Private Label Agreement - VeriSign Inc. and VISA International Service Association
[CONFIDENTIAL TREATMENT REQUESTED]

PLA Number: ____________________
Date of Agreement: ____________

VERISIGN PRIVATE LABEL AGREEMENT
(Customer Root Key)

Customer: VISA International Service Association, a Delaware corporation
Customer Address: 900 Metro Center Boulevard, Foster City, California 94404 or P.O. Box 8999, San Francisco, California 94128-8999
Customer Contact: Peter R. Hill
Effective Date: April 2, 1996
Term of Agreement: Two and one half (2.5) years from the earlier of the Commencement of Pilot Program or April 1, 1997.

Exhibits Attached:
Exhibit "A": Definitions
Exhibit "B": Fees
Exhibit "C": Logo Usage Guide
Exhibit "D": Project Plan Elements
Exhibit "E": System Design Specifications
Exhibit "F": Customer Requirements for ECS
Exhibit "G": Acceptance Test Procedures
Exhibit "H": VeriSign Marketing Rights and Royalty Obligations
Exhibit "I": Escrow Agreement
Exhibit "J": License Agreement
Exhibit "K": Service Level Specification
Exhibit "L": Support Levels
Exhibit "M": Timetable for Resolution of Outstanding Issues

THIS VERISIGN PRIVATE LABEL AGREEMENT ("AGREEMENT"), effective as of the Effective Date set forth above, is entered into by and between VeriSign, Inc., a Delaware corporation, having its principal place of business at 2593 Coast Avenue, Mountain View, California 94043 ("VERISIGN"), and the party identified above ("CUSTOMER"), having a principal address as set forth above.
RECITAL

VeriSign provides Certificate-issuing and certain other services to members of both public and private hierarchies. Customer wishes VeriSign to design, build and operate a Private Label Certificate System based on Customer's Root Key for use by Customer to provide certificate registration, issuing and management functions to its member banks, all on the terms and subject to the conditions set forth in this Agreement.

NOW, THEREFORE, the parties hereto agree as follows:

VeriSign Private Label Agreement Page 2

AGREEMENT

1. DEFINITIONS
-----------

Capitalized terms shall have the meanings shown in Exhibit "A" hereto.

2. VERISIGN SERVICES TO CUSTOMER
-----------------------------

2.1 DEVELOPMENT OF PRIVATE LABEL CERTIFICATE SYSTEM. VeriSign will design and develop a Private Label Certificate System based on Customer's Root Keys, a Protocol specified by Customer and specifications agreed upon by VeriSign and Customer in accordance with Section 4.1 below. The Private Label Certificate System will include Certificate servers, custom enrollment and verification processes for each Certificate type specified for use by Subscribers, management of the Certificate repository and renewal process, and procedures for operation of the system.

2.2 OWNERSHIP AND LICENSE OF PRIVATE LABEL CERTIFICATE SYSTEM. VeriSign will acquire and assemble the components of the Private Label Certificate System, consisting of hardware, software and telecommunications equipment. All right, title and interest to the Private Label Certificate System shall belong solely and exclusively to VeriSign, and Customer shall have no right, title or ownership interest therein. VeriSign shall have the right to obtain and hold in its name copyrights, registrations, patents and any similar protection which may be available for the Private Label Certificate System or components thereof and any derivative works thereof.
In the event that any technology included in the VSE as delivered to Customer by VeriSign (the "VSE Technology") is hereafter covered by a claim of a patent issued to or assigned to VeriSign, VeriSign shall grant to Customer a nonexclusive, worldwide, perpetual, irrevocable, royalty-free license under the relevant claim(s) to make, use, have made and sell any product incorporating technology included in the VSE as delivered by VeriSign, provided that such license shall extend only to the VSE Technology and not to any other technology incorporated in any such product. In the event that any technology included in the Private Label Certificate System as delivered to Customer by VeriSign is hereafter covered by a claim of a patent issued to or assigned to VeriSign, VeriSign shall grant to Customer a nonexclusive, worldwide, royalty-free license under the relevant claim(s) to the extent necessary for Customer to use the Private Label Certificate System as provided in this Agreement. Commencing April 1, 1998, Customer on ninety (90) days' prior written notice shall have the right to license the Private Label Certificate System pursuant to a license agreement substantially in the form of Exhibit "J". To the extent portions of the Private Label Certificate System are not owned by VeriSign, VeriSign will arrange to obtain the right to use such items by Customer or arrange for Customer to obtain the right to purchase or otherwise license such items.

2.3 ASSISTANCE IN DEFINING PROTOCOL. VeriSign will assist Customer in defining a workable Protocol for secure management and handling of Certificates in Customer's Private Hierarchy.
VeriSign will provide Customer with a copy of VeriSign's Certification Practice Statement which governs Certificate operations in the VeriSign Public Hierarchies and a copy of the VeriSign Public Key Infrastructure (PKI) specification, which details management and handling of Certificates under a policy-based delegation of operating authority. VeriSign will also recommend a set of operating and security practices and procedures to mitigate risks associated with Private Key compromise and Root Key distribution and to protect Customer's confidential authorization information.

2.4 MAINTENANCE OF PRIVATE LABEL CERTIFICATE SYSTEM AT VERISIGN SITE. VeriSign will provide a high-security facility on VeriSign's premises in Mountain View, California for operation of the Certificate server(s) and for storage, in a secure vault, of Certificate Signing Units containing Customer's Private Keys when not in use. VeriSign shall be responsible for maintaining the security on its premises and shall be liable for any damages that arise out of a breach of its security. VeriSign may move the Private Label Certificate System to another location under VeriSign's control which provides a comparable level of security, and VeriSign shall provide notice to Customer in advance of such relocation. VeriSign shall establish a secure backup site at a mutually agreeable location that ensures continued operation in the event of a technical failure, natural disaster or any other event that disables the Mountain View (or relocated) facility.

2.5 CERTIFICATE MANAGEMENT SERVICES. VeriSign will provide to Customer the following services for Certificate management and operations:

2.5.1 SCOPE OF SERVICES.
In accordance with Customer's specified Protocol, VeriSign will provide the following services with respect to the Certificate server(s): maintain adequate Certificate-issuing capacity to meet Customer's reasonable forecast requirements, provide firewall security for all appropriate portions of the Private Label Certificate System, maintain such firewall security for the portion of the Private Label Certificate System located on VeriSign premises, maintain a Certificate repository, renew, revoke and suspend Certificates, and provide Certificate status services.

2.5.2 ENROLLMENT AND RENEWAL SERVICES. Using an enrollment process based on security-enhanced HTML or e-mail with interfaces to Certificate Signing Units and authorization systems, VeriSign will issue Certificates under Customer's name and containing Customer's Root Keys to Subscribers in Customer's Private Hierarchy in accordance with the Protocol. VeriSign will process renewals of Certificates in accordance with the Protocol. Within ten (10) days after the end of each month, VeriSign will provide Customer with a monthly report on the number of Certificates issued and renewed.

2.5.3 CERTIFICATE REPOSITORY, REVOCATION AND STATUS SERVICES. VeriSign will maintain a repository of Certificates issued in Customer's Private Hierarchy. VeriSign will revoke and suspend Certificates in accordance with the Protocol.

2.6 CUSTOMER SUPPORT. During the term of this Agreement, VeriSign will supply maintenance for the Private Label Certificate System as described in this Section 2.6 without additional charge to Customer.

2.6.1 TELEPHONE SUPPORT. VeriSign will provide telephone support as is reasonably necessary for Customer to meet the performance criteria for the Private Label Certificate System as provided in Exhibit "K". VeriSign will also provide telephone support for a reasonable volume of calls to Customer-related entities as provided in Exhibit "L".
VeriSign shall provide the support specified in this Section 2.6.1 to Customer's employees responsible for developing and maintaining Customer Products. VeriSign will provide the names of employees who will serve as primary points of contact for technical support for Customer. VeriSign may change the names of designated employees at any time by providing written notice to Customer. On VeriSign's request, Customer will provide a list with the names of the employees designated to receive support from VeriSign. Customer may change the names on the list at any time by providing written notice to VeriSign.

2.6.2 ESCALATION PROCEDURES. Customer and VeriSign shall agree upon a procedure for resolution of operating problems in the Private Label Certificate System which provides for escalation of effort based on the problem severity.

2.6.3 REIMBURSEMENT FOR CORRECTION OF CUSTOMER ERRORS. In the event VeriSign is required to take actions to correct an error which is caused by Customer errors, modifications, enhancements, software or hardware, then VeriSign may charge Customer for the correction or repair on a time-and-materials basis at VeriSign's rates then in effect, plus reimbursement for reasonable travel to and from Customer's sites and out-of-pocket expenses, as may be necessary in connection with duties performed under this Section 2.6 by VeriSign.

2.6.4 SYSTEM RELEASES. In the event operating problems in the Private Label Certificate System are not resolved by the escalation procedures, Customer and VeriSign agree to evaluate the desirability of changing to a later available release version of ECS, ECAS, and other applications employed by VeriSign in provision of the Private Label Certificate System. A change to release level in the Private Label Certificate System will also be evaluated at the time new releases are tested.

2.7 ESCROW AGREEMENT.
VeriSign will place in escrow pursuant to the Escrow Agreement set forth at Exhibit "I" all information necessary to build, support, maintain and operate the Private Label Certificate System. This information will be released to Customer upon occurrence of the events specified in such Escrow Agreement.

2.8 CUSTOMER MARKETING RIGHTS. VeriSign acknowledges and understands that Customer will be marketing Certificates and Certificate services using the Private Label Certificate Service being produced by VeriSign for Customer hereunder. VeriSign will be entitled to market Customer to Members as a Certification Authority and to sell Certificates issued in Customer's Private Hierarchy at royalty rates specified on Exhibit "H". All pricing of Certificates to Customer Members under the Certificate Authority Service marketed by Customer shall be determined by Customer, independent of any obligation to support and operate the Private Label Certificate Service by VeriSign hereunder. Customer shall charge its Members directly for use of the Private Label Certificate System.

2.9 CUSTOMER PERSONNEL. Customer may, at its own cost, upon reasonable notice and for the purpose of problem resolution, provide personnel to monitor or participate in the operation of the Private Label Certificate Service and provision of Customer service pursuant to Section 2.6. VeriSign agrees to cooperate with Customer personnel to permit them to assist in establishing appropriate levels of Customer service, participate in problem verification and determination, and prepare to transfer operation of the Private Label Certificate Service to Customer pursuant to the license set forth in Exhibit "J".

2.10 FINANCIAL DATA.
In the event Customer ceases to have access to financial information concerning VeriSign pursuant to its rights under that certain Investors' Rights Agreement dated February 20, 1996, or pursuant to filings made in accordance with the Securities Exchange Act of 1934, VeriSign shall make available to Customer on a quarterly basis an unaudited balance sheet and statement of operations. Such information shall be kept confidential by Customer in accordance with Section 6.

3. CUSTOMER OBLIGATIONS TO VERISIGN
--------------------------------

3.1 PROTOCOL. In addition to specifying SET-based functionality as incorporated in the Customer Requirements for ECS and the System Design Specifications, Customer will specify a Protocol, consisting of policies, procedures and resources to control the entire Certificate process for its Private Hierarchy and the transactional use of Certificates within the Private Hierarchy. The Protocol is not required to be consistent with the requirements of VeriSign's Certification Practice Statement for operation of VeriSign Public Hierarchies.

3.2 VERIFICATION OF SUBSCRIBER INFORMATION. Customer will provide VeriSign with verification of enrollment information submitted by a Subscriber who wishes to become a member of Customer's Private Hierarchy prior to VeriSign's issuance of a Certificate to such Subscriber. Customer will provide VeriSign with verification of a Subscriber's identity to the extent required by the Protocol.

3.3 FORECAST. Customer agrees to provide VeriSign on a confidential basis at the end of each calendar quarter with an updated forecast of the volume of Certificates it expects to be required for Customer's Private Hierarchy for the next six (6) months. The forecasts shall be by product line and based upon good faith estimates and assumptions believed by Customer to be reasonable at the time made.

3.4 CUSTOMER PERSONNEL.
To the extent Customer personnel are provided or take action pursuant to Sections 2.9, 4.1.5, or 4.2, such personnel shall be provided solely at Customer's cost, and, upon request, Customer shall provide evidence of satisfaction of all state and federal employment laws and worker compensation requirements in connection with such personnel. Such personnel shall execute confidentiality agreements as VeriSign shall reasonably request, and shall agree to abide by all reasonable VeriSign visitor regulations. Customer understands that VeriSign operates a secure facility and that there are portions of such facility that Customer's personnel will not be permitted to enter. In the event that VeriSign determines that any of Customer's personnel has breached a VeriSign visitor regulation, Customer shall immediately cause such person to be removed from VeriSign's facility, and may provide a replacement.

4. DEVELOPMENT
-----------

4.1 DEVELOPMENT OF PROJECT PLAN. Attached as Exhibit D is the Project Plan that specifies the major phases of the development of the Customer's Private Label Certificate System, the major tasks to be completed, the deliverables to be produced and their scheduled completion dates.

4.1.1 DEVELOPMENT OF INTERFACE SPECIFICATIONS. In accordance with the Project Plan, Customer will create Interface Specifications for software interface of the Private Label Certificate System to Customer's Subscriber enrollment and authorization information and deliver the Interface Specifications to VeriSign for review and approval. VeriSign shall deliver written acceptance or rejection of the Interface Specifications within fourteen (14) days. VeriSign shall promptly notify Customer of any deficiencies in the Interface Specifications. Such notification shall be in writing and shall contain sufficient detail to allow Customer to resolve such deficiencies.
If VeriSign fails to respond within the fourteen (14) days, Customer may submit written notice of such failure. If VeriSign does not respond with written notice of deficiencies as described above within two (2) days of receipt of such notice then such failure to respond shall be deemed an acceptance by VeriSign. Customer shall respond to deficiencies identified by VeriSign by either making modifications or refuting VeriSign's arguments regarding the deficiency. Any modification to the Interface Specifications shall be resubmitted to VeriSign for review and approval in accordance with the procedures outlined in this Section 4.1.1.

4.1.2 DEVELOPMENT OF PROTOCOL. In accordance with the Project Plan, Customer will create the Protocol and deliver it to VeriSign for review and approval. VeriSign shall deliver written acceptance or rejection of the Protocol within fourteen (14) days. VeriSign shall promptly notify Customer of any deficiencies in the Protocol. Such notification shall be in writing and shall contain sufficient detail to allow Customer to resolve such deficiencies. If VeriSign fails to respond within the fourteen (14) days, Customer may submit written notice of such failure. If VeriSign does not respond with written notice of deficiencies as described above within two (2) days of receipt of such notice then such failure to respond shall be deemed an acceptance by VeriSign. Customer shall respond to deficiencies identified by VeriSign by either making modifications or refuting VeriSign's arguments regarding the deficiency. Any modification to the Protocol shall be resubmitted to VeriSign for review and approval in accordance with the procedures outlined in this Section 4.1.2.

4.1.3 DEVELOPMENT OF SYSTEM DESIGN SPECIFICATIONS.
In accordance with the Project Plan, VeriSign will create System Design Specifications for the Private Label Certificate System and deliver the System Design Specifications to Customer to determine material conformity to Exhibit "F" and the Protocol and for Customer acceptance. Customer shall deliver written acceptance or rejection of the System Design Specifications within fourteen (14) days. Customer shall promptly notify VeriSign of any deficiencies in the System Design Specifications. Such notification shall be in writing and shall contain sufficient detail to allow VeriSign to resolve such deficiencies. If Customer fails to respond within the fourteen (14) days, VeriSign may submit written notice of such failure. If Customer does not respond with written notice of deficiencies as described above within two (2) days of receipt of such notice then such failure to respond shall be deemed an acceptance by Customer. VeriSign shall respond to deficiencies identified by Customer by either making modifications or refuting Customer's arguments regarding the deficiency. Any modification to the System Design Specifications shall be resubmitted to Customer for review and approval in accordance with the procedures outlined in this Section 4.1.3.

4.1.4 DEVELOPMENT OF ACCEPTANCE TEST PROCEDURES. In accordance with the Project Plan, Customer shall create the Acceptance Test Procedures and deliver them to VeriSign for review and approval. VeriSign shall deliver written acceptance or rejection of the Acceptance Test Procedures within fourteen (14) days. VeriSign shall promptly notify Customer of any deficiencies in the Acceptance Test Procedures. Such notification shall be in writing and shall contain sufficient detail to allow Customer to resolve such deficiencies. If VeriSign fails to respond within the fourteen (14) days, Customer may submit written notice of such failure.
If VeriSign does not respond with written notice of deficiencies as described above within two (2) days of receipt of such notice then such failure to respond shall be deemed an acceptance by VeriSign. Customer shall respond to deficiencies identified by VeriSign by either making modifications or refuting VeriSign's arguments regarding the deficiency. Any modification to the Acceptance Test Procedures shall be resubmitted to VeriSign for review and approval in accordance with the procedures outlined in this Section 4.1.4.

4.1.5 DEVELOPMENT OF PRIVATE LABEL CERTIFICATE SYSTEM. In accordance with the Project Plan, VeriSign will develop the Private Label Certificate System in material conformity to the Interface Specifications and the System Design Specifications. Development of the Private Label Certificate System will take place at VeriSign's facility located in Mountain View, California or such other place as VeriSign shall reasonably select. VeriSign will deliver notice to Customer that the Private Label Certificate System is in material conformity to the Interface Specifications and the System Design Specifications and ready for acceptance testing on or before the date set forth in the Project Plan. Customer shall have the option to place two Customer employees on VeriSign's development team for the Private Label Certificate System. Such Customer personnel will be fully integrated into the development process and have access to all project information. Such personnel shall be subject to Sections 3.4 and 6 of this Agreement.

4.1.6 DEVELOPMENT OF SERVICE LEVEL SPECIFICATION. Customer and VeriSign have specified a preliminary set of performance criteria against which to measure the adequacy of the Private Label Certificate System in Exhibit "K" hereto, which is acceptable at the Effective Date of this Agreement.
Customer and VeriSign recognize that after completion of the major phases of development of the Private Label Certificate System some modification of the Service Level Specification may be desirable. After the Acceptance Test Procedures have been approved by VeriSign, Customer and VeriSign shall cooperate in evaluating whether the Service Level Specification should be amended by Change Order in accordance with Section 4.1.8 and shall negotiate in good faith with respect to this Exhibit K.

4.1.7 ACCEPTANCE. Acceptance testing of the Private Label Certificate System in accordance with the Acceptance Test Procedures shall take place at VeriSign's facility located in Mountain View, California, or such other place as VeriSign shall reasonably select, using test data supplied by Customer and supplemented and approved by VeriSign, and shall establish material conformity of the Private Label Certificate System with the Interface Specifications and the System Design Specifications. VeriSign shall be entitled, but not obligated, to have a representative present at all such tests. Customer shall promptly notify VeriSign of any failure of the Private Label Certificate System discovered in testing, and any retesting required will be performed after redelivery of a modified version of the Private Label Certificate System to Customer by VeriSign. Customer shall deliver written acceptance of the Private Label Certificate System after establishment of material conformance to the Interface Specifications and the System Design Specifications and material satisfaction of the Acceptance Test Procedures within fourteen (14) days of the completion of the testing. Such notification of acceptance shall be in writing. If Customer fails to respond within the fourteen (14) days, VeriSign may submit written notice of such failure.
If Customer does not respond with written notice of acceptance as described above within two (2) days of receipt of such notice then such failure to respond shall be deemed an acceptance by Customer.

4.1.8 CHANGE ORDERS. Any amendment to a Program Document after its acceptance shall only be effected by a change order ("CHANGE ORDER") approved as follows:

4.1.8.1 CUSTOMER INITIATED. Customer may initiate a Change Order by delivering to VeriSign a writing signed by Customer's Program Manager requesting VeriSign to prepare a proposed Change Order. Such writing shall specify the requested change and cross-reference the Sections of the Program Documents that are proposed to be amended.

4.1.8.2 VERISIGN INITIATED. VeriSign may initiate a Change Order by delivering to Customer a proposed Change Order meeting the requirements of Section 4.1.8.3.

4.1.8.3 PREPARATION. Upon receipt of a written request as set forth above in this Section 4.1.8, VeriSign shall, on or before fifteen (15) days after receipt of such request, prepare for Customer's review a proposed Change Order. Such proposed Change Order shall contain: (i) a detailed description of the proposed amendments to the Program Documents; (ii) the change, if any, to scheduled delivery of any item; (iii) the change in amounts due VeriSign under Exhibit "B" as a result of such Change Order. It is the expectation of the parties that enhancements, over and above the work initially specified in the Program Documents, which both parties deem necessary to permit reasonable implementation of the Private Label Certificate System, will be jointly funded in a spirit of cooperation between VeriSign and Customer. Those changes specifically requested by Customer, which are considered out of the scope of the original Program Documents, will be provided by VeriSign at its then-current time and materials rates.

4.1.8.4 EVALUATION.
Customer shall evaluate, and respond to VeriSign with respect to, any proposed Change Order on or before the fifteenth (15th) business day after receipt.

4.1.8.5 APPROVAL. Change Orders shall become effective and shall act as amendments to this Agreement and to portions of the Program Documents specified in such Change Orders only upon their execution by an officer or the Program Manager of VeriSign and by an officer or the Program Manager of Customer.

4.1.8.6 TECHNICAL SERVICES. In the event that a Change Order alters the scope of the project as originally defined, VeriSign will provide the following technical services to Customer at VeriSign's then standard rates:

4.1.8.6.1 Engineering assistance in developing interfaces for Certificate services to Customer's proprietary databases containing authorization and enrollment information regarding Subscribers.

4.1.8.6.2 Training of up to five (5) days for Customer's employee responsible for training other employees in customer technical support, marketing, and sales. Training shall occur at VeriSign's facility in Mountain View, California, or at such other location as the parties may agree.

4.2 PROJECT AUDITS. Customer shall have the right to perform a project audit to ensure adherence by VeriSign to this Agreement subject to limitations set forth below. Customer shall give reasonable prior notice to VeriSign of its desire to audit VeriSign's performance under this Agreement. Customer shall have the right to review VeriSign's progress on development of the Private Label Certificate System and, after implementation of such system, Customer shall have the right to audit operational performance and execution of VeriSign in connection with the Private Label Certificate System. VeriSign agrees to cooperate with Customer personnel to permit them to assure themselves that VeriSign is performing its obligations in a reasonable manner under this Agreement.
Such Customer personnel shall be subject to the requirements of Sections 3.4 and 6 of this Agreement. Customer shall perform such audits only at reasonable intervals.

5. FEES AND PENALTIES
------------------

5.1 DEVELOPMENT FEES. As consideration for the development of a Private Label Certificate System for Customer, provision of the hardware and software components of the system, and assistance in developing a Protocol for operation of the Private Label Certificate System as set forth in Sections 2.1, 2.2 and 2.3 above, Customer shall pay to VeriSign the amount set forth as Development Fees on Exhibit "B" according to the terms contained therein.

5.2 SET-UP FEES. As consideration for operation of the Private Label Certificate System as set forth in Sections 2.4, 2.5, 2.6 and 2.7 above, Customer shall pay to VeriSign the amount set forth as Set-Up Fees on Exhibit "B" according to the terms contained therein.

5.3 SUBSCRIBER FEES. Customer will pay to VeriSign as Subscriber Fees, for each Subscriber initially enrolled or renewed in Customer's Private Hierarchy through Customer, the prices set forth on Exhibit "B".

5.4 TERMS OF PAYMENT. Subscriber Fees shall accrue upon issuance. VeriSign will furnish Customer with a monthly invoice accompanied by the report required by Section 2.5.2 above of the number and type of Certificates requested and the number and type of Certificates issued and renewed during the prior month. Customer will pay Subscriber Fees as set forth in Exhibit "B" for the period therein. Subscriber Fees due VeriSign hereunder shall be paid by Customer to VeriSign's address set forth on Page 1 above on or before the thirtieth (30th) day after the invoice date. A late payment penalty on any undisputed Subscriber Fees not paid when due shall be assessed at the rate of one percent (1%) per thirty (30) days, beginning on the thirty-first (31st) day after the day the unpaid Subscriber Fees are due.
5.5 TAXES. All taxes, duties, fees and other governmental charges of any kind (including sales and use taxes, but excluding taxes based on the gross revenues or net income of VeriSign) which are imposed by or under the authority of any government or any political subdivision thereof on the Development Fees, Set-Up Fees, Subscriber Fees or any aspect of this Agreement shall be borne by Customer and shall not be considered a part of, a deduction from or an offset against such fees.

5.6 DELAY PENALTY. In the event VeriSign does not operate on Visa's behalf a Private Label Certificate System materially meeting the System Design Specifications within four (4) weeks after the date specified as the "Commencement of Pilot" in the Project Plan ("Penalty Date"), Customer shall be entitled to liquidated delay damages as follows: One Thousand Dollars ($1,000) per day for each day past the Penalty Date. VeriSign shall be entitled to an automatic extension for any deadline that is equal in length to that of any delay caused by any party other than VeriSign or entities controlled by VeriSign.

5.7 DEGRADATION PENALTY. After thirty (30) days' prior notice of failure to meet the minimum service standard set forth in Exhibit "K" Service Level Specifications, Customer shall be entitled to degradation penalties as defined in Exhibit K.

5.8 INCENTIVE FOR EARLY COMPLETION. Both parties agree to work in good faith to complete all tasks necessary to offer the Private Label Certificate System as soon as possible. To provide an incentive for completion, Customer agrees to pay VeriSign a bonus of One Thousand Dollars ($1,000) per day for every day that it is operating a Private Label Certificate System for the Pilot before the date of the Commencement of Pilot currently listed in the Project Plan.
In the event that VeriSign operates a Private Label Certificate System for Customer on or before January 1, 1997, Customer shall pay VeriSign a bonus of Fifty Thousand Dollars ($50,000); this bonus shall be in lieu of the One Thousand Dollars ($1,000) per day bonus.

6. CONFIDENTIALITY
---------------

6.1 CONFIDENTIALITY. The parties acknowledge that in their performance of their duties hereunder either party may communicate to the other (or its designees) certain confidential and proprietary information concerning the Customer Products, VeriSign products, the know-how, technology, techniques or marketing plans related thereto (collectively, the "Proprietary Information"), all of which are confidential and proprietary to, and trade secrets of, the disclosing party. Each party agrees to hold all Proprietary Information within its own organization and shall not, without specific written consent of the other party or as expressly authorized herein, utilize in any manner, publish, communicate or disclose any part of the Proprietary Information to third parties. This Section 6.1 shall impose no obligation on either party with respect to any Proprietary Information which: (i) is in the public domain at the time disclosed by the disclosing party; (ii) enters the public domain after disclosure other than by breach of the receiving party's obligations hereunder or by breach of another party's confidentiality obligations; or (iii) is shown by documentary evidence to have been known by the receiving party prior to its receipt from the disclosing party. Each party will take such steps as are consistent with its protection of its own confidential and proprietary information (but will in no event exercise less than reasonable care) to ensure that the provisions of this Section 6.1 are not violated by its end user customers, distributors, employees, agents or any other person.

6.2 INJUNCTIVE RELIEF.
Both parties acknowledge that the restrictions contained in this Section 6 are reasonable and necessary to protect their legitimate interests and that any violation of these restrictions will cause irreparable damage to the other party within a short period of time, and each party agrees that the other party will be entitled to injunctive relief against each violation. 7. OBLIGATIONS OF CUSTOMER ----------------------- 7.1 PROPRIETARY MARKINGS; COPYRIGHT NOTICES. The Customer agrees not to remove or destroy any proprietary, trademark or copyright markings or notices placed upon or contained within any VeriSign materials or documentation. The Customer further agrees to insert and maintain: (i) within every Customer Product and any related materials or documentation a copyright notice in the name of VeriSign; and (ii) within the splash screens, user documentation, printed product collateral, product packaging and advertisements for the Customer Product, a statement that the Customer Product contains the VeriSign technology. The Customer shall not take any action which might adversely affect the validity of VeriSign's proprietary, trademark or copyright markings or ownership by VeriSign thereof, and shall cease to use the markings, or any similar markings, in any manner on the expiration of this Agreement. The placement of a copyright notice on any of the VeriSign materials or documentation shall not constitute publication or otherwise impair the confidential or trade secret nature of the VeriSign materials or documentation. 7.2 VERISIGN'S INDEMNITY. 
CUSTOMER EXPRESSLY INDEMNIFIES AND HOLDS HARMLESS VERISIGN, ITS SUBSIDIARIES, AGENTS AND AFFILIATES FROM: (i) ANY AND ALL LIABILITY OF ANY KIND OR NATURE WHATSOEVER TO SUBSCRIBERS IN CUSTOMER'S PRIVATE HIERARCHY AND TO THIRD PARTIES WHICH MAY ARISE FROM ACTS OF CUSTOMER OR FROM THE USE OF CERTIFICATES IN CUSTOMER'S PRIVATE HIERARCHY, USE OF ANY CUSTOMER PRODUCT, OR ANY DOCUMENTATION, SERVICES OR ANY OTHER ITEM <PAGE> VeriSign Private Label Agreement Page 12 FURNISHED BY THE CUSTOMER TO SUBSCRIBERS IN CUSTOMER'S PRIVATE HIERARCHY, OTHER THAN LIABILITY ARISING FROM THE VERISIGN PRODUCTS AND VERISIGN DOCUMENTATION (UNLESS SUCH LIABILITY WOULD NOT HAVE ARISEN IN THE ABSENCE OF MODIFICATIONS TO ANY OF THE FOREGOING BY THE CUSTOMER OR ITS EMPLOYEES, AGENTS OR CONTRACTORS) OR FROM THE ACTS OF VERISIGN; AND (ii) ANY LIABILITY ARISING IN CONNECTION WITH AN UNAUTHORIZED REPRESENTATION OR ANY MISREPRESENTATION OF FACT MADE BY THE CUSTOMER OR ITS AGENTS, EMPLOYEES OR DISTRIBUTORS TO ANY PARTY WITH RESPECT TO THE VERISIGN PRODUCTS OR VERISIGN DOCUMENTATION. 7.3 CUSTOMER'S INDEMNITY. VERISIGN EXPRESSLY INDEMNIFIES AND HOLDS HARMLESS CUSTOMER, ITS SUBSIDIARIES, AGENTS AND AFFILIATES FROM: (i) ANY AND ALL LIABILITY OF ANY KIND OR NATURE WHATSOEVER TO ANY THIRD PARTIES THAT MAY ARISE FROM ACTS OF VERISIGN OR FROM USE OF VERISIGN SOURCE CODE, VERISIGN'S OBJECT CODE OR VERISIGN'S USER MANUALS (UNLESS SUCH LIABILITY WOULD NOT HAVE ARISEN IN THE ABSENCE OF MODIFICATIONS TO ANY OF THE FOREGOING BY CUSTOMER OR ITS EMPLOYEES, AGENTS OR CONTRACTORS); AND (ii) ANY LIABILITY ARISING IN CONNECTION WITH AN UNAUTHORIZED REPRESENTATION OR ANY MISREPRESENTATION OF FACT MADE BY VERISIGN OR ITS AGENTS OR EMPLOYEES TO ANY PARTY WITH RESPECT TO CUSTOMER PRODUCTS, OR ANY VERISIGN SOFTWARE. 7.4 NOTICES. The Customer shall immediately advise VeriSign of any legal notices served on the Customer which might affect VeriSign. 8. 
LIMITED WARRANTY: DISCLAIMER OF WARRANTIES; LIMITATION OF LIABILITY; -------------------------------------------------------------------- INDEMNITIES ----------- 8.1 Limited Warranty. During the term of this Agreement, VeriSign warrants that 8.1.1 to VeriSign's knowledge, Customer's Private Keys have not been compromised so long as VeriSign has not provided notice to Customer to the contrary, 8.1.2 VeriSign has used best efforts to maintain the security at its facilities and to maintain the security of any of Customer's private keys in its possession or control, 8.1.3 VeriSign has substantially complied with the Protocol in issuing a Certificate to a Subscriber in Customer's Private Hierarchy, 8.1.4 VeriSign has substantially complied with the Protocol in renewing, revoking or suspending a Certificate, and 8.1.5 the Private Label Certificate System materially conforms to the Interface Specifications and the System Design Specifications. <PAGE> VeriSign Private Label Agreement Page 13 8.2 DISCLAIMER. EXCEPT FOR THE EXPRESS LIMITED WARRANTY PROVIDED IN SECTION 8.1, VERISIGN'S PRODUCTS AND SERVICES ARE PROVIDED "AS IS" WITHOUT ANY WARRANTY WHATSOEVER. VERISIGN DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO ANY MATTER WHATSOEVER, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY VERISIGN OR ITS EMPLOYEES OR REPRESENTATIVES SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF VERISIGN'S OBLIGATIONS. CUSTOMER IS RESPONSIBLE FOR THE SECURITY, COMMUNICATION OR USE OF ITS PRIVATE KEY, EXCEPT TO THE EXTENT SUCH PRIVATE KEY IS IN THE CUSTODY OR CONTROL OF VERISIGN. VERISIGN SHALL NOT BE RESPONSIBLE FOR THE THEFT OR ANY OTHER FORM OF COMPROMISE OF CUSTOMER'S PRIVATE KEY, WHICH MAY OR MAY NOT BE DETECTED EXCEPT WHEN SUCH PRIVATE KEY IS IN THE CUSTODY OR CONTROL OF VERISIGN. 
VERISIGN SHALL NOT BE LIABLE FOR ANY USE OF A KEY STOLEN OR COMPROMISED WHILE IN CUSTOMER'S CUSTODY OR CONTROL UNLESS CUSTOMER HAS PROVIDED NOTICE TO VERISIGN IN ACCORDANCE WITH THE PROTOCOL, AND VERISIGN HAS FAILED SUBSTANTIALLY TO COMPLY WITH THE PROTOCOL OR UNLESS CUSTOMER CAN ESTABLISH THAT SUCH THEFT OR KEY COMPROMISE OCCURRED WHILE THE SOLE COPY OF THE KEY WAS IN THE CUSTODY OR CONTROL OF VERISIGN OR WHILE THE KEY WAS IN THE CUSTODY OR CONTROL OF VERISIGN AND THAT THE COPY OF THE KEY IN VERISIGN'S CUSTODY OR CONTROL WAS STOLEN OR COMPROMISED. EACH SUBSCRIBER IS RESPONSIBLE FOR THE SECURITY, COMMUNICATION OR USE OF HIS, HER OR ITS PRIVATE KEY. VERISIGN SHALL NOT BE RESPONSIBLE FOR THE THEFT OR ANY OTHER FORM OF COMPROMISE OF ANY SUBSCRIBER'S PRIVATE KEY, WHICH MAY OR MAY NOT BE DETECTED. VERISIGN SHALL NOT BE LIABLE FOR ANY USE OF A STOLEN OR COMPROMISED KEY TO FORGE A SUBSCRIBER'S DIGITAL SIGNATURE TO A DOCUMENT UNLESS THE SUBSCRIBER OR CUSTOMER HAS PROVIDED NOTICE TO VERISIGN IN ACCORDANCE WITH THE PROTOCOL AND VERISIGN HAS FAILED TO COMPLY WITH THE PROTOCOL. 8.3 LIMITATION OF LIABILITY. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY, TO A SUBSCRIBER OR TO ANY THIRD PARTY FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, INCIDENTAL OR EXEMPLARY DAMAGES WHETHER FORESEEABLE OR UNFORESEEABLE (INCLUDING, BUT NOT LIMITED TO, GOODWILL. PROFITS, INVESTMENTS, USE OF MONEY OR USE OF FACILITIES; INTERRUPTION IN USE OR AVAILABILITY OF DATA; STOPPAGE OF OTHER WORK OR IMPAIRMENT OF OTHER ASSETS; OR LABOR CLAIMS, EVEN IF VERISIGN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), ARISING OUT OF BREACH OF ANY EXPRESS OR IMPLIED WARRANTY, BREACH OF CONTRACT, <PAGE> VeriSign Private Label Agreement Page 14 NEGLIGENCE, EXCEPT ONLY IN THE CASE OF DEATH OR PERSONAL INJURY WHERE AND TO THE EXTENT THAT APPLICABLE LAW REQUIRES SUCH LIABILITY. 
UNDER NO CIRCUMSTANCES SHALL EITHER PARTY'S LIABILITY TO THE OTHER PARTY OR ANY SUBSCRIBER OR ANY THIRD PARTY ARISING OUT OF OR RELATED TO THIS AGREEMENT, EXCLUDING LIABILITY FOR MONEY ACTUALLY OWED TO A PARTY AS ROYALTY FEES, DEVELOPMENT FEES, SET-UP FEES, OR SUBSCRIBER FEES, EXCEED $100,000.00 WITH RESPECT TO A SINGLE OCCURRENCE OR $1,000,000.00 IN THE AGGREGATE REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED ON WARRANTY, CONTRACT, TORT OR OTHERWISE. THE LIMITATION SET FORTH IN THIS SECTION 8.3 SHALL NOT APPLY TO INDEMNITIES OR RIGHTS GRANTED BY SECTION 8.5 OR 8.6. 8.4 INDEMNITIES. Subject to the limitations set forth below and the limitations in Section 8.3, VeriSign, at its own expense, shall (i) defend, or at its option settle, any claim, suit or proceeding against Customer on the basis of VeriSign's breach of any limited warranty in this Agreement in connection with use of a Certificate in Customer's Private Hierarchy; and (ii) pay any final judgment entered or settlement against company on such issue in any such suit or proceedings defended by VeriSign. VeriSign shall have no obligation to Customer pursuant to this Section 8.4 unless (a) Customer gives VeriSign prompt written notice of the claim; (b) VeriSign is given the right to control and direct the investigation, preparation, defense and settlement of the claim; and (c) Customer has complied with the Protocol. 8.5 PROPRIETARY RIGHTS INFRINGEMENT BY VERISIGN. 
8.5.1 Subject to the limitations set forth in this Section 8.5, VeriSign, at its own expense, shall: (i) defend, or at its option settle, any claim, suit or proceeding against Customer on the basis of infringement of any United States copyright, patent, trade secret or any other intellectual property right ("Proprietary Rights") by the unmodified Private Label Certificate System as delivered by VeriSign or any claim that VeriSign has no right to provide the Private Label Certificate System hereunder; and (ii) pay any final judgment entered or settlement against Customer on such issue in any such suit or proceeding defended by VeriSign. VeriSign shall have no obligation to Customer pursuant to this Section 8.5.1 unless: (A) Customer gives VeriSign prompt written notice of the claim; (B) VeriSign is given the right to control and direct the investigation, preparation, defense and settlement of the claim; and (C) the claim is based on Customer's use of the most recent version of the Relatively Unmodified Private Label Certificate System in accordance with this Agreement. A Relatively Unmodified Private Label Certificate System shall mean a wholly unmodified Private Label Certificate System or a Private Label Certificate System that has been modified but such modifications are not relevant to the claim.

8.5.2 If VeriSign receives notice of an alleged infringement described in Section 8.5.1, VeriSign shall have the right, at its sole option, to obtain the right to continue use of the Private Label Certificate System or to replace or modify the Private Label Certificate System so that it is no longer infringing. If neither of the foregoing options is reasonably available to VeriSign, then use of the Private Label Certificate System may be terminated at the option of VeriSign without further obligation or liability except as provided in Sections 8.5.1 and 9.3 and, in the event of such termination, VeriSign shall refund the Development Fees paid by Customer hereunder less depreciation for use assuming straight line depreciation over a five (5)-year useful life.

8.5.3 THE RIGHTS AND REMEDIES SET FORTH IN SECTIONS 8.5.1 AND 8.5.2 CONSTITUTE THE ENTIRE OBLIGATION OF VERISIGN AND THE EXCLUSIVE REMEDIES OF CUSTOMER CONCERNING PROPRIETARY RIGHTS INFRINGEMENT BY THE VERISIGN SOFTWARE.

8.6 PROPRIETARY RIGHTS INFRINGEMENT BY CUSTOMER.

8.6.1 Subject to the limitations set forth in this Section 8.6, Customer, at its own expense, shall: (i) defend, or at its option settle, any claim, suit or proceeding against VeriSign on the basis of infringement of any Proprietary Right by the Customer Product (except to the extent arising from a Relatively Unmodified Private Label Certificate System); and (ii) pay any final judgment entered or settlement against VeriSign on such issue in any such suit or proceeding defended by Customer. Customer shall have no obligation to VeriSign pursuant to this Section 8.6.1 unless: (A) VeriSign gives Customer prompt written notice of the claim; and (B) Customer is given the right to control and direct the investigation, preparation, defense and settlement of the claim.

8.6.2 If Customer receives notice of an alleged infringement described in Section 8.6.1, Customer shall have the right, at its sole option, to obtain the right to continued use of the Private Label Certificate System or the Customer Product or to replace or modify the Private Label Certificate System or the Customer Product so that they are no longer infringing. If neither of the foregoing options in this Section 8.6.2 is reasonably available to Customer, then use of the Private Label Certificate System or the Customer Product may be terminated at the option of Customer without further obligation or liability except as provided in Sections 8.6.1 and 9.3, and in the event of such termination, VeriSign shall retain all Development Fees, Set-Up Fees and Subscriber Fees paid by Customer hereunder.

8.6.3 THE RIGHTS AND REMEDIES SET FORTH IN SECTIONS 8.6.1 AND 8.6.2 CONSTITUTE THE ENTIRE OBLIGATION OF CUSTOMER AND THE EXCLUSIVE REMEDIES OF VERISIGN CONCERNING CUSTOMER'S PROPRIETARY RIGHTS INFRINGEMENT.

9. TERM AND TERMINATION

9.1 TERMINATION. This Agreement shall terminate on the earliest of:

9.1.1 The end of the term set forth on the first page hereof;

9.1.2 Failure by either party to perform any of its material obligations under this Agreement and the Exhibits hereto if such breach is not cured within sixty (60) days after receipt of written notice thereof from the other party;

9.1.3 Notice from VeriSign to the Customer after the occurrence of a purported assignment of this Agreement in violation of Section 10.2; or

9.1.4 Notice from either party to the other if the other party is adjudged insolvent or bankrupt, or the institution of any proceedings by or against the other party seeking relief, reorganization or arrangement under any laws relating to insolvency, or any assignment for the benefit of creditors, or the appointment of a receiver, liquidator or trustee of any of the other party's property or assets, or the liquidation, dissolution or winding up of the other party's business.
9.1.5 Customer shall have the right to terminate this Agreement upon sixty (60) days notice if the Customer support obligations provided by VeriSign pursuant to Section 2.6 are consistently not provided, or if agreement cannot be reached on the cost of service at the time of any annual review.

9.1.6 Upon Customer's execution of the License Agreement set forth at Exhibit "J".

9.2 EXTENSION OF TERM. This Agreement may be renewed by the written consent of the parties for an additional term upon expiration of the term provided in Section 9.1.1, under VeriSign's then-current standard terms and conditions. Subscriber Fees and Set-Up Fees shall be renegotiated annually during any extended term.

9.3 EFFECT OF TERMINATION. Upon expiration or termination of this Agreement for any reason except for VeriSign's breach pursuant to Section 9.1.2 or if VeriSign fulfills any of the conditions stated in Section 9.1.4, all use of the Private Label Certificate System by Customer shall cease, and Customer shall pay to VeriSign any Subscriber Fees which have accrued in accordance with Section 5.4 unless the termination occurred pursuant to Section 9.1.2 because of breach by VeriSign. Such expiration or termination shall not affect Sections 6, 7, 8, and 10 of this Agreement, which shall continue in full force and effect to the extent necessary to permit the complete fulfillment thereof.

10. MISCELLANEOUS PROVISIONS

10.1 GOVERNING LAWS; VENUE; WAIVER OF JURY TRIAL. THE LAWS OF THE STATE OF CALIFORNIA, U.S.A. (IRRESPECTIVE OF ITS CHOICE OF LAW PRINCIPLES) SHALL GOVERN THE VALIDITY OF THIS AGREEMENT, THE CONSTRUCTION OF ITS TERMS, AND THE INTERPRETATION AND ENFORCEMENT OF THE RIGHTS AND DUTIES OF THE PARTIES HERETO. THE PARTIES AGREE THAT THE UNITED NATIONS CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALE OF GOODS SHALL NOT APPLY TO THIS AGREEMENT. THE PARTIES HEREBY AGREE THAT ANY SUIT TO ENFORCE ANY PROVISION OF THIS AGREEMENT OR ARISING OUT OF OR BASED UPON THIS AGREEMENT OR THE BUSINESS RELATIONSHIP BETWEEN THE PARTIES HERETO SHALL BE BROUGHT IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA OR THE SUPERIOR OR MUNICIPAL COURT IN AND FOR THE COUNTY OF SANTA CLARA, CALIFORNIA, U.S.A. Each party hereby agrees that such courts shall have exclusive in personam jurisdiction and venue with respect to such party, and each party hereby submits to the exclusive in personam jurisdiction and venue of such courts. The parties hereby waive any right to jury trial with respect to any action brought in connection with this Agreement.

10.2 BINDING UPON SUCCESSORS AND ASSIGNS. Except as otherwise provided herein, this Agreement shall be binding upon, and inure to the benefit of, the successors, executors, heirs, representatives, administrators and assigns of the parties hereto. This Agreement shall not be assignable by either party, by operation of law (including as a result of a merger involving a party or a transfer of a controlling interest in a party's voting securities) or otherwise without the prior written authorization of the nonassigning party, except that either party may assign its rights and obligations under this Agreement to its Affiliates, provided that the assigning party receives the nonassigning party's prior written consent, which shall not be unreasonably withheld. Any such purported assignment or delegation shall be void and of no effect and shall permit the non-assigning party to terminate this Agreement pursuant to Section 9.1.3.

10.3 SEVERABILITY. If any provision of this Agreement, or the application thereof, shall for any reason and to any extent be invalid or unenforceable, the remainder of this Agreement and application of such provision to other persons or circumstances shall be interpreted so as best to reasonably effect the intent of the parties hereto. IT IS EXPRESSLY UNDERSTOOD AND AGREED THAT EACH AND EVERY PROVISION OF THIS AGREEMENT WHICH PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES OR EXCLUSION OF DAMAGES IS INTENDED BY THE PARTIES TO BE SEVERABLE AND INDEPENDENT OF ANY OTHER PROVISION AND TO BE ENFORCED AS SUCH.

10.4 ENTIRE AGREEMENT. This Agreement, the Appendices hereto and all agreements referred to therein constitute the entire understanding and agreement of the parties hereto with respect to the subject matter hereof and supersede all prior and contemporaneous agreements or understandings between the parties.

10.5 AMENDMENT AND WAIVERS. Except as otherwise expressly provided in this Agreement, any term or provision of this Agreement may be amended, and the observance of any term of this Agreement may be waived, only by a writing signed by the party to be bound thereby.

10.6 ATTORNEYS' FEES. Should suit be brought to enforce or interpret any part of this Agreement, the prevailing party shall be entitled to recover, as an element of the costs of suit and not as damages, reasonable attorneys' fees to be fixed by the court (including without limitation, costs, expenses and fees on any appeal).

10.7 NOTICES. Whenever any party hereto desires or is required to give any notice, demand, or request with respect to this Agreement, each such communication shall be in writing and shall be effective only if it is delivered by a courier service that confirms delivery in writing or mailed, certified or registered mail, postage prepaid, return receipt requested, addressed as follows:

VeriSign: To the address set forth on page 1, Attention: Stratton Sclavos, President & CEO

The Customer: To the address set forth on page 1, Attention: Peter R. Hill

Such communications shall be effective when they are received. Any party may change its address for such communications by giving notice thereof to the other party in conformity with this Section.

10.8 FOREIGN RESHIPMENT LIABILITY. THIS AGREEMENT IS EXPRESSLY MADE SUBJECT TO ANY LAWS, REGULATIONS, ORDERS OR OTHER RESTRICTIONS ON THE EXPORT FROM THE UNITED STATES OF AMERICA OF TECHNICAL INFORMATION, SOFTWARE OR INFORMATION ABOUT SUCH SOFTWARE WHICH MAY BE IMPOSED FROM TIME TO TIME BY THE GOVERNMENT OF THE UNITED STATES OF AMERICA. NOTWITHSTANDING ANYTHING CONTAINED IN THIS AGREEMENT TO THE CONTRARY, THE CUSTOMER SHALL NOT EXPORT OR RE-EXPORT, DIRECTLY OR INDIRECTLY, ANY TECHNICAL INFORMATION, SOFTWARE OR INFORMATION ABOUT SUCH SOFTWARE TO ANY COUNTRY FOR WHICH SUCH GOVERNMENT OR ANY AGENCY THEREOF REQUIRES AN EXPORT LICENSE OR OTHER GOVERNMENTAL APPROVAL AT THE TIME OF EXPORT OR RE-EXPORT WITHOUT FIRST OBTAINING SUCH LICENSE OR APPROVAL.

10.9 PUBLICITY. Neither party will disclose to third parties, other than its agents and representatives on a need-to-know basis, the terms of this Agreement or any exhibits hereto without the prior written consent of the other party, except (i) either party may disclose such terms to the extent required by law; and (ii) either party may disclose the existence of this Agreement.

10.10 NO WAIVER. Failure by either party to enforce any provision of this Agreement will not be deemed a waiver of future enforcement of that or any other provision.

10.11 COUNTERPARTS. This Agreement may be executed in one or more counterparts, each of which will be deemed an original, but which collectively will constitute one and the same instrument.

10.12 HEADINGS AND REFERENCES. The headings and captions used in this Agreement are used for convenience only and are not to be considered in construing or interpreting this Agreement.

10.13 DUE AUTHORIZATION. The Customer hereby represents and warrants to VeriSign that the individual executing this Agreement on behalf of the Customer is duly authorized to execute this Agreement on behalf of the Customer and to bind the Customer hereby.

10.14 INDEPENDENT CONTRACTOR. The relationship of VeriSign and the Customer is that of independent contractors. Neither the Customer nor the Customer's employees, consultants, contractors or agents are agents, employees or joint venturers of VeriSign, nor do they have any authority to bind VeriSign by contract or otherwise to any obligation. They will not represent to the contrary, either expressly, implicitly, by appearance or otherwise.

10.15 PUBLICITY. VeriSign grants Customer the right to disclose that VeriSign is a vendor of Customer and to name publicly-announced Customer Products that provide access to Certificates issued by VeriSign. VeriSign also grants the Company the right to display VeriSign's logo on the Customer's WWW site in one of the forms shown on Exhibit "C" attached to this Agreement. Customer shall not acquire any other rights of any kind in VeriSign's trade names, trademarks, product name or logo by use authorized in this Section. Customer grants VeriSign the right to disclose that Customer is a vendee of VeriSign and to name publicly announced Customer Products that provide access to Certificates issued by VeriSign.
Customer also grants VeriSign the right to display Customer's logo on VeriSign's WWW site. VeriSign shall not acquire any other rights of any kind in Customer's trade names, trademarks, product name or logo by use authorized in this Section.

IN WITNESS WHEREOF, the parties have executed this Agreement as of the day and year first written above.

CUSTOMER: VISA INTERNATIONAL SERVICE ASSOCIATION
By: /s/ F. Dutray
Its: Group Executive Vice President

VERISIGN, INC.
By: /s/ Stratton Sclavos
Its: President and CEO

EXHIBIT "A"
DEFINITIONS

1. ACCEPTANCE means that the Acceptance Test Procedures have been performed to demonstrate that the Private Label Certificate System conforms to the Interface Specifications and the System Design Specifications. ACCEPTED means that Acceptance has occurred.

2. ACCEPTANCE TEST PROCEDURES means the acceptance test procedures to be created by Customer and approved by VeriSign pursuant to Section 4.1.4. The Acceptance Test Procedures shall include (1) the criteria against which the Private Label Certificate System is to be measured in order to verify conformance to the Interface Specifications and the System Design Specifications and (2) the testing procedures to be used to establish conformance of the Private Label Certificate System to the Interface Specifications and the System Design Specifications. Upon approval by Customer, the Acceptance Test Procedures shall be attached as Exhibit "G".

3. ACQUIRER means a Member financial institution that establishes an account with a Merchant and processes bank card authorizations and payments.

4. CARDHOLDER means a consumer or corporate purchaser who uses a bank card issued by an Issuer to make a purchase from a Merchant.

5. CERTIFICATE means a collection of electronic data consisting of a Public Key, identifying information which contains information about the owner of the Public Key, and validity information, which (or a string of bits derived from the Public Key) has been encrypted by a third party who is the issuer of the Certificate with such third party Certificate issuer's Private Key. This collection of electronic data collectively serves the function of identifying the owner of the Public Key and verifying the integrity of the electronic data. "CERTIFY" or "CERTIFICATION" means the act of generating a Certificate. "CERTIFIED" means the condition of having been issued a valid Certificate by a Certifier, which Certificate has not been revoked.

6. CERTIFICATE SIGNING UNIT ("CSU") means a hardware unit or software designed for use in signing Certificates and key storage. The BBN SafeKeyper(TM) manufactured by BBN Communications, Inc. is one hardware implementation of a CSU.

7. CERTIFICATION AUTHORITY ("CA") means VeriSign and any entity, group, division, department, unit or office which is Certified by VeriSign to, and has accepted responsibility to, issue Certificates to specified Subscribers in a Hierarchy in accordance with the CPS or a Protocol.

8. CERTIFICATION PRACTICE STATEMENT ("CPS") means the VeriSign specification of policies, procedures and resources to control the entire Certificate process and transactional use of Certificates within the VeriSign Public Hierarchies.

9. CHANGE ORDER has the meaning set forth in Section 4.1.8.

10. CUSTOMER AFFILIATES shall mean Visa's Subsidiaries and Related Entities. A "Subsidiary" shall mean a company in which, on a class-by-class basis, more than fifty percent (50%) of the stock entitled to vote for the election of directors is owned or controlled by Customer, but only so long as such ownership or control exists. A "Related Entity" shall mean an entity (A) at least fifty percent (50%) of whose stock or other equity is owned by Customer's member banks and that has the authority to process Visa payment transactions, but only so long as such ownership exists; (B) that has an equity interest in Customer and is owned in whole by Member banks or financial institutions (e.g., national or regional group Members); or (C) that is exclusively managed by Visa or a national or group Member of Visa for the purpose of processing Visa payment transactions, but only so long as such exclusive management exists. Notwithstanding anything to the contrary set forth above, however, Subsidiaries or Related Entities do not include any Acquirer, Issuer or individual bank or like financial institution. Customer Affiliates include, for example, without limitation, Visa USA, Inc., ViTAL, Inc., Plus and Interlink.

11. CUSTOMER BRAND KEY means the set of key pairs for signature and exchange that are used by the Customer in its capacity of CA. The Customer Brand Keys will be used as the "Root" for portions of the Private Label Certificate System.

12. CUSTOMER PRODUCT means any product developed by Customer for use by a Subscriber in Customer's Private Hierarchy with a Certificate issued by VeriSign which incorporates Customer's Root Keys.

13. DIGITAL SIGNATURE means information encrypted with a Private Key which is appended to information to identify the owner of the Private Key and to verify the integrity of the information. "DIGITALLY SIGNED" shall refer to electronic data to which a Digital Signature has been appended.

14. ELECTRONIC CERTIFICATION SYSTEM ("ECS") means the Customer's name for the Private Label Certification System.

15. ELECTRONIC COMMERCE AUTHENTICATION SYSTEM ("ECAS") means VeriSign's proprietary software product marketed and developed under the name "Electronic Commerce Authentication System" providing secure on-line Certificate issuance as presently in existence and as developed and enhanced in the future by VeriSign.

16. FULLY AUTOMATED MERCHANT CERTIFICATE ISSUANCE means Merchant authentication is achieved by passing the authentication information to either Visa or a Visa Member who will then respond electronically with a confirmation or rejection of the authentication. This method does not require human intervention.

17. HIERARCHY means a domain consisting of a system of chained Certificates leading from the Primary Certification Authority through one or more Certification Authorities to Subscribers.

18. INTERFACE SPECIFICATIONS means the interface specifications to be created by Customer and approved by VeriSign pursuant to Section 4.1.1.

19. INTERNET means the global computer network.

20. ISSUER means a Member financial institution that establishes an account for a Cardholder, issues a bank card to the Cardholder, and guarantees payment for authorized transactions using the bank card in accordance with association regulations and local laws.

21. MEMBER means a member of the VISA International Service Association. All Issuers and Acquirers are Members.

22. MERCHANT means one who offers goods or services in exchange for payment, who accepts bank cards for payment, and who has a relationship with an Acquirer.

23. PAYMENT GATEWAY shall mean the computer system as further defined in SET that provides an interface between open networks, such as the Internet, and existing payment systems, such as VisaNet.

24. PRIMARY CERTIFICATION AUTHORITY ("PCA") means an entity that establishes policies for all Certification Authorities and Subscribers within its domain.

25. PRIVATE HIERARCHY means a domain consisting of a chained Certificate hierarchy which is entirely self-contained within an organization or network and not designed to be interoperable with or intended to interact through public channels with any external organizations, networks, and public hierarchies.

26. PRIVATE KEY means a mathematical key which is kept private to the owner and which is used through public key cryptography to encrypt electronic authenticity data and create a Digital Signature which will be decrypted with the corresponding Public Key.

27. PRIVATE LABEL CERTIFICATE SYSTEM means the system developed by VeriSign for Customer as more fully described in Section 2, which incorporates the SET Module and VSE.

28. PROCESSOR means a third party which has been assigned the processing of bank card transactions by one or more Issuers or Acquirers.

29. PROGRAM DOCUMENTS means each of the Project Plan, Interface Specifications, Protocol, System Design Specifications, Acceptance Test Procedures, and Service Level Specification.

30. PROTOCOL means Customer's specification of policies, procedures and resources to control the entire Certificate process and transactional use of Certificates within Customer's Private Hierarchy.

31. PUBLIC HIERARCHY means a domain consisting of a system of chained Certificates leading from VeriSign as the Primary Certification Authority through one or more Certification Authorities to Subscribers in accordance with the VeriSign Certification Practice Statement. Certificates issued in a Public Hierarchy are intended to be interoperable among organizations, allowing Subscribers to interact through public channels with various individuals, organizations, and networks.

32. PUBLIC KEY means a mathematical key which is available publicly and which is used through public key cryptography to decrypt electronic authenticity data which was encrypted using the matched Private Key and to verify Digital Signatures created with the matched Private Key.

33. PUBLIC KEY INFRASTRUCTURE ("PKI") means the VeriSign specification for the architecture, techniques, practices, and procedures that collectively support the implementation and operation of Certificate-based public key cryptographic systems.

34. ROOT KEY means one or more public root key(s) published by the organization which generated and is entitled to use such keys as the public components of its key pair(s) in issuing Certificates in a hierarchy over which such organization has responsibility.

35. SECOND TIER CA means an entity in the business of selling or issuing Certificates in Customer's Private Hierarchy Digitally Signed by such Second Tier CA to Subscribers using the Private Label Certificate System as operated by VeriSign directly or by sublicensing the Private Label Certificate System from VeriSign.

36. SECURE ELECTRONIC TRANSACTIONS ("SET") means the specification published by Customer and MasterCard International and made available to all developers wishing to implement secure payments over the Internet and other public and private networks.

37. SEMI-AUTOMATED MERCHANT CERTIFICATE ISSUANCE means Merchant authentication is achieved by comparing information provided electronically by the Customer or Member to information provided electronically by a Merchant, where human intervention is substantially reduced as compared with the Manual Merchant Certificate Issuance method.

38. SERVICE LEVEL SPECIFICATION means the specification attached hereto as Exhibit "K" approved by Customer and VeriSign pursuant to Section 4.1.6.

39. SET MODULE shall mean the software module created by VeriSign in connection with this Agreement to implement the SET. The SET Module shall include all software elements necessary to implement all aspects of the SET specification, but shall not include the VISA SET Enhancements.

40. SUBSCRIBER means an individual, a device or a role/office that has requested a Certifier to issue him, her or it a Certificate.

41. SYSTEM DESIGN SPECIFICATIONS means the system design specifications to be created by VeriSign in connection with the Private Label Certificate System for acceptance testing in accordance with Section 4.1.3. The System Design Specifications shall contain, at minimum, the items listed on the outline presently attached as Exhibit "E" and the Requirements Documents attached as Exhibit "F". Upon acceptance by Customer, the System Design Specifications shall be attached, in lieu of such outline, as Exhibit "E".

42.
"VERISIGN AFFILIATES" shall mean a company in which, on a class by --------------------- class basis, more than fifty percent (50%) of the stock entitled to vote for the election of directors is owned or controlled by VeriSign, but only so long as such ownership or control exists. 43. VISA SET ENHANCEMENTS ("VSE") shall mean the software module created ----------------------------- by VeriSign under this Agreement which interfaces with the SET Module to provide enhanced functionality and features unique to Customer as specified in the Requirements Document, a current copy of which is attached as Exhibit "F," but not necessary to fully implement the SET. 44. WWW means the system currently referenced as the "World Wide Web" for --- organizing multi-media information distributed across network(s) such that it can be navigated and accessed via cross linking mechanisms, and any successor to such system, and any parallel system which uses at least all the same communication protocols as the system currently referenced as the "World Wide Web" or to the successor to such system, even if the administrators of such systems choose to call them by different names. <PAGE> VeriSign Private Label Agreement Page 25 EXHIBIT "B" FEES 1. DEVELOPMENT FEES. ---------------- Customer shall pay as Development Fees the amount of * for development and testing, less the $100,000.00 already paid pursuant to the Consulting Services Agreement between VeriSign and Customer dated _______________, will be payable in four equal installments due at the execution of this Agreement, Test I, Test II, and Pilot as detailed in Exhibit "D". 2. SET-UP FEES. ----------- A one-time Set-up Fee of * will be paid by Customer for operation and set- up of redundant dedicated sites of the Private Label Certificate System. The Set-up Fee shall be in two portions: an Operation Fee of * and a Back-Up Site Operations Fee of *. 
One half of the Operation Fee will be payable October 1, 1996 and the other half shall be payable on December 31, 1996. The Back-Up Site Operations Fee shall be payable upon implementation of the back-up system specified pursuant to the Project Plan, but not earlier than January 1, 1997.

3. SUBSCRIBER FEES. For the initial Term of this Agreement, Prepaid Subscriber Fees shall be as follows:

Period: 1997 / 1998 / 1999
Prepaid Subscriber Fee*: (amounts omitted, see footnote)

Prepaid Subscriber Fees for 1997 and 1998 shall be paid on a quarterly basis and shall be due within thirty (30) days of the end of the calendar quarter. Prepaid Subscriber Fees for 1999 shall be made in two equal installments, payable within thirty (30) days after the end of the first two (2) calendar quarters of 1999. One hundred percent (100%) of the Fees accrued and payable on a monthly basis under this Section 3 shall be offset against such Prepaid Subscriber Fees until the total annual prepayment is exhausted. All Subscriber Fees from every type of Certificate shall be offset in the specified manner, whether Cardholder, Merchant, Payment Gateway or Member. Prepaid Subscriber Fees in a year not offset in such year shall be earned by VeriSign and shall not be subject to future offset; however, Prepaid Subscriber Fees for 1997 shall be used as an offset for Subscriber Fees incurred in the first year commencing on the First Date of Operations, as defined below. Similarly, Prepaid Subscriber Fees for 1998 and 1999 shall be used as an offset for Subscriber Fees for the second year and the first half of the third year respectively from the First Date of Operation.

* Confidential treatment has been requested with respect to certain portions of this exhibit. Confidential portions have been omitted from the public filing and have been separately filed with the Securities and Exchange Commission.
The "First Date of Operation" shall be either the actual date that VeriSign operates the Private Label Certificate System on behalf of Customer in the Pilot, as defined in the Project Plan, or April 1, 1997, whichever comes first.

FEES PER CERTIFICATE REQUEST:

Issuer CA Certificates*
Acquirer Certificates*
Payment Gateway CA Certificates*
Cardholder Certificates* (by Quantity)
Manual Merchant Certificates* (by Quantity)
Semi-Automated Merchant Certificates
Manual Payment Gateway Certificates
Semi-Automated Payment Gateway Certificates

The parties intend to create a Fully Automated Merchant Certificate. Parties agree to negotiate in good faith lower pricing for Fully Automated Merchant Certificates when such Certificates are made available.

4. MOST FAVORED PRICING. VeriSign agrees that it shall offer to Customer and Customer's Subscribers the best pricing it offers to any other customer or Subscriber of a customer purchasing services or Certificates through any Certificate system offering Subscriber Certificates through the use of the VSE. VeriSign agrees to renegotiate any of its pricing if at any time VeriSign pricing becomes noncompetitive with the pricing of other parties offering similar services.

5. U.S. CURRENCY. All payments hereunder shall be made in lawful United States Currency.

EXHIBIT "C"
LOGOS AND TRADEMARKS

VeriSign encourages its customers to use VeriSign logos, trademarks and service marks on customer product data sheets, packaging, Web pages and advertising, but it is important to use them properly.
When using VeriSign trademarks and service marks in ads, product packaging, documentation or collateral materials, be sure to use the correct trademark designator: (R) for registered trademarks, (TM) for claimed or pending trademarks and sm for claimed or pending service marks. VeriSign trademarks and their correct designators are depicted below. To ensure proper usage, please allow VeriSign marketing to review any materials using or mentioning VeriSign trademarks prior to general release. Using these VeriSign logos does not require written permission; in fact, we encourage you to use them on your product packaging, Web pages and marketing collateral! VeriSign will update this Logos and Trademarks Usage Guide on a regular basis. To check for the most current information on logo and trademark usage, check VeriSign's Web site at http:/www.verisign.com.

VeriSign(TM)
Digital ID (sm)
Digital ID Center (sm)

EXHIBIT "D"
PROJECT PLAN ELEMENTS

The VeriSign Deliverables to Customer for Test I will be ready for Acceptance Test I on or before the date agreed to by the Customer/VeriSign Joint Project Team. Terms for delivery of development deliverables for Test II and Test III, Pilot, and General Availability production will be specified in the Project Plan. VeriSign will provide full production, operational facilities in accordance with time scales agreed with Customer. The operation and support will be implemented in phases as defined in the Project Plan (i.e. Test I, II, III, Pilot, General Availability).

EXHIBIT "E"
SYSTEM DESIGN SPECIFICATIONS

The Private Label Certificate System will be based upon the VeriSign product Electronic Commerce Authentication System plus enhancements specified by Customer. The parties contemplate that development, testing and implementation of all Private Label Certificate System components will be carried out in three phases.
The Private Label Certificate System will consist of three basic modules: ECAS, SET Module and VSE. The System Design Specifications will implement the following requirements documents attached in this Exhibit.

Electronic Certification Services
Brand Certificate Authority
Business Policies, Procedures and Requirements
Version 1.0
April 30, 1996

TABLE OF CONTENTS

1. Overview
  1.1 Focus
  1.2 Purpose
  1.3 Availability/Phase
2. Operations
  2.1 Start of CA Operations
  2.2 Operating Guidelines
  2.3 Service Level Agreement
  2.4 Termination of CA Operations
  2.5 Backup Requirements
  2.6 Archival and Retrieval
  2.7 Contingency Requirements
3. Keys and Certificates
  3.1 Certificate Formats
  3.2 Certificate Issuance Policies
  3.3 Brand CA Key Pairs and Corresponding Certificates
    3.3.1 Brand CA Geo-political Certificate Signature (T3)
    3.3.2 Brand CA Geo-political Key Exchange (T3)
    3.3.3 Brand CA Geo-political Message Signature (T3)
    3.3.4 Brand CA Issuer Certificate Signature (T2)
    3.3.5 Brand CA Issuer Key Exchange (T2)
    3.3.6 Brand CA Issuer Message Signature (T2)
    3.3.7 Brand CA Acquirer Certificate Signature (T2)
    3.3.8 Brand CA Acquirer Key Exchange (T2)
    3.3.9 Brand CA Acquirer Message Signature (T2)
    3.3.10 Brand CA Payment Gateway Certificate Signature (T2)
    3.3.11 Brand CA Payment Gateway Key Exchange (T2)
    3.3.12 Brand CA Payment Gateway Message Signature (T2)
    3.3.13 Brand CA Root Key Exchange (GA)
    3.3.14 Brand CA Root Message Signature (GA)
    3.3.15 Brand CA Backup Signature/Encryption (P)
    3.3.16 Brand CA Archival Signature/Encryption (P)
  3.4 External Certificates
    3.4.1 Root CA Brand Certificate Signature (T2)
    3.4.2 Root CA Brand Key Exchange (GA)
    3.4.3 Root CA Brand Message Signature (GA)
  3.5 Key and Certificate Management
    3.5.1 Key Security
    3.5.2 Key Generation
    3.5.3 Key Expiration and Renewal
    3.5.4 Brand Key Compromise
    3.5.5 Key Backup
    3.5.6 Key Recovery
    3.5.7 Key Transport
    3.5.8 Key Archival (P)
    3.5.9 Key Retrieval (P)
  3.6 Underlying Cryptography
  3.7 Certificate Revocation Lists (CRL) (V2)
4. Interface with the Root CA
  4.1 Registering with Root CA
  4.2 Certificate Request
  4.3 Certificate Renewal
  4.4 Certificate Revocation
  4.5 Root Certificates
  4.6 Root Key Compromise Procedures
  4.7 Messages
5. Interface with Geo-political CAs (T3)
  5.1 Registering a Geo-political CA
  5.2 Certificate Issuance Policies
  5.3 Certificate Revocation
  5.4 Messages
6. Interface with Cardholder CAs
  6.1 Registering a Cardholder CA
  6.2 Certificate Issuance Policies
  6.3 Certificate Revocation
  6.4 Messages
7. Interface with Merchant CAs
  7.1 Registering a Merchant CA
  7.2 Certificate Issuance Policies
  7.3 Certificate Revocation
  7.4 Messages
8. Interface with Payment Gateway CA
  8.1 Registering a Payment Gateway CA
  8.2 Certificate Issuance Policies
  8.3 Certificate Revocation
  8.4 Messages
9. Interface with VisaNet
10. Security (P)
  10.1 Physical Security
  10.2 Network Security
  10.3 System Security
  10.4 Personnel Security Requirements
11. Auditing (P)
12. Reporting
13. Outstanding Issues

1. OVERVIEW

This document defines the business policies, procedures and requirements governing the design, implementation and operation of the Brand Certificate Authority (CA). It addresses all aspects of the Brand Certificate Authority including operations, key and certificate management, interaction with other entities, security, auditing and reporting.

1.1 Focus

This document focuses on the Brand Certificate Authority policies, procedures and requirements needed to support Visa's Secure Electronic Commerce (SEC) Services. All CA functions are collectively known as Visa's Electronic Certification Services (ECS).

1.2 Purpose

The Brand CA (BCA) issues SEC compliant digital certificates to Brand members (Issuers and Acquirers or their processors) that wish to participate in Visa Secure Electronic Commerce (SEC) Services. The Brand CA issues Cardholder CA (CCA) certificates for use in issuing certificates to their cardholders and Merchant CA (MCA) certificates for use in issuing certificates to their merchants. In addition the Brand CA will issue certificates to Brand operated Payment Gateway CAs (PCA) for use in issuing certificates to Acquirer Payment Gateways. The Brand CA will also issue certificates to Geo-political CAs (GCA).
The Brand CA issues three types of certificates for each of their members: certificate signature certificates, key exchange certificates and message signature certificates. The Brand CA will only directly interact with the Root CA (RCA), Geo-political CAs, Cardholder CAs, Merchant CAs, and Payment Gateway CAs. The Brand CA is also responsible for establishing and publishing policies and procedures that clearly define the purpose, usage, value and guidelines of certificates that it issues. It also establishes policies, procedures and requirements that govern the design, implementation and operation of subordinate CAs within the Brand CA's domain.

1.3 Availability/Phase

The policies, procedures and requirements identified and defined within this document are expected to be in operation and/or the deliverable met for acceptance testing of Test 1. Exceptions to this are identified by "(xx)" where xx represents the acceptance test of the phase upon which it must be in operation and/or the deliverable met. Test 1 will be based on the April/May 1996 release of the SET specifications. Pilot will be based on Version 1.0 of SET. For additional or specific schedule information refer to the overall Visa SEC Service project plan.

2. OPERATIONS

This section defines the business policies, procedures and requirements related to the operation of the BCA.

2.1 Start of CA Operations

To be determined.

1. Prior to the start of the BCA operations, all acceptance testing, audits, backup and contingency procedures must be completed and have "sign off" by the appropriate Brand officials.

2.2 Operating Guidelines

1. The BCA will operate on GMT time. The BCA clock shall be kept accurate within one (1) minute of actual GMT time as provided by a source that is mutually agreed upon by Visa and VeriSign. (T2)
2. The BCA time will be synchronized with all other components of ECS.
3. The BCA will be able to support resent messages from CCAs, MCAs, PCAs and Payment Gateways. (V2)
4. Responses to resent messages (duplicates) will rewrap the reply contents and forward the reply to the requester. (V2)
5. The BCA shall log all incoming and response messages.
6. All transactions defined within the SET Specification document must be supported.
7. The BCA shall maintain a database of all registration information linked to a certificate and/or member. (T2)
8. No data that has reached the ECS domain can be lost. Refer to the SLA for more details. (T2)

2.3 Service Level Agreement

1. The BCA shall be available as defined in the Service Level Agreement. (GA)
2. The BCA shall be able to process a certain number of certificate requests per time period (peak load) as defined in the Service Level Agreement. (GA)

2.4 Termination of CA Operations

To be determined.

2.5 Backup Requirements

1. The BCA shall be backed up on a scheduled basis as defined in the SLA. (T2)
2. The BCA shall back up the basic system components. (T1)
3. The BCA shall back up all elements of the CA as defined in a design document that is mutually agreed upon by Visa and VeriSign. (T2)
4. Backup copies of the BCA archives must be stored in encrypted and signed format as defined in a design document that is mutually agreed upon by Visa and VeriSign. (GA)
5. All backup media must be stored offsite in a secure manner. (T2)
6. System backups must be performed as defined in the SLA. (T2)

2.6 Archival and Retrieval

1. All certificates issued by the BCA, and the associated registration information, will be placed in archives. (GA)
2. The BCA archives shall be kept on read-only media (optical disk). (GA)
3. The BCA will have a mechanism to read/recall information that is stored in archives as defined in a design document that is mutually agreed upon by Visa and VeriSign. (GA)

2.7 Contingency Requirements

1. The BCA must be able to recover from an RCA or BCA key compromise as defined in the SLA. (P)
2. The BCA shall have a fully functional and secure contingency site in the event that the primary site becomes unavailable. (P)
3. In case of disaster, the BCA must have appropriate backup facilities operable within the time frame described within the SLA.
4. If the BCA servers or cryptographic materials become inoperable, business resumption plans must allow the BCA services to resume within the time frame described within the SLA.

3. KEYS AND CERTIFICATES

This section defines the business policies, procedures and requirements related to keys and certificates used within the BCA.

3.1 Certificate Formats

1. All RCA certificates will be formatted as described in the SET Specification document and must include any SEC specific information.
2. All BCA certificates will be formatted as described in the SET Specification document and must include any SEC specific information.
3. All GCA certificates will be formatted as described in the SET Specification document and must include any SEC specific information.
4. All CCA certificates will be formatted as described in the SET Specification document and must include any SEC specific information.
5. All MCA certificates will be formatted as described in the SET Specification document and must include any SEC specific information.
6. All PCA certificates will be formatted as described in the SET Specification document and must include any SEC specific information.

3.2 Certificate Issuance Policies

1. The BCA will only issue certificates to CCAs, MCAs, GCAs and PCAs.

3.3 Brand CA Key Pairs and Corresponding Certificates

This subsection defines the key pairs and corresponding certificates generated and used within the BCA.
3.3.1 BRAND CA GEO-POLITICAL CERTIFICATE SIGNATURE (T3)
* Usage: Used to sign certificates issued to GCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 6 years
* Private Key Expiration: 1 year
* Issued By: RCA

3.3.2 BRAND CA GEO-POLITICAL KEY EXCHANGE (T3)
* Usage: Used by the GCA to encrypt messages sent to BCA
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 1 year
* Private Key Expiration: 2 years
* Issued By: RCA

3.3.3 BRAND CA GEO-POLITICAL MESSAGE SIGNATURE (T3)
* Usage: Used to sign messages sent to GCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 2 years
* Private Key Expiration: 1 year
* Issued By: RCA

3.3.4 BRAND CA ISSUER CERTIFICATE SIGNATURE (T2)
* Usage: Used to sign certificates issued to CCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 5 years
* Private Key Expiration: 1 year
* Issued By: RCA

3.3.5 BRAND CA ISSUER KEY EXCHANGE (T2)
* Usage: Used by the CCA to encrypt messages sent to BCA
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 1 year
* Private Key Expiration: 2 years
* Issued By: RCA

3.3.6 BRAND CA ISSUER MESSAGE SIGNATURE (T2)
* Usage: Used to sign messages sent to CCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 2 years
* Private Key Expiration: 1 year
* Issued By: RCA

3.3.7 BRAND CA ACQUIRER CERTIFICATE SIGNATURE (T2)
* Usage: Used to sign certificates issued to MCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 4 years
* Private Key Expiration: 1 year
* Issued By: RCA

3.3.8 BRAND CA ACQUIRER KEY EXCHANGE (T2)
* Usage: Used by CCA to encrypt messages sent to BCA
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 1 year
* Private Key Expiration: 2 years
* Issued By: RCA

3.3.9 BRAND CA ACQUIRER MESSAGE SIGNATURE (T2)
* Usage: Used to sign messages sent to CCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 2 years
* Private Key Expiration: 1 year
* Issued By: RCA

3.3.10 BRAND CA PAYMENT GATEWAY CERTIFICATE SIGNATURE (T2)
* Usage: Used to sign certificates issued to PCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 2 years
* Private Key Expiration: 1 year
* Issued By: RCA

3.3.11 BRAND CA PAYMENT GATEWAY KEY EXCHANGE (T2)
* Usage: Used by PCAs to encrypt messages sent to BCA
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 1 year
* Private Key Expiration: 2 years
* Issued By: RCA

3.3.12 BRAND CA PAYMENT GATEWAY MESSAGE SIGNATURE (T2)
* Usage: Used to sign messages sent to PCAs
* Key Size: 1024 bits
* Certificate/Public Key Expiration: 2 years
* Private Key Expiration: 1 year
* Issued By: RCA

3.3.13 BRAND CA ROOT KEY EXCHANGE (GA)
* Usage: Used by RCA to encrypt messages sent to BCA
* Key Size: 2048 bits
* Certificate/Public Key Expiration: 1 year
* Private Key Expiration: 2 years
* Issued By: RCA

3.3.14 BRAND CA ROOT MESSAGE SIGNATURE (GA)
* Usage: Used to sign messages sent to the RCA
* Key Size: 2048 bits
* Certificate/Public Key Expiration: 2 years
* Private Key Expiration: 1 year
* Issued By: RCA

3.3.15 BRAND CA BACKUP SIGNATURE/ENCRYPTION (P)
* Usage: Used to sign and encrypt BCA backup data
* Key Size: 1024 bits
* Certificate/Public Key Expiration: n/a
* Private Key Expiration: n/a
* Issued By: BCA

3.3.16 BRAND CA ARCHIVAL SIGNATURE/ENCRYPTION (P)
* Usage: Used to sign and encrypt BCA archival data
* Key Size: 1024 bits
* Certificate/Public Key Expiration: n/a
* Private Key Expiration: n/a
* Issued By: BCA

3.4 External Certificates

This subsection defines the certificates used by the BCA that were issued externally to the BCA.
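The key inventory of 3.3, together with the renewal rule of 3.5.3 and the key compromise procedures of 3.5.4 that follow later in this exhibit, as an added Python model that is not VeriSign's or Visa's code. The purpose labels, ISO-format issue dates and check functions are this example's own; for 3.3.8 and 3.3.9 it follows the section titles (Acquirer), although their Usage lines name the CCA.

```python
"""Model of the Brand CA key inventory (3.3) with the 3.5.3 renewal rule and
the 3.5.4 compromise procedures. Added illustration, not the project's code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

CERT_SIG, KEY_EXCH, MSG_SIG, BACKUP = "cert_sig", "key_exchange", "msg_sig", "backup"
SUBORDINATES = ("GCA", "CCA", "MCA", "PCA")   # CAs that receive new BCA certificates


@dataclass(frozen=True)
class BcaKey:
    section: str
    purpose: str
    peer: str                   # CA the key faces: a subordinate CA, the RCA, or the BCA itself
    key_bits: int
    cert_years: Optional[int]   # Certificate/Public Key Expiration (None = n/a)
    priv_years: Optional[int]   # Private Key Expiration (None = n/a)
    issued_by: str


# Figures transcribed from 3.3.1 - 3.3.16; peers for 3.3.8/3.3.9 follow the titles.
INVENTORY = [
    BcaKey("3.3.1", CERT_SIG, "GCA", 1024, 6, 1, "RCA"),
    BcaKey("3.3.2", KEY_EXCH, "GCA", 1024, 1, 2, "RCA"),
    BcaKey("3.3.3", MSG_SIG, "GCA", 1024, 2, 1, "RCA"),
    BcaKey("3.3.4", CERT_SIG, "CCA", 1024, 5, 1, "RCA"),
    BcaKey("3.3.5", KEY_EXCH, "CCA", 1024, 1, 2, "RCA"),
    BcaKey("3.3.6", MSG_SIG, "CCA", 1024, 2, 1, "RCA"),
    BcaKey("3.3.7", CERT_SIG, "MCA", 1024, 4, 1, "RCA"),
    BcaKey("3.3.8", KEY_EXCH, "MCA", 1024, 1, 2, "RCA"),
    BcaKey("3.3.9", MSG_SIG, "MCA", 1024, 2, 1, "RCA"),
    BcaKey("3.3.10", CERT_SIG, "PCA", 1024, 2, 1, "RCA"),
    BcaKey("3.3.11", KEY_EXCH, "PCA", 1024, 1, 2, "RCA"),
    BcaKey("3.3.12", MSG_SIG, "PCA", 1024, 2, 1, "RCA"),
    BcaKey("3.3.13", KEY_EXCH, "RCA", 2048, 1, 2, "RCA"),
    BcaKey("3.3.14", MSG_SIG, "RCA", 2048, 2, 1, "RCA"),
    BcaKey("3.3.15", BACKUP, "BCA", 1024, None, None, "BCA"),
    BcaKey("3.3.16", BACKUP, "BCA", 1024, None, None, "BCA"),
]


def add_years(d: date, years: int) -> date:
    """Calendar-year offset; a 29 February anniversary falls back to the 28th."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def lifetime_findings(key: BcaKey) -> List[str]:
    """Checks the 3.3 figures should satisfy: a signing private key is retired no
    later than its certificate (old signatures stay verifiable), a key exchange
    private key outlives its certificate (messages encrypted under a still
    circulating certificate stay decryptable), and RCA-facing keys are 2048 bits."""
    findings = []
    if key.cert_years is not None:
        if key.purpose in (CERT_SIG, MSG_SIG) and key.priv_years > key.cert_years:
            findings.append(f"{key.section}: signing key outlives its certificate")
        if key.purpose == KEY_EXCH and key.priv_years < key.cert_years:
            findings.append(f"{key.section}: decryption key retired before its certificate")
    if key.peer == "RCA" and key.key_bits < 2048:
        findings.append(f"{key.section}: root-facing key below 2048 bits")
    return findings


def renewal_window_opens(issued_iso: str, key: BcaKey) -> str:
    """3.5.3: a new key pair is generated 30 days before the certificate expires.
    Takes and returns ISO dates (YYYY-MM-DD)."""
    if key.cert_years is None:
        raise ValueError(f"{key.section} has no certificate expiration")
    expiry = add_years(date.fromisoformat(issued_iso), key.cert_years)
    return (expiry - timedelta(days=30)).isoformat()


def compromise_response(key: BcaKey) -> List[str]:
    """The ordered steps 3.5.4 prescribes after compromise of a BCA key pair."""
    if key.purpose == BACKUP:
        raise ValueError("3.5.4 defines no procedure for backup/archival keys")
    steps = [f"revoke the BCA certificate for {key.section}", "generate a new key pair"]
    if key.peer == "RCA":
        # 3.5.4 items 4 and 5: root-facing keys are re-certified with the RCA only,
        # off-line when the compromised key is the message signature key.
        offline = " in a trusted, off-line manner" if key.purpose == MSG_SIG else ""
        steps.append("request a new certificate from the RCA" + offline)
        return steps
    steps.append("request a new certificate from the RCA")
    if key.purpose == CERT_SIG:
        # 3.5.4 item 3: everything signed by the compromised key is revoked and reissued
        steps.append(f"revoke all {key.peer} certificates signed by the compromised key")
        steps.append(f"reissue {key.peer} certificates under the new key pair")
    # A compromised message signature key cannot vouch for its own replacement, so
    # that distribution is signed with the new key (item 2); otherwise the still
    # valid message signature key signs it (items 1 and 3).
    signer = "new" if key.purpose == MSG_SIG else "valid"
    steps.append(f"distribute the new certificate to {', '.join(SUBORDINATES)} "
                 f"in a message signed with the {signer} BCA message signature key")
    return steps
```

Running `compromise_response` over the inventory shows why a certificate signature key compromise is the costly case: it is the only one that cascades into revoking and reissuing every subordinate CA certificate.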
3.4.1 ROOT CA BRAND CERTIFICATE SIGNATURE (T2)
* Usage: Used to authenticate certificates issued by the RCA to the BCA
* Key Size: 2048 bits
* Certificate/Public Key Expiration:
* Private Key Expiration:
* Issued By: RCA

3.4.2 ROOT CA BRAND KEY EXCHANGE (GA)
* Usage: Used to encrypt messages sent by the BCA to the RCA
* Key Size: 2048 bits
* Certificate/Public Key Expiration:
* Private Key Expiration:
* Issued By: RCA

3.4.3 ROOT CA BRAND MESSAGE SIGNATURE (GA)
* Usage: Used to authenticate messages sent by the RCA to the BCA
* Key Size: 2048 bits
* Certificate/Public Key Expiration:
* Private Key Expiration:
* Issued By: RCA

3.5 Key and Certificate Management

This section defines the business policies, procedures and requirements related to key and certificate management of the BCA.

Note: Key management requirements are based on the use of a BBN cryptographic module. Similar methods must be used for non-BBN cryptographic modules. Visa will review and approve methods used for non-BBN cryptographic modules prior to implementation.

3.5.1 KEY SECURITY

1. All BCA cryptographic functions will be performed in tamper proof and tamper detectable hardware that complies with FIPS 140 level 3 requirements. (T2)
2. Hardware security devices shall be able to indicate failure, error condition and evidence of tamper.
3. The PPK pair must be generated within the hardware security device in which that key will be used. The only exception to this is in generating backup cryptographic devices that require the same keying information.
4. The BCA private keys shall never appear outside of the hardware security device in any form. The only exception to this is in generating backup cryptographic devices that require the same keying information.
5. All BCA private keys must be kept in a single tamper evident hardware security device.

3.5.2 KEY GENERATION

1. The BCA keys must be generated according to Visa's direction as defined in a policy document that is mutually agreed upon by Visa and VeriSign.
2. The BCA public and private key (PPK) pairs must be generated using random (RNG) or pseudo-random (PRNG) techniques.
3. Any RNG/PRNG technique used to generate PPK pairs must have a low correlation value of results to ensure unpredictability. Correlation values must be documented and may be reviewed by Visa at its discretion.
4. The generation of each PPK pair must be conducted within a secure room rated for tempest security. The equipment may, if tempest rated, suffice.
5. Only authorized BCA personnel may generate PPK pairs.
6. Before generating each PPK pair, the hardware device must be made secure by guidelines as described by Visa International.
7. An audit control log must be kept for each PPK pair generated.
8. Brand CIK token holders may not also be Member CIK token holders.

3.5.3 KEY EXPIRATION AND RENEWAL

1. 30 days prior to expiration of existing BCA certificates, the BCA will generate new key pairs for the corresponding application. Following key generation, the BCA shall request a new certificate from the RCA. The new certificate will be distributed to all the GCA, CCA, MCA, PCAs within a message that is signed using the private key that corresponds to the valid BCA message signature certificate. (GA)

3.5.4 BRAND KEY COMPROMISE

1. Upon the compromise of a BCA key exchange key pair, the corresponding BCA key exchange certificate will be revoked. A new key pair will be generated and the BCA shall request a new certificate from the RCA. The BCA will distribute the new certificate to GCA, CCA, MCA, and PCAs within a message that is signed using the private key that corresponds to the valid BCA message signature certificate. (P)
2. Upon the compromise of a BCA message signature key pair, the corresponding BCA message signature certificate will be revoked. A new key pair will be generated and the BCA shall request a new certificate from the RCA. The BCA will distribute the new certificate to GCA, CCA, MCA, and PCAs within a message that is signed using the private key that corresponds to the new BCA message signature certificate. (P)
3. Upon the compromise of a BCA certificate signature key pair, the corresponding BCA certificate signature certificate will be revoked. A new key pair will be generated and the BCA shall request a new certificate from the RCA. All GCA, CCA, MCA, and PCA certificates signed by the compromised key will be revoked. New certificates will be issued and signed using the newly generated key pair. The new certificates along with the new BCA certificate signature certificate will be sent to all GCA, CCA, MCA, and PCAs whose certificates were revoked. These certificates will be sent within a message that is signed using the private key that corresponds to the valid BCA message signature certificate. In addition, all other GCA, CCA, MCA, and PCAs will receive the new certificate within a similar message. (P)
4. Upon the compromise of a BCA Root key exchange key pair, the corresponding BCA Root key exchange certificate will be revoked. A new key pair will be generated and the BCA shall request a new certificate from the RCA. (GA)
5. Upon the compromise of a BCA Root message signature key pair, the corresponding BCA Root message signature certificate will be revoked. A new key pair will be generated and the BCA shall request a new certificate from the RCA in a trusted, off-line manner. (GA)

3.5.5 KEY BACKUP

1. Each BCA private key will have a corresponding backup housed within a fill device; each fill device must be kept in a separate location known only to authorized CA personnel; access to backup keys must be under dual control.
2. Backup facilities are subject to the same key management requirements as the primary facilities.

3.5.6 KEY RECOVERY

1. In the event that the BCA's private key is lost in a manner free of compromise, such as equipment failure, corruption of the keying data, or forgotten passwords, it may be possible to restore the keying material from a secure backup, i.e., a removable storage device.
2. The secure backup process includes a datakey or token where the private key is secured by both the physical security properties of the removable storage medium and by a secret DES key that is unique to the device that originally contained the Private Key. The latter requirement is important to assure that the authority is restored only on the device that contained the original DES key and that a duplicate authority is not created.
3. The DES key protecting the Private Key when secured in the removable storage device is to be a double length key and triple encryption is to be used to protect the Private Key. The encryption process is defined in Visa's Card Technologies Standards Manual.
4. The process of removing the device from storage is to be performed under the principle of dual control.
5. Re-initialization of the authority is to be managed using the same procedures as when the authority was created.

3.5.7 KEY TRANSPORT

1. Private Keys are never to be transported outside the physical protection of the security module containing that private key during its active, useful life.
2. The Private Key may, for purposes of recovery, exist in the protected memory of removable storage only if protected by a double length DES key that is known only to the device where the actual Private Key is resident.
3. Transport of the data token, with the encrypted Private Key, is to be under dual control, i.e., never to be managed under the single custody of the transporting parties.
4. Custodians for the removable memory component are never to be holders of the Cryptographic Ignition Keys (CIKs).
5. Every access of the removable memory component is to be logged and a verifiable audit trail maintained by the CA.
6. When Public Keys are transported, steps must be taken to assure that the integrity of the key is maintained. There must be no chance for the substitution of other values. Therefore, Public Keys received by the CA for the purposes of certification are to be protected either using the DES Algorithm or Diffie-Hellman Exponential Key Exchange.

3.5.8 KEY ARCHIVAL (P)

1. Archival refers to the off-line, long term storage of keys that are no longer operational.
2. The purpose of archiving is to settle disputes involving non-repudiation, i.e., the evidence of the validity of an old digital signature.
3. To be able to establish the validity of a claim requires that any archived keying data be secured so that the integrity of the original key is assured.
4. The archival of a Private Key requires either the secure, long term storage of the removable memory device or the complete storage of the physical device used by the CA for certificate creation. In those situations where the removable memory device can be archived, the physical device of which the removable memory was a part must contain a single authority.
5. For the purposes of the BCA, the archival of the private key requires the secure storage of the removable memory of the security device used by the authority for that Private Key. This device will contain the archived Private Key encrypted under the secret, double length DES key known only to the security module containing the active Private Key and distributed across the Cryptographic Ignition Keys (CIKs) unique to that device.
6.
If the device contains multiple authorities, the archival of all Private Keys will, most likely have to be accomplished at the same time because, at no time is a CA to archive Private Keys outside the physical device of which they were created, protected by a DES key that is being used to protect another archived Private Key, except by chance. 3.5.9 KEY RETRIEVAL (P) 1. For the purposes of non-repudiation, the archived Private Keys are to be managed as if they were valid. 2. Key retrieval from an archival domain is to be accomplished using the same care and procedures as originally used for its creation. 3.6 Underlying Cryptography ----------------------- 1. The BCA will support the RSA algorithm for public-key cryptography, SHA (1) for hashing and DES for data encryption. Refer to the SEC Specification document for details. 3.7 Certificate Revocation Lists (CRL) (V2) --------------------------------------- Not applicable for of General Availability. 4. INTERFACE WITH THE ROOT CA This subsection defines the business policies, procedures and requirements related to the BCA's interaction with the RCA. 4.1 Registering with Root CA ------------------------ To be determined. 4.2 Certificate Request ------------------- 1. Initial BCA root certificate requests will be obtained by the RCA in a trusted, off-line manner. (P) 2. Delivery of the Initial BCA root certificate requests will be handled as described in a 12 <PAGE> policy document that is mutually agreed upon by Visa and VeriSign. (P) 3. Subsequent BCA certificate requests will be obtained by the RCA via online electronic means. (GA) 4.3 Certificate Renewal ------------------- 1. 30 days prior to expiration of existing BCA certificates, the BCA will generate new key pairs for the corresponding application. Following key generation, the BCA shall request a new certificate from the RCA. 4.4 Certificate Revocation ---------------------- 1. 
Upon the compromise of any BCA key pair, the BCA must notify the RCA to revoke the corresponding BCA certificate. A new key pair will be generated and the BCA shall request a new certificate from the RCA. 4.5 Root Certificates ----------------- 1. All initial RCA certificates will obtained in a trusted manner. (P) 2. All initial RCA certificates will be authenticated using the public keys contained within the RCA certificates and the associated hash values as defined in the SEC Specification document. (P) 3. All non-initial RCA certificates will be authenticated using the public key contained within the previous Root usage certificates. (P) 4. All RCA certificates will be stored in a tamper proof and detectable manner. (P) 5. All certificates issued by the RCA to the BCA will be authenticated using the public key contained within the valid RCA brand certificate signature certificate. (P) 4.6 Root Key Compromise Procedures ------------------------------ 1. Upon compromise of a RCA key pair, new RCA certificates shall be treated as initial RCA certificates and the appropriate procedures will be applied. (P) 2. Upon the compromise of a RCA brand certificate signature key pair, the corresponding RCA brand signature certificate and any certificates issued with the corresponding key will not be accepted. The RCA will distribute the new RCA brand key exchange certificate to the BCA within a message that is signed using the private key that corresponds to the valid RCA brand message signature certificate. All BCA certificates signed by the compromised key will be revoked. New BCA certificates will be requested from the RCA. All CCA, MCA, GCA, PCA and Registration Server certificates signed by BCA certificates issued by the compromised RCA key will be revoked. New CCA, MCA, 13 <PAGE> GCA, PCA and Registration Server certificates will be issued and signed using newly generated BCA key pairs. 
The new certificates along with the new RCA and BCA certificate signature certificates will be sent, in a trusted manner, to all CCA, MCA, GCA, PCA and Registration Server whose certificates were revoked. (P) 3. Upon the compromise of a RCA brand key exchange key pair, the corresponding RCA brand key exchange certificate will not be used to encrypt messages sent to the RCA. The RCA will distribute the new RCA brand key exchange certificate to the BCA within a message that is signed using the private key that corresponds to the valid RCA brand message signature certificate. (P) 4. Upon the compromise of a RCA brand message signature key pair, the corresponding RCA brand message signature certificate and any messages signed by the compromised key pair will not be accepted. The RCA will distribute the new RCA brand message signature certificate to the BCA within a message that is signed using the private key that corresponds to the new RCA brand message signature certificate. (P) 4.7 Messages -------- 1. All messages sent by the BCA to the RCA will be encrypted using the public key contained within the valid RCA brand key exchange certificate. (GA) 2. All messages sent by the RCA to the BCA will be encrypted using the public key contained within the valid BCA Root key exchange certificate. (GA) 3. All messages sent by the BCA to the RCA will be signed using the private key corresponding to the valid BCA Root message signature certificate. (GA) 4. All messages sent by the RCA to the BCA will be authenticated using the public key contained within the valid RCA brand message signature certificate. (GA) 5. All requests for BCA certificates sent to the RCA will be formatted as described in ??? (GA) 6. All responses to BCA certificate requests by the RCA will be formatted as described in ??? (GA) 5. INTERFACE WITH GEO-POLITICAL CAS (T3) This subsection defines the business policies, procedures and requirements related to the BCA's interaction with a GCA. 
5.1 Registering a Geo-political CA
----------------------------------

1. The GCA entity must register with the Brand prior to issuing certificates to its members.

2. The GCA entity must complete a GCA Registration Contract prior to being issued a certificate by the Brand.

3. The GCA Registration Contract must be signed by authorized members of the GCA entity.

4. The authorized members of the GCA entity must present proof of the existence of the Geo-political entity (i.e. letter of incorporation).

5. The authorized members of the GCA entity must present proof of their own identity (i.e. passport).

6. The authorized members of the GCA entity must present proof of their relationship to the GCA entity (i.e. badge).

7. The authorized members of the GCA entity must present proof of their authorization to act on behalf of the GCA entity (i.e. letter granting authority with appropriate letterhead and signature of entity executives).

5.2 Certificate Issuance Policies
---------------------------------

1. Initial GCA certificate requests will be obtained by the BCA in a trusted, off-line manner. This must include requests for GCA Brand (message and encryption) certificates.

2. Subsequent GCA certificate requests will be obtained by the BCA via electronic means.

3. All certificates issued to GCAs will be signed using the private key that corresponds to the valid BCA Geo-political certificate signature certificate.

4. The BCA will only issue certificates to GCA certificate requests that have passed the business constraints and edit routines as defined in a policy document that is mutually agreed upon by Visa and VeriSign.

5. The BCA shall send a certificate request rejection response to GCA certificate requests that have not passed the business constraints and edit routines.

5.3 Certificate Revocation
--------------------------

1. The BCA shall retain the right to revoke a GCA certificate based on guidelines outlined within the Geo-political Registration Contract.

2. Upon the compromise of a GCA Brand key exchange key pair, the GCA must revoke the corresponding GCA Brand key exchange certificate. A new key pair will be generated and the GCA shall request a new certificate from the BCA.

3. Upon the compromise of a GCA Brand message signature key pair, the GCA must revoke the corresponding GCA Brand message signature certificate. A new key pair will be generated and the GCA shall request a new certificate from the BCA in a trusted, off-line manner.

4. Upon the compromise of any other GCA key pair, the GCA must revoke the corresponding GCA certificate. A new key pair will be generated and the GCA shall request a new certificate from the BCA.

5.4 Messages
------------

1. All requests for GCA certificates sent to the BCA will be formatted as described in ???

2. All responses to GCA certificate requests by the BCA will be formatted as described in ???

3. All messages sent by the GCA to the BCA will be encrypted using the public key contained within the valid BCA Geo-political key exchange certificate.

4. All messages sent by the BCA to the GCA will be encrypted using the public key contained within the valid GCA brand key exchange certificate.

5. All request messages sent to the BCA by GCAs will be authenticated using the public key contained within the valid GCA brand message signature certificate.

6. All response messages sent to GCAs will be signed using the private key that corresponds to the valid BCA Geo-political message signature certificate.

6. INTERFACE WITH CARDHOLDER CAs

This subsection defines the business policies, procedures and requirements related to the BCA's interaction with a CCA.

6.1 Registering a Cardholder CA
-------------------------------

1. The CCA entity must register with the Brand prior to issuing certificates to its cardholders.

2. The CCA entity must complete a CCA Registration Contract prior to being issued a certificate by the Brand.

3. The CCA Registration Contract must be signed by authorized members of the CCA entity.

4. The authorized members of the CCA entity must present proof of the existence of the CCA entity (i.e. letter of incorporation).

5. The authorized members of the CCA entity must present proof of their own identity (i.e. passport).

6. The authorized members of the CCA entity must present proof of their relationship to the CCA entity (i.e. badge).

7. The authorized members of the CCA entity must present proof of their authorization to act on behalf of the CCA entity (i.e. letter granting authority with appropriate letterhead and signature of entity executives).

6.2 Certificate Issuance Policies
---------------------------------

1. Initial CCA certificate requests will be obtained by the BCA in a trusted, off-line manner. This must include requests for CCA Brand (message and encryption) certificates.

2. Subsequent CCA certificate requests will be obtained by the BCA via electronic means. (GA)

3. All certificates issued to CCAs will be signed using the private key that corresponds to the valid BCA issuer certificate signature certificate.

4. The BCA will only issue certificates to CCA certificate requests that have passed the business constraints and edit routines as defined in a policy document that is mutually agreed upon by Visa and VeriSign.

5. The BCA shall send a certificate request rejection response to CCA certificate requests that have not passed the business constraints and edit routines.

6.3 Certificate Revocation
--------------------------

1. The BCA shall retain the right to revoke a CCA certificate based on guidelines outlined within the CCA Registration Contract.

2. Upon the compromise of a CCA Brand key exchange key pair, the CCA must revoke the corresponding CCA Brand key exchange certificate. A new key pair will be generated and the CCA shall request a new certificate from the BCA.

3. Upon the compromise of a CCA Brand message signature key pair, the CCA must revoke the corresponding CCA Brand message signature certificate. A new key pair will be generated and the CCA shall request a new certificate from the BCA in a trusted, off-line manner.

4. Upon the compromise of any other CCA key pair, the CCA must revoke the corresponding CCA certificate. A new key pair will be generated and the CCA shall request a new certificate from the BCA.

6.4 Messages
------------

1. All requests for CCA certificates sent to the BCA will be formatted as described in ??? (GA)

2. All responses to CCA certificate requests by the BCA will be formatted as described in ??? (GA)

3. All messages sent by the CCA to the BCA will be encrypted using the public key contained within the valid BCA issuer key exchange certificate. (GA)

4. All messages sent by the BCA to the CCA will be encrypted using the public key contained within the valid CCA brand key exchange certificate. (GA)

5. All request messages sent to the BCA by CCAs will be authenticated using the public key contained within the valid CCA brand message signature certificate. (GA)

6. All response messages sent to CCAs will be signed using the private key that corresponds to the valid BCA issuer message signature certificate. (GA)

7. INTERFACE WITH MERCHANT CAs

This subsection defines the business policies, procedures and requirements related to the BCA's interaction with an MCA.

7.1 Registering a Merchant CA
-----------------------------

1. The MCA entity must register with the Brand prior to issuing certificates to its merchants.

2. The MCA entity must complete an MCA Registration Contract prior to being issued a certificate by the Brand.

3. The MCA Registration Contract must be signed by authorized members of the MCA entity.

4. The authorized members of the MCA entity must present proof of the existence of the MCA entity (i.e. letter of incorporation).

5. The authorized members of the MCA entity must present proof of their own identity (i.e. passport).

6. The authorized members of the MCA entity must present proof of their relationship to the MCA entity (i.e. badge).

7. The authorized members of the MCA entity must present proof of their authorization to act on behalf of the MCA entity (i.e. letter granting authority with appropriate letterhead and signature of entity executives).

7.2 Certificate Issuance Policies
---------------------------------

1. Initial MCA certificate requests will be obtained by the BCA in a trusted, off-line manner. This must include requests for MCA Brand (message and encryption) certificates.

2. Subsequent MCA certificate requests will be obtained by the BCA via online electronic means. (GA)

3. All certificates issued to MCAs will be signed using the private key that corresponds to the valid BCA acquirer certificate signature certificate.

4. The BCA will only issue certificates to MCA certificate requests that have passed the business constraints.

5. The BCA shall send a certificate request rejection response to MCA certificate requests that have not passed the business constraints.

7.3 Certificate Revocation
--------------------------

1. The BCA shall retain the right to revoke an MCA certificate based on guidelines outlined within the MCA Registration Contract.

2. Upon the compromise of an MCA Brand key exchange key pair, the MCA must revoke the corresponding MCA Brand key exchange certificate. A new key pair will be generated and the MCA shall request a new certificate from the BCA.

3. Upon the compromise of an MCA Brand message signature key pair, the MCA must revoke the corresponding MCA Brand message signature certificate. A new key pair will be generated and the MCA shall request a new certificate from the BCA in a trusted, off-line manner.

4. Upon the compromise of any other MCA key pair, the MCA must revoke the corresponding MCA certificate. A new key pair will be generated and the MCA shall request a new certificate from the BCA.

7.4 Messages
------------

1. All requests for MCA certificates sent to the BCA will be formatted as described in ??? (GA)

2. All responses to MCA certificate requests by the BCA will be formatted as described in ??? (GA)

3. All messages sent by the Acquirer CA to the BCA will be encrypted using the public key contained within the valid BCA acquirer key exchange certificate. (GA)

4. All messages sent by the BCA to the MCA will be encrypted using the public key contained within the valid MCA brand key exchange certificate. (GA)

5. All request messages sent to the BCA by MCAs will be authenticated using the public key contained within the valid MCA brand message signature certificate. (GA)

6. All response messages sent to MCAs will be signed using the private key that corresponds to the valid BCA acquirer message signature certificate. (GA)

8. INTERFACE WITH PAYMENT GATEWAY CA

This subsection defines the business policies, procedures and requirements related to the BCA's interaction with a PCA.

8.1 Registering a Payment Gateway CA
------------------------------------

1. The Acquirer operating the Payment Gateway must register with the Brand prior to accepting SEC transactions.

2. The Acquirer operating the Payment Gateway must complete an MCA Registration Contract prior to being issued a certificate by the Brand.

3. The MCA Registration Contract must be signed by authorized members of the MCA entity.

4. The authorized members of the MCA entity must present proof of the existence of the MCA entity (i.e. letter of incorporation).

5. The authorized members of the MCA entity must present proof of their own identity (i.e. passport).

6. The authorized members of the MCA entity must present proof of their relationship to the MCA entity (i.e. badge).

7. The authorized members of the MCA entity must present proof of their authorization to act on behalf of the MCA entity (i.e. letter granting authority with appropriate letterhead and signature of entity executives).

8. The Acquirer must have a Visa approved Payment Gateway in order to be eligible for an MCA certificate.

8.2 Certificate Issuance Policies
---------------------------------

1. Initial Payment Gateway certificate requests will be obtained by the BCA in a trusted manner. This must include requests for Payment Gateway Brand (message and encryption) certificates.

2. Subsequent Payment Gateway certificate requests will be obtained by the BCA via online electronic means.

3. All certificates issued to Payment Gateways will be signed using the private key that corresponds to the valid BCA payment gateway certificate signature certificate.

4. The BCA will only issue certificates to Payment Gateway certificate requests that have passed the business constraints.

5. The BCA shall send a certificate request rejection response to Payment Gateway certificate requests that have not passed the business constraints.

8.3 Certificate Revocation
--------------------------

1. The BCA shall retain the right to revoke a Payment Gateway certificate based on guidelines outlined within the MCA Registration Contract.

2. Upon the compromise of a Payment Gateway Brand key exchange key pair, the Payment Gateway must revoke the corresponding Payment Gateway Brand key exchange certificate. A new key pair will be generated and the Payment Gateway shall request a new certificate from the BCA.

3. Upon the compromise of a Payment Gateway Brand message signature key pair, the Payment Gateway must revoke the corresponding Payment Gateway Brand message signature certificate. A new key pair will be generated and the Payment Gateway shall request a new certificate from the BCA in a trusted manner.

4. Upon the compromise of any other Payment Gateway key pair, the Payment Gateway must revoke the corresponding Payment Gateway certificate. A new key pair will be generated and the Payment Gateway shall request a new certificate from the BCA.
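The message rules in 4.7, and their counterparts in 5.4, 6.4 and 7.4 above, state one exchange pattern for every link in the hierarchy: the sender signs with the private key behind its message signature certificate, the recipient checks that signature against the sender's valid certificate, and the message is encrypted to the public key in the recipient's key exchange certificate. The following Go program is an added example of that sign-then-encrypt pattern, not the agreement's message format (which the page leaves as "???") and not VeriSign's code. It uses the algorithms 3.6 names: RSA with SHA-1 for the signature, RSA to carry a DES session key, and DES for the message body. The envelope layout, the use of CTR mode, the 2048-bit RSA size and the CA and request names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
)

// CA holds the two key pairs each party uses on a link: one behind its
// message signature certificate, one behind its key exchange certificate.
type CA struct {
	Name   string
	MsgSig *rsa.PrivateKey
	KeyEx  *rsa.PrivateKey
}

// NewCA generates both RSA key pairs (2048 bits is an assumption).
func NewCA(name string) (*CA, error) {
	sig, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	kx, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &CA{Name: name, MsgSig: sig, KeyEx: kx}, nil
}

// Envelope is the assumed wire form: the DES session key encrypted to the
// recipient's key exchange public key, and message||signature under that key.
type Envelope struct {
	WrappedKey []byte
	IV         []byte
	Body       []byte
}

// Seal signs msg with the sender's message signature key (RSA PKCS#1 v1.5 over
// SHA-1), then encrypts message and signature under a fresh DES session key
// that travels encrypted to the recipient's key exchange public key.
func Seal(sender *CA, recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha1.Sum(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender.MsgSig, crypto.SHA1, digest[:])
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 8)
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	blk, err := des.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, msg...), sig...)
	body := make([]byte, len(plain))
	cipher.NewCTR(blk, iv).XORKeyStream(body, plain)
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, recipient, sessionKey)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, IV: iv, Body: body}, nil
}

// Open recovers the session key with the recipient's key exchange private key,
// decrypts, and accepts the message only if the signature verifies under the
// sender's message signature public key (4.7 item 4). Every failure rejects.
func Open(recipient *CA, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptPKCS1v15(rand.Reader, recipient.KeyEx, env.WrappedKey)
	if err != nil {
		return nil, errors.New("session key does not decrypt: not addressed to this CA")
	}
	if len(env.IV) != des.BlockSize {
		return nil, errors.New("bad IV")
	}
	blk, err := des.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(env.Body))
	cipher.NewCTR(blk, env.IV).XORKeyStream(plain, env.Body)
	sigLen := sender.Size() // PKCS#1 v1.5 signatures are exactly one modulus long
	if len(plain) < sigLen {
		return nil, errors.New("message too short to carry a signature")
	}
	msg, sig := plain[:len(plain)-sigLen], plain[len(plain)-sigLen:]
	digest := sha1.Sum(msg)
	if err := rsa.VerifyPKCS1v15(sender, crypto.SHA1, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify: message rejected")
	}
	return msg, nil
}

func main() {
	bca, _ := NewCA("BCA")
	rca, _ := NewCA("RCA")
	env, _ := Seal(bca, &rca.KeyEx.PublicKey, []byte("constructed BCA certificate request"))
	msg, err := Open(rca, &bca.MsgSig.PublicKey, env)
	fmt.Printf("RCA accepted: %q (err=%v)\n", msg, err)
}
```

Because the signature is computed before encryption and verified after decryption, a message altered in transit, one signed by a key other than the one in the sender's valid message signature certificate, or one addressed to a different key exchange certificate is all rejected by the same Open step, which is the acceptance rule 4.5 item 5 and 4.7 item 4 state.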
8.4 Messages
------------

1. All requests for Payment Gateway certificates sent to the BCA will be formatted as described in ??? (GA)

2. All responses to Payment Gateway certificate requests by the BCA will be formatted as described in ??? (GA)

3. All messages sent by the Payment Gateway to the BCA will be encrypted using the public key contained within the valid BCA payment gateway key exchange certificate. (GA)

4. All messages sent by the BCA to the Payment Gateway will be encrypted using the public key contained within the valid Payment Gateway brand key exchange certificate. (GA)

5. All request messages sent to the BCA by Payment Gateways will be authenticated using the public key contained within the valid Payment Gateway brand message signature certificate. (GA)

6. All response messages sent to Payment Gateways will be signed using the private key that corresponds to the valid BCA payment gateway message signature certificate. (GA)

9. INTERFACE WITH VISANET

There is no interface between the BCA and VisaNet. A future interface may be implemented to facilitate the automation of registration and management of member certificates.

10. SECURITY (P)

This section identifies the physical, electronic and personnel security policies and procedures with which the BCA must comply.

10.1 Physical Security
----------------------

1. All BCA servers and cryptographic materials shall reside in a secure facility used solely for BCA purposes; no other business activities may be performed within the same facility.

2. The BCA facility must provide protection of the BCA servers and cryptographic materials from unauthorized access, modification, substitution, insertion and deletion.

3. The BCA facility will provide protection such that attempts described above will not be successful or will have a high probability of being detected.

4. All access to the BCA servers and cryptographic materials shall be only by authorized personnel.

5. No unauthorized personnel shall be allowed access to secure areas where the BCA servers or cryptographic materials are maintained.

6. No guests or "piggy backers" of authorized personnel shall be allowed access to secure areas where the BCA servers or cryptographic materials are maintained.

7. An audit control log of all access to the room with the BCA server and cryptographic materials must be kept and reviewed by designated BCA management; this may be an electronic audit log.

8. Physical modification or movement of the BCA servers or cryptographic materials must be under dual control and require prior notification. Visa may oversee such modification or movement at its discretion.

9. An audit control log of all physical modifications or movements of the BCA servers or cryptographic materials must be strictly enforced.

10. The BCA facility will be protected with an intrusion alarm system and a 24 hour guard; camera surveillance is recommended.

11. The BCA facility will have auxiliary power to ensure uninterrupted operation in the event of a central power failure.

12. Designated BCA management personnel will routinely inspect the alarm system and auxiliary power source at least once every two weeks.

13. Records of alarm and auxiliary power inspections must be maintained.

14. Unauthorized access or potential compromise must be immediately reported to Visa International.

15. Backup facilities are subject to the same physical security requirements as the primary facilities.

10.2 Network Security
---------------------

1. The BCA must not be connected to a network that serves non-BCA functions.

2. Electronic access to the BCA must be restricted to data that is to be used only by authorized users.

3. The CA network must be thoroughly researched, analyzed and tested to ensure adequate security before deployment.

4. The CA network must respect the International Organization for Standardization (ISO) Open Systems Interconnection (OSI) seven layer model. Those seven are:

* Physical
* Link
* Network
* Transport
* Session
* Presentation
* Application

5. The CA network must be implemented securely to mitigate exposures within each of the seven levels of the ISO model.

6. The CA network must be implemented securely to mitigate exposure to cracking, sniffing, spoofing and denial of service attacks.

7. The CA network architecture must be reviewed every six months to ensure exposures within each layer are mitigated.

8. The CA network architecture must be modified immediately upon receipt of generally available information or notification by Visa International regarding weaknesses discovered within any of the seven layers.

9. Access to the CA network shall be only by authorized personnel; each of the seven network layers shall be secured to ensure only authorized personnel have access to the CA network.

10. CA server administrators will continually monitor for unauthorized access and carry out performance tuning and other network administrative tasks. Unauthorized access will be immediately reported to Visa International.

11. At its discretion Visa may analyze and/or test a CA network implementation to ensure known attack points do not present exposure to unauthorized access.

12. Backup facilities are subject to the same network security requirements as the primary facilities.

10.3 System Security
--------------------

1. User IDs are to be used to maintain individual accountability, tracking what a user is doing within the system.

2. Passwords are to be assigned by the system and changed every other month on a rotating basis, i.e., half of the password changed on a monthly basis.

3. Passwords are never to be stored on the system except as cryptograms.

4. Passwords are to be managed consistent with the guidelines set forth in the Department of Defense Password Management Guideline, i.e., the Green Book, and FIPS PUB 112 - Password Usage.

10.4 Personnel Security Requirements
------------------------------------

1. All personnel with access to the BCA servers and cryptographic materials shall be subject to a thorough background check as approved by Visa International; Visa, at its sole discretion, may modify background check procedures as it deems appropriate.

11. AUDITING (P)

1. All auditing processes and procedures are to be consistent with the recording, examining and reviewing of security related functions of a trusted system, where a security related activity is any activity or event that relates to the access of an object. Typical events that will require logging include:

* Logons (successful and unsuccessful)
* Logouts
* Remote System Access
* File Opens, Closes, Renames and Deletions
* Changes in Privileges or Security Attributes

2. All auditable actions/events are to be associated with an authenticated ID. Audit trails produced by the system must show the ID of the user who initiated each action.

3. Each time that an audit event occurs, the system is to write, at least, the following information:

* Date and time of the event
* Unique ID of the user who initiated the event
* Type of event
* Success or failure
* Origin of the request (e.g., terminal ID)
* Name of object involved (e.g., file being created/deleted)
* Description of modifications to the security database

4. Audit procedures are to be consistent with the requirements as set forth in the Orange Book (Trusted Computer System Evaluation Criteria; DoD 5200.28-STD) for security protection at level B2.

5. Audit confirmation is to be provided to confirm that passwords are being protected consistent with B2 levels of security of the Orange Book and as set forth in the Department of Defense Password Management Guideline, i.e., the Green Book, and FIPS PUB 112 - Password Usage.

6. An EDP audit at a SAS 70 level of review is to be performed annually and the results of that audit made available to Visa International.

7. All audit control logs must be reviewed by management on a monthly basis and retained for up to three years.

8. All Acquirer CA audit control logs, policies or procedures may be subject to inspection by Visa International at any time.

12. REPORTING

To be defined.

13. OUTSTANDING ISSUES

The following are outstanding issues that need to be resolved. Each issue includes a brief description, the group that identified the issue and the time frame by which it must be resolved.

1. What if an Issuer/Acquirer cert must be revoked? - Visa (T2)

2. Key Archival/Key Retrieval - VISA has asked us to archive private keys for the purposes of validating old digital signatures. I have recommended that they revisit this requirement, because archival of public keys would make more sense. This issue remains open. - VeriSign (P)

3. Physical Security - VISA has requested that their CA services be housed in a facility separate from VeriSign's CA operations. VeriSign will fulfill this requirement at GA, physically separating VISA CA operations from VeriSign operations. This separation will not include the customer service department. - VeriSign (P)

4. System Security - VISA has made reference to a DOD Publication in managing user passwords. If this mandates O.S. security higher than C2, this may be an issue. - VeriSign (P)

5. Auditing - VISA has made reference to DOD Publications and B2 security in the April 26 version of the CA requirements. VeriSign needs to analyze cost and sizing impacts of such a requirement. This issue remains open. - VeriSign (P)

6. VeriSign to Visa interface documents need to be finalized. - Visa (T1)

VeriSign Private Label Agreement Page 30

EXHIBIT "F"
INTERFACE SPECIFICATIONS

These specifications are contained in the VAP Interface Specifications, Release 10.2, dated August 1995. This document has already been delivered to VeriSign by Customer.
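Returning to section 11 above: items 2 and 3 fix the minimum content of an audit record (date and time, the authenticated ID of the initiator, event type, success or failure, origin, the object involved and any modification to the security database), and item 7 requires monthly management review of the logs. The following Go program is an added example, not the BCA's log format (the page specifies the fields, not a layout). It parses constructed pipe-delimited records carrying those fields, rejects structurally incomplete ones, and produces the findings a monthly review would start from: events that lack an authenticated ID, failed actions, and changes to the security database. The record layout, the event type names and the sample lines are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event carries the minimum fields section 11 item 3 requires per audit record.
type Event struct {
	Time   time.Time
	UserID string // authenticated ID of the initiator (item 2)
	Type   string // e.g. LOGON, LOGOUT, FILE_OPEN, PRIV_CHANGE (names assumed)
	Result string // SUCCESS or FAILURE
	Origin string // e.g. terminal ID
	Object string // file or object involved, if any
	Change string // modification to the security database, if any
}

// sampleLog is constructed input in an assumed layout:
// time|user|type|result|origin|object|change. Line 3 lacks a user ID and
// line 6 is truncated, both of which a review must surface.
const sampleLog = `1996-04-02T09:15:00Z|jsmith|LOGON|SUCCESS|term-07||
1996-04-02T09:16:12Z|jsmith|FILE_OPEN|SUCCESS|term-07|/ca/keys/bca.db|
1996-04-02T09:17:30Z||LOGON|FAILURE|term-09||
1996-04-02T09:20:05Z|adavis|PRIV_CHANGE|SUCCESS|term-03|group:key-custodian|added jsmith to key-custodian
1996-04-02T09:21:00Z|jsmith|FILE_DELETE|FAILURE|term-07|/ca/keys/bca.db|
1996-04-02T09:22:00Z|jsmith|LOGOUT|SUCCESS`

// Parse converts one record into an Event, rejecting records that are
// structurally incomplete (wrong field count, unparsable time, missing type,
// result or origin, unknown result). A missing user ID still parses; Review
// reports it, since item 2 requires every event to carry one.
func Parse(line string) (Event, error) {
	f := strings.Split(line, "|")
	if len(f) != 7 {
		return Event{}, fmt.Errorf("expected 7 fields, got %d", len(f))
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp %q: %v", f[0], err)
	}
	if f[2] == "" || f[3] == "" || f[4] == "" {
		return Event{}, fmt.Errorf("type, result and origin are mandatory")
	}
	if f[3] != "SUCCESS" && f[3] != "FAILURE" {
		return Event{}, fmt.Errorf("result must be SUCCESS or FAILURE, got %q", f[3])
	}
	return Event{ts, f[1], f[2], f[3], f[4], f[5], f[6]}, nil
}

// Review parses a log and returns the well-formed events together with the
// findings a management review (item 7) should start from, in line order.
func Review(log string) ([]Event, []string) {
	var events []Event
	var findings []string
	for i, line := range strings.Split(strings.TrimSpace(log), "\n") {
		n := i + 1
		ev, err := Parse(line)
		if err != nil {
			findings = append(findings, fmt.Sprintf("line %d: unparsable record (%v)", n, err))
			continue
		}
		events = append(events, ev)
		if ev.UserID == "" {
			findings = append(findings, fmt.Sprintf("line %d: %s event without an authenticated user ID", n, ev.Type))
		}
		if ev.Result == "FAILURE" {
			findings = append(findings, fmt.Sprintf("line %d: failed %s from %s on %q", n, ev.Type, ev.Origin, ev.Object))
		}
		if ev.Change != "" {
			findings = append(findings, fmt.Sprintf("line %d: security database modified by %s: %s", n, ev.UserID, ev.Change))
		}
	}
	return events, findings
}

func main() {
	events, findings := Review(sampleLog)
	fmt.Printf("%d well-formed events\n", len(events))
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Records that cannot be parsed are reported rather than dropped: a log that silently loses entries cannot support the non-repudiation purpose stated in 3.5.8, and a record without an initiator ID is itself a finding under item 2, not merely a gap.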
EXHIBIT "G"
ACCEPTANCE TEST PROCEDURES

[POST CLOSING ITEM]

EXHIBIT "H"
VERISIGN MARKETING RIGHTS AND ROYALTY OBLIGATIONS

VeriSign shall have the right to market the VSE only as set forth on this Exhibit "H".

1. MARKETING RIGHTS. VeriSign shall have the right to license ECS to Eligible Customers pursuant to a license substantially in the form of Exhibit "J", or to provide Certificate registration, issuing and management functions to Eligible Customers using ECS. "Eligible Customers" shall mean any Member of Visa and any entity providing Financial Services. "Financial Services" shall mean any of the following: banking, savings and loans, thrifts, insurance, lending, EDI, credit card issuance and service, commercial network transactions, companies facilitating commercial transactions over networks (e.g., CyberCash, DigiCash, and VeriFone), deposit taking, financial intermediaries and the like.

2. CHARGES. VeriSign shall determine the fees it charges for licensing of ECS or operation of ECS on behalf of the Second Tier CA in its sole discretion.

3. VERISIGN RESERVED RIGHTS. VeriSign shall be entitled to create a software module with the functionality of the VSE provided that VeriSign does not make use of the source code to the VSE or the System Design Specifications, Interface Specifications and Customer Requirements that are confidential or proprietary to Customer in creating its own product. This Section shall not limit VeriSign's use for any purpose of residuals resulting from access to such source code. The term "residuals" means information in non-tangible form which may be retained by persons who have had access to such source code, including ideas, concepts, know-how or techniques contained therein.

4. ROYALTIES.
VeriSign will pay Customer a seven percent (7%) royalty on (i) all revenues from sales of any ECAS System to a Visa Member or Visa Processor and (ii) all revenues from sales of ECS or any derivative work created from ECS, which shall not include any derivative works generated from the ECAS System alone. This royalty shall be paid on a quarterly basis and is due within thirty (30) days of the end of the calendar quarter in which such revenue was received. This royalty shall terminate when Customer has been paid, either through the royalty defined above or through cash payment to Customer or a combination of both methods, its Initial Development Investment ("IDI") of * ("Date of Recoupment"). In the event that any obligation of Visa or VeriSign is modified via an amendment to this Agreement or the Change Order defined in Section 4.1.8 and such amendment or modification changes a royalty obligation, the IDI or any other aspect of this Section 4, such amendment or change request shall include an explicit statement of the effect of such modification on the IDI. "All revenues from sales" means the gross amount of all cash, in-kind or other consideration receivable by VeriSign at any time in consideration of the licensing of the relevant system, excluding any amounts receivable by VeriSign for sales and use taxes, shipping, insurance and duties, and reduced by all discounts, refunds or allowances granted in the ordinary course of business.

* Confidential treatment has been requested with respect to certain portions of this exhibit. Confidential portions have been omitted from the public filing and have been separately filed with the Securities and Exchange Commission.

VeriSign will pay Customer a seven percent (7%) royalty on all revenue received from issuance of certificates by any system defined in Sections 4(i) and 4(ii) above ("Customer Related Certificates").
This royalty shall be due quarterly and paid within thirty (30) days after the end of the calendar quarter in which such revenue was received. This royalty shall terminate on the fifth (5th) anniversary of the Date of Recoupment or ten (10) years after the first publicly available pilot of the ECS System, whichever comes first.

5. U.S. CURRENCY. All payments hereunder shall be made in lawful United States currency. If VeriSign receives payment in foreign currencies, the amount of its license fees due to Customer shall be calculated using the closing exchange rate published in the Wall Street Journal, Western Edition, on the last business day such journal is published in the calendar quarter immediately preceding the date of payment.

6. TERMS OF PAYMENT. License fees shall accrue with respect to ECS licensed or otherwise distributed by VeriSign on the date that VeriSign receives the revenue from the Second Tier CA or Subscriber therefor. License fees due Customer hereunder shall be paid by VeriSign to the attention of Peter R. Hill at Customer's address set forth above on or before the thirtieth (30th) day after the close of the calendar quarter during which the license fees accrued. A late payment penalty on any undisputed license fees not paid when due shall be assessed at the rate of one percent (1%) per thirty (30) days beginning on the thirty-first (31st) day after the day the unpaid license fees are due.

7. LICENSE REPORT. A report in reasonably detailed form setting forth the calculation of license fees due from VeriSign and signed by a responsible officer of VeriSign shall be delivered to Customer on or before the thirtieth (30th) day after the close of each calendar quarter, regardless of whether license fee payments are required to be made pursuant to Section 4.
The report shall include, at a minimum, the following information (if applicable to VeriSign's designated method of calculating license fees) with respect to the relevant quarter: (i) the total number of ECS licensed or otherwise distributed by VeriSign (indicating the names and versions thereof); (ii) the total revenue from sales of such ECS; (iii) the number and class of Certificates issued for which a royalty is due; and (iv) total license fees accrued.

8. AUDIT RIGHTS. Customer shall have the right, at its sole cost and expense, to have an independent certified public accountant conduct, during normal business hours and not more frequently than annually, an audit of the appropriate records of VeriSign to verify the number of copies of ECS licensed or otherwise distributed by VeriSign, the number and class of Certificates issued, and, if relevant to VeriSign's designated method of calculating license fees, the amount of revenues from sales therefor. Such certified public accountant shall adhere to any nondisclosure provisions committed to by VeriSign to a Second Tier CA or subscriber. If such amounts are found to be different than those reported or the license fees accrued are different than those reported, VeriSign will be invoiced or credited for the difference, as applicable. Any additional license fees, along with the late payment penalty assessed in accordance with Section 6, shall be payable within thirty (30) days of such invoice. If a deficiency in license fees paid by VeriSign is greater than five percent (5%) of the license fees reported by VeriSign for any quarter, VeriSign will pay the reasonable expenses associated with such audit, in addition to the deficiency.

9. EVALUATION COPIES.
VeriSign may deliver copies of ECS to prospective Second Tier CAs on a trial basis for evaluation purposes only (each, an "Evaluation Copy") provided that each such prospective Second Tier CA has received a written or electronic trial license prohibiting the Second Tier CA from copying, modifying, reverse engineering, decompiling or disassembling the code for the VSE or any part thereof. No royalties on income from licensing ECS shall be reportable or payable with respect to Evaluation Copies. Per copy Certificate charges will accrue if applicable.

10. VOLUME CREDIT. Each Certificate issued by a Second Tier CA using ECS, and each Certificate issued by VeriSign while operating ECS on behalf of a Second Tier CA, shall be counted as a Certificate issued by Customer or on behalf of Customer by VeriSign for purposes of calculating royalties and license fees due from Customer under Exhibit "B" or the License Agreement when and if executed in the form of Exhibit "J" with Customer. Customer shall receive one hundred percent (100%) volume credit for all Customer Related Certificates. The cumulative total for certificates generated by Customer and Customer Related Certificates shall be used in determining the volume pricing available for Customer under Exhibit B. This cumulative total shall not be reset annually or at any time during this Agreement.

EXHIBIT "I"
ESCROW AGREEMENT

MASTER PREFERRED ESCROW AGREEMENT

Master Number ________________

This Agreement is effective ______________, 19__ among Data Securities International, Inc. ("DSI"), ________________________________________ ("_______") and any party signing the Acceptance Form attached to this Agreement ("_____"), who collectively may be referred to in this Agreement as "the parties."

A. Depositor and Preferred Beneficiary have entered or will enter into a license agreement, development agreement, and/or other agreement regarding certain proprietary technology of Depositor (referred to in this Agreement as "the license agreement").

B. Depositor desires to avoid disclosure of its proprietary technology except under certain limited circumstances.

C. The availability of the proprietary technology of Depositor is critical to Preferred Beneficiary in the conduct of its business and, therefore, Preferred Beneficiary needs access to the proprietary technology under certain limited circumstances.

D. Depositor and Preferred Beneficiary desire to establish an escrow with DSI to provide for the retention, administration and controlled access of certain proprietary technology materials of Depositor.

E. The parties desire this Agreement to be supplementary to the license agreement pursuant to 11 United States [Bankruptcy] Code, Section 365(n).

ARTICLE 1 -- DEPOSITS

1.1 Obligation to Make Deposit. Upon the signing of this Agreement by the parties, including the signing of the Acceptance Form, Depositor shall deliver to DSI the proprietary information and other materials ("deposit materials") required to be deposited by the license agreement or, if the license agreement does not identify the materials to be deposited with DSI, then such materials will be identified on an Exhibit A. If Exhibit A is applicable, it is to be prepared and signed by Depositor and Preferred Beneficiary. DSI shall have no obligation with respect to the preparation, signing or delivery of Exhibit A.

1.2 Identification of Tangible Media. Prior to the delivery of the deposit materials to DSI, Depositor shall conspicuously label for identification each document, magnetic tape, disk, or other tangible media upon which the deposit materials are written or stored.
Additionally, Depositor shall complete Exhibit B to this Agreement by listing each such tangible media by the item label description, the type of media and the quantity. The Exhibit B must be signed by Depositor and delivered to DSI with the deposit materials. Unless and until Depositor makes the initial deposit with DSI, DSI shall have no obligation with respect to this Agreement, except the obligation to notify the parties regarding the status of the deposit account as required in Section 2.2 below.

1.3 Deposit Inspection. When DSI receives the deposit materials and the Exhibit B, DSI will conduct a deposit inspection by visually matching the labeling of the tangible media containing the deposit materials to the item descriptions and quantity listed on the Exhibit B. In addition to the deposit inspection, Preferred Beneficiary may elect to cause a verification of the deposit materials in accordance with Section 1.6 below.

1.4 Acceptance of Deposit. At completion of the deposit inspection, if DSI determines that the labeling of the tangible media matches the item descriptions and quantity on Exhibit B, DSI will date and sign the Exhibit B and mail a copy thereof to Depositor and Preferred Beneficiary. If DSI determines that the labeling does not match the item descriptions or quantity on the Exhibit B, DSI will (a) note the discrepancies in writing on the Exhibit B; (b) date and sign the Exhibit B with the exceptions noted; and (c) provide a copy of the Exhibit B to Depositor and Preferred Beneficiary. DSI's acceptance of the deposit occurs upon the signing of the Exhibit B by DSI. Delivery of the signed Exhibit B to Preferred Beneficiary is Preferred Beneficiary's notice that the deposit materials have been received and accepted by DSI.

1.5 Depositor's Representations. Depositor represents as follows:

a. Depositor lawfully possesses all of the deposit materials deposited with DSI;

b. With respect to all of the deposit materials, Depositor has the right and authority to grant to DSI and Preferred Beneficiary the rights as provided in this Agreement;

c. The deposit materials are not subject to any lien or other encumbrance; and

d. The deposit materials consist of the proprietary information and other materials identified either in the license agreement or Exhibit A, as the case may be.

1.6 Verification. Preferred Beneficiary shall have the right, at Preferred Beneficiary's expense, to cause a verification of any deposit materials. A verification determines, in different levels of detail, the accuracy, completeness, sufficiency and quality of the deposit materials. If a verification is elected after the deposit materials have been delivered to DSI, then only DSI, or at DSI's election an independent person or company selected and supervised by DSI, may perform the verification.

1.7 Deposit Updates. Unless otherwise provided by the license agreement, Depositor shall update the deposit materials within 60 days of each release of a new version of the product which is subject to the license agreement. Such updates will be added to the existing deposit. All deposit updates shall be listed on a new Exhibit B and the new Exhibit B shall be signed by Depositor. Each Exhibit B will be held and maintained separately within the escrow account. An independent record will be created which will document the activity for each Exhibit B. The processing of all deposit updates shall be in accordance with Sections 1.2 through 1.6 above. All references in this Agreement to the deposit materials shall include the initial deposit materials and any updates.

1.8 Removal of Deposit Materials.
The deposit materials may be removed and/or exchanged only on written instructions signed by Depositor and Preferred Beneficiary, or as otherwise provided in this Agreement.

ARTICLE 2 -- CONFIDENTIALITY AND RECORD KEEPING

2.1 Confidentiality. DSI shall maintain the deposit materials in a secure, environmentally safe, locked receptacle which is accessible only to authorized employees of DSI. DSI shall have the obligation to reasonably protect the confidentiality of the deposit materials. Except as provided in this Agreement, DSI shall not disclose, transfer, make available, or use the deposit materials. DSI shall not disclose the content of this Agreement to any third party. If DSI receives a subpoena or other order of a court or other judicial tribunal pertaining to the disclosure or release of the deposit materials, DSI will immediately notify the parties to this Agreement. It shall be the responsibility of Depositor and/or Preferred Beneficiary to challenge any such order; provided, however, that DSI does not waive its rights to present its position with respect to any such order. DSI will not be required to disobey any court or other judicial tribunal order. (See Section 7.5 below for notices of requested orders.)

2.2 Status Reports. DSI will issue to Depositor and Preferred Beneficiary a report profiling the account history at least semi-annually. DSI may provide copies of the account history pertaining to this Agreement upon the request of any party to this Agreement.

2.3 Audit Rights. During the term of this Agreement, Depositor and Preferred Beneficiary shall each have the right to inspect the written records of DSI pertaining to this Agreement. Any inspection shall be held during normal business hours and following reasonable prior notice.

ARTICLE 3 -- GRANT OF RIGHTS TO DSI

3.1 Title to Media.
Depositor hereby transfers to DSI the title to the media upon which the proprietary information and materials are written or stored. However, this transfer does not include the ownership of the proprietary information and materials contained on the media such as any copyright, trade secret, patent or other intellectual property rights.

3.2 Right to Make Copies. DSI shall have the right to make copies of the deposit materials as reasonably necessary to perform this Agreement. DSI shall copy all copyright, nondisclosure, and other proprietary notices and titles contained on the deposit materials onto any copies made by DSI. With all deposit materials submitted to DSI, Depositor shall provide any and all instructions as may be necessary to duplicate the deposit materials including but not limited to the hardware and/or software needed.

3.3 Right to Sublicense Upon Release. As of the effective date of this Agreement, Depositor hereby grants to DSI a non-exclusive, irrevocable, perpetual, and royalty-free license to sublicense the deposit materials to Preferred Beneficiary upon the release, if any, of the deposit materials in accordance with Section 4.5 below. Except upon such a release, DSI shall not sublicense or otherwise transfer the deposit materials.

ARTICLE 4 -- RELEASE OF DEPOSIT

4.1 Release Conditions. As used in this Agreement, "Release Conditions" shall mean the following:

a. Depositor's failure to carry out obligations imposed on it pursuant to the license agreement; or

b. Depositor's failure to continue to do business in the ordinary course.

4.2 Filing For Release. If Preferred Beneficiary believes in good faith that a Release Condition has occurred, Preferred Beneficiary may provide to DSI written notice of the occurrence of the Release Condition and a request for the release of the deposit materials.
Upon receipt of such notice, DSI shall provide a copy of the notice to Depositor, by certified mail, return receipt requested, or by commercial express mail.

4.3 Contrary Instructions. From the date DSI mails the notice requesting release of the deposit materials, Depositor shall have ten business days to deliver to DSI Contrary Instructions. "Contrary Instructions" shall mean the written representation by Depositor that a Release Condition has not occurred or has been cured. Upon receipt of Contrary Instructions, DSI shall send a copy to Preferred Beneficiary by certified mail, return receipt requested, or by commercial express mail. Additionally, DSI shall notify both Depositor and Preferred Beneficiary that there is a dispute to be resolved pursuant to the Dispute Resolution section of this Agreement (Section 7.3). Subject to Section 5.2, DSI will continue to store the deposit materials without release pending (a) joint instructions from Depositor and Preferred Beneficiary, (b) resolution pursuant to the Dispute Resolution provisions, or (c) order of a court.

4.4 Release of Deposit. If DSI does not receive Contrary Instructions from the Depositor, DSI is authorized to release the deposit materials to the Preferred Beneficiary or, if more than one beneficiary is registered to the deposit, to release a copy of the deposit materials to the Preferred Beneficiary. However, DSI is entitled to receive any fees due DSI before making the release. This Agreement will terminate upon the release of the deposit materials held by DSI.

4.5 Use License Following Release.
Unless otherwise provided in the license agreement, upon release of the deposit materials in accordance with this Article 4, Preferred Beneficiary shall have a non-exclusive, non-transferable, irrevocable right to use the deposit materials for the sole purpose of continuing the benefits afforded to Preferred Beneficiary by the license agreement. Preferred Beneficiary shall be obligated to maintain the confidentiality of the released deposit materials.

ARTICLE 5 -- TERM AND TERMINATION

5.1 Term of Agreement. The initial term of this Agreement is for a period of one year. Thereafter, this Agreement shall automatically renew from year to year unless (a) Depositor and Preferred Beneficiary jointly instruct DSI in writing that the Agreement is terminated; or (b) the Agreement is terminated by DSI for nonpayment in accordance with Section 5.2. If the Acceptance Form has been signed at a date later than this Agreement, the initial term of the Acceptance Form will be for one year with subsequent terms to be adjusted to match the anniversary date of this Agreement. If the deposit materials are subject to another escrow agreement with DSI, DSI reserves the right, after the initial one year term, to adjust the anniversary date of this Agreement to match the then prevailing anniversary date of such other escrow arrangements.

5.2 Termination for Nonpayment. In the event of the nonpayment of fees owed to DSI, DSI shall provide written notice of delinquency to all parties to this Agreement. Any party to this Agreement shall have the right to make the payment to DSI to cure the default. If the past due payment is not received in full by DSI within one month of the date of such notice, then DSI shall have the right to terminate this Agreement at any time thereafter by sending written notice of termination to all parties.
DSI shall have no obligation to take any action under this Agreement so long as any payment due to DSI remains unpaid.

5.3 Disposition of Deposit Materials Upon Termination. Upon termination of this Agreement by joint instruction of Depositor and Preferred Beneficiary, DSI shall destroy, return, or otherwise deliver the deposit materials in accordance with such instructions. Upon termination for nonpayment, DSI may, at its sole discretion, destroy the deposit materials or return them to Depositor. DSI shall have no obligation to return or destroy the deposit materials if the deposit materials are subject to another escrow agreement with DSI.

5.4 Survival of Terms Following Termination. Upon termination of this Agreement, the following provisions of this Agreement shall survive:

a. Depositor's Representations (Section 1.5).

b. The obligations of confidentiality with respect to the deposit materials.

c. The licenses granted in the sections entitled Right to Sublicense Upon Release (Section 3.3) and Use License Following Release (Section 4.5), if a release of the deposit materials has occurred prior to termination.

d. The obligation to pay DSI any fees and expenses due.

e. The provisions of Article 7.

f. Any provisions in this Agreement which specifically state they survive the termination or expiration of this Agreement.

ARTICLE 6 -- DSI'S FEES

6.1 Fee Schedule. DSI is entitled to be paid its standard fees and expenses applicable to the services provided. DSI shall notify the party responsible for payment of DSI's fees at least 90 days prior to any increase in fees. For any service not listed on DSI's standard fee schedule, DSI will provide a quote prior to rendering the service, if requested.

6.2 Payment Terms.
DSI shall not be required to perform any service unless the payment for such service and any outstanding balances owed to DSI are paid in full. All other fees are due upon receipt of invoice. If invoiced fees are not paid, DSI may terminate this Agreement in accordance with Section 5.2. Late fees on past due amounts shall accrue at the rate of one and one-half percent per month (18% per annum) from the date of the invoice.

ARTICLE 7 -- LIABILITY AND DISPUTES

7.1 Right to Rely on Instructions. DSI may act in reliance upon any instruction, instrument, or signature reasonably believed by DSI to be genuine. DSI may assume that any employee of a party to this Agreement who gives any written notice, request, or instruction has the authority to do so. DSI shall not be responsible for failure to act as a result of causes beyond the reasonable control of DSI.

7.2 Indemnification. DSI shall be responsible to perform its obligations under this Agreement and to act in a reasonable and prudent manner with regard to this escrow arrangement. Provided DSI has acted in the manner stated in the preceding sentence, Depositor and Preferred Beneficiary each agree to indemnify, defend and hold harmless DSI from any and all claims, actions, damages, arbitration fees and expenses, costs, attorney's fees and other liabilities incurred by DSI relating in any way to this escrow arrangement.

7.3 Dispute Resolution. Any dispute relating to or arising from this Agreement shall be resolved by arbitration under the Commercial Rules of the American Arbitration Association. Unless otherwise agreed by Depositor and Preferred Beneficiary, arbitration will take place in San Diego, California, U.S.A. Any court having jurisdiction over the matter may enter judgment on the award of the arbitrator(s).
Service of a petition to confirm the arbitration award may be made by First Class mail or by commercial express mail, to the attorney for the party or, if unrepresented, to the party at the last known business address.

7.4 Controlling Law. This Agreement is to be governed and construed in accordance with the laws of the State of California, without regard to its conflict of law provisions.

7.5 Notice of Requested Order. If any party intends to obtain an order from the arbitrator or any court of competent jurisdiction which may direct DSI to take, or refrain from taking, any action, that party shall:

a. Give DSI at least two business days' prior notice of the hearing;

b. Include in any such order that, as a precondition to DSI's obligation, DSI be paid in full for any past due fees and be paid for the reasonable value of the services to be rendered pursuant to such order; and

c. Ensure that DSI not be required to deliver the original (as opposed to a copy) of the deposit materials if DSI may need to retain the original in its possession to fulfill any of its other escrow duties.

ARTICLE 8 -- GENERAL PROVISIONS

8.1 Entire Agreement. This Agreement, which includes the Acceptance Form and the Exhibits described herein, embodies the entire understanding between all of the parties with respect to its subject matter and supersedes all previous communications, representations or understandings, either oral or written. No amendment or modification of this Agreement shall be valid or binding unless signed by all the parties hereto, except Exhibit A need not be signed by DSI and Exhibit B need not be signed by Preferred Beneficiary.

8.2 Notices. All notices, invoices, payments, deposits and other documents and communications shall be given to the parties at the addresses specified in the attached Exhibit C and Acceptance Form.
It shall be the responsibility of the parties to notify each other as provided in this Section in the event of a change of address. The parties shall have the right to rely on the last known address of the other parties. Unless otherwise provided in this Agreement, all documents and communications may be delivered by First Class mail.

8.3 Severability. In the event any provision of this Agreement is found to be invalid, voidable or unenforceable, the parties agree that unless it materially affects the entire intent and purpose of this Agreement, such invalidity, voidability or unenforceability shall affect neither the validity of this Agreement nor the remaining provisions herein, and the provision in question shall be deemed to be replaced with a valid and enforceable provision most closely reflecting the intent and purpose of the original provision.

8.4 Successors. This Agreement shall be binding upon and shall inure to the benefit of the successors and assigns of the parties. However, DSI shall have no obligation in performing this Agreement to recognize any successor or assign of Depositor or Preferred Beneficiary unless DSI receives clear, authoritative and conclusive written evidence of the change of parties.

_________________________                Data Securities International, Inc.

By: ______________________               By: _______________________________
Name: ____________________               Name: _____________________________
Title: ___________________               Title: ____________________________
Date: ____________________               Date: _____________________________

Custom Certificate System License Agreement Number: _______________
Date of Agreement: ________________________________________________

EXHIBIT "J"
CUSTOM CERTIFICATE SYSTEM LICENSE AGREEMENT

THIS CUSTOM CERTIFICATE SYSTEM LICENSE AGREEMENT ("Agreement"), effective as of the last date of execution, is entered into by and between VeriSign, Inc., a Delaware corporation ("VeriSign"), having a principal mailing address at 2593 Coast Avenue, Mountain View, California 94043, and the entity named below as "Customer" ("Customer"), having a principal address as set forth below.

Customer: VISA International Service Association
          (Name and jurisdiction of incorporation)

Customer Address: ______________________________________
                  ______________________________________
                  ______________________________________

Customer Legal Contact: ______________________________________
                        (name, telephone and title)

Customer Billing Contact: ______________________________________
                          (name, telephone and title)

Customer Technical Contact: ______________________________________
                            (name, telephone and title)

Customer Commercial Contact: ______________________________________
                             (name, telephone and title)

1. DEFINITIONS

The following terms when used in this Agreement shall have the following meanings:

1.1 "CERTIFICATE" means a collection of electronic data consisting of a Public Key, identifying information which contains information about the owner of the Public Key, and validity information, which (or a string of bits derived from the Public Key) has been encrypted by a third party who is the issuer of the Certificate with such third party Certificate issuer's Private Key. This collection of electronic data collectively serves the function of identifying the owner of the Public Key and verifying the integrity of the electronic data. "CERTIFY" or "CERTIFICATION" means the act of generating a Certificate. "CERTIFIED" means the condition of having been issued a valid Certificate by a Certifier, which Certificate has not been revoked.

1.2 "CERTIFICATE MANAGEMENT SYSTEM ('CMS')" means VeriSign's proprietary software product marketed and developed under the name "Certificate Management System" providing secure off-line certificate issuance as presently in existence and as developed and enhanced in the future by VeriSign.

1.3 "CERTIFICATE SIGNING UNIT ('CSU')" means a hardware unit or software designed for use in signing Certificates and key storage. The BBN SafeKeyper(TM) manufactured by BBN Communications, Inc. is one hardware implementation of a CSU.

1.4 "CERTIFICATE SUBSCRIPTION SERVICE" means the operation of the Licensed Software to provide Certificate registration, issuing and management functions on behalf of Second Tier CAs.

1.5 "CERTIFICATION AUTHORITY" OR "CA" means VeriSign and any entity, group, division, department, unit or office which is Certified by VeriSign to, and has accepted responsibility to, issue Certificates to specified Subscribers in a Hierarchy in accordance with the CPS or a Protocol.
1.6 "CERTIFICATION PRACTICE STATEMENT" OR "CPS" means the VeriSign specification of policies, procedures and resources to control the entire Certificate process and transactional use of Certificates within the VeriSign Public Hierarchies.

1.7 "CUSTOMER AFFILIATES" shall mean Visa's Subsidiaries and Related Entities. A "Subsidiary" shall mean a company in which on a class-by-class basis, more than fifty percent (50%) of the stock entitled to vote for the election of directors is owned or controlled by Customer, but only so long as such ownership or control exists. A "Related Entity" shall mean an entity (A) at least fifty percent (50%) of whose stock or other equity is owned by Customer's member banks and that has the authority to process Visa payment transactions, but only so long as such ownership exists; (B) has an equity interest in Customer and is owned in whole by Member banks or financial institutions (e.g., national or regional group Members); or (C) is exclusively managed by Visa or a national or group Member of Visa for the purpose of processing Visa payment transactions, but only so long as such exclusive management exists. Notwithstanding anything to the contrary set forth above, however, Subsidiaries or Related Entities do not include any Acquirer, Issuer or individual bank or like financial institution. Customer Affiliates include, for example, without limitation, Visa USA, Inc, ViTAL, Inc, Plus and Interlink.

1.8 "CUSTOMER PRODUCT" means any product including some or all of the Licensed Software developed by Customer for use by a Subscriber in VISA's Private Hierarchy with a Certificate issued by VISA or by a Second Tier CA to VISA which incorporates VISA's Root Keys.

1.9 "DIGITAL SIGNATURE" means information encrypted with a Private Key which is appended to information to identify the owner of the Private Key and to verify the integrity of the information.
"DIGITALLY SIGNED" shall refer to electronic data to which a Digital Signature has been appended.

1.10 "ELECTRONIC COMMERCE AUTHENTICATION SYSTEM ('ECAS')" means VeriSign's proprietary software product marketed and developed under the name "Electronic Commerce Authentication System" providing secure on-line certificate issuance as presently in existence and as developed and enhanced in the future by VeriSign.

1.11 "HIERARCHY" means a domain consisting of a system of chained Certificates leading from the Primary Certification Authority through one or more Certification Authorities to Subscribers.

1.12 "INTERNET" means the global computer network commonly known as "Internet".

1.13 "LICENSED SOFTWARE" means the object code and source code of the VeriSign Software as specified on Exhibit "A" (License and Maintenance Fees) hereto as having been licensed by Customer. Only those portions of the VeriSign Software specified as having been licensed are included in the Licensed Software.

1.14 "NEW RELEASE" means a version of the VeriSign Software which shall generally be designated by a new version number which has changed from the prior number only to the right of the decimal point (e.g., Version 2.2 to Version 2.3).

1.15 "NEW VERSION" means a version of the VeriSign Software which shall generally be designated by a new version number which has changed from the prior number to the left of the decimal point (e.g., Version 2.3 to Version 3.0).

1.16 "PRIMARY CERTIFICATION AUTHORITY" OR "PCA" means an entity that establishes policies for all Certification Authorities and Subscribers within its Private Hierarchy.

1.17 "PRIVATE HIERARCHY" means a domain consisting of a chained Certificate hierarchy which is entirely self-contained within an organization or network and not designed to be interoperable with or intended to interact through public channels with any external organizations, networks, and public hierarchies.
[I am not sure whether this definition correctly describes an SET CA - while the hierarchy is self-contained, it is intended to interact with an "external organization" and on any network.]

1.18 "PRIVATE KEY" means a mathematical key which is kept private to the owner and which is used through public key cryptography to encrypt electronic authenticity data and create a Digital Signature which will be decrypted with the corresponding Public Key.

1.19 "PUBLIC HIERARCHY" means a domain consisting of a system of chained Certificates leading from VeriSign as the Primary Certification Authority through one or more Certification Authorities to Subscribers in accordance with the VeriSign Certification Practice Statement. Certificates issued in a Public Hierarchy are intended to be interoperable among organizations, allowing Subscribers to interact through public channels with various individuals, organizations, and networks.

1.20 "PUBLIC KEY" means a mathematical key which is available publicly and which is used through public key cryptography to decrypt electronic authenticity data which was encrypted using the matched Private Key and to verify Digital Signatures created with the matched Private Key.

1.21 "PUBLIC KEY INFRASTRUCTURE (PKI)" means the VeriSign specification for the architecture, techniques, practices, and procedures that collectively support the implementation and operation of Certificate-based public key cryptographic systems.

1.22 "ROOT KEY" means one or more public root key(s) published by the organization which generated and is entitled to use such keys as the public components of its key pair(s) in issuing Certificates in a hierarchy over which such organization has responsibility.
1.23 "SECOND TIER CA" means an entity in the business of selling or issuing Certificates in VISA's Private Hierarchy digitally signed by such Second Tier CA to Subscribers, by virtue of authority of Customer and using VISA's Certificate Subscription Service directly or by sublicensing the Licensed Software from Customer.

1.24 "SECURE ELECTRONIC TRANSACTIONS ('SET')" means the specification published by Visa International Service Association and MasterCard International and made available to all developers wishing to implement secure payments over the Internet and other public and private networks.

1.25 "SET MODULE" shall mean the software module created by VeriSign to implement the SET. The SET Module shall include all software elements necessary to implement all aspects of the SET specification, but shall not include the VSE.

1.26 "SUBSCRIBER" means an individual, a device or a role/office that has requested a Certifier to issue him, her or it a Certificate.

1.27 "USER MANUAL" means the most current version of the user or operating manual customarily supplied by VeriSign to customers who license the VeriSign Object Code, if any.

1.28 "VERISIGN AFFILIATES" shall mean a company in which, on a class by class basis, more than fifty percent (50%) of the stock entitled to vote for the election of directors is owned or controlled by VeriSign, but only so long as such ownership or control exists.

1.29 "VERISIGN OBJECT CODE" means the Licensed Software in machine-readable, compiled object code form.

1.30 "VERISIGN SOFTWARE" means VeriSign proprietary software known as Certificate Management System, Electronic Commerce Authentication System, SET Module and VSE as described in the User Manuals associated therewith. "VeriSign Software" shall also include all modifications and enhancements (including all New Releases and New Versions) to such programs as provided by VeriSign to Customer pursuant to Sections 4.3 and 4.4.
1.31 "VISA" means VISA International Service Association and its Affiliates.

1.32 "VSE SOURCE CODE" means the mnemonic, high level statement versions of the VSE written in the source language used by programmers.

1.33 "VSE ('VISA SET ENHANCEMENTS')" shall mean the software module created by VeriSign under contract from VISA which interfaces with the SET Module to provide enhanced functionality and features unique to VISA, but not necessary to fully implement the SET.

1.34 "WWW" means the system currently referenced as the "World Wide Web" for organizing multi-media information distributed across network(s) such that it can be navigated and accessed via cross linking mechanisms, and any successor to such system, and any parallel system which uses at least all the same communication protocols as the system currently referenced as the "World Wide Web" or to the successor to such system, even if the administrators of such systems choose to call them by different names.

2. GRANT OF LICENSES; LIMITATIONS
   ------------------------------

2.1 VSE SOURCE CODE LICENSE. If a VSE Source Code license is specified in Exhibit "A", VeriSign hereby grants Customer a non-exclusive, non-transferable, non-assignable, perpetual worldwide license to: (i) modify the VSE Source Code (all such modifications to the VSE Source Code referenced collectively as "Customer Modifications"); and (ii) maintain Customer Products and support Subscribers.

2.2 VERISIGN SOFTWARE OBJECT CODE LICENSE. VeriSign hereby grants Customer a worldwide non-exclusive, non-transferable, non-assignable, perpetual license to use the Licensed Software to provide Certificate Subscription Services; and sublicense the VeriSign Object Code to Second Tier CAs to permit such Second Tier CAs to provide Certificate Subscription Services.

2.3 LIMITATIONS ON LICENSES.
The licenses granted in Sections 2.1 and 2.2 shall be limited as follows:

2.3.1 LIMITATION ON DISTRIBUTEES. The VeriSign Object Code shall be sublicensed or otherwise distributed only to Second Tier CAs. Second Tier CAs shall be prohibited from redistributing or licensing the VeriSign Object Code or any portion of the Licensed Software.

2.3.2 LICENSE RESTRICTED TO LICENSED SOFTWARE. Customer may not use, modify, sublicense or incorporate into any Customer Product any software module or other technology component derived from the VeriSign Software which is not designated as Licensed Software on Exhibit "A".

2.3.3 VERISIGN ROOT KEYS. Any Customer Product and Licensed Software must include VISA's Private Hierarchy Root Key and may include VeriSign's Root Keys.

2.3.4 RESTRICTION ON COPYING. Customer may not copy or reproduce the VeriSign Software or any part, version or form thereof, except as expressly permitted in Section 2.2.

2.4 TITLE.

2.4.1 IN VERISIGN. Except for the limited licenses granted in Sections 2.1 and 2.2, VeriSign shall at all times retain full and exclusive right, title and ownership interest in and to the VeriSign Software and in any and all related patents, trademarks, copyrights and proprietary and trade secret rights.

2.4.2 IN CUSTOMER.
Customer shall at all times retain full and exclusive right, title and ownership interest in and to the Customer Modifications representing incremental modifications to the VeriSign Software (but not in any part of the VeriSign Software, either as a component of a derivative work or otherwise) and in any and all related patents, copyrights and proprietary and trade secret rights; provided, however, that Customer hereby agrees that it will not assert against VeriSign any of such patents, copyrights or proprietary or trade secret rights with respect to any software or products developed by VeriSign without reference to the source code for the Customer Modifications.

3. LICENSE FEES
   ------------

3.1 LICENSE FEES. In consideration of VeriSign's grant to Customer of the limited license rights hereunder, Customer shall pay to VeriSign the amounts set forth below (the "License Fees"):

3.1.1 SOURCE CODE LICENSE FEES. If VeriSign is granting to Customer VSE Source Code license rights as indicated on Exhibit "A", Customer shall pay to VeriSign the source code License Fees specified on Exhibit "A" upon execution of this Agreement.

3.1.2 OBJECT CODE LICENSE FEES. In consideration of VeriSign's grant to Customer of the VeriSign Object Code license rights, Customer shall pay to VeriSign the object code License Fees specified on Exhibit "A" subject to the following:

3.1.2.1 ONE-TIME PAID-UP LICENSE FEE. If a one-time paid-up License Fee is specified on Exhibit "A", a License Fee in the amount specified on Exhibit "A" shall be due upon execution of this Agreement.

3.1.2.2 PER CERTIFICATE, FIXED DOLLAR LICENSE FEE.
If a per Certificate, fixed dollar License Fee is specified on Exhibit "A", a License Fee shall be due for each Certificate issued by Customer or a Second Tier CA using the Licensed Software or a Customer Product, in the amount specified on Exhibit "A".

3.2 TAXES. All taxes, duties, fees and other governmental charges of any kind (including sales and use taxes, but excluding taxes based on the gross revenues or net income of VeriSign) which are imposed by or under the authority of any government or any political subdivision thereof on the License Fees or any aspect of this Agreement shall be borne by Customer and shall not be considered a part of, a deduction from or an offset against License Fees.

3.3 TERMS OF PAYMENT. Per Certificate License Fees shall accrue upon the issuance of a Certificate by Customer or Second Tier CA using the Licensed Software or any Customer Product. One time paid up License Fees are due upon execution of this Agreement. License Fees due VeriSign hereunder shall be paid by Customer to the attention of the Software Licensing Department at VeriSign's address set forth above on or before the thirtieth (30th) day after the close of the calendar quarter during which the License Fees accrued. A late payment penalty on any undisputed License Fees not paid when due shall be assessed at the rate of one percent (1%) per thirty (30) days, beginning on the thirty-first (31st) day after the last day of the calendar quarter to which the delayed payment relates.

3.4 U.S. CURRENCY. All payments hereunder shall be made in lawful United States currency.

3.5 LICENSING REPORT.
A report in reasonably detailed form setting forth the calculation of License Fees due from Customer and signed by a responsible officer of Customer shall be delivered to VeriSign on or before the thirtieth (30th) day after the close of each calendar quarter during the term of this Agreement, regardless of whether License Fee payments are required to be made pursuant to Section 3.3. The report shall include, at a minimum, the following information (if applicable to Customer's designated method of calculating License Fees) with respect to the relevant quarter: (i) the total number of copies/units of Customer Products licensed or otherwise distributed by Customer (indicating the names and versions thereof); (ii) total License Fees accrued; and (iii) the total number and type of Certificates issued.

3.6 AUDIT RIGHTS. VeriSign shall have the right, at its sole cost and expense, to have an independent certified public accountant conduct during normal business hours and not more frequently than annually, an audit of the appropriate records of Customer to verify the number of copies/units of Customer Products licensed or otherwise distributed by Customer, the number and class of Certificates issued, and, if relevant to Customer's designated method of calculating License Fees. If such amounts are found to be different than those reported, or the License Fees accrued are different than those reported, Customer will be invoiced or credited for the difference, as applicable. Any additional License Fees, along with the late payment penalty assessed in accordance with Section 3.3, shall be payable within thirty (30) days of such invoice. If the deficiency in License Fees paid by Customer is greater than five percent (5%) of the License Fees reported by Customer for any quarter, Customer will pay the reasonable expenses associated with such audit, in addition to the deficiency.

3.7 EVALUATION COPIES.
Customer may deliver copies of Customer Products to prospective Second Tier CAs on a trial basis for evaluation purposes only (each, an "Evaluation Copy") provided that each such prospective Second Tier CA has received a written or electronic trial license prohibiting the Second Tier CA from copying, modifying, reverse engineering, decompiling or disassembling the VeriSign Object Code or any part thereof.

3.8 MFN PRICING. VeriSign agrees to provide Customer with Most Favored Nation ("MFN") pricing on all License Fees, excluding maintenance fees and upgrade charges related to the Licensed Software but including any customer discount. MFN pricing shall mean that Customer receives the best pricing offered by VeriSign to any third party under similar terms and conditions. In the event that VeriSign offers better pricing to a third party under different terms and conditions, VeriSign agrees to offer such better pricing to Customer under terms and conditions similar to those offered to the third party. Under no circumstances will the License Fee charged in Section 3.1.2.1 above, after any Customer Discount offered pursuant to Section 3.9 below, exceed One Million Dollars ($1,000,000).

3.9 CUSTOMER DISCOUNT. VeriSign agrees to offer Customer the following discount on the License Fee charged pursuant to Section 3.1.2.1:

Discount*            Date License Executed*
-----------------------------------

4. SUPPORT AND MAINTENANCE
   -----------------------

4.1 OPTIONAL MAINTENANCE. For the year commencing upon the date of this Agreement and for each year thereafter commencing on the anniversary of such expiration, Customer may elect to purchase annual maintenance, as described in Section 4.3, by paying the then-current annual maintenance fee. Such amount shall be payable for the first year upon the execution of this Agreement and for each subsequent year in advance of the commencement of such year.
VeriSign may cease to offer maintenance for future maintenance terms by notice delivered to Customer twelve (12) months or more before the end of the then-current maintenance term. VeriSign shall not be obligated to provide maintenance for versions older than the next most current version. For the purpose of this Section 4.1, "versions" shall refer to the integer portion of the release of a product (i.e., the "version" of Release 1.2 of a product is 1, therefore, when Release 3.0 of that product is introduced, VeriSign would not be required to support any Release 1.x).

4.2 ADDITIONAL CHARGES. In the event VeriSign is required to take actions to correct a difficulty or defect which is traced to Customer errors, modifications, enhancements, software or hardware, then Customer shall pay to VeriSign its time and materials charges at VeriSign's rates then in effect. In the event VeriSign's personnel must travel to perform maintenance or on-site support, Customer shall reimburse VeriSign for any reasonable out-of-pocket expenses incurred, including travel to and from Customer's sites, lodging, meals and shipping, as may be necessary in connection with duties performed under this Section 4 by VeriSign.

______________________
* Confidential treatment has been requested with respect to certain portions of this exhibit. Confidential portions have been omitted from the public filing and have been separately filed with the Securities and Exchange Commission.

4.3 MAINTENANCE PROVIDED BY VERISIGN. For periods for which Customer has paid an annual maintenance fee, VeriSign will provide Customer with the following services:

4.3.1 TELEPHONE SUPPORT. VeriSign will provide telephone support to Customer during VeriSign's normal business hours.
VeriSign may provide on-site support reasonably determined to be necessary by VeriSign at Customer's location specified on page 1 hereof. VeriSign shall provide the support specified in this Section 4.3.1 to Customer's employees responsible for developing Customer Products, maintaining Customer Products, and providing support to Second Tier CAs. VeriSign will provide the name of an employee who will serve as a single point of contact for support to Customer. VeriSign may change the name at any time by providing written notice to Customer. On VeriSign's request, Customer will provide a list with the names of the employees designated to receive support from VeriSign. Customer may change the names on the list at any time by providing written notice to VeriSign.

4.3.2 ERROR CORRECTION. In the event Customer discovers an error in the Licensed Software which causes the Licensed Software not to operate in material conformance to VeriSign's published specifications therefor, Customer shall submit to VeriSign a written report describing such error in sufficient detail to permit VeriSign to reproduce such error. Upon receipt of any such written report, VeriSign will use its reasonable business judgment to classify a reported error as either: (i) a "Level 1 Severity" error, meaning an error that causes the Licensed Software to fail to operate in a material manner or to produce materially incorrect results and for which there is no workaround or only a difficult workaround; or (ii) a "Level 2 Severity" error, meaning an error that produces a situation in which the Licensed Software is usable but does not function in the most convenient or expeditious manner, and the use or value of the Licensed Software suffers no material impact.
VeriSign will acknowledge receipt of a conforming error report within two (2) business days and (A) will use its continuing best efforts to provide a correction for any Level 1 Severity error to Customer as early as practicable; and (B) will use its reasonable efforts to include a correction for any Level 2 Severity error in the next release of the VeriSign Software.

4.3.3 NEW RELEASES AND NEW VERSIONS. VeriSign will provide Customer information relating to New Releases and New Versions of the VeriSign Software during the term of this Agreement. New Releases will be provided at no additional charge. New Versions will be provided at VeriSign's standard upgrade charges in effect at the time. Any New Releases or New Versions acquired by Customer shall be governed by all of the terms and provisions of this Agreement.

4.4 LAPSED MAINTENANCE. In the event Customer has not purchased optional maintenance with respect to any Licensed Software, Customer may obtain a license of a New Release of such Licensed Software or any service which is provided as a part of maintenance by paying the maintenance fees which would otherwise have been due from the expiration of maintenance provided pursuant to Section 4.1 to the date such New Release is licensed or such service is provided.

5. MASTER COPY
   -----------

As soon as practicable, but not later than five (5) business days after the date of execution of this Agreement, VeriSign shall deliver to Customer one (1) copy of each of the VeriSign Object Code, the VSE Source Code (if licensed hereunder) and the User Manual in the manner designated on Exhibit "A".

6. ADDITIONAL OBLIGATIONS OF CUSTOMER
   ----------------------------------

6.1 CUSTOMER PRODUCT MARKETING.
Customer is authorized to represent to Second Tier CAs and Subscribers only such facts about the VeriSign Software as VeriSign states in its published product descriptions, advertising and promotional materials or as may be stated in other non-confidential written material furnished by VeriSign.

6.2 CUSTOMER SUPPORT. Customer shall, at its expense, provide all support for the Licensed Software, Customer Products to Second Tier CAs and Subscribers.

6.3 LICENSE AGREEMENTS. Customer shall cause to be delivered to each Second Tier CA a license agreement which shall contain, at a minimum, substantially all of the limitations of rights and the protections for VeriSign which are contained in Sections 2.3, 6.4.2, 6.5, 7.2, 7.3, 9.8 and 9.9 of this Agreement and shall prohibit Second Tier CAs pursuant to written agreements from modifying, reverse engineering, decompiling or disassembling the VeriSign Object Code or any part thereof, to the extent permitted by applicable law. Customer shall use commercially reasonable efforts to ensure that all Second Tier CAs abide by the terms of such agreements.

6.4 CONFIDENTIALITY; PROPRIETARY RIGHTS.

6.4.1 CONFIDENTIALITY. The parties acknowledge that in their performance of their duties hereunder the parties will communicate to each other (or its designees) certain confidential and proprietary information concerning their respective businesses and products, and know-how, technology, techniques or marketing plans related thereto (collectively, the "Know-How") all of which are confidential and proprietary to, and trade secrets of that party. Each party agrees to hold all the Know-How within its own organization and shall not, without specific written consent of the other party or as expressly authorized herein, utilize in any manner, publish, communicate or disclose any part of the Know-How to third parties.
This Section 6.4.1 shall impose no obligation on either party with respect to any Know-How which: (i) is in the public domain at the time disclosed by the party owning such Know-How; (ii) enters the public domain after disclosure other than by breach of the receiving party's obligations hereunder or by breach of another party's confidentiality obligations; or (iii) is shown by documentary evidence to have been known by the receiving party prior to its receipt from the disclosing party. Each party will take such steps as are consistent with that party's protection of its own confidential and proprietary information (but will in no event exercise less than reasonable care) to ensure that the provisions of this Section 6.4.1 are not violated by any third party including each party's employees, agents, Customer's Second Tier CAs, or any other person.

6.4.2 PROPRIETARY MARKINGS; COPYRIGHT NOTICES. Customer agrees not to remove or destroy any proprietary, trademark or copyright markings or notices placed upon or contained within the VeriSign Source Code, VeriSign Object Code, User Manuals or any related materials or documentation. Customer further agrees to insert and maintain: (i) within every Customer Product and any related materials or documentation a copyright notice in the name of Customer; and (ii) within the splash screens, user documentation, printed product collateral, product packaging and advertisements for the Customer Product, a statement that the Customer Product contains the VeriSign Software. Customer shall not take any action which might adversely affect the validity of VeriSign's proprietary, trademark or copyright markings or ownership by VeriSign thereof, and shall cease to use the markings, or any similar markings, in any manner on the expiration or other termination of the license rights granted pursuant to Section 2.

6.4.3 SOURCE CODE.
Customer acknowledges the extreme importance of the confidentiality and trade secret status of the VSE Source Code and Customer agrees, in addition to complying with the requirements of Sections 6.4.1 and 6.4.2 as they relate to the VSE Source Code, to: (i) inform any employee that is granted access to all or any portion of the VSE Source Code of the importance of preserving the confidentiality and trade secret status of the VSE Source Code; and (ii) maintain a controlled, secure environment for the storage and use of the VSE Source Code.

6.4.4 NO PUBLICATION. The placement of a copyright notice on any of the VeriSign Software shall not constitute publication or otherwise impair the confidential or trade secret nature of the VeriSign Software.

6.4.5 INJUNCTIVE RELIEF. Both parties acknowledge that the restrictions contained in this Section 6.4 are reasonable and necessary to protect both parties' legitimate interests and that any violation of these restrictions will cause irreparable damage to the other party within a short period of time and each party agrees that the other party will be entitled to injunctive relief against each violation.

6.5 FEDERAL GOVERNMENT SUBLICENSE. Any sublicense of a Customer Product acquired from Customer under a United States government contract shall be subject to restrictions as set forth in subparagraph (c)(1)(ii) of Defense Federal Acquisition Regulations Supplement (DFARS) Section 252.227-7013 for Department of Defense contracts and as set forth in Federal Acquisition Regulations (FARs) Section 52.227-19 for civilian agency contracts or any successor regulations.
Customer agrees that any such sublicense shall set forth all of such restrictions and the tape or diskette label for the Customer Product and any documentation delivered with the Customer Product shall contain a restricted rights legend conforming to the requirements of the current, applicable DFARS or FARs.

6.6 NOTICES. Each party shall immediately advise the other party of any legal notices served on that party which might affect the other party.

6.7 VERISIGN'S INDEMNITY. CUSTOMER EXPRESSLY INDEMNIFIES AND HOLDS HARMLESS VERISIGN, ITS SUBSIDIARIES, AGENTS AND AFFILIATES FROM: (i) ANY AND ALL LIABILITY OF ANY KIND OR NATURE WHATSOEVER TO CUSTOMER'S SECOND TIER CAs OR SUBSCRIBERS AND THIRD PARTIES WHICH MAY ARISE FROM ACTS OF CUSTOMER OR FROM THE LICENSE OF CUSTOMER PRODUCTS BY CUSTOMER OR ANY DOCUMENTATION, SERVICES OR ANY OTHER ITEM FURNISHED BY CUSTOMER TO ITS SECOND TIER CAs, OTHER THAN LIABILITY ARISING FROM THE VERISIGN SOURCE CODE, THE VERISIGN OBJECT CODE OR THE USER MANUALS (UNLESS SUCH LIABILITY WOULD NOT HAVE ARISEN IN THE ABSENCE OF MODIFICATIONS TO ANY OF THE FOREGOING BY CUSTOMER OR ITS EMPLOYEES, AGENTS OR CONTRACTORS) OR FROM THE ACTS OF VERISIGN; AND (ii) ANY LIABILITY ARISING IN CONNECTION WITH AN UNAUTHORIZED REPRESENTATION OR ANY MISREPRESENTATION OF FACT MADE BY CUSTOMER OR ITS AGENTS OR EMPLOYEES TO ANY PARTY WITH RESPECT TO THE VERISIGN SOFTWARE OR ANY CUSTOMER PRODUCTS.

6.8 CUSTOMER'S INDEMNITY.
VERISIGN EXPRESSLY INDEMNIFIES AND HOLDS HARMLESS CUSTOMER, ITS SUBSIDIARIES, AGENTS AND AFFILIATES FROM: (i) ANY AND ALL LIABILITY OF ANY KIND OR NATURE WHATSOEVER TO ANY THIRD PARTIES THAT MAY ARISE FROM ACTS OF VERISIGN OR FROM USE OF VERISIGN SOURCE CODE, VERISIGN'S OBJECT CODE OR VERISIGN'S USER MANUALS (UNLESS SUCH LIABILITY WOULD NOT HAVE ARISEN IN THE ABSENCE OF MODIFICATIONS TO ANY OF THE FOREGOING BY CUSTOMER OR ITS EMPLOYEES, AGENTS OR CONTRACTORS); AND (ii) ANY LIABILITY ARISING IN CONNECTION WITH AN UNAUTHORIZED REPRESENTATION OR ANY MISREPRESENTATION OF FACT MADE BY VERISIGN OR ITS AGENTS OR EMPLOYEES TO ANY PARTY WITH RESPECT TO CUSTOMER PRODUCTS, OR ANY VERISIGN SOFTWARE.

7. LIMITED WARRANTY; DISCLAIMER OF WARRANTIES; LIMITATION OF LIABILITY;
   INTELLECTUAL PROPERTY INDEMNITIES
   --------------------------------------------------------------------

7.1 LIMITED WARRANTY. During the initial ninety (90)-day term of this Agreement VeriSign warrants that the Licensed Software specified in this Agreement will operate in material conformance to VeriSign's published specifications for such Licensed Software. VeriSign does not warrant that the VeriSign Software or any portion thereof is error-free. Customer's exclusive remedy, and VeriSign's entire liability in tort, contract or otherwise, shall be correction of any warranted nonconformity as provided in Section 4.3.2. This limited warranty and any obligations of VeriSign under Section 4.1 shall not apply to any Customer Modifications or any nonconformities caused thereby and shall terminate immediately if Customer makes any modification to the VeriSign Software other than Customer Modifications.

7.2 DISCLAIMER. EXCEPT FOR THE EXPRESS LIMITED WARRANTY PROVIDED IN SECTION 7.1, VERISIGN'S PRODUCTS AND SERVICES ARE PROVIDED "AS IS" WITHOUT ANY WARRANTY WHATSOEVER.
VERISIGN DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO ANY MATTER WHATSOEVER, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY VERISIGN OR ITS EMPLOYEES OR REPRESENTATIVES SHALL CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF VERISIGN'S OBLIGATIONS. 7.3 LIMITATION OF LIABILITY. NEITHER PARTY WILL BE LIABLE TO THE OTHER ----------------------- PARTY, TO A SUBSCRIBER OR TO ANY THIRD PARTY FOR ANY CONSEQUENTIAL, INDIRECT, SPECIAL, INCIDENTAL OR EXEMPLARY DAMAGES, WHETHER FORESEEABLE OR UNFORESEEABLE (INCLUDING, BUT NOT LIMITED TO, GOODWILL, PROFITS, INVESTMENTS, USE OF MONEY OR USE OF FACILITIES; INTERRUPTION IN USE OR AVAILABILITY OF DATA; STOPPAGE OF OTHER WORK OR IMPAIRMENT OF OTHER ASSETS; OR LABOR CLAIMS, EVEN IF VERISIGN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), ARISING OUT OF BREACH OF ANY EXPRESS OR IMPLIED WARRANTY, BREACH OF CONTRACT, NEGLIGENCE, EXCEPT ONLY IN THE CASE OF DEATH OR PERSONAL INJURY WHERE AND TO THE EXTENT THAT APPLICABLE LAW REQUIRES SUCH LIABILITY. UNDER NO CIRCUMSTANCES SHALL EITHER PARTY'S LIABILITY TO THE OTHER PARTY OR ANY SUBSCRIBER OR ANY THIRD PARTY ARISING OUT OF OR RELATED TO THIS AGREEMENT, EXCLUDING LIABILITY FOR LICENSE FEES, MAINTENANCE FEES OR UPGRADE FEES ACTUALLY OWED TO A PARTY, EXCEED $100,000 WITH RESPECT TO A SINGLE OCCURRENCE OR $1,000,000 IN THE AGGREGATE REGARDLESS OF WHETHER ANY ACTION OR CLAIM IS BASED ON WARRANTY, CONTRACT, TORT OR OTHERWISE. THE LIMITATION SET FORTH IN THIS SECTION 7.3 SHALL NOT APPLY TO INDEMNITIES OR RIGHTS GRANTED BY SECTION 7.4 OR 7.5. 7.4 PROPRIETARY RIGHTS INFRINGEMENT BY VERISIGN. ------------------------------------------- 7.4.1 OBLIGATION TO DEFEND. 
VeriSign, at its own expense, shall: (i) -------------------- defend, or at its option settle, any claim, suit or proceeding against Customer on the basis of infringement or misappropriation of any United States patent, copyright, trade secret or any other intellectual property right by the Licensed Software as delivered by VeriSign (excluding the Customer Modifications) or any claim that VeriSign has no right to license the Licensed Software hereunder; and (ii) pay any final judgment entered or settlement against Customer on such issue in any such suit or proceeding defended by VeriSign. VeriSign shall have no obligation to Customer pursuant to this Section 7.4.1 unless: (A) Customer gives VeriSign prompt written notice of the claim; (B) VeriSign is given the right to control and direct the investigation, preparation, defense and settlement of the claim; and (C) the claim is based on Customer's use of the most recent version or the immediately preceding version of the Licensed Software in accordance with this Agreement. <PAGE> VeriSign Private Label Agreement Page 55 7.4.2 VERISIGN OPTIONS. If VeriSign receives notice of an alleged ---------------- infringement, VeriSign shall have the right, at its sole option, to obtain the right to continue use of the Licensed Software or to replace or modify the Licensed Software so that it is no longer infringing. If neither of the foregoing options is reasonably available to VeriSign, then the license rights granted pursuant to Section 2 may be terminated at the option of either party hereto without further obligation or liability except as provided in Sections 7.4.1 and 8.3 and in the event of such termination, VeriSign shall refund the License Fees paid by Customer hereunder ("Refunded Fees") less depreciation for use assuming straight line depreciation over a five (5)-year useful life. 
Alternatively, if VeriSign is unable to obtain the necessary rights to permit Customer to continue use of the Licensed Software, Customer may obtain a license permitting its use of the Licensed Software. Customer may seek reimbursement for any such fees up to the amount of Refunded Fees. If Customer obtains such a license from a third party, then this Agreement shall continue with both parties' rights and obligations unchanged. 7.4.3 EXCLUSIVE REMEDIES. THE RIGHTS AND REMEDIES SET FORTH IN ------------------ SECTIONS 7.4.1 AND 7.4.2 CONSTITUTE THE ENTIRE OBLIGATION OF VERISIGN AND THE EXCLUSIVE REMEDIES OF CUSTOMER CONCERNING VERISIGN'S PROPRIETARY RIGHTS INFRINGEMENT. 7.5 PROPRIETARY RIGHTS INFRINGEMENT BY CUSTOMER. ------------------------------------------- 7.5.1 OBLIGATION TO DEFEND. Subject to the limitations set forth -------------------- below, Customer, at its own expense, shall: (i) defend, or at its option settle, any claim, suit or proceeding against VeriSign on the basis of infringement or misappropriation of any United States patent, copyright, trade secret or any other intellectual property right by any Customer Product (excluding the unmodified VeriSign Software) or the Customer Modifications; and (ii) pay any final judgment entered or settlement against VeriSign on such issue in any such suit or proceeding defended by Customer. Customer shall have no obligation to VeriSign pursuant to this Section 7.5.1 unless: (A) VeriSign gives Customer prompt written notice of the claim; and (B) Customer is given the right to control and direct the investigation, preparation, defense and settlement of the claim. 7.5.2 EXCLUSIVE REMEDIES. THE RIGHTS AND REMEDIES SET FORTH IN ------------------ SECTION 7.5.1 CONSTITUTE THE ENTIRE OBLIGATION OF CUSTOMER AND THE EXCLUSIVE REMEDIES OF VERISIGN CONCERNING CUSTOMER'S PROPRIETARY RIGHTS INFRINGEMENT. 8. TERM AND TERMINATION -------------------- 8.1 TERM. 
The license rights granted pursuant to Section 2 shall be effective as of the date hereof and shall continue in full force and effect for each item of Licensed Software for the period set forth on Exhibit "A" unless sooner terminated pursuant to the terms of this Agreement. Either party shall be entitled to terminate all the license rights granted pursuant to this Agreement at any time on written notice to the other in the event of a default by the other party and a failure to cure such default within a period of thirty (30) days following receipt of written notice specifying that a default has occurred.

8.2 INSOLVENCY. Upon the institution of any proceedings by or against either party seeking relief, reorganization or arrangement under any laws relating to insolvency, or upon any assignment for the benefit of creditors, or upon the appointment of a receiver, liquidator or trustee of any of either party's property or assets, or upon the liquidation, dissolution or winding up of either party's business, then and in any such events all the license rights granted pursuant to this Agreement may immediately be terminated by the other party upon giving written notice.

8.3 DISPOSITION OF VERISIGN SOFTWARE AND USER MANUALS ON TERMINATION. Upon the termination of this Agreement pursuant to a breach by Customer, the remaining provisions of this Agreement shall remain in full force and effect, and Customer shall cease making copies of, using or licensing the VeriSign Software, User Manual and Customer Products, excepting only such copies of Customer Products necessary to fill orders placed with Customer prior to such expiration or termination. Customer shall destroy all copies of the VeriSign Software, User Manual and Customer Products not subject to any then-effective license agreement with a Second Tier CA and all information and documentation provided by VeriSign to Customer (including all Know-How), other than such copies of the VeriSign Object Code, the User Manual and the Customer Products as are necessary to enable Customer to perform its continuing support obligations in accordance with Section 6.2, if any, and except as provided in the next following sentence. If Customer has licensed VeriSign Source Code hereunder, for a period of one (1) year after the date of expiration or termination of the license rights granted under this Agreement for any reason other than as a result of default or breach by Customer, Customer may retain one (1) copy of the VeriSign Source Code and is hereby licensed for such term to use such copy solely for the purpose of supporting Second Tier CAs and Subscribers. Upon the expiration of such one (1)-year period, Customer shall return such single copy of the VeriSign Source Code to VeriSign or certify to VeriSign that the same has been destroyed. In the event that this Agreement is terminated because of VeriSign's breach, Customer's rights under Section 2 shall continue indefinitely.

9. MISCELLANEOUS PROVISIONS

9.1 GOVERNING LAWS. THE LAWS OF THE STATE OF CALIFORNIA, U.S.A. (IRRESPECTIVE OF ITS CHOICE OF LAW PRINCIPLES) SHALL GOVERN THE VALIDITY OF THIS AGREEMENT, THE CONSTRUCTION OF ITS TERMS, AND THE INTERPRETATION AND ENFORCEMENT OF THE RIGHTS AND DUTIES OF THE PARTIES. THE PARTIES AGREE THAT THE UNITED NATIONS CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALE OF GOODS SHALL NOT APPLY TO THIS AGREEMENT. THE PARTIES AGREE THAT ANY SUIT TO ENFORCE ANY PROVISION OF THIS AGREEMENT OR ARISING OUT OF OR BASED UPON THIS AGREEMENT OR THE BUSINESS RELATIONSHIP BETWEEN THE PARTIES SHALL BE BROUGHT IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA OR THE SUPERIOR OR MUNICIPAL COURT IN AND FOR THE COUNTY OF SANTA CLARA, CALIFORNIA, U.S.A. Each party agrees that such courts shall have exclusive in personam jurisdiction and venue with respect to such party, and each party submits to the exclusive in personam jurisdiction and venue of such courts.

9.2 BINDING UPON SUCCESSORS AND ASSIGNS. Except as otherwise provided herein, this Agreement shall be binding upon, and inure to the benefit of, the successors, representatives, administrators and assigns of the parties hereto. This Agreement shall not be assignable by either party, by operation of law or otherwise, without the prior written consent of the other party, which shall not be unreasonably withheld. Any such purported assignment or delegation without the other party's written consent shall be void and of no effect.

9.3 SEVERABILITY. If any provision of this Agreement is found to be invalid or unenforceable, the remainder of this Agreement shall be interpreted so as best to reasonably effect the intent of the parties hereto. IT IS EXPRESSLY UNDERSTOOD AND AGREED THAT EACH AND EVERY PROVISION OF THIS AGREEMENT WHICH PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES OR EXCLUSION OF DAMAGES IS INTENDED BY THE PARTIES TO BE SEVERABLE AND INDEPENDENT OF ANY OTHER PROVISION AND TO BE ENFORCED AS SUCH.

9.4 ENTIRE AGREEMENT. This Agreement and the exhibits and schedules hereto constitute the entire understanding and agreement of the parties hereto with respect to the subject matter hereof and supersede all prior and contemporaneous agreements, representations and understandings between the parties.

9.5 AMENDMENT AND WAIVERS. Any term or provision of this Agreement may be amended, and the observance of any term of this Agreement may be waived, only by a writing signed by the party to be bound.

9.6 ATTORNEYS' FEES. The prevailing party in any action or proceeding to enforce or interpret any part of this Agreement shall be entitled to recover its reasonable attorneys' fees (including fees on any appeal).

9.7 NOTICES. Any notice, demand, or request with respect to this Agreement shall be in writing and shall be effective only if it is delivered by hand or mailed, certified or registered mail, postage prepaid, return receipt requested, addressed to the appropriate party at its address set forth on page 1. Such communications shall be effective when they are received by the addressee; but if sent by certified or registered mail in the manner set forth above, they shall be effective not later than ten (10) days after being deposited in the mail. Any party may change its address for such communications by giving notice to the other party in conformity with this Section.

9.8 FOREIGN RESHIPMENT LIABILITY. THIS AGREEMENT IS EXPRESSLY MADE SUBJECT TO ANY LAWS, REGULATIONS, ORDERS OR OTHER RESTRICTIONS ON THE EXPORT FROM THE UNITED STATES OF AMERICA OF THE VERISIGN SOFTWARE OR CUSTOMER PRODUCTS OR OF INFORMATION ABOUT THE VERISIGN SOFTWARE OR CUSTOMER PRODUCTS WHICH MAY BE IMPOSED FROM TIME TO TIME BY THE GOVERNMENT OF THE UNITED STATES OF AMERICA. NOTWITHSTANDING ANYTHING CONTAINED IN THIS AGREEMENT TO THE CONTRARY, CUSTOMER SHALL NOT EXPORT OR REEXPORT, DIRECTLY OR INDIRECTLY, ANY VERISIGN SOFTWARE OR CUSTOMER PRODUCTS OR INFORMATION PERTAINING THERETO TO ANY COUNTRY FOR WHICH SUCH GOVERNMENT OR ANY AGENCY THEREOF REQUIRES AN EXPORT LICENSE OR OTHER GOVERNMENTAL APPROVAL AT THE TIME OF EXPORT OR REEXPORT WITHOUT FIRST OBTAINING SUCH LICENSE OR APPROVAL.

9.9 TRADEMARKS. By reason of this Agreement or the performance hereof, Customer shall acquire no rights of any kind in any VeriSign trademark, trade name, logo or product designation under which the VeriSign Software was or is marketed, and Customer shall not make any use of the same for any reason except as expressly authorized by this Agreement or otherwise authorized in writing by VeriSign.

9.10 PUBLICITY. Neither party will disclose to third parties, other than its agents and representatives on a need-to-know basis, the terms of this Agreement or any exhibits hereto (including without limitation any License/Product Schedule) without the prior written consent of the other party, except (i) either party may disclose such terms to the extent required by law; (ii) either party may disclose the existence of this Agreement; and (iii) VeriSign shall have the right to disclose that Customer is a Customer of the VeriSign Software and that any publicly-announced Customer Product incorporates the VeriSign Software. Customer shall provide to VeriSign, solely for VeriSign's display purposes, one (1) working copy of each Customer Product which consists solely of computer software and one (1) working or non-working unit of any hardware product in which is incorporated a Customer Product which consists of an integrated circuit or other hardware.

9.11 REMEDIES NON-EXCLUSIVE.
Except as otherwise expressly provided, any ---------------------- remedy provided for in this Agreement is deemed cumulative with, and not exclusive of, any other remedy provided for in this Agreement or otherwise available at law or in equity. The exercise by a party of any remedy shall not preclude the exercise by such party of any other remedy. <PAGE> VeriSign Private Label Agreement Page 59 IN WITNESS WHEREOF, the parties have executed this Agreement as of the date of the last signature below, unless a different effective date is specified on the first page of this Agreement. CUSTOMER: VISA INTERNATIONAL SERVICE ASSOCIATION By: __________________________________________ Printed Name: ________________________________ Title: _______________________________________ Date: ________________________________________ <PAGE> VeriSign Private Label Agreement Page 60 EXHIBIT "K" SERVICE LEVEL AGREEMENT* Secure Electronic Commerce Services (SEC) Electronic Certification Services (ECS) Service Level Agreement Review Copy Visa International / VeriSign -------------------------------------------------------------------------------- Version 1.0 1 __________________________ * Confidential treatment has been requested with respect to certain portions of this exhibit. Confidential portions have been omitted from the public filing and have been separately filed with the Securities and Exchange Commission. <PAGE> Page 2 Visa SEC Service REVIEW COPY Electronic Certification Services (ECS) April 17, 1996 Visa /VeriSign Service Level Agreement -------------------------------------------------------------------------------- April 1996 2 <PAGE> Visa SEC Service Page i Electronic Certification Services (ECS) REVIEW COPY Visa / VeriSign Service Level Agreement April 18, 1996 -------------------------------------------------------------------------------- TABLE OF CONTENTS I. OVERVIEW 1 II. ECS SYSTEM DESCRIPTION 1 1. Brand Certificate Authority 2 2. Cardholder Certificate Authority 2 3. 
Merchant Certificate Authority 2 4. Payment Gateway Certificate Authority 2 III. SCOPE 3 A. WITHIN SCOPE 3 B. OUTSIDE OF SCOPE 3 IV. ECS SERVICE LEVELS 4 A. SERVICE AVAILABILITY 4 1. Definition 4 2. Measurement 5 3. Minimum Service Level Requirement 5 B. RESPONSE TIME 6 1. Definition 6 2. Measurement 6 3. Minimum Service Level Requirement 7 7 C. THROUGHPUT 7 1. Definition 7 2. Measurement 8 3. Minimum Service Level Requirement 8 D. DATA MANAGEMENT 9 3 <PAGE> 1. Definition 9 2. Measurement 9 3. Minimum Service Level Requirement 9 E. SYSTEM MONITORING AND OUTAGE REPORTING 9 1. Definition 9 2. Measurement 10 3. Minimum Service Level Requirement 10 F. SCHEDULED DOWN TIME 10 1. Definition 10 2. Measurement 11 3. Minimum Service Level Requirement 11 G. BACKUP 11 1. Definition 11 2. Measurement 11 3. Minimum Service level Requirement 11 H. KEY COMPROMISE 12 1. Definition 12 2. Measurement 12 3. Minimum Service Level Requirement 12 I. CONTINGENCY OPERATIONS / RECOVERY 12 1. Definition 12 2. Measurement 13 3. Minimum Service Level Requirement 13 J. REPORTING 13 K. PENALTIES 14 1. Access to Service 14 2. On-line Certification Processing Service 15 3. Off-line Certification Processing Service 16 V. VERISIGN ECS CUSTOMER SUPPORT SERVICE LEVELS 17 A. Availability 17 4 <PAGE> B. RESPONSE TIME 17 C. CUSTOMER SUPPORT CALLBACK TIMEFRAMES AND DEFINITIONS 17 5 <PAGE> I. OVERVIEW This Service Level Agreement (SLA) between Visa International (Visa) and VeriSign, Inc. (VeriSign) details the terms for the supply of services by VeriSign to Visa for the operation of the Visa Electronic Certification Services (ECS). It specifically addresses the service levels that will be in effect for the ECS pilot as defined in the project plan,. Service levels for the test phases of ECS will be addressed separately. This SLA is comprised of two components. The first addresses service levels for ECS. The second addresses service levels for VeriSign ECS customer support. II. 
ECS SYSTEM DESCRIPTION A logical depiction of the ECS system is presented below: [DIAGRAM DEPICTING A "CERTIFICATE REQUESTER" CONNECTED TO A CLOUD DEPICTING THE INTERNET, CONNECTED TO A USER INTERFACE WHICH IS CONNECTED TO A PAYMENT GATEWAY CERTIFICATE AUTHORITY, MERCHANT CERTIFICATE AUTHORITY AND A CARDHOLDER CERTIFICATE AUTHORITY WHICH ARE THEN CONNECTED TO AN ACQUIRING BANK, VISA AND AN ISSUING BANK.] The logical components that are specifically addressed by this service level agreement are described below: 1. BRAND CERTIFICATE AUTHORITY The Brand CA issues SEC compliant digital certificates to Brand members (Issuers and Acquirers or their processors) that wish participate in Visa's Secure Electronic Commerce (SEC) Service. The Brand CA issues Issuer certificates for use in issuing certificates to the Issuer's cardholders and Acquirer certificates for use in issuing certificates to the Acquirer's merchants. In addition the Brand CA will issue certificates to Brand or Geo-political operated Payment Gateway CAs for use in issuing certificates to Acquirer Payment Gateways. The Brand CA will also issue certificates to Geo-political CAs The Brand CA issues three types of certificates for each of their members: certificate signature certificates, key exchange certificates and message signature certificates. 2. CARDHOLDER CERTIFICATE AUTHORITY The Cardholder CA issues SEC compliant digital certificates to the Issuer's cardholders that wish to participate in Visa's Secure Electronic Commerce (SEC) Service. The Cardholder CA issues a signature certificate to each cardholder. 3. MERCHANT CERTIFICATE AUTHORITY The Merchant CA issues SEC compliant digital certificates to the Acquirer's merchants that wish to participate in Visa's Secure Electronic Commerce (SEC) Service. The Merchant CA issues two types of certificates to each merchant: key exchange certificates and message signature certificates. 4. 
PAYMENT GATEWAY CERTIFICATE AUTHORITY The Payment Gateway CA issues SEC compliant digital certificates to the Payment Gateway's that wish to participate in Visa's Secure Electronic Commerce (SEC) 6 <PAGE> Service. The Payment Gateway CA issues two types of certificates to each Payment Gateway: key exchange certificates and message signature certificates. III. SCOPE VeriSign will be developing and operating a Certificate Authority on behalf of Visa. A. WITHIN SCOPE The following components of ECS are addressed within the scope of this service level agreement: . Brand Certificate Authority (BCA) . Payment Gateway Certificate Authority (PCA) . Cardholder Certificate Authority (CCA) . Merchant Certificate Authority (MCA) B. OUTSIDE OF SCOPE The following components of ECS are not addressed within the scope of this service level agreement: . Visa Access Point (VAP) . VisaNet components (systems and network) . Issuer components . Acquirer components . Geo-political Certificate Authority IV. ECS SERVICE LEVELS For the purpose of this SLA, ECS is considered to have two major operational components: 1. Access to Service This is the ability to receive a certificate transaction from a requesting entity (e g., cardholder, merchant, payment gateway), provide an appropriate signed response to the requester, and either forward the certificate transaction to the appropriate CA for immediate processing or queue it for subsequent processing (if the CA is not available at that time). 2. Certification Processing Service This is the ability to fully process the certificate transaction (e.g., certificate request, 7 <PAGE> certificate query, certificate response) and return an appropriate signed response to the requester. A. SERVICE AVAILABILITY 1. Definition Access to Service Access to ECS must be available, seven (7) days a week, twenty-four (24) hours a day, 365 days a year. 
On-line Certification Processing Service All of the 'on-line' certificate authorities (CCA, MCA and PCA) must be available for processing certificate transactions and performing administrative functions such as regenerating keys seven (7) days a week, twenty-four (24) hours a day, 365 days a year with the exception of scheduled down time Off-line Certification Processing Service Initially, the brand certificate operations require manual procedures, are performed off-line and require the presence of authorized Visa and VeriSign personnel. The Brand certificate authority must be available during the normal hours of operation, as well as after hours by prior arrangement. Normal hours of operation for the Brand CA are 0600 - 1800 PT. Visa will normally provide VeriSign with a twenty-four (24) hour advance notice of any required Brand CA operation. In the event of extreme conditions, such as disaster recovery or key compromise, Visa may require Brand CA operations outside of the normal operating periods. Under such circumstances, Visa shall provide VeriSign with a two (2) hour advance notice of the required Brand CA operations. Therefore, the Brand CA must be available for issuing Cardholder CA, Merchant CA, Payment Gateway CA and Geo- political CA certificates and performing administrative functions such as generating keys seven (7) days a week, twenty-four (24) hours a day, 365 days a year with the exception of scheduled downtime. 2. Measurement Access to Service The measurement for service availability is the amount of time that the certificate processing service is capable of receiving and responding to incoming certificate transactions in an appropriate manner, even if it is not capable of certification processing. Nonavailability is the amount of time that the requesting entity cannot access the service at all. 
Certification Processing Service The measurement for service availability is the amount of time that the CA is capable of receiving, processing and responding to incoming certificate transactions from the requesting entity (e.g., merchant, acquirer, issuer, cardholder, payment gateway). Nonavailability is the amount of time that 8 <PAGE> the CA is not capable of receiving, processing and responding to incoming certificate transactions from the requesting entity (e.g., merchant, acquirer, issuer, cardholder, payment gateway). 3. Minimum Service Level Requirement Access to Service Access to Service availability must be *. Certification Processing Service The Brand CA must be available to process * of the certificate requests and perform administrative functions such as generating keys. All other CAs must be available to process certificate transactions and perform administrative functions such as generating keys * of the time. Specifically, for the on-line CAs (i.e., CCA, MCA, PCA), the total unscheduled downtime per month must not exceed *;no single CA type can exceed * unscheduled downtime per month; no single unscheduled outage of any CA can exceed *. B. Response Time 1. Definition Access to Service The requesting entity must be able to submit a transaction and receive an appropriate signed response within *. On-line Certification Processing Service On-line CAs must respond to all certificate transactions within one (1) minute. Off-line Certification Processing Service There are two components of response time for the Brand CA. 1. The amount of time that it takes VeriSign to respond to a Visa request for Brand CA operations VeriSign must respond to a Visa request for Brand CA operations within * during normal operating hours. Under extreme conditions, VeriSign must respond to a Visa request for Brand CA operations within *. 2. 
The amount of time that the actual Brand CA operation requires All Brand CA operations must be processed and validated within hour(s) of the start of the operation. The specification timeframe will be determined at a later date. * Confidential treatment has been requested with respect to certain portions of this exhibit. Confidential portions have been omitted from the public filing and have been filed separately with the Securities and Exchange Commission. 9 <PAGE> 2. Measurement Access to Service The measurement for response time is based upon the time elapsed from when a certificate transaction reaches VeriSign's Internet access point until the corresponding response message leaves VeriSign's Internet access point. On-line Certification Processing Service The measurement for response time is based upon the time elapsed from when a certificate transaction reaches VeriSign's Internet access point until the corresponding response message leaves VeriSign's Internet access point. Off-line Certification Processing Service The measurement for response to requests for Brand CA operations is based upon the time elapsed from when Visa contacts VeriSign to inform them of the intent to perform a Brand CA operation until VeriSign confirms their availability to perform a Brand CA operation. The measurement for performing Brand CA operations is based upon the time elapsed from when the operation starts until it is completed and verified. 3. Minimum Service Level Requirement Access To Service Access to Service response times must be met * of the time. Certification Processing Service For the on-line CAs, * of the certificate transactions must be responded to within the required time. For the Brand CA, * of the requests for Brand CA operations must be responded to within the required time and * of the Brand CA operations must be performed within the required time. C. Throughput 1. 
Definition Access to Service The facilities that are providing Access to Service must be capable of meeting the response time criteria identified above while supporting the following peak certificate transaction per hour loads: * Confidential treatment has been requested with respect to certain portions of this exhibit. Confidential portions have been omitted from the public filing and have been filed separately with the Securities and Exchange Commission. 10 <PAGE> 1996 1997 1998 1999 All certificate transactions (peak per hour). * On-line Certification Processing Service On-line CAs must be capable of meeting the response time criteria identified above while supporting the following peak certificate transaction per hour loads: Review Copy Electronic Certification Services (ECS) a) Cardholder Certificate Authority 1996 1997 1998 1999 Cardholder certificate transactions (peak per hour) * b) Merchant Certificate Authority 1996 1997 1998 1999 Merchant certificate transactions (peak per hour) * c) Payment Gateway Certificate Authority 1996 1997 1998 1999 Payment gateway certificate transactions (peak per hour) * Off-line Certification Processing Throughput is not a factor for the Brand CA because all operations will be performed sequentially and are dependent upon manual processes. 2. Measurement The measurement for throughput is based upon the actual volumes of certificate transactions that are processed by the various ECS system components while meeting response time criteria. 3. Minimum Service Level Requirement Throughput requirements must be met * of the time. D. Data Management 1. Definition ECS data, which includes system logs, transaction history, certificate registration data and certificates, must be available to support various legal, billing and customer service requirements. 
The on-line access, archive retention and retrieval requirements for the ECS data will vary by data type as described below: * Confidential treatment has been requested with respect to certain portions of this exhibit. Confidential portions have been omitted from the public filing and have been filed separately with the Securities and Exchange Commission. 11 <PAGE> Registration data and certificates This data will be kept on-line for 90 days prior to being archived. Archived data will be maintained for seven (7) years and must be retrievable, on-line and / or on hard copy, within six (6) hours of request. System logs and transaction history This data will be kept on-line for 90 days prior to being archived. Archived data will be maintained for one year and must be retrievable, either on-line and / or on hard copy, within twenty-four (24) hours of request. 2. Measurement The measurement for data management is based upon the data being available, either on-line or retrieved from archive, within the periods specified above. 3. Minimum Service Level Requirement The data management requirements must be met * of the time. E. System Monitoring and Outage Reporting 1. Definition Monitoring The key storage units for all of the CAs must be checked for tampering on a daily basis. The applications and/or systems for the Access to Service facilities and Certification Processing Service must be monitored continually and a status check taken every 30 minutes. Outage Reporting All ECS hardware and/or software faults shall be logged, tracked and reported using a suitable computer-based system and provided to Visa within two (2) hours of occurrence. All ECS system hardware, network, and software failures, their impact on ECS operations and any actions taken to correct the problem, including an event log shall be reported to Visa according to the schedule listed in Section V.C - Customer Callback Timeframes and Definitions. 
In addition, Visa shall be notified within one hour of any major failure that affects the normal operation of ECS. 2. Measurement The status checks must be recorded on a status log and signed by the VeriSign system operator. This status log must be available for review by Visa at any time. Problem / event logs and system logs will record outages and causes (if known). These also must be made available to Visa for review at any time. * Confidential treatment has been requested with respect to certain portions of this exhibit. Confidential portions have been omitted from the public filing and have been filed separately with the Securities and Exchange Commission. 12 <PAGE> 3. Minimum Service Level Requirement Compliance with the monitoring, logging and reporting requirements must be *. F. Scheduled Down Time 1. Definition Access to Service There is no scheduled down time for the Access to Service facility. Certification Processing Service There will be a scheduled down time period weekly to perform maintenance, backup and upgrade functions for the CAs. This period will not exceed * and will be at the same time each week as agreed to by Visa and VeriSign. If a longer down time window is needed, it must be agreed to in advance by Visa and VeriSign. 2. Measurement The measurement for scheduled down time for any CA is based on the time elapsed from when the CA is not capable of performing operations until it becomes available for performing operations. During this down time period, certificate transactions intended for the CA must be accepted, an appropriate signed response message returned to the requester, and the transaction queued for processing when the CA becomes available again for performing operations. Daily system logs will indicate system down time and the cause (if known) and can be used to track outages. 3. Minimum Service Level Requirement * of the down times must be within the required period. 
In addition, the access to the service (i.e., the receipt of certificate transactions, return of appropriate signed response, queuing of transaction for subsequent processing) must be available * of the time.

G. Backup

1. Definition

At a minimum, all data related to the CAs, including application files and databases, system tables, log files, etc., will be backed up on a scheduled, daily basis. In addition, the CA application and all system components will be backed up on a weekly basis. All backups must be done non-disruptively without adversely impacting normal ECS operations. The backup files must be stored in a secure off-site facility as agreed upon by VeriSign and Visa.

2. Measurement

Daily system logs will indicate time and location of backup files, backup media identification and any other relevant information needed for recovery of backup files.

3. Minimum Service Level Requirement

The backup requirements must be met * of the time.

H. KEY COMPROMISE

1. Definition

On-line Certification Processing Service

In the event of a key compromise, an on-line CA must be able to revoke certificates generated with the compromised key or keys, generate new keys, request a new certificate from the appropriate CA, regenerate subordinate certificates with the new keys, and have these certificates available for distribution within twenty-four (24) hours of the time that the compromise is identified for merchants, payment gateways, MCAs, CCAs, GCAs and PCAs. The timeframe for cardholders will be y hours for certificates. In addition, the new public key must be published as specified by Visa.
Off-line Certificate Processing Service

In the event of a key compromise, the Brand CA must be able to revoke certificates generated with the compromised key or keys, generate new keys and have a new certificate(s) request ready to submit to the Root CA within two hours of the time that the compromise is identified. In addition, the new public key must be published as specified by Visa.

2. Measurement

The measurement of recovery from key compromise is the elapsed period of time between the point at which the key compromise is identified and the point in time at which the regenerated certificates are available for distribution (on-line CAs) or a new certificate(s) request is ready for submission to the Root CA (Brand CA).

3. Minimum Service Level Requirement

The key compromise recovery time frames must be met * of the time.

I. CONTINGENCY OPERATIONS / RECOVERY

1. Definition

Access to Service

In the event of a failure of the Access to Service facilities, a switch must immediately occur to a backup set of facilities. At no time should a requesting entity be unable to submit a certificate transaction and receive an appropriate signed response.

Certification Processing Service

If any single component of the Certification Processing Service (e.g., CA) fails, the component shall be recovered to the point of failure within six (6) hours. In the interim period before normal operations have been restored, Access to Service must be available with certificate transactions accepted and queued for future processing and an appropriate signed response returned to the requesting entity.
If at the end of six hours the failed component has not been recovered, operations for that component will be performed at the backup site until such time as the component at the primary site has recovered.

In the event of a total Certification Processing Service failure, a switch to a backup facility must occur. Within twenty-four (24) hours, normal operations should begin at the alternate site with recovery to the point of failure for all systems and files. In the interim period before normal operations have begun at the alternate site, Access to Service must be available to receive certificate transactions, queue the transactions for future processing and provide an appropriate signed response to the requesting entity. When the primary site has recovered, upon agreement by Visa and VeriSign, operation of the Certification Processing Service will be switched back to the primary site with no loss of data.

2. Measurement

The measurement for recovery of an ECS system component or a total system outage will be the length of time between the point that the outage occurs and the point that a full recovery to normal operations has been completed. The ability to satisfy the recovery and/or contingency operations requirements will be demonstrated through periodic scheduled tests.

3. Minimum Service Level Requirement

The recovery and contingency operations requirements must be met * of the time.

J. REPORTING

VeriSign shall provide Visa with reporting on a scheduled basis. This will include both service level and activity reporting and may be either on hard copy or electronic (i.e., report or data files) form as agreed to by Visa and VeriSign.

K. PENALTIES

All service levels are calculated, and penalties assessed, on a monthly basis.

1. Access to Service

Availability

Service Level: * availability, 24 hours per day, 7 days per week, 365 days per year

Penalty:
    *          $5,000
               $10,000
               $15,000
    Below      $5,000 per percent; considered to be grounds for termination of contract

Response Time

Service Level: 100% of certificate transactions received, responded to (appropriate signed response) within *.

Penalty:
    *          $500
               $1,000
               $1,500
               $2,000
               $2,500
    Below      $500 per percent; considered to be grounds for termination of contract

2. On-line Certification Processing Service

Availability

Service Level: * availability, 24 hours per day, 7 days per week, 365 days per year with exception of scheduled downtime.

Penalty:
    *          $5,000 per CA
               $10,000 per CA
               $15,000 per CA
    Below      $5,000 per percent per CA; considered to be grounds for termination of contract

Response Time

Service Level: * of certificate transactions received, responded to (appropriate signed response) within *.

Penalty:
    *          $500 per CA
               $1,000 per CA
               $1,500 per CA
               $2,000 per CA
               $2,500 per CA
    Below      $500 per percent per CA; considered to be grounds for termination of contract

3. Off-line Certification Processing Service

Availability

Service Level: * availability during normal operating hours and upon request with proper notification.

Penalty: $10,000 per occurrence of non-availability.

Response Time

Service Level: * of requests for Brand CA operations must be responded to within * during normal operating hours. Under extreme conditions, VeriSign must respond to a Visa request for Brand CA operations within *. * of Brand CA operations must be processed and validated within * of the start of the operation.

V. VERISIGN ECS CUSTOMER SUPPORT SERVICE LEVELS

VeriSign will provide support to Visa as described in the customer support requirements section of the contract. The VeriSign interface for customer support will be limited to designated individuals within Visa.

A. Availability

VeriSign Customer Service must be available to accept and respond to problem calls from Visa seven (7) days a week, twenty-four (24) hours a day.

B. Response Time

Normal Hours of Operation

Between 0600 and 1800 PT, VeriSign Customer Support should respond immediately (i.e., answer the telephone within three rings).

Outside of Normal Hours of Operation

Between 1800 and 0600 PT, VeriSign Customer Support should respond within fifteen (15) minutes.

C. Customer Support Callback Timeframes and Definitions

VeriSign Customer Support will, at a minimum, initiate a return telephone call to Visa to establish if the problem has been corrected based on the following call reporting criteria:

    Problem                                             Callback
    Severity    Definition                              Frequency
    --------    -------------------------------------   -----------
    1           Entire population of a CA impacted      30 minutes
    2           Multiple Member CAs impacted            60 minutes
    3           Single Member CA impacted               90 minutes
    4           Single cardholder or merchant impacted  120 minutes

In every case, if the problem has not been corrected within the callback frequency, VeriSign Customer Support will monitor the problem to determine if any corrective work has begun. If it has, then VeriSign Customer Support will continue to monitor the situation and provide

VeriSign Private Label Agreement Page 61

EXHIBIT "L"

SUPPORT LEVELS

1. SECOND-LEVEL SUPPORT FOR MEMBERS

VeriSign will provide second level telephone support for any problem concerning a Certificate issued to a Member on a twenty-four (24) hour per day, seven (7) day per week basis. In the event that a Member problem is not resolved by the first level good-faith efforts of VISA Member Support, VeriSign will provide second level telephone support for a reasonable volume of calls from VISA Member Support. Upon VISA Member Support's providing VeriSign with a clear description of the unresolved problem, VeriSign will verify the problem's existence and determine the conditions under which the problem may recur. After such verification and determination, VeriSign will, at its option,

1.1 use its best efforts to provide an immediate fix for the problem;

1.2 use its best efforts to provide a temporary solution of or workaround to the problem;

1.3 provide a statement that the problem will be corrected in a future release;

1.4 provide a statement that more information about the problem is required (however, after sufficient information, in VeriSign's opinion, is provided to VeriSign, VeriSign will provide to Customer one of the other four support alternatives contained in this Section 1); or

1.5 provide a statement that the Private Label Certificate System operates as described in VeriSign's then current user documentation or that the problem arises when such Private Label Certificate System is used other than in a manner for which it was designed.

In the case of such second-level support, VeriSign will not contact a Member directly for more information about the problem unless VISA Member Support so requests.

2. THIRD-LEVEL SUPPORT FOR CARDHOLDERS AND MERCHANTS

In the event that a Cardholder or Merchant problem has not been resolved by the good-faith efforts of the relevant Member at the first level or by VISA at the second level, VeriSign will provide telephone support for a reasonable volume of calls to VISA as the third level.
Upon VISA's providing VeriSign with a clear description of the unresolved problem, VeriSign will verify the problem's existence and determine the conditions under which the problem may recur. After such verification and determination, VeriSign will, at its option,

2.1 use its best efforts to provide an immediate fix for the problem;

2.2 use its best efforts to provide a temporary solution of or workaround to the problem;

2.3 provide a statement that the problem will be corrected in a future release;

2.4 provide a statement that more information about the problem is required (however, after sufficient information, in VeriSign's opinion, is provided to VeriSign, VeriSign will provide to Customer one of the other four support alternatives contained in this Section 2); or

2.5 provide a statement that the Private Label Certificate System operates as described in VeriSign's then current user documentation or that the problem arises when such Private Label Certificate System is used other than in a manner for which it was designed.

In the case of third level support provided for Cardholder and Merchant problems, VeriSign will not contact the Member directly for more information about the problem unless VISA so requests, and VeriSign will not contact the Merchant or Cardholder directly under any circumstances.
The following chart summarizes telephone support provided in this Section:

    ==============================================================================================
    Type of Certificate   Entity Supported       First level           Second level   Third level
    ----------------------------------------------------------------------------------------------
    Member                Issuers, Acquirers,    VISA Member Support   VeriSign       N/A
                          Processors
    ----------------------------------------------------------------------------------------------
    Cardholder            Cardholders            Member                VISA           VeriSign
    ----------------------------------------------------------------------------------------------
    Merchant              Merchants              Member                VISA           VeriSign
    ==============================================================================================

3. TIMES TELEPHONE SUPPORT IS PROVIDED

VeriSign will accept and log all second level support requests received from Customer on a twenty-four (24) hour per day, seven (7) day per week basis, including national holidays. VeriSign will provide regular telephone support for both second level and third level on Monday through Friday 8:00 a.m. to 5:00 p.m., local time, and will provide critical corrective support after hours (outside the hours of 8:00 a.m. to 5:00 p.m., local time) and on national holidays. A problem is considered critical when the Private Label Certificate System will not operate or the Customer cannot perform its business function due to a Private Label Certificate System problem.

4. CUSTOMER RESPONSIBILITIES FOR TELEPHONE SUPPORT

Customer will (i) identify, document and report to VeriSign each problem with the Private Label Certificate System necessitating telephone support, (ii) supply VeriSign with all documentation and assistance necessary to demonstrate and allow VeriSign to diagnose the problem, and (iii) install each solution to such problem provided by VeriSign. If Customer requests corrective changes to the Private Label Certificate System and VeriSign determines that the reported malfunction is not related to the Private Label Certificate System, VeriSign may charge Customer for its diagnostic services on a time and materials basis. Customer will assure the proper use, management and supervision of any application programs, audit controls, operating methods and office procedures necessary for the intended use of the Private Label Certificate System. Customer will provide the first-level support to Members through VISA Member Support as provided in Section 1 above. Customer will provide second-level support to Cardholders and Merchants through VISA as provided in Section 2 above.

EXHIBIT "M"

TIMETABLE FOR RESOLUTION OF OUTSTANDING ISSUES

    Open Issues                                                              Date for Resolution
    -----------                                                              -------------------
    1. Logo Usage Guide to be attached to Agreement as Exhibit "C"           June 30, 1996
    2. Add description of level of telephone support for Payment Gateway
       to Exhibit "L"                                                        June 30, 1996
    3. VISA Requirements for ECS (Exhibit "F") to be finalized as to
       issues indicated as open therein                                      June 30, 1996
    4. System Design Specifications to be attached to Agreement as
       Exhibit "E" after approval by VISA                                    In accordance with Project Plan
    5. Acceptance Test Procedures to be attached to Agreement as
       Exhibit "G" upon approval by VISA                                     In accordance with Project Plan
    6. Service Level Specification to be reevaluated for possible
       modification after Acceptance Test Procedures have been approved.     In accordance with Project Plan