Certification
The PCI DSS requires organizations to “run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)” (Requirement 11.2).
After contacting eMaze, the Customer will receive a document to read and complete with the following details:
- Contact information (name of the referee, title/position in the company, telephone, e-mail, etc.).
- IP addresses to be tested (server, router, workstation, firewall, etc.).
- Any virtual hosts.
- Any alternative entry points to on-line systems (hidden directories, administrative interfaces, etc.).
- A statement declaring that any IDS/IPS devices are configured so that they do not interfere with the scan results.
Upon receipt of the document, eMaze will contact the Customer to schedule the intervention and arrange its operational details.
The scans performed by eMaze are aimed at verifying the absence, on the scanned systems, of vulnerabilities ranked “High” (as defined by PCI DSS Requirement 6.2) and do not have any impact on the Customer’s normal operations. When vulnerabilities are detected, an intermediate report is submitted to the Customer so that the necessary corrective actions can be carried out. After these interventions, the scans are repeated until a vulnerability-free environment is verified. At the end of the process, a certificate of compliance is issued, which the Customer can provide to their counterparts.
The price of the verification activities is charged for the whole process rather than per scan; the process may, if necessary, include more than one scan.