HACKERGUARDIAN SERVICES - GENERAL FAQ

WHAT'S THE DIFFERENCE BETWEEN THE HACKERGUARDIAN SERVICES?

HackerGuardian PCI Scan Compliancy

The PCI Scan Control Centre is an on-demand, vulnerability assessment scanning solution to enable merchants and service providers to achieve PCI scan compliance.

After each scan, users receive a comprehensive vulnerability report detailing any security issues with remediation advice and advisories to help fix them.

Following a successful scan (no vulnerabilities rated higher than CVSS
base score 4.0), merchants receive an official PCI compliance report that
can be sent to an acquiring bank.

Credit Cards

The Standard version enables merchants to run 10 PCI scans per quarter on up to 5 IP addresses using the full complement of over 30,000+ individual vulnerability tests. The Enterprise version is a more powerful and flexible service which provides for up to 100 scans per quarter on 20 IP addresses.

HackerGuardian Free PCI Scan

The Free PCI Scan service is valid for 90 days and allows merchants to achieve PCI scan compliancy free of charge. The service contains all the functionality of the Scan Compliancy but restricts the user to 5 PCI scans per quarter on a maximum of 3 separate IP addresses. The service generates an official 'PCI Compliant' report after every successful scan.

Learn More

Back to General FAQs | Back to the Top

WHY DO I NEED VULNERABILITY SCANNING IF I HAVE AN SSL CERTIFICATE?

SSL certificates do not secure a web server from malicious attacks or intrusions. High assurance SSL certificates such as InstantSSL provide the first tier of customer security and reassurance, namely:

  • A secure connection between the customer's browser and the web server
  • Validation that the web site operators are a legitimate, legally accountable organization

However, consumer fears in the light of recent attacks on high profile merchant web sites now mean that businesses need to ensure that their websites are tested and are secure against all known vulnerabilities. Furthermore, organizations such as the Payment Card Industry (PCI) have introduced guidelines that make server vulnerability testing a mandatory requirement. The HackerGuardian Scan Compliance service provides merchants with a fast, low cost way of meeting the PCI scanning guidelines.

Back to General FAQs | Back to the Top

ARE HOME USERS A SERIOUS TARGET FOR HACKERS?

Yes! Home users are arguably the most vulnerable people around simply because they are usually not well protected. Adopting a 'path of least resistance' model, intruders will often zero-in on home users - often exploiting their 'Always on' broadband connections and typical home use programs such as chat, Internet games and P2P files sharing applications. HackerGuardian Scanning Service allows home users and network administrators alike to identify and fix any security vulnerabilities on their desktop or laptop computers.

Back to General FAQs | Back to the Top

WHERE CAN I FIND A GLOSSARY OF TERMS USED ON THIS WEBSITE?

There is a glossary of terms available in the help section of the HackerGuardian website at hackerguardian.com/help/glossary.html

Back to General FAQs | Back to the Top

HACKERGUARDIAN SERVICES - TECHNICAL FAQ

ALL SERVICES: DO I NEED TO ALLOW THE HACKERGUARDIAN
SCANNING IP ADDRESS?

Yes. In order for the HackerGuardian scan to be successful, your firewall must be set to allow the IP address that the scan is coming from.

The IP ranges that we scan from are:

CIDR: 91.209.196.32/28 which translates to: 91.209.196.32 through 91.209.196.48
CIDR: 199.66.200.32/28 which translates to 199.66.200.32 through 199.66.200.48

Back to Technical FAQs | Back to the Top

ALL SERVICES: I SIGNED UP AND GOT THE FOLLOWING MESSAGE:
'NO VULNERABILITIES WERE FOUND AND THE HOST DID NOT RESPOND
TO ANY OF OUR CHECKS' - WHAT DOES THIS MEAN?

This can mean one of two things.

Either:

1) The host is currently unreachable.
     It could be that the host is unreachable because of a problem with your server.
     Quite often, however, it is because your firewall is denying access to the HackerGuardian scanner. In
     order for the HackerGuardian scan to be successful your firewall must be set to allow the IP address
     the scan is coming from.
     The IP ranges that we scan from are 199.66.200.32/28 and 91.209.196.32/28.

Or:

2) No services are available on the host and it is secure.

Back to Technical FAQs | Back to the Top

FREE SCAN: CAN I CHANGE THE IP ADDRESS THAT THE FREE
VULNERABILITY SCAN TESTS?

No, the Free Scan can only scan the IP address of the machine that you sign into the HackerGuardian website from.

If you need to scan specific IPs or websites then you should consider purchasing one of following:

HackerGuardian PCI Scan Compliancy
HackerGuardian PCI Scan Compliancy Enterprise

Back to Technical FAQs | Back to the Top

Scan Compliancy - I have a dynamic IP assigned by my ISP.
Can I still use HackerGuardian?

No. It is not possible to use the Scan Control Service unless you have a static IP.

Back to Technical FAQs | Back to the Top

All Services: Does Comodo maintain any statistics about
what % of clients consistently a score of 0% on the
'High Risk' threats? Or what % of all commercial servers
would have this score?

Comodo does not maintain any sort of global statistics about the scan results we produce.

Back to Technical FAQs | Back to the Top

All Services: How do I upgrade from a trial account to the
full version?

Upgrade PCI Scan Control Service

1) Click the Upgrade to Full Service button in the HackerGuardian interface.

2) Upgrade by buying the full version through this link:
     hackerguardian.com/pci-compliance/products.html

Remember to select 'Existing Customer' and use your regular Comodo account username and password to during signup.

Back to Technical FAQs | Back to the Top

All Services: After upgrading, will I have to re-enter
my IP/Domain information?

Free PCI Scanning Service

The free license is for a fixed period. At the end of this period the license expires.

Scan Control Centre:

For the PCI Scan Control Service any previously validated IP addresses will still be useable.

Back to Technical FAQs | Back to the Top

All Services: I am an existing Comodo account holder (e.g. SS)
can I use my existing Username and Password during purchase?

Yes. You should use the 'Existing Customer Option' and enter your existing Comodo UN/PW during the signup process. You can then also use your Comodo account Password and Username to log into the HackerGuardian interface at www.hackerguardian.com

Back to Technical FAQs | Back to the Top

All Services: Explain the password/username system to me.

During signup you created a Comodo account with a Username and Password. This Username and Password has dual functionality:

1. Use it to log into your Comodo account and manage your Comodo account details. You can log in at
comodo.com

2. Use it to log into the HackerGuardian web-application interface. Do this using the login box at:
hackerguardian.com

Also see documentation at: hackerguardian.com/help/starting_up.html

Back to Technical FAQs | Back to the Top

All Services: Can I scan private (internal) IP addresses?

Yes. Internal IP addresses can be scanned if you have a HackerGuardian PCI Scan Compliancy Enterprise license. It is not possible to scan internal IPs with the standard license.

Private IPs ranges are defined by RFC 1918 as:

10.0.0.0 - 10.255.255.255 (10/8 prefix)

172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

192.168.0.0 - 192.168.255.255 (192/168/16 prefix)

Back to Technical FAQs | Back to the Top

Scan Compliancy - How many concurrent scans can I run?

The number of concurrent scans you can run is 10% of the number of IP's covered by your license and the maximum number is 25. For example, if the number of IP addresses covered by your license is 50, you can run five concurrent scans on different IP's.

Back to Technical FAQs | Back to the Top

All Services: How many ports does each service test?

Different level of services will allow for different total numbers of ports to be scanned. (If you use the Scan Control service, you may define ranges of ports to be scanned within the 'Set Options' page in the 'Port Range' field.)

  • The PCI Scan Control Service scan tests up to a total of 65,535 ports - the total number of ports
    available on your system.
  • The Daily and Free services will scan the first 15,000 ports on your system. This is a targeted
    selection of the most commonly used (and commonly attacked) ports.*

*Note that most services run on the reserved ports below 1024 and security industry experts agree that these are the most commonly
targeted ports. In some circumstances it will be beneficial to test all 65,535 ports, but administrators should be aware that this will
lengthen the scan time.

Back to Technical FAQs | Back to the Top

All Services: I have changed my password, and now cannot
login to the HackerGuardian website, why?

When you change your password there is a delay between changing it, and that change being synchronized with the HackerGuardian database.

Please allow 15 minutes for the synchronization to take place after changing your password.

Back to Technical FAQs | Back to the Top

Scan Compliancy: Does HackerGuardian use the latest CVSS v2?

Yes. HackerGuardian uses the latest Common Vulnerability Scoring System version 2 (CVSS v2). All HackerGuardian PCI Scan customers are not impacted by the change from CVSS v1 to v2 as we have already been using v2.

Back to Technical FAQs | Back to the Top

PCI FAQ

What is PCI DSS?

The Payment Card Industry Data Security Standards (PCI DSS) are a set of 12 requirements developed jointly by Visa, MasterCard, JCB International, Discover and American Express to prevent consumer data theft and reduce online fraud. The PCI DSS represents a multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

Compliance and validation of compliance with some or all of the 12 requirements is mandatory for any organization that stores, transmits or processes credit card transactions.

  • The exact number of requirements (out of the 12) that any one organization need comply with is
    dependant on that organization's 'Validation Type'. An organization's Validation Type is
    determined by precisely how that organization handles credit card data. There are 5 such
    Validation Types' and every organization will that needs to be PCI compliant will be categorized
    as one of these types. (see table 'Validation Types')
  • The Daily and Free services will scan the first 15,000 ports on your system. This is a targeted
    selection of the most commonly used (and commonly attacked) ports.*

Back to PCI FAQs | Back to the Top

What is the Self Assessment Questionnaire?

The PCI Data Security Standard Self Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Comodo has simplified this often confusing process with the launch of the HackerGuardian PCI Compliance Wizard. The intuitive web-based application guides merchants through every step of the PCI Self Assessment Questionnaire. Each question is accompanied by expert advice to help the merchant interpret and appropriately answer each question. At the end of the wizard you will find out immediately whether or not your answers qualify your organization as PCI compliant.

The wizard will provide:

  • A Questionnaire Summary - Listing security control areas on which you failed compliance
  • A custom 'Remediation Plan' for your company containing:
    • A comprehensive list of remedial actions that you need to take to attain full PCI compliance
    • A remediation planning tool enabling task prioritization and project management
    • Links to recommended products and services that will help you cost-effectively resolve
      non-compliant areas
  • A 'ready-to-submit' PCI DSS Self Assessment Questionnaire

Your progress is automatically saved after each question - allowing you to log out and return at a later date to complete the questionnaire. Your free account and responses are retained, giving you an opportunity to revise and modify any of your answers. This also allows you to update, schedule and track the progress of outstanding remediation tasks.

Click the SAQ tab in the HackerGuardian navigation bar to begin the wizard.

Back to PCI FAQs | Back to the Top

What are the compliance validation reporting requirements
for merchants?

Under the new PCI standard, the compliance validation requirements of the old VISA CISP and MasterCard SDP programs have been aligned so that merchants need only validate their compliance once to fulfill their obligation to all payment cards accepted. Merchants will provide compliance validation documentation to their Acquirer(s). Compliance validation documentation consists of the appropriate annual self assessment questionnaire (and accompanying attestation of compliance) and possibly the quarterly PCI scan compliance report.

Back to PCI FAQs | Back to the Top

To whom does the PCI regulations apply?

The PCI DSS standards apply to all entities that process, store or transmit cardholder data. This includes all merchants and service providers with external-facing IP addresses handle, store or transmit credit card data. Even if your website does not offer website based transactions (for example, you link to a payment gateway) there are other services that may make card data accessible. Basic functions such as e-mail and employee Internet access will result in the Internet accessibility of a company's network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems if not properly controlled.

Back to PCI FAQs | Back to the Top

What is defined as 'cardholder data'?

Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.

Back to PCI FAQs | Back to the Top

What if a merchant or service provider does not store
cardholder data?

If a merchant or service provider does not store cardholder data, the PCI requirements still apply to the environment that transmits or processes cardholder data.

Back to PCI FAQs | Back to the Top

Are there alternatives, or compensating controls, that can
be used to meet a requirement?

If a requirement is not, or cannot, be met exactly as stated, compensating controls can be considered as alternatives to requirements defined by the PCI DSS. Compensating controls should meet the intention and rigor of the original PCI requirement, and should be examined by the assessor as part of the regular PCI compliance audit.

Back to PCI FAQs | Back to the Top

Are there alternatives to encrypting stored data?

Stored cardholder data should be rendered unreadable according to requirement 3 of the PCI Security Audit Procedures document. If encryption, truncation, or another comparable approach cannot be used, encryption options should continue to be investigated as the technology is rapidly evolving. In the interim, while encryption solutions are being investigated, stored data must be strongly protected by compensating controls.

An example of compensating controls for encryption of stored data is complex network segmentation that may include the following:

  • Internal firewalls that specifically protect the database
  • TCP wrappers or firewall on the database to specifically limit who can connect to the database
  • Separation of the corporate internal network on a different network segment from production,
    fire- walled away from database servers.

Back to PCI FAQs | Back to the Top

What are the compliance validation reporting requirements
for merchants?

Under the new PCI standard, the compliance validation requirements for merchants of the VISA CISP and MasterCard SDP programs have been aligned so that merchants need only validate their compliance once to fulfill their obligation to all payment cards accepted. Merchants will provide compliance validation documentation to their Acquirer(s). Compliance validation documentation consists of the annual self assessment questionnaire and the quarterly PCI scan compliance report.

Back to PCI FAQs | Back to the Top

Do merchants need to include their service providers in the
scope of their review?

If you outsource your card processing to a service provider then you should check that they are PCI compliant. Web hosted customers should also ensure the web hosts infrastructure is PCI compliant. This can usually be done by asking your provider via email.

Back to PCI FAQs | Back to the Top

What is a network security scan?

A Network Security Scan involves an automated tool that checks a merchant or service provider's systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network. As provided by qualified scan vendors such as Comodo the tool will not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.

Back to PCI FAQs | Back to the Top

How often do I have to scan?

Every 90 days / once per quarter. Merchants and Service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI Approved Scanning Vendor (ASV). Comodo is a PCI Approved Scanning Vendor.

Back to PCI FAQs | Back to the Top

What reports are provided by HackerGuardian
scanning service?

HackerGuardian Scan Control service provides three reports after each scan - the attestation of scan compliance, the Executive Report and the Vulnerability Report. The attestation of scan compliance and the Executive Report are the ones you need to submit to your acquiring bank to demonstrate compliance. The Vulnerability Report is a more technical document used to identify and remediate any security holes.

Back to PCI FAQs | Back to the Top

What criteria causes a Pass or Fail on a PCI scan

Each post-scan HackerGuardian Executive report states a PCI compliance status of 'Compliant' or 'Not Compliant' based on the discovery of potential security flaws on your systems.

If no vulnerabilities with a CVSS base score greater than 4.0 are detected then the scanned IP addresses, hosts and Internet connected devices have passed the test and the report can be submitted to your acquiring bank.

If the report indicates 'Non Compliant' then the merchant or service provider must remediate the identified problems and re-run the scan until compliancy is achieved.

Back to PCI FAQs | Back to the Top

What if I fail the PCI scan?

If your HackerGuardian Executive Report indicates 'NOT COMPLIANT' then vulnerabilities with CVSS base score greater than 4.0 were discovered on your externally facing IP addresses. The accompanying Vulnerability Report contains a detailed synopsis of each vulnerability prioritized by threat severity. Each discovered vulnerability is accompanied with solutions, expert advice and cross referenced links to help you fix the problem. You should fix all vulnerabilities identified as a 'Security Hole'.

Furthermore, each report contains a condensed, PCI specific, 'Mitigation Plan' - a concise, bulleted list of actions that you need to take to achieve compliance.

After completing the actions specified in the Mitigation Plan you should run another scan until the report returns a 'COMPLIANT' status.

Back to PCI FAQs | Back to the Top

Where can I find and complete the Self-Assessment
Questionnaire?

Hackerguardian provides a free wizard that guide merchants and service providers through each stage of self-assessment questionnaire. More details on the wizard can be found : here

Merchants have to answer all questions with 'Yes' or 'N/A to be considered PCI compliant. Answering 'No' to any question means the merchant or service provider is not compliant. The risk(s) identified by the questionnaire must be remediated and the questionnaire retaken. After creating a user name and password, merchants can save their progress at any time. Following successful completion of the questionnaire, merchants will be provided with official certification that can be submitted to their acquirer.

Back to PCI FAQs | Back to the Top

Where can I find a PCI Approved Scanning Vendor capable
of providing quarterly PCI vulnerability scans?

Right here! Comodo HackerGuardian offers a range of PCI compliance services designed for merchants and service providers of all sizes. Click here to find out more.

Back to PCI FAQs | Back to the Top

What's the deadline for compliance/ When must I begin using
the new PCI standards?

The Payment Card Industry Standards, Security Audit Procedures, Self-Assessment Questionnaire, and Security Scanning Requirements are effective immediately.

Back to PCI FAQs | Back to the Top

What are the penalties for non-compliance with the
PCI standards?

Validation and enforcement is the responsibility of the acquiring financial institution or payment processor.

For each instance of non-compliance, these organizations levy various penalties onto merchants and service providers which can include:

  • Increased transaction processing fees
  • Fines of more than $500,000 for serious breaches
  • Suspension of credit card transaction processing abilities

Comodo HackerGuardian provides a range of services that make PCI compliance easy. Find out which service is right for you at hackerguardian.com

Back to PCI FAQs | Back to the Top

Make it easy for me. What do I have to do to become compliant?

1. Complete the PCI Self-Assessment Questionnaire using our free, online wizard

  • Preliminary questions will help you to determine which 'validation type' your company fits into
    and therefore of the 4 self assessments questionnaires you need to complete.
  • Each of the questions is accompanied by expert help, information and advice that will help you
    o both interpret the question correctly and provide the appropriate answer
  • Once the wizard is complete, you will receive:
    • A questionnaire summary detailing any control areas on which you failed compliance
    • A custom 'Remediation Plan' for your company containing a list of remedial actions that
      you need to take alongside links to recommended products and services that will help you
      resolve non-compliant areas.
    • A 'ready - to - submit' PCI DSS Self Assessment Questionnaire which will include your
      completed 'Attestation of Compliance'

2. Conduct a quarterly vulnerability scans on your externally facing IP addresses

If your organization is required to be compliant with section 11.2 of the PCI standard then you will also need to obtain quarterly vulnerability scans on your network.

HackerGuardian will conduct an in-depth audit of your network to detect vulnerabilities on your network and web-server. If your servers fail the test, you will find lots of helpful advisories in the scan report that will help you patch the security holes.

After your infrastructure passes the scan, HackerGuardian will automatically generate the PCI Compliance report that you need to send your acquiring bank as to demonstrate your compliance.

Find out more about HackerGuardian PCI Scanning Services.

3. Send the completed questionnaire, attestation of Scan Compliance report
and Executive Report to your acquirer.

The attestation, the Executive Report and the Annual Self Assessment Questionnaire should be turned into your merchant bank. Your merchant bank will then report back to the Payment Card Industry that your company is PCI Compliant.

Back to PCI FAQs | Back to the Top