionality.</li> <li>Exercise free speech, ensure the right of another user to exercise their free speech rights, or exercise another right provided for by law.</li> <li>Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).</li> <li>Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.</li> <li>Enable solely internal uses that are reasonably aligned with user expectations based on your relationship with us.</li> <li>Comply with a legal obligation.</li> <li>Make other internal and lawful uses of that information that are compatible with the context in which you provided it. </li> </ol> Right to Correct Information You have the right to request that we correct inaccurate Personal Information about you, by identifying the erroneous information and providing corrected information Right to Limit Use and Disclosure of Sensitive Personal Information You have the right to limit the use and disclosure of “Sensitive Personal Information” (which includes PINS, social security, driver’s license, passport, or state ID card numbers. account or debit or credit card numbers combined with passwords or codes that would enable access to the accounts, exact geolocation information, information regarding racial origin, religious beliefs, or union membership, your email or text content (unless intentionally sent to us), and genetic data) to only those situations where it is necessary for us to provide requested products or services to you, and requires us to inform you before such data is used for any other reason. Automatic Decision Making You have the right to request information about the logic involved in automatic decision making processes we use involving your Personal Information, and to request that you not be subject to such automated decision making. Exercising Your Personal Information Rights To exercise the rights described above, please submit a verifiable user request to us by contacting us as described under “Contact Information” below. Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable user request related to your Personal Information. You may also make a verifiable user request on behalf of your minor child. You may only make a verifiable user request for access or data portability twice within a 12-month period. The verifiable user request must: <ul> <li>Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.</li> <li>Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.</li> </ul> We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.&nbsp. Making a verifiable user request does not require you to create an account with us.&nbsp. We will only use Personal Information provided in a verifiable user request to verify the requestor’s identity or authority to make the request. Response Timing and Format We endeavor to respond to a verifiable user request within 45 days of its receipt.&nbsp. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.&nbsp. If you have an account with us, we will deliver our written response to that account.&nbsp. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.&nbsp. Any disclosures we provide will only cover the 12-month period preceding the verifiable user request’s receipt.&nbsp. The response we provide will also explain the reasons we cannot comply with a request, if applicable.&nbsp. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to your verifiable user request unless it is excessive, repetitive, or manifestly unfounded.&nbsp. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. Separate from the CCPA and CPRA, California’s Shine the Light law gives California residents the right to ask companies what Personal Information they share with third parties for those third parties’ direct marketing purposes. We do not disclose your Personal Information to third parties for the purpose of directly marketing their goods or services to you unless you request such disclosure.&nbsp. Also, California Civil Code Section 1798.83 permits customers who are California residents and who have provided us with “personal information” (as that term is defined in Section 1798.83) to request certain information about the disclosure of that information to third parties for their direct marketing purposes. If you are a California resident with questions regarding the above, please contact us in the manner set forth under the heading “Contacting Us” in the Privacy Policy. Non-Discrimination We will not discriminate against you for exercising any of your data rights. Unless permitted by law, we will not, as a result of your exercising any of these rights: <ul> <li>Deny you goods or services.</li> <li>Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.</li> <li>Provide you a different level or quality of goods or services.</li> <li>Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.</li> </ul> Changes to Our Privacy Notice We reserve the right to amend this Privacy Notice at our discretion at any time. When we make changes to this Privacy Notice, we will notify you through a notice on our website homepage, or by posting updated terms. Contact Information If you have any questions or comments about this Privacy Notice, our Privacy Policy, the ways in which we collect and use your Personal Information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at: Toll Free Phone #: Email: Postal Address: 1-888-241-3525 dataprivacy@pcisecuritystandards.org PCI Security Standards Council 401 Edgewater Place Suite 600 Wakefield, MA USA 01880 Attn: Director, Technology, Infrastructure, &amp. Privacy DATE: 20 January 2023