
Ten Actions Merchants Must Take Immediately To Avoid PCI Failure


DESCRIPTION

The Impact of the New PCI-DSS Compliance Rules Issued on March 15, 2010 -- netVigilance, Inc., the only vulnerability assessment vendor and PCI Approved Scanning Vendor (ASV) that goes Beyond Compliance to detect up to 97% of all common vulnerabilities, today issued an urgent bulletin warning all merchants and retailers subject to PCI-DSS compliance that new PCI regulations significantly increase their chances of PCI failure during mandatory quarterly external vulnerability scans, unless the merchants take corrective actions. While these new regulations officially go into effect on September 1, 2010, preparing for them can take months. The time to start is now, because merchants who wait will be at a high risk of failing and being unable to quickly remediate. The need for this bulletin arose because on March 15, 2010, the PCI Security Standards Council (PCI SSC) released "ASV Program Guide v1.0," which tightens and changes existing rules governing both customers requiring PCI scans and the Approved Scanning Vendors (ASVs) who perform those scans. netVigilance also calls attention to the fact that, despite being numbered as v1.0, the new ASV Program Guide governs PCI v1.2 and enhances, improves and supersedes the Technical and Operational Requirements for ASVs v1.1 and Security Scanning Procedures v1.1.


Page 1: Ten Actions Merchants Must Take Immediately To Avoid PCI Failure

SLIDE 1 © 2010 netVigilance, Inc. All rights reserved.

Ten Actions Merchants Must Take Immediately To Avoid PCI Failure

The Impact of the New PCI Compliance Rules Issued on March 15, 2010

Slide 2

1. Identify & verify out-of-scope components

New discovery rules make formerly out-of-scope components in-scope

Identify & verify them before a quarterly scan fails

Examples: spam filters, mail servers, web servers that don't process credit cards

Slide 3

2. Prove your ISP complies with PCI

Your ISP can pass by itself; or

You need their permission to scan them

Otherwise, get a new ISP

Ultimately, the responsibility is yours, not your ISP’s

Slide 4

3. Take all secure database servers off the Internet and place them behind a firewall

If any secure database server remains publicly accessible, you will automatically fail PCI

Slide 5

4. Scan your website for HTTP response splitting/header injection

Be prepared to remediate all problems found
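An added illustration (not code from the netVigilance slides) of the defect an ASV scan reports as HTTP response splitting / header injection, beside its remediation. All names and the sample input are hypothetical and constructed here; the only real dependency is `urllib.parse.unquote`.

```python
# Added example, not from the slides. Shows why pasting request input into a
# response header lets a CR LF pair start a new header line, and the fix:
# validate the decoded value before it is emitted.
from urllib.parse import unquote

CRLF = "\r\n"
# Constructed sample: a "next page" parameter carrying an encoded CR LF pair.
CONSTRUCTED_INPUT = "/account%0d%0aX-Injected:%20yes"


def vulnerable_redirect(next_url: str) -> str:
    """Defect: the decoded parameter goes into Location without validation."""
    return ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + unquote(next_url) + CRLF
            + "Content-Length: 0" + CRLF + CRLF)


def parse_header_names(raw_response: str) -> list:
    """Header names as a client would parse them; an injected line shows up here."""
    head = raw_response.split(CRLF + CRLF, 1)[0]
    return [line.split(":", 1)[0] for line in head.split(CRLF)[1:]]


def header_value_is_safe(value: str) -> bool:
    """Remediation check: no CR, LF or NUL once the value is URL-decoded."""
    decoded = unquote(value)
    return not any(ch in decoded for ch in ("\r", "\n", "\0"))


def safe_redirect(next_url: str) -> str:
    """Same redirect, but unsafe values are refused instead of emitted."""
    if not header_value_is_safe(next_url):
        raise ValueError("control characters not allowed in header value")
    return ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + unquote(next_url) + CRLF
            + "Content-Length: 0" + CRLF + CRLF)


if __name__ == "__main__":
    # The vulnerable build yields three headers; the safe build refuses the input.
    print(parse_header_names(vulnerable_redirect(CONSTRUCTED_INPUT)))
    try:
        safe_redirect(CONSTRUCTED_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```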

Slide 6

5. Verify that your DNS server prohibits zone transfers

Zone transfers allow unaffiliated, unapproved third parties to see and obtain all the servers comprising your domain

If someone else hosts your domain, you are still responsible

Consequence of allowed zone transfers is automatic PCI failure

Slide 7

6. Ensure your ASV uses a PCI-qualified Professional Security Engineer to review each and every scan

ASVs often use fully automated processes

These automated processes are never acceptable under the new rules

To pass PCI you must use an ASV that adheres to the new rules

Slide 8

7. Turn off SSL v2

Next, ensure that servers using TLS v1.0 or newer are not backwards compatible with the weak SSL v2

Use a qualified ASV to verify and remediate

Slide 9

8. Remove all non-critical uses of all remote access software

Examples: pcAnywhere, VNC, RDP, even VPN

For critical uses: ensure strong authentication

Slide 10

9. Move all POS (Point-of-Sale) systems behind the firewall

ASVs that discover POS systems are now required to pay special attention to them

Slide 11

10. Named employees must sign and attest to their company’s responsibility

Attestation concerns proper scoping of the external scan

Attestation can no longer be anonymous

Slide 12

netVigilance Key Advantages

Beyond Compliance™: Compliance is simply not enough. It is a minimum, rather than a maximum, standard. Only netVigilance detects up to 97% of all common vulnerabilities, far more than competitors.

Labor- and Time-Saving Reports: Our reports provide a wealth of specific detail on precisely how to remediate the vulnerabilities we detect. Instead of spending time researching a fix, engineers and support personnel spend their time making the fix.

Slide 13

For More Information

netVigilance, Inc., 14525 SW Millikan #34423, Beaverton, OR, USA 97005-2343, (+1) 503-524-5758

PR & Analyst Contact: Steven Mason

[email protected]

(+1) 650-776-7968