PCI COMPLIANCE
ONLY AUTOMATED TOOL FOR COMPLETE PCI COMPLIANCE
PCI compliance presents a huge opportunity for IT service providers and MSPs to offer a new set of IT services using the Network Detective PCI Compliance tool. With this powerful module you can provide:
Nearly 22 million businesses have merchant accounts and accept credit cards (about half of them are in the US), and most of these businesses are subject to the PCI (Payment Card Industry) Data Security Standard. Businesses that don't comply are subject to significant fines and may lose their right to accept credit cards, a "death penalty" for some businesses. That is your leverage to sell in your PCI Compliance services.
In 2006, MasterCard, Visa, JCB, American Express, and Discover established the PCI Security Standards Council, a 3rd party entity, to manage the Payment Card Industry security standards and to promote the standard's implementation by all companies (i.e. merchants) that accept credit/debit cards including all:
Retail merchants: Any business that operates in a storefront location, where the customers' debit and credit cards are physically swiped through the payment terminal.
Internet merchants: Any business run online that collects and processes credit and debit card information through its e-commerce website.
MOTO (mail or telephone order) merchants: Any business that operates by taking payments via the telephone and/or direct mail.
Chances are good that some of your existing clients fall under one of these categories and need you to attend to their compliance obligations to ensure that they are following the proper PCI protocols.
And if you don't already have clients subject to PCI Data Security Standards, walk down any business street and look on the door for the MasterCard/Visa/AmEx stickers and you'll be seeing a potential new client.
When you combine your general IT "smarts" with the subject matter expertise that is built into the Network Detective PCI Compliance module, you have everything you need to deliver profitable new services.
We've done the hard part, working with leading PCI authorities to create a "turn-key" software tool that guides you step-by-step through the entire process of performing comprehensive PCI risk assessments that are guaranteed to stand up to any audit or review.
Because much of the network and system data you need is collected automatically with our tool, the Network Detective PCI Compliance module is, hands-down, the fastest and easiest way to perform a PCI Compliance Assessment and IT audit. And, you can optionally add our Network Detective Inspector appliance to your subscription, to allow you to create a new recurring compliance-as-a-service offering or to provide additional internal vulnerability scans, which is another mandatory condition of PCI.
As with all of our other tools, the real value to you and to your clients, is in the powerful, professional and compelling branded reports that you will produce with this module.
For you, these reports become your service "deliverables." They create a tangible set of documents that will both inform your clients and impress them with the depth and quality of your services. For your clients, these documents will help them understand their risks, if any, and serve as their "proof" that they've done their due diligence in the event of a surprise audit or post-breach investigation.
Look at all of the impressive and useful documents you can generate with this module:
With our 100% satisfaction guarantee, there's absolutely no risk to you. You have everything to win and nothing to lose. Go ahead and subscribe to the Network Detective PCI Compliance module right now. Run the scans and follow the process on your own credit card environment (if you have one), or at a client or prospect site. Generate the reports. You'll have a full 30 days to put the tool through its paces. If during that time you decide that this product is not for you, just tell us and we'll cancel your subscription and provide you with a 100% refund.
We didn't become the #1 IT assessment company by accident. We work hard to ensure that our software is easy-to-buy, easy-to-use, and does exactly what we promise. If you're not happy, we're not happy. That's why we give you a full 30 days to try Network Detective after purchase. If it doesn't meet your expectations for any reason, return it for a full refund. No questions asked.
We've taken everything we have learned from our successful Network Detective HIPAA Compliance module and worked with top PCI experts to bring you the PCI Compliance module.
This is the first product of its kind that combines automatic collection of network and computer data with custom-generated worksheets that tell you what additional information to collect on site. Data from the various scans and worksheets is then automatically analyzed and seamlessly integrated into a set of PCI Compliance reports that you can brand as your own.
One of the most challenging aspects of ensuring that your clients are in compliance with PCI is gathering and organizing the vast amount of data that must be collected from a variety of sources. Network Detective makes this easy by giving you a central repository to safely and securely collect the information.
The Pre-Scan Questionnaire. This initial questionnaire should be completed before starting any scans. It is used to gather preliminary information regarding the target site.
Network & Local Quick PCI Scans. While you are conducting your Pre-Scan Questionnaire, you'll also want to be running the non-invasive Network Detective Local Quick PCI scanner on the network and on any PCs that your customers use in connection with their credit card data activity. The scanners are run directly from our Inspector, which is a small form-factor appliance. It literally takes less than a minute to perform the Quick scan on an individual machine, while the network scan could take an hour or more, depending on the size of the network.
External Vulnerability Scan. As part of your evaluation, you'll want to perform an external vulnerability scan. This is something that you can initiate remotely, either before or after the other automated scans.
Internal Vulnerabilities Scan. Expand the scope of your review by including an internal vulnerabilities scan in your assessment. To do this you will need to attach a Network Detective Inspector appliance to the Cardholder Data Environment (CDE).
Whether you do a limited "PCI check-up" or go all-out with a full PCI Data Security Standards assessment, the data collected from the scans that you perform are automatically correlated and seamlessly integrated into your reports. No need to copy and paste the results from different tools into a single document.
Once you've gathered the initial data and uploaded it all into the Network Detective application, the tool will generate customized worksheets based on the preliminary data collected that will allow you to identify components of the Cardholder Data Environment:
Local Deep PCI Scan. A PCI Deep Scan, which includes a "deep-dive" Primary Account Number (PAN) scan, should be run on all computers identified as belonging to the Cardholder Data Environment (CDE). You will also run the PCI Deep Scan on a sampling of computers outside the CDE to see if credit card data is being stored outside the CDE.
After completing the deep scan and uploading it into the Network Detective application, the tool will generate six customized worksheets based on the data collected – including:
Once you complete these worksheets, this data will be automatically cross-correlated with the data collected by the Network Detective data collector to identify any anomalies.
The next step in the process is to have the tool generate a Compensating Controls Worksheet, which will list issues that have been identified. You will note any exceptions and add further explanations as well as detail any Compensating Controls that your client has put in place to comply with PCI.
When you are ready to generate your documents for the first time, you'll go into Network Detective's advanced branding tool and set up the formatting for your reports. You can upload your organization's logo, client information, custom colors, report cover images and layouts. Then, simply go to the PCI Compliance tab in your Network Detective application and select the reports you want to generate.
Network Detective makes it so much easier to generate all of the documents needed to ensure that your clients are in compliance with all of the security provisions and many of the Cardholder Data Protection provisions of PCI. Not only does it allow you to create the final branded reports that will be your PCI compliance "deliverables," but it also automatically generates customized interim "worksheets" that guide you through the data-collection process.
When it comes to PCI compliance, it's all about preventing security breaches and making sure that the policies and procedures are being followed. The Network Detective PCI Compliance documents, combined with the CDE's examination records, are your best defense. You'll have cold hard proof of your ongoing best efforts to comply with PCI to share with your clients' Acquiring Banks.
The PCI Compliance module subscription includes our Enhanced Branding Package, giving you the ability to control the overall look-and-feel of the reports you generate. With the Enhanced Branding package, you can:
PCI Policies & Procedures Document. The Policies and Procedures are the best practices that our industry experts have formulated to comply with the technical requirements of the PCI DSS. The policies spell out what your organization will do, while the procedures detail how you will do it. In the event of a PCI Compliance audit, the first things an auditor will inspect are the Policies and Procedures documentation. This is more than a suggested way of doing business. The Policies and Procedures have been carefully thought out and vetted, referencing specific sections of the PCI DSS Requirements and supported by the other reports included with the PCI Compliance module.
PCI Risk Analysis Report. PCI is a risk-based security framework, and the production of a Risk Analysis is one of the primary requirements for PCI compliance. In fact, a Risk Analysis is the foundation for the entire security program. It identifies where Cardholder Data is stored electronically and where it is transmitted, the vulnerabilities that threaten the security of that data, the threats that might act on those vulnerabilities, and estimates of both the likelihood and the impact of a threat acting on a vulnerability. The Risk Analysis helps Card Processing Merchants and their 3rd party Service Providers identify the components of the Cardholder Data Environment (CDE) and how the data moves within, into, and out of the organization. It identifies what protections are in place and where more are needed. The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of Cardholder Data at rest and/or during its transmission. The Risk Analysis must be run or updated at least annually, and more often if anything significant changes that could affect one or more system components in the CDE itself.
PCI Management Plan. Based on the findings in the Risk Analysis, the organization must create a Risk Management Plan with tasks required to minimize, avoid, or respond to risks. Beyond gathering information, Network Detective provides a risk scoring matrix that an organization can use to prioritize risks, appropriately allocate money and resources, and ensure that issues identified are issues solved. The Risk Management Plan defines the strategies and tactics the organization will use to address its risks.
Evidence of PCI Compliance. Just performing PCI-compliant tasks is not enough. Audits and investigations require evidence that compliance tasks have been carried out and completed. Documentation must be kept for six years. The Evidence of Compliance includes log-in files, patch analysis, user & computer information, and other source material to support your compliance activities. When all is said and done, proper documentation means records that are accessible and detailed enough to satisfy an auditor or investigator, and that is what this report provides.
External Network Vulnerability Scan. Detailed reports showing security holes, warnings, and informational items, including CVSS scores, as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.
Internal Network Vulnerability Scan*. Detailed reports showing security holes, warnings, and informational items, including CVSS scores, as scanned from inside the target network. Closing internal vulnerabilities helps prevent both external attackers who have gotten inside the network and internal users from exploiting weaknesses that are normally shielded only by the external firewalls. *Requires the Network Detective Inspector appliance.
PCI Pre-scan Questionnaire. This questionnaire contains a list of questions about physical and technical security that cannot be gathered automatically. The survey includes questions ranging from how the facility controls access, firewall information, and application development to authentication and change management standards.
External Port Security Worksheet. This worksheet allows you to document business justifications for all of the allowed ports, the protocol configured to use a specific port, and any insecure configurations implemented and in use for a given protocol.
Cardholder Data Environment ID Worksheet. The Cardholder Data Environment Worksheet takes the list of computers gathered by the Data Collector and lets you identify those that store or access Cardholder Data. This is an effective tool in developing data management strategies, including secure storage and encryption.
Server Function ID Worksheet. Per PCI DSS Requirement 2.1.1, only one function per server can be implemented, in order to prevent functions that require different security levels from co-existing on the same server. The Server Function Identification worksheet enables you to document server roles (web server, database server, DNS server, etc.) and the functions activated on each server (physical or virtual) within the Cardholder Data Environment (CDE).
User Identification Worksheet. The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify whether each is an employee or a vendor. Users who should have been terminated, and whose access should have been removed, can also be identified. This is an effective tool to determine whether unauthorized users have access to protected information. It is also a good indicator of how promptly the organization disables access for terminated employees and vendors. Another benefit is that you can review the user list to identify generic logins, such as Admin, Billing Office, etc., which are not allowed by PCI since each user is required to be uniquely identified.
Necessary Functions Worksheet. For each server in the Cardholder Data Environment (CDE), this worksheet presents startup applications, services, and other functions, allowing you to identify functions which are unnecessary for the server to fulfill its primary function.
Antivirus Capability Identification Worksheet. This worksheet enables the PCI readiness specialist to inspect and document the features and capabilities of the antivirus software deployed on computers throughout the network, both in and out of the Cardholder Data Environment (CDE).
PAN Scan Verification Worksheet. The Deep Scan includes a Primary Account Number (PAN) scanner. The results of the PAN scan are presented in this worksheet, giving you the opportunity to investigate and verify whether each detected number is truly an account number/credit card.
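The verification step above, as an added example (not Network Detective's own PAN scanner): it pulls 13-19 digit runs out of text, keeps only those that pass the Luhn check and match a brand prefix, and reports them masked so the worksheet itself never holds a full PAN. The sample text and the issuer prefix rules are constructed for this example.

```python
"""Luhn-verified PAN candidate scan over plain text (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefix and length rules, constructed from widely published IIN
# ranges (the Mastercard 2-series range is approximated).
_BRANDS = (
    ("Visa", re.compile(r"^4\d{12}(?:\d{3}){0,2}$")),          # 13, 16 or 19 digits
    ("Mastercard", re.compile(r"^(?:5[1-5]|2[2-7])\d{14}$")),   # 16 digits
    ("American Express", re.compile(r"^3[47]\d{13}$")),         # 15 digits
    ("Discover", re.compile(r"^6(?:011|5\d{2}|4[4-9]\d)\d{12}$")),  # 16 digits
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def identify_brand(digits: str) -> str | None:
    """Return the brand name whose prefix/length rule matches, else None."""
    for name, pattern in _BRANDS:
        if pattern.match(digits):
            return name
    return None


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; truncated PANs are not cardholder data."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class PanFinding:
    line_no: int
    masked: str
    brand: str


def scan_text(text: str) -> list[PanFinding]:
    """Return one masked finding per Luhn-valid, brand-matching digit run."""
    findings: list[PanFinding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_valid(digits):
                continue                     # e.g. order numbers, typos
            brand = identify_brand(digits)
            if brand is None:
                continue                     # valid checksum, unknown issuer
            findings.append(PanFinding(line_no, mask_pan(digits), brand))
    return findings


# Constructed sample: only the industry test numbers are real PAN formats.
SAMPLE_TEXT = """\
order=10492 phone=555-123-4567 total=19.99
customer note: card 4111 1111 1111 1111 exp 12/27
invoice ref 1234567890123456 (internal id, not a card)
legacy export: 5555-5555-5555-4444;378282246310005
typo on form: 4111111111111112
gift card 6011111111111117 loaded at register 2
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line_no}: {f.brand} {f.masked}")
```

Lines 3 and 5 of the sample are dropped by the Luhn check alone, which is exactly the kind of false positive the worksheet asks you to rule out by hand.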
Compensating Controls Worksheet. PCI allows compensating controls to be put in place to mitigate potential security issues in the environment. All discovered issues are presented in this worksheet to allow you to document the compensating controls that may be in place.
PCI Layer 2/3 Diagram*. This diagram shows the various components discovered along with their Layer 2 and Layer 3 connections. Systems and devices that are part of the Cardholder Data Environment (CDE) are highlighted. Having a representation of the components in the CDE along with their connectivity to the global network is a requirement of PCI. *Requires the Network Detective Inspector.
By performing regular PCI security health checks with Network Detective, you can help your clients protect their customers' private data, guard against data breaches, avoid costly fines, and help them sleep better at night.
The benefits are obvious and so too is the opportunity for you to build a new or expanded PCI Compliance and Security practice with Network Detective. With this powerful module you can provide:
In 2006, MasterCard, Visa, JCB, American Express, and Discover established the PCI Security Standards Council, a 3rd party entity, to manage the Payment Card Industry security standards and to promote the standard's implementation by all companies (i.e. merchants) that accept credit/debit cards, including all businesses that sell products at retail locations, online, and through mail order.
The PCI Council lists the following goals to be achieved in order to comply with the PCI Data Security Standard:
To support your proposal, you can direct your client to see these goals for themselves on the PCI Security Standard Council's web site. This official web site will reinforce for your clients and prospects that PCI Compliance is a continuous process. That means ongoing services provided by you and recurring revenue for your business.
There are usually two financial institutions involved with your client's credit card business. The first is the Commercial Bank where your clients and prospects do their regular banking and have their business bank accounts. The second is the Acquiring Bank, which is the financial institution that has an agreement with your clients and prospects to process and deposit payments made by credit and debit cards in the regular business bank.
It goes without saying that at the end of the day, the financial institution carries the risk if there is a data breach and their clients are incapable of covering the loss and paying the fines. The banks would love it if all of their clients with merchant accounts had a professional IT services firm doing ongoing PCI compliance work.
Start with your own commercial bank. Explain the PCI services that you offer, and see if the bank is willing to refer you to their clients. Try proposing a partnership arrangement whereby you will do a free "preliminary assessment" for the bank's merchant account clients, with the understanding that if issues are discovered that require remediation, the bank will compel their clients to use your remediation services.
Also, keep in mind that the major card issuers (Visa, MasterCard, JCB, American Express, and Discover Financial Services) each require their own PCI Compliance reports, so your clients likely have more than one Acquiring Bank to deal with.
Many merchants don't fully understand the requirements and their responsibilities when it comes to maintaining PCI Security Compliance and when they find out, many businesses think they can do it themselves.
The PCI Security Standards Council does permit the merchants to do self-assessments but without a tool like Network Detective, they would find it very difficult to collect all of the data and generate the required reports.
If you come across this objection, send them over to the PCI Security Standards Council official web site to see what the real requirements are. The more they read, the more they will realize that they need help.
Make sure your clients understand that even if they are able to do their own PCI assessment, once that has been completed, a signed Attestation of Compliance must be executed and sent to the Acquiring Bank along with a number of documents that may include:
The Network Detective PCI Compliance module generates all of these documents automatically. Show your clients and prospects sample reports with your branding, and let them sell your services for you!
The topic of PCI Compliance is huge, and there are entire web sites that are dedicated to providing all of the details. If you want to get fully educated on this topic, we recommend that you go to the source: The PCI Security Standards Council web site.
The Council is a vendor-neutral organization with the sole mission:
"...to help merchants through maintaining and enhancing the PCI Security Standards, providing education and training about protecting payment card data with the PCI Security Standards, and by serving as a forum for engaging with the industry on developing these standards."
Note that enforcement of merchant compliance is managed by the individual payment brands and not by the Council – the same is true for non-compliance penalties.
Here's a quick summary of some of the information available at the PCI Security Standards website:
PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.
The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions.
If you have clients that accept payment cards, they are required to be compliant with the PCI Data Security Standard. Each of the major credit card issuers and acquiring banks has slightly different compliance requirements, but all follow the same general standards.
Here are the links to the web pages that will give you the specific requirements of each of the major credit card brands:
Small merchants are prime targets for data thieves. As their IT consultant it's your job to help your small merchant client protect cardholder data at the point-of-sale.
More than 600 million computer records containing sensitive personal information were involved in security breaches in the U.S. between 2005 and 2013, and with the number of recent massive online retailer breaches, that number has easily doubled since then. Now criminals are shifting their sights to small merchants because many have lax security for cardholder data. More than 80% of attacks target small merchants. If your clients are at fault for a security breach, the business fallout can be severe:
If cardholder data is stolen, the banks will go after your clients, and your clients, in turn, might be looking to pass the blame on to you!
Then protect your own business by getting the Network Detective PCI Compliance module and using it with each of your clients.
The beauty of the Network Detective PCI Compliance module is that YOU don't have to be a Qualified Security Assessor to deliver highly professional PCI Data Security Standard documents that will stand up to any audit or review.
But the more you know about PCI, and the more accreditations your company and/or staff acquire, the more value you will get out of our tool, and the easier it will be for you to separate yourself from your competitors.
The PCI Security Standards Council operates an in-depth program for security companies seeking to become Qualified Security Assessors (QSAs). The QSA certification is recognized by all of the main credit card brands. The QSA designation is given to individual employees, and takes about three months to attain.
Before anyone in your organization can apply to become a QSA, your company must first submit the required documentation, including certifications, business license, insurance certificates and the registration fee, which is credited against the initial enrollment fee if your firm becomes approved as a Qualified Security Assessor Company (QSAC). Once that step is completed, any of your staff who will be involved in your PCI Compliance service must undergo and pass the Council's training course and receive official certification.
Whether or not you decide to get certified, you can begin offering incredibly valuable PCI compliance services today with the Network Detective PCI Compliance module.
In fact, getting a few PCI assessments under your belt BEFORE you apply for the costly and time-consuming accreditation will help ensure that your people pass the rigorous training courses the first time.
The PCI Compliance Module is sold separately but may be purchased at a discount when combined with our HIPAA Compliance module and purchased at the same time.
Please note that the PCI Compliance Module requires a subscription to Inspector for Network Detective (our add-on appliance). Inspector allows you to perform deep-dive internal vulnerability scans and produce the Layer 2/3 Diagram, both of which are required aspects of an acceptable PCI assessment. Inspector can be moved from one customer site to another to perform internal vulnerability scans and Layer 2/3 network maps, or it can be left on-site to remotely schedule and retrieve network scans and to store reports.
If you are an existing Network Detective customer and you currently subscribe to one or more Inspectors or already have a HIPAA Compliance module subscription, log in to your Network Detective application and click on the Upgrade button to order. If you are a new customer, you can order from the website now.
Whether you are a new or existing customer, our 100% satisfaction guarantee applies. So go ahead and subscribe to the PCI Compliance Module right now. Run the scan on your own credit card environment (if you accept credit cards) or on a few of your client sites. Generate the reports. You'll have a full month to put the tool through its paces. If during that time you decide that this product is not for you, just tell us and we'll cancel your subscription and provide you with a 100% refund.