• Q: How am I protected from outgoing transmissions that may take me to an infected web site?

    A:  As an added layer of security, Netsurion’s centrally managed firewall network allows control over outbound network traffic by checking actual Internet addresses. It also actively monitors credit card processing activity to ensure card data is not circumventing the firewall or being re-routed. These all work together to prevent data from being sent to malicious sites and countries, as well as denying traffic requests containing other potential vulnerabilities.
  • Q: How do I request an exception for my external vulnerability scans?

    A: 
    1. Log in to the PCI Compliance Manager.
    2. Select the location in question.
    3. Select the failed scan.
    4. Click on the "Scanned Host".
    5. Select “Show Details” for the failure you’d like to negate.
    6. Next to the “Details” tab, select the “Exception Request” tab.
    7. Select the category that most closely fits your situation:
      • Invalid Finding - You believe the result is incorrect (traditionally known as a "false positive") and the result is not an accurate vulnerability on this system.
      • Vulnerability Patched - The result is due to a version check and you have previously applied the patch (also known as a "backport") prior to the start of this scan.
      • Out of Scope - The result is on a port/service that is forwarded to a network outside of the scope of this test.
      • Compensating Control - The vulnerability exists; however, you have some documented mitigating control in place to compensate against the risk.
    8. Enter a description as to why the result should be marked as an exception.
    9. Check the “I assert…” box.

    The requests will either be approved, or we'll contact you to ask for more information. The scan results will not be altered until the request has been approved.

    In the future, any previously made requests for exceptions will be presented to you upon the completion of future scans. You'll be prompted to confirm those requests again.

  • Q: I don't have a technical staff or IT department. How easy will it be to implement?

    A:  Netsurion works hard to simplify installations by working around our customers’ schedules and minimizing impacts to the business. We use a patented installation methodology that doesn't require a reconfiguration of the network’s IP address structure, thereby saving time and eliminating issues reconnecting printers or other peripheral devices. This means installing our firewall or wireless access points is done around your schedule, quickly, and with minimal impact to your business.
  • Q: How does the Netsurion solution help with protecting customer card numbers and identities?

    A:  Netsurion's overall goal of security includes several capabilities that assist in keeping payment account information safe, but three things really set us apart. First, unlike many others, Netsurion provides outbound traffic restrictions as part of its base configuration. These outbound restrictions were instrumental in stopping Backoff from affecting numerous businesses infected by this malware, for example. Second, Netsurion is the only centrally managed firewall solution that actively monitors traffic patterns to ensure that credit card processing terminals have not been reconfigured to circumvent the firewall. And third, Netsurion is the only provider in the industry that actively monitors clients’ networks and inventories connected devices, discerning allowed devices from potentially harmful devices and informing the location when they are discovered.
  • Q: I heard that PCI 3.0 is the current standard. Do I have to do anything differently than I did under PCI 2.0?

    A:  While PCI 3.0 should be viewed as a measure to clarify some confusing items in PCI 2.0, there are differences in the standard that should be understood as part of your compliance efforts. Under the new standard:

    1. The requirements for wireless access point detection have been clarified, and it is possible that previous measures will no longer be sufficient under the new standard.
    2. Physical examination and inventory of the point of sale environment is listed with much greater clarity which could cause you to increase your efforts to meet the new standard.
    3. If you use a service provider to manage your point of sale, they must use stronger security, with more detailed user account management, whenever they access your systems remotely.
    4. The network diagram calls for more information and details regarding the flow and storage of credit card data.
    5. Alternative measures for passwords are addressed because some organizations use means that are more secure than passwords, but they would not meet the specifics of the standard.

    For the most part, the standard has not changed substantively, but it provides much more clarity and granularity when it comes to what individual requirements demand.

  • Q: How does the Netsurion solution help with PCI compliance?

    A:  Becoming and staying compliant is a complex and time consuming process. Netsurion's proprietary SAQuick application paired with its managed security solution simplify the compliance process and save merchants significant time by pre-populating as much as 75% of the annual PCI Security Assessment Questionnaire. Simply work through our SAQ wizard, and within 15 questions and less than 5 minutes Netsurion will be able to pre-populate the answers to most questions regarding a merchant’s network environment.
  • Q: How will Point to Point Encryption (P2PE) affect my PCI compliance?

    A:  P2PE is a measure where the card data is encrypted at the time of the swipe and remains encrypted throughout the whole time that the data is in the point of sale system. It is not decrypted until it arrives at the bank. The benefit of P2PE is that it can drastically reduce the scope of what is necessary for PCI, and it is a strong security measure. However, P2PE does not eliminate the need to be PCI compliant. It has the potential to make some of the elements of PCI not applicable to your environment, but requirements like firewalls, strong security for remote access, hardware inventory, and several other items are still fully required in many P2PE deployments. Theft can be greatly deterred by this technology, but the potential to lose cards to hackers is not completely eliminated, so PCI is still a requirement when P2PE is deployed.
  • Q: Does EMV eliminate my need to become PCI compliant?

    A:  No, EMV (which stands for Europay, Mastercard, and Visa) is a measure that increases the security associated with credit cards. EMV credit cards use an electronic chip and an extra layer of security when the credit card is swiped at a merchant location. The full track data is no longer stored or sent for a transaction, so if a thief intercepts the data, they will not be able to replicate the card. However, credit card data (the account number for example) is still used and potentially stored by the point of sale system. It is harder to replicate credit cards, but EMV does not eliminate all the potential for theft. Therefore, the requirements for PCI compliance are still in full effect after EMV is implemented.
  • Q: How do firewalls play a part in data security?

    A:  The firewall can be thought of as the device that acts as the gatekeeper between the public Internet and the private cardholder data environment. In the typical merchant environment, the firewall is the first line of defense against external threats. It is responsible for blocking inbound Internet traffic, including the attempts of hackers to penetrate the network.

    A properly configured firewall also can help prevent a merchant from accidentally causing an internal issue by blocking access to the Internet from within the POS environment. The problem many businesses face is that not all firewalls are created equal, and the rule set is only as good as the individual — hopefully a security expert — who set up the protection.

    “There is a reason that the PCI standard starts with firewall security,” Cyprus said. “Without good protection at the Internet connection, almost all other measures are irrelevant. Hackers rely on poorly configured firewalls when they begin their attempts to violate network security.”
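    The gatekeeper role described in this answer, together with the outbound restrictions mentioned in the first question above, modelled as an added example (this is not Netsurion's code or configuration): a first-match rule set with default deny in both directions, an explicit allowlist for what the cardholder-data segment may reach, and a log of what was denied, evaluated against constructed sample flows. The subnets, the processor address, the rule names and the sample traffic are all assumptions made for the illustration.

```python
"""First-match firewall policy with default deny, applied to sample flows.

Added example, not Netsurion's product or any real device configuration.
The subnets, processor address, rules and flows are constructed for
illustration; the lesson is the same for any rule engine: default deny in
both directions, an explicit outbound allowlist for the cardholder-data
segment, and a record of what was denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
CDE_NET = ip_network("10.10.20.0/24")         # constructed: POS / cardholder-data segment
LAN_NET = ip_network("10.0.0.0/8")            # constructed: the rest of the merchant LAN
PROCESSOR_NET = ip_network("203.0.113.0/24")  # constructed: payment processor (TEST-NET-3)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: object        # an ip_network
    dst: object        # an ip_network
    dports: frozenset  # empty set means any port
    action: str        # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        # Matching is on addresses, not host names: a rule written against a
        # name would be only as trustworthy as the DNS answer behind it.
        return (ip_address(flow.src) in self.src
                and ip_address(flow.dst) in self.dst
                and (not self.dports or flow.dport in self.dports))


# Evaluated top to bottom; the first matching rule wins.
POLICY = [
    # Outbound from the CDE: only the processor, only over TLS.
    Rule("cde-to-processor", CDE_NET, PROCESSOR_NET, frozenset({443}), "allow"),
    # Anything else leaving the CDE is blocked, so a reconfigured terminal or
    # malware on a POS host cannot ship card data to an arbitrary address.
    Rule("cde-outbound-default", CDE_NET, ANY, frozenset(), "deny"),
    # Administration of CDE hosts only from the internal LAN, only SSH.
    Rule("lan-mgmt-to-cde", LAN_NET, CDE_NET, frozenset({22}), "allow"),
    # Everything else reaching into the CDE, Internet included, is blocked.
    Rule("inbound-to-cde-default", ANY, CDE_NET, frozenset(), "deny"),
]


def evaluate(flow: Flow, policy=POLICY) -> tuple:
    """Return (action, rule_name); a flow that matches nothing is denied too."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


def audit(flows, policy=POLICY) -> list:
    """Log lines for denied flows: the record a monitoring team reviews."""
    lines = []
    for f in flows:
        action, name = evaluate(f, policy)
        if action == "deny":
            lines.append(f"DENY {f.src} -> {f.dst}:{f.dport} by {name}")
    return lines


# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("10.10.20.15", "203.0.113.10", 443),   # terminal to processor: allowed
    Flow("10.10.20.15", "198.51.100.7", 443),   # terminal to unknown host: denied
    Flow("10.10.20.15", "203.0.113.10", 80),    # processor, but plaintext port: denied
    Flow("198.51.100.7", "10.10.20.15", 3389),  # Internet to CDE: denied
    Flow("10.0.0.5", "10.10.20.15", 22),        # LAN admin SSH: allowed
    Flow("10.0.0.5", "10.10.20.15", 3389),      # LAN RDP into CDE: denied
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

    Rule order matters in a first-match engine: the SSH allow for the LAN sits above the inbound default deny, and the processor allow sits above the outbound default deny. The denied-flow log is the part a managed service would actually watch, since a terminal suddenly trying to reach an unknown address is exactly the reconfiguration the earlier answer describes.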
  • Q: Will the firewall affect my payment processing speeds?

    A:  A properly configured firewall does not slow down transaction processing speeds.
  • Q: Do I need to train my staff about PCI security?

    A:  While implementing security, too many businesses focus on the technical aspect of the network, discounting the importance of user education. People are often the weakest link in a security plan.

    By taking the time to incorporate the elements of PCI security, businesses can increase the protection of their sensitive data without making any additional investment in their infrastructure.

    PCI is clear on the importance of training and specifically acknowledges that card-handling employees must receive credit card security policy updates annually.
  • Q: Do I really need to update my software?

    A:  When PCI was first introduced in 2004, POS software companies rewrote their software to comply with the standard and released updates so that merchants would be able to keep their data secure.

    Once compliant software is available, it is up to the merchants to upgrade their systems accordingly. If a location has unsecured software managing credit card transactions, then that business is a prime target for cyber thieves.

    Even with all of the recent industry education efforts and information available about credit card breaches, many merchants have elected to ignore the threat and continue running their stores with unsecured software. It is usually a matter of inconvenience or expense that drives merchants to delay this critical upgrade, but the issue is too important to ignore.

    It is up to the merchants who have the trust of their patrons to do their part and update their out-of-date POS systems with modern ones that take data security seriously.
  • Q: What is Heartbleed, and should I be concerned about it?

    A:  Heartbleed was the name given to a vulnerability discovered in a widely used and freely distributed version of OpenSSL. Heartbleed has often been mistakenly called malware, but it is not software itself; it is the name of the vulnerability that was discovered. If you used an improperly patched version of OpenSSL, then Heartbleed affected you. Many websites, and the management consoles on hardware devices, used affected versions of OpenSSL. It is important that you look at your external and internal vulnerability scans to see if you are affected by Heartbleed.

    At the time of the discovery, Netsurion ran a special one-time external scan looking for routers that were beyond Netsurion's control and worked with our customers to remediate their issues. None of the systems managed by our firm were ever affected by Heartbleed, so only auxiliary systems were potentially at risk, and our scans are fully capable of detecting vulnerable systems, so our customers can respond appropriately and patch their systems.
  • Q: What is two-factor authentication, and how does it help secure remote access?

    A:  In short, two-factor authentication can be thought of as something a user knows and something the user has that will conclusively validate the identity of the person logging into the network. Usually, the part that a user knows, the first factor, is a user name and password. Without the second factor, if that information was ever compromised, someone else could use those credentials to log in.

    The second factor of two-factor authentication ensures that someone accessing the network is actually who they claim to be. The second factor cannot be more information that a user knows. Instead, it should be something physical such as a fingerprint, a token, an individual SSL certificate or something else unique to the individual. Newer approaches involving two-factor authentication use a random six-digit number sent to a cell phone or email account. The number is keyed in to a field below the user name and password and is typically good for two minutes.
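    The six-digit, two-minute code described above, as an added example of the server side of that second factor (this is not Netsurion's implementation): the code is drawn from a cryptographic random source, only a salted digest of it is stored, it expires after the two-minute window, it is accepted once, the number of guesses is bounded, and the comparison is constant-time. Delivery by SMS or e-mail is outside the block; the user names, the attempt limit and the injectable clock used for testing are assumptions.

```python
"""Issuing and checking a short-lived one-time code as a second factor.

Added example, not Netsurion's implementation. It models the flow the
answer describes: a random six-digit code sent out of band, valid for about
two minutes, accepted once. Delivery (SMS or e-mail) is outside the block;
the user names and the attempt limit are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # the two-minute validity window the answer mentions
MAX_ATTEMPTS = 5         # assumption: bounds guessing of a six-digit code


class OneTimeCodeStore:
    """Server-side state for pending codes, keyed by user."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested offline
        self._pending = {}         # user -> [digest, salt, expires_at, attempts]

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user: str) -> str:
        # Uniform six digits from the CSPRNG, leading zeros kept.
        code = f"{secrets.randbelow(1_000_000):06d}"
        salt = secrets.token_bytes(16)
        # Only a salted digest is stored: a leaked store does not leak live codes.
        self._pending[user] = [self._digest(code, salt), salt,
                               self._clock() + CODE_TTL_SECONDS, 0]
        return code   # handed to the out-of-band sender; never logged

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, salt, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]      # expired codes are discarded outright
            return False
        entry[3] += 1
        if entry[3] > MAX_ATTEMPTS:
            del self._pending[user]      # too many guesses: force a fresh code
            return False
        # Constant-time comparison of digests, not a plain == on the code.
        ok = hmac.compare_digest(digest, self._digest(submitted, salt))
        if ok:
            del self._pending[user]      # single use
        return ok


def login_second_factor(store, user: str, password_ok: bool, submitted: str) -> bool:
    """Both factors must pass; the code is only consulted after the password."""
    return password_ok and store.verify(user, submitted)


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")            # in practice: send it, do not print it
    print("accepted:", login_second_factor(store, "alice", True, code))
    print("replay accepted:", login_second_factor(store, "alice", True, code))
```

    The attempt limit is what makes a six-digit code workable: without it, one million guesses inside the window is feasible for an attacker who already holds the password, so the second factor would add little.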
  • Q: What should I be thinking about when choosing my data security solution?

    A:  Businesses need to weigh their technology decisions carefully. They should look for flexible, technology-agnostic data security solutions — ones that work with a system regardless of the POS hardware, card association or processing relationship — and solutions that effectively remove data from an environment while allowing access when needed.
  • Q: If my software is PCI compliant, is my operator compliant as well?

    A:  No. This is a fallacy, and a merchant who draws this erroneous conclusion could be open to any number of vulnerabilities which by themselves would negate the possibility of PCI compliance.

    When describing the requirements for Visa’s Payment Application Best Practices, a Visa-specific standard that was replaced by the Payment Application Data Security Standard (PA-DSS) in 2009, Visa states that, “Visa prohibits the retention of full magnetic-stripe (‘track’) data, Card Verification Value 2 (‘CVV2’) and PIN blocks — all critical impediments to achieving PCI DSS compliance.”

    This shows Visa’s own acknowledgement that secure software is required to support PCI, but it is not sufficient by itself. Using secure applications is only a part of the PCI compliant picture.
  • Q: What is Wireless Detection, and why do I need it?

    A:  Wireless detection does not need to include wireless scans or wireless intrusion detection or prevention technology. The method used to look for wireless devices must be appropriate based on the complexity, size and individual circumstances of the cardholder data environment. Using technology to assist in this effort, specifically wireless detection, is a best practice, and it should be highly encouraged, but PCI acknowledges that a physical examination (assuming it is thorough enough to find rogue access points) could be an adequate measure to comply with this part of the standard.
  • Q: What is the difference between an external and an internal vulnerability scan?

    A:  The external vulnerability scan does not include what is necessary for the internal vulnerability scan. They are two completely separate items.

    Even though none of the card brands specifically require the individual internal vulnerability scans to be turned in for validation purposes (unlike the external scans, which are often required to be turned in), merchants must still be able to show that they are working to resolve any issues that the scans uncover. It is not acceptable to ignore “high” vulnerabilities that are listed in the internal vulnerability scan.
  • Q: Does passing an external scan mean my location has no vulnerabilities?

    A:  Passing an external scan does not necessarily mean that a location has no vulnerabilities. The passing of an external scan simply means that it is not vulnerable to some of the common methods hackers use from the Internet to illegally enter a network without permission.
  • Q: What do I need to do to achieve PCI compliance?

    A:  Much like food safety regulations, PCI requirements are important standards established to protect consumers. To achieve PCI compliance, owner/operators must meet these 12 requirements:

    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks
    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications
    7. Restrict access to data on a need-to-know basis
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data
    10. Track and monitor access to network resources and data
    11. Regularly test security systems and processes
    12. Maintain a policy that addresses information security
  • Q: Is Partial Security Better Than No Security?

    A:  “Should we do anything until we can afford to do it all?” Hackers and thieves tend to go to locations where their efforts will pay off in stealing data. If a thief has to choose between a location with pretty good security and one with no security, most thieves will choose the less secure location (assuming everything else about the locations is equal). Some of the requirements may be beyond the budget, but taking the steps towards compliance will bring you closer to security. We have actually published a white paper that delves into this topic in great detail if anyone wants to get a better grasp of it. (See Control Your Security, and PCI Will Follow)
  • Q: Can the Netsurion firewall be used in wired or wireless situations?

    A:  The Netsurion firewall works with both wired and wireless networks. This is essential in today’s “bring your own device” (BYOD) environment, because there are so many employee devices connecting wirelessly.