PCI Policies & Procedures

The best practices our experts have come up with to comply with the technical requirements of PCI. The policies are what your organization does while the procedures detail how you do it. In an audit, this is usually the first document request by the examiner.

PCI Risk Analysis

A list of issues to remediate to ensure the security and confidentiality of Cardholder Data. Run the Risk Analysis at least once a year, or when any significant changes could affect one or more system components.

PCI Management Plan

The Management Plan prioritizes tasks, by Risk Score and keeps track of closed and open items to ensure that issues identified are issues resolved.

Evidence of PCI Compliance

Includes log-in files, patch analysis, user & computer information, and other source material to support your compliance activities. When all is said and done, the proof to proper documentation is in the underlying supporting information!

External Vulnerability Scan

Shows security holes and warnings, and informational items including CVSS scores as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.

Internal Vulnerability Scan

Report shows security holes and warnings, and informational items including CVSS scores as scanned from inside the target network. Closing internal vulnerabilities helps prevent external attackers and internal users from exploiting weaknesses typically protected by firewalls. (This report requires a subscription to Network Detective Inspector.)

PCI Pre-scan Questionnaire

A list of questions about physical and technical security that cannot be gathered automatically. The survey includes questions ranging from facility access to firewall information to application development to authentication and change management standards.

External Port Security Worksheet

Document business justifications for all allowed ports, the protocol configured to use a specific port, and any insecure configurations implemented and in use for a given protocol.

Cardholder Data Environment ID Worksheet

This worksheet takes the list of computers gathered by the Data Collector and lets you identify those that store or access Cardholder Data. This is an effective tool in developing data management strategies including secure storage and encryption.

Server Function ID Worksheet

Only one function per server can be implemented to prevent functions that require different security levels from coexisting on the same server. The Service Function Identification documents server roles (web server, database server, DNS server, etc.) and the functions activated on each server (real/physical or virtual) within the Cardholder Data Environment (CDE).

User Identification Worksheet

The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify whether they are an employee or vendor. Users who should have had their access terminated can also be identified. Determine whether unauthorized users have access to protected information.

Necessary Functions Worksheet

For each server in the Cardholder Data Environment (CDE), this worksheet presents startup applications, services, and other functions, allowing you to identify functions which are unnecessary for the server to fulfill its primary function.

Antivirus Capability Identification Worksheet

This worksheet enables the PCI readiness specialist to inspect and document the features and capabilities Antivirus Software deployed on computers throughout network both in and out of the Cardholder Data Environment (CDE).

PAN Scan Verification Worksheet

The Deep Scan includes a Personal Account Number (PAN) scanner. The results of the PAN scan are presented in this worksheet, allowing you the opportunity to investigate and verify if the detected numbers are truly an identifying account number/credit card.

Compensating Controls Worksheet

PCI allows compensating controls to be put in place to mitigate potential security issues in the environment. All discovered issues are presented in this worksheet to allow you to document the compensating controls that may be in place.

PCI Layer 2/3 Diagram: Requires the Network Detective Inspector

This diagram shows the various components discovered along with their Layer 2 and Layer 3 connections. Systems and devices that are part of the Cardholder Data Environment (CDE) are highlighted. Having a representation of the components in the CDE along with their connectivity to the global network is a requirement of PCI.

ASV Certified Reports

Generated by an Approved Scan Vendor, the PCI Attestation serves as your certificate or proof that the Host/IP address has passed the PCI-DSS standards for external vulnerabilities. The Attestation is available for a small, additional charge.