Terms and Conditions

General Terms of Business of usd AG for the use of services of the "usd PCI DSS platform" and supplementary services

Section 1 Subject-matter of the agreement; area of validity
1.1 usd AG (for provider data please refer to the legal notice) offers IT security checks and supplementary services according to the Payment Card Industry Data Security Standard (PCI DSS) for companies. usd AG (provider) accordingly operates the business-to-business internet platform "usd PCI DSS platform" (platform). The platform offers customers access to applications and services in order to enable an evaluation of the safety level of the customer's IT infrastructure accessible by the internet and if necessary to acquire PCI DSS certification.
1.2 These General Terms of Business (Platform General Terms of Business) shall apply to all customers upon initial access of the internet services made available on the platform and/or upon initial use of services for the evaluation of the safety level of the customer's IT infrastructure accessible by the internet. These Platform General Terms of Business are supplemented by the data protection notice in its currently valid version on the platform.
1.3 Objection is hereby raised to any counter-confirmation by customers with reference to their own Terms of Business and/or Purchasing Terms. Individual agreements shall remain unaffected.
1.4 The customers are entitled to use the internet services available at https://pci.usd.de and the offered services according to the following provisions.

Section 2 Services; Costs
2.1 Within the scope of the offered IT security checks customers shall check their IT infrastructure accessible by the internet with regard to the requirements stipulated by the PCI DSS standard. They shall accordingly use the applications provided on the platform and the supplementary services offered by the provider.

Results and conclusions of the IT security checks and of the supplementary services shall be put at the customer's disposal by means of a report which can be downloaded from the platform.

If the customer desires to achieve PCI DSS certification and has acquired corresponding services from the provider, the provider shall make the PCI DSS certificate and the seal available provided the requirements of the standard are met.

The applications and offered services made available by access to the platform shall consist, among other things, of the following performance:


  • Provision of the usage facilities of the PCI DSS Platform after admission of the customer in accordance with Section 3
  • Online self-assessment questionnaires
  • External PCI DSS security scans
  • Auditing services according to the PCI DSS and PCI PA-DSS standards
  • Provision of reports, certificates and seals
  • Support services of the usd PCI Competence Center
  • Consulting, support and other services for customers in accordance with a separate agreement concluded with the provider
2.3 The prices and terms of payment for individual services which are to be ordered are stated in the respective product description. The time that the respective service is ordered from the provider shall be authoritative for determining the price.

Section 3 Prerequisites for use; registration and admission
3.1 The prerequisite for using the platform and for the availment of the offered services is the conclusion of this agreement. The customer shall accordingly submit a proposed agreement by sending the registration form online to the provider, having duly filled in the required minimum details and having acknowledged the validity of these Platform General Terms of Business by mouse click. Business persons and companies are entitled to register as customers. These persons and entities shall exclusively be natural or legal persons or partnerships having legal capacity that when using the applications and the offered services provided on the platform are acting by way of performance of their commercial or self-employed professional activity.
3.2 The provider shall check the plausibility of the company data stated by the customer and shall decide on the basis of the registration process on the acceptance (admission) of the proposal submitted by the customer for the conclusion of this agreement in accordance with Subsection 3.1. The admission enables the customer to gain access to the non-public area of the platform for ordering, scheduling and using services.
3.3 A claim to admission for using the platform and for utilisation of services shall not exist.

Section 4 IT security checks and supplementary services according to PCI DSS; classification of customers; data transmission and synchronisation; ordering, scheduling and utilisation of services
4.1 The provider shall render its services irrespective of whether customers are obliged according to PCI DSS to achieve PCI DSS certification.
4.2 If the customer desires to achieve certification according to PCI DSS, then the manner, scope and frequency of the certification measures which are to be undertaken shall be determined according to the customer's classification and categorisation. Upon or after the customer's registration, the customer shall stipulate all data required for classification and categorisation on the platform or shall transmit this data to the provider for processing and use for the specified purpose.
4.3 Upon admission, the customer can order individual services on the platform according to the product description and within the scope of a desired PCI DSS certification in accordance with the customer's classification and categorisation and can schedule the undertaking of these services depending on the available capacities and time limitations.

Section 5 Customer's rights and obligations
5.1 Customers are entitled to use the services and applications of the platform in a due and orderly manner and on their own responsibility. Customers are obliged to comply with all security regulations of the provider and to refrain from undertaking any illegal acts as well as from misusing access facilities to the applications and services provided on the platform.
5.2 Within the scope of their registration and when entering or transmitting information relevant to certification, customers are obliged to make true statements and to continually check the factual correctness of these statements or update them.
5.3 Customers are obliged to solely scan IT systems if they are entitled to do so. This entitlement shall generally exist if the customer is the holder of the IP addresses and if the customer is either the owner of the IT systems belonging to the IP addresses or has obtained permission in writing from the owner of the IT systems to conduct the security scans.
5.4 If customers desire to achieve certification according to PCI DSS, then they are obliged to state the IP addresses of all their IT systems which may potentially save, process or forward credit card data and which are accessible via the internet. Such systems are, for example, web servers, application servers, routers, firewalls and load balancers.
5.5 Customers are obliged to configure their IDS/IPS (Intrusion Detection Systems / Intrusion Prevention Systems) in such a manner for the period of the security scan that the provider's IT systems conducting the PCI DSS security scan have unrestricted access to the customer's components which are to be scanned.
5.6 If claims are made on the provider by third parties or by a customer due to an infringement stated in Subsections 5.1, 5.2, 5.3, 5.4 and 5.5, then the customer responsible for the infringement shall undertake to indemnify the provider against any claims. The indemnification obligation shall refer to all expenses necessarily incurred by the provider resulting from any claims made by a third party. The provider expressly reserves the right to assert more extensive damages.

Section 6 Provider's rights and obligations
6.1 The provider undertakes to check its own services with regard to stipulated standards, completeness and security.
6.2 Within the scope of the certification process, the assessment whether the actual state of the IT system which is to be checked complies with the required target state shall be solely incumbent on the provider. The customer shall have no entitlement to the issuing of the certificate if there are any negative deviations of the actual state from the target state.
6.3 The provider is entitled to check all statements made by the customer with regard to their factual and actual correctness and accordingly, if required, to obtain separate written assurances from the customer as well as information from third parties.
In the case of serious doubts concerning the correctness of the statements made by the customer, the provider is entitled to withdraw access to the platform in whole or in part and to terminate the agreement for exceptional reasons. The same shall apply to infringements by customers of their obligations according to Section 5, Subsections 5.1, 5.2, 5.3, 5.4 and 5.5 and to other fundamental breaches of contract by customers. The provider's right to assert claims for damages shall remain unaffected.
6.4 The provider shall allocate the times when PCI DSS security scans will be undertaken on the basis of the chronological order of the receipt of the schedules received from the customer with due consideration of the provider's available capacities. The customer shall have no entitlement to the undertaking of certification measures at a fixed time if the provider has no free capacities available at this specific point in time.
6.5 The design regarding content and technology, particularly the form and content of the platform, are exclusively subject to the provider's discretion. In this respect the provider reserves the right to discontinue, restrict, expand, supplement or improve at any time all free offered services.

Section 7 Availability of the platform and services
The platform and the services offered via the platform are made available without any guarantee of availability. Scheduled certification measures occurring during a system failure shall be subsequently performed by the provider at the next possible time in coordination with the customer.

Section 8 Term of the agreement; termination
8.1 The agreement forming the basis of these Platform General Terms of Business is concluded for an indefinite period. It shall commence with the admission of the customer by the provider in accordance with Section 3 of these Platform General Terms of Business.
8.2 Both the customer and the provider may terminate this agreement at any time in a due and orderly manner with a one-month period of notice to the end of a year. The provider's right to withdraw the customer's access to the platform in whole or in part in accordance with Section 6 shall remain unaffected.
8.3 The term of the agreement for charged services as well as the possible right to effect due and orderly termination of charged services are stipulated in the provider's product description.
8.4 Both the customer and the provider shall have the right to terminate the agreement for good cause without observing a period of notice. Good cause for the provider shall especially be:
  • the serious infringement by a customer of the provisions of these Platform General Terms of Business
  • tortious action by a customer or the attempt at such action
  • the institution of insolvency proceedings in respect of a customer's assets or the rejection of such an application for the institution of insolvency proceedings due to a lack of assets.
8.5 Every termination notice must be made in writing. Termination notices sent by fax or e-mail (to the provider: pci@usd.de) shall be deemed to meet the requirement of the written form.

Section 9 System time
9.1 The system time stated on the platform of https://pci.usd.de shall apply exclusively to the scheduling and undertaking of certification measures, especially of PCI DSS security scans.
9.2 The system time shall be determined according to the coordinated world time UTC (Universal Time Coordinated), but may, however, deviate from the official time in individual cases.

Section 10 Liability and limitation of liability of the provider
10.1 The provider is liable without limitation for intent and gross negligence. In the case of infringements of fundamental contractual obligations within the scope of this agreement caused by slight negligence on the part of the provider or its legal representatives or its vicarious agents, the provider's liability in respect of customers is limited to the foreseeable, typical contractual, direct average loss. Liability is limited to a maximum total of 25,000.00 euros (in words: twenty-five thousand euros) for each case of liability. Liability is excluded in all other cases.
10.2 The provider shall guarantee and ensure that the security scanner made available as an application is in compliance with the Payment Card Industry Data Security Standard stipulated by the credit card organisations. This is necessary in order to certify the analysed IT system which is in compliance with the standard and at the same time guarantees that the scanning merely has minimal influence on the analysed IT system. A more extensive obligation or liability of the provider shall not exist. The provider shall not be liable for any losses resulting from reduced integrity and/or availability of the analysed IT systems in the case of due and orderly security scans in accordance with the Payment Card Industry Data Security Standard. In other respects, Subsection 10.1 shall apply mutatis mutandis.
10.3 Should the platform make access possible to other websites via links, the provider is not responsible for the external contents contained on these sites. The provider shall assume no ownership of these external contents. Liability for external contents is excluded. If the provider acquires knowledge of illegal contents on external websites, the provider shall remove the link to such websites without delay.
10.4 The above limitations of liability and exclusions shall not affect claims on the part of the customer resulting from product liability. In addition, the limitations of liability shall not apply to physical injury and damage to health suffered by customers for which the provider is responsible.

Section 11 Data protection and protection of secrets
11.1 The provider has taken extensive technical and organisational precautions to ensure that data and trade secrets are treated confidentially and are used only for their intended purpose. Misuse resulting from illegal acts by third parties can, however, not be ruled out entirely.
11.2 The provider undertakes to use the data saved during the registration and utilisation processes only for its own purposes and not to forward this data to external third parties, unless there is an obligation in this respect decreed by the authorities or customers have expressly given their consent to do so. This provision concerning the treatment of data is expressed in more concrete terms and supplemented by the data protection notice.
11.3 The provider undertakes to maintain secrecy on all trade and business secrets of which it has become aware in connection with the performance of this agreement and not to make them available to third parties. Excluded from the above is information designed for publication or which the customer has agreed may be transmitted.
11.4 The provider undertakes to commit all employees entrusted with the performance of the agreement to strictly comply with the statutory data protection provisions and to strictly safeguard the customer's trade secrets.

Section 12 Copyrights and industrial property rights
12.1 The provider is the owner of all proprietary and industrial property rights and all copyrights with regard to its own contributions and other contents of its own.
12.2 The customer undertakes to neither remove nor make illegible the copyright notices or other references to such rights contained on the platform.

Section 13 Information in electronic business transactions; exclusion of Article 312g, Paragraph 1, Sentence 1, Nos. 1-3, Sentence 2 of the German Civil Code (BGB)
13.1 Customers shall have the possibility at all times to download and save these Platform General Terms of Business from the platform in reproducible form as a file.
13.2 Customers have extensive information at their disposal on the platform about the utilisation possibilities and the manner of use of the platform, such as FAQs and PCI Competence Center. In other respects, the application of Article 312g, Paragraph 1, Sentence 1, Nos. 1-3, Sentence 2 of the German Civil Code (BGB) is excluded.

Section 14 Miscellaneous provisions
14.1 The laws of the Federal Republic of Germany shall be exclusively applicable to the exclusion of the United Nations Convention on the International Sale of Goods (CISG). The exclusive place of jurisdiction is Frankfurt am Main in the Federal Republic of Germany, provided the user is a merchant as defined by German Law. The provider is additionally also entitled to raise an action at the user's general place of jurisdiction.
14.2 The German text of the agreement of these Platform General Terms of Business and their components shall take precedence over translations into other languages in cases of doubt.
14.3 The ineffectiveness of one or several provisions of this agreement shall not affect the effectiveness of this agreement in other respects.
14.4 These Platform General Terms of Business and their supplementary components may be retrieved, printed out and saved in their entirety from the platform.
14.5 These Platform General Terms of Business shall supersede and replace all previous Platform General Terms of Business. The provider shall inform the customer of any further changes to these Platform General Terms of Business in writing by e-mail. If the customer does not raise objection to such changes within a period of 14 days after receipt of the notification, then the changes shall be deemed agreed if the customer continues to use the provider's services made available at https://pci.usd.de. The customer shall be informed separately of the right to raise objection and of the legal consequences of maintaining silence in the case of an alteration to these Platform General Terms of Business.

usd AG
As at: May 2010
