Posted on 03-Feb-2022

NETWORKING SOLUTIONS

1.800.INSIGHT | INSIGHT.COM

PCI Auditing Overview

As a Qualified Security Assessor (QSA) for PCI, Insight offers auditing services to meet the needs of all North American companies that are required to validate compliance through a third-party assessment. This data sheet provides a detailed description of our services.

Our Proven Methodology

Insight provides two options through which we can validate your compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). We recommend that all merchants engage in a Gap Analysis before starting either audit option.

The first option is intended for those going through the audit for the first time, or who are unfamiliar with technology audits in general. It provides significantly more direction and assistance by allowing audit exceptions to remain open, sometimes for extended periods (measured in weeks), while discovered deficiencies are remedied and the affected items are reassessed.

The second option is intended for those who have previously been through a successful PCI audit, have a high degree of certainty about their compliance status and maintain a mature audit preparation program. This option rewards those internal efficiencies with a less intrusive audit, but at the risk of a one-pass audit: there is much less flexibility in holding the audit open while deficiencies are remediated.

In either approach, Insight will collect all of the information necessary to validate compliance according to the current PCI DSS Assessment Procedures. This includes documentation reviews, interviews and direct observation covering all 220+ requirements in the DSS. As the audit progresses, the compliance status of each requirement is assessed to determine whether your organizational controls are sufficient.

When all available data has been collected, reviewed and analyzed, Insight will prepare the Report on Compliance (RoC) as required by the DSS Assessment Procedures. Once you have reviewed the RoC and confirmed that the findings are accurate, Insight will finalize the RoC and prepare the Confirmation of Report Accuracy (CoRA) and any other documents needed for submission.

Our deliverable meets PCI requirements and follows the format mandated by the PCI Security Standards Council. Our assessor will remain available to discuss our findings with the card brands, your bank or your staff as necessary.

SUCCESS STORIES

Insight has delivered its unique blend of compliance management services to a wide variety of industries, including:

• State and municipal government agencies
• High-tech companies
• Financial services industry
• Hospitality industry
• Manufacturing industry
• Logistics and transportation industry
• Healthcare industry
• Retail industry

PCI Auditing Services

ABOUT INSIGHT

Insight Networking is a strategic business unit of Insight, a technology solutions provider serving global and local clients in 170 countries. Today, thousands of clients, including more than 80 percent of the Global Fortune 500, rely on Insight to acquire, implement and manage technology solutions to empower their business. Insight provides software and licensing services globally. In addition, we offer a comprehensive portfolio which also includes networking, hardware and value added services for our clients in North America and the U.K. We are aggressively expanding our global capabilities by introducing new offerings, including hardware and services, to meet emerging needs for our clients worldwide. Insight is ranked No. 484 on the 2009 Fortune 500.


Insight PCI Compliance Management Offerings

• Insight PCI Gap Analysis
• Insight PCI Scanning
• Insight PCI Compliance Portal
• Insight PCI Audit Service

Other Assessment and Compliance Offerings

• Perimeter Security Assessments
• Internet Security Assessment
• Wireless Security Assessment
• Remote Access Security Assessment
• Firewall Policy & Configuration Analysis
• Internal Security Assessments
• Internal Risk & Vulnerability Assessment
• Data Management Practices Assessment (DBAs)
• Data Management Practices Assessment (End users)
• Web Application Security Assessment
• Social Engineering Assessment
• HIPAA Compliance Consulting
• NERC CIP Compliance Consulting
• GLBA/FFIEC Compliance Consulting
• Network and Host Security Technology Design and Implementation
• 24x7 Managed Network and Security Services

Comparison

Basic Approach
  First-time audit: Data collection through interviews, documentation reviews and direct observation as mandated by the PCI DSS Assessment Procedures.
  Subsequent audits: Data collection through interviews, documentation reviews and direct observation as mandated by the PCI DSS Assessment Procedures.

Deficiency Management
  First-time audit: Audit deficiencies will be communicated at the time of discovery, and the RoC held open until remedied. Depending on how much time has elapsed and the extent to which remediation impacts other controls, revalidation of other controls may be necessary, but is included in the original scope.
  Subsequent audits: Audit deficiencies will be noted, but will result in a non-compliant RoC if not remediated prior to completion of the data collection effort. No additional revalidation of other controls is included.

Evidence Request Management
  First-time audit: Providing insufficient or incorrect evidence will result in an audit deficiency. The audit will be held open while correct evidence is obtained.
  Subsequent audits: Providing insufficient or incorrect evidence will result in an audit deficiency while other data collection tasks continue. If evidence is not submitted before the audit phase completes, a non-compliant RoC will be submitted.

Audit Timetable Management
  First-time audit: Fluid timetables, with the possibility for audit activities to pause, possibly for extended periods of time (measured in weeks or even months).
  Subsequent audits: Timetables are strictly adhered to.

Pricing Entry Point
  First-time audit: $29,000/year
  Subsequent audits: $15,000/year

Insight and the Insight logo are registered trademarks of Insight Direct USA, Inc. All other trademarks, registered trademarks, photos, logos and illustrations are the property of their respective owners. ©2009, Insight Direct USA, Inc. All rights reserved. Updated 5.09