Description of Services

24/7 firewall or CXD status monitoring: An automated service whereby devices deployed by Netsurion to customer locations are regularly monitored to determine their operating status.

Application Control: A secondary filtering mechanism that can allow or block certain traffic and user actions based on the originating application.

Category-based web filtering: A predefined list of categories of websites to which traffic can be allowed or blocked. Websites that are not included in the predefined categorization are classified as “unknown” and allowed by default. Categories cannot be changed or defined by the customer.

Cellular backup service: A data-only cellular plan with a defined amount of monthly data included to be used as a backup to a primary WAN connection for business-critical applications only. Should a primary circuit failure occur, the firewall or CXD will automatically route selected data traffic to a cellular network. When the primary circuit connectivity is restored, the firewall or CXD will automatically reroute traffic back through the primary circuit.

Cellular network and data usage alerting: Netsurion monitors connectivity to and usage of the cellular backup service and notifies customers when the cellular backup service is in use, when certain data usage thresholds have been met, and, if those thresholds are exceeded, that the customer is now in a data overage situation.

Centralized firewall policy and configuration management: A central repository of configuration, policy management, and administration settings for firewalls or CXD devices. Changes to the central configuration, policy management, or administration settings will change the application function on all connected devices.

Circuit monitor and resolution: Electronic monitoring of the customer’s broadband connection and, if authorized, contact with the customer’s broadband supplier for notification and repair purposes should the customer’s broadband connection be lost. This is conditioned upon the customer providing Netsurion with current account information and appropriate permissions necessary to initiate a trouble ticket with the broadband provider.

Compliance assistance helpdesk: A team of dedicated compliance experts within Netsurion’s support organization who assist customers with PCI compliance support issues.

Critical device monitoring: A system that creates a baseline of all critical devices connected to the network being protected by a Netsurion managed firewall. The system then monitors to ensure that those critical devices stay connected to the network, and alerts specific contacts if any critical device is removed or becomes unresponsive.

Customer-specific security profile configuration (for Managed Services customers only): An optional feature of Netsurion’s CXD platform where policy and configuration management are provided to the customer by Netsurion. Similar to centralized firewall policy and configuration management above.

Data Breach Financial Protection: Netsurion’s reimbursement program for breach-related expenses available for some service types as part of an agreement with Netsurion. The terms and conditions of the Data Breach Financial Protection Program are specified at:

External vulnerability ASV scans (EVS): A PCI-compliance-required scan that examines a public internet address for known vulnerabilities. The results of the scan are provided to the customer for review and compliance. If an issue is found within the customer’s environment, it must be resolved or noted as an exception by the customer before subsequent scans will pass. According to the Payment Card Industry Data Security Standard (PCI DSS), an entity must pass four internal vulnerability scans per year, one each quarter.

Family-friendly Wi-Fi: A specific configuration of the customer’s Wi-Fi network that only allows access to a pre-defined set of category-based-website classifications that are deemed to not be offensive or contain potentially objectionable material.

File integrity monitoring (FIM): Local event logging and file integrity monitoring software used by Netsurion to log critical endpoint events so businesses can review their logs to assist them in meeting certain PCI DSS file integrity monitoring and log management requirements.

Firewall: The network device acting as a barrier between the premise’s local area network and the internet.

Firewall circumvention detection: A service that monitors data traffic flowing through the Netsurion Managed Firewall associated with the network segment that contains a customer’s point-of-sale (POS) traffic. If the volume of POS traffic falls below a certain threshold over a certain time period, an alert is raised to the customer indicating that the firewall may be bypassed.

Firewall log retention: Firewall and CXD device logs are stored in compliance with the PCI DSS 3.2 standards, and per PCI requirements, firewall logs should be reviewed by the customer regularly.

Forced configuration manager: A service that validates that the machine attempting to access Remote Access with SSL VPN is running appropriate security software (e.g., anti-malware software).

Internal vulnerability scan (IVS): An internal vulnerability scan looks for network vulnerabilities from within a LAN and is required by PCI DSS 3.2. IVSs examine systems in the cardholder data environment for known vulnerabilities. If an issue is found, the customer is notified so they may undertake remediation efforts. Issues resulting in a failed scan must be resolved by the customer before subsequent scans will pass. According to PCI DSS 3.1, an entity must pass four internal vulnerability scans per year, one each quarter.

Intrusion Detection/Prevention System (IPS): Monitors and scans traffic flowing into the network in real time for malware and suspicious activity.

CXD edge device: Netsurion’s proprietary edge device that delivers on-premise and virtualized network services.

Netsurion Connect Orchestrator: A cloud management console utilized by CXD devices to provide real-time access for configuring and monitoring CXD devices and centralized network services.

Network diagram template: A template designed to assist a small merchant who wants to create a PCI DSS compliant network diagram. It includes instructions and a sample diagram.

Network segmentation: A method of creating multiple isolated networks within a single computer network environment to separate sensitive data or systems from less critical and/or public data or systems.

Next-Generation Firewall (NGFW): A virtualized set of functionalities that combine traditional firewall technology such as packet filtering, network- and port-address translation (NAT), stateful inspection, and virtual private network (VPN) support with other network device filtering functionalities, such as an application-based firewall using in-line deep packet inspection (DPI) and an intrusion detection/prevention system (IPS).

Online training – safe credit card handling practices: Video content made available by Netsurion to assist customers in educating their employees on safe credit card handling practices as stipulated by the PCI DSS standard.

Payment Card Industry Data Security Standard (PCI DSS): A proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

PCI compliance management portal: A web portal where Netsurion clients can ease some PCI compliance requirements by having a single location where they can review external vulnerability scan results, various logs, and Self-Assessment Questionnaires (SAQ) in support of their compliance efforts.

Penetration testing guide: A document that describes a penetration test and provides general guidance to help minimize efforts when completing a penetration test, and a form that will assist the customer with tracking the results of the testing.

Power over Ethernet (PoE): The capability of a network device to receive its required power over an Ethernet connection.

PoE injector: A device that adds power to an Ethernet cable so that PoE equipment can be powered. Typically used in Wi-Fi access point implementations where a PoE supported switch or router is not employed.

Remote access with SSL VPN: A PCI-compliant Virtual Private Network (VPN) service that enables secure remote communication via the internet with a computer at a location protected by a Netsurion managed firewall or CXD. The service includes “two-factor authentication,” which uses a username and password as the first factor and a one-time password sent to an e-mail address and/or by text message as the second factor of authentication. Netsurion’s Remote Access with SSL VPN is the only remote access tool recommended by Netsurion for secure remote access to customer environments behind a Netsurion firewall or CXD.

Remote device provisioning: A deployment strategy for CXD edge devices where the CXD establishes a connection over the local WAN connection or over cellular and downloads a predetermined configuration, thereby reducing the amount of work needed in remote deployments.

Remote installation: A simplified installation process in which our engineers guide a customer’s staff through the process of installing a firewall or CXD on their network without a Netsurion employee being physically present at the customer’s location.

Rogue device monitoring: A detection system that sends an alert when a new computer is added to the protected segment of a network behind a Netsurion firewall.

Security policy and procedure template: An editable document designed to assist a merchant in their development of a PCI-specific set of policies and procedures, including a checklist template to track hardware and software versions. This template is a best-practices guideline and is not meant to be an exhaustive list of all activities necessary to achieve compliance.

Quality of Service (QoS): A feature of Netsurion’s SD-WAN platform where traffic from certain ports or network segments can be prioritized over other network traffic to ensure transmission quality.

Site-to-site VPN: A specific firewall configuration that enables a location to communicate to another location securely over a VPN.

Splash page: A click-through page displayed to wireless clients the first time the client opens a web browser and makes an HTTP request of the wireless network. Splash pages are typically used to display an acceptable use policy or network announcements. The user is only granted network access after clicking the “Continue” button on the splash page.

Service Set Identifier (SSID): The technical term for a wireless network name. When you set up a wireless network, you give it a name to distinguish it from other wireless networks.

Third-party contract addendum template: Agencies utilizing a third-party “service provider” to process merchant cards are subject to complying with Requirement 12.8 of the PCI Data Security Standard, which requires a “written agreement” addressing PCI DSS responsibilities. Netsurion provides sample language, intended ONLY as a general suggestion, that could be included in an addendum to an existing contract if the existing contract does not address the matter sufficiently.

URL white or black listing: A list of IP addresses the customer has designated as specifically allowable (white list) or to be blocked (black list) by the firewall or CXD. Once configured, these settings will take priority over category-based web filtering or other policy-specific restrictions.

Wireless Access Point detection: A service that detects Wireless Access Points connected through the Netsurion firewall that were not installed by Netsurion or part of an established network configuration. Customers receive an email alerting them to any unknown or unauthorized wireless access points detected.

Wireless mesh: A network of multiple wireless access points that require only one hard-wired connection. This facilitates the range and capacity expansion of a wireless network without having to install an Ethernet cable to each access point.

Wireless roaming: The ability of a wireless network with multiple access points to seamlessly support the roaming of a connected device from one access point to another. This provides for mobility of connected devices in a greater coverage area.