The SureCloud PCI ASV scanning solution helps organisations meet PCI Requirements 11.2.2. SureCloud offer a simple, easy to use approach to schedule, run and track PCI ASV scans. All PCI ASV scanning activity is powered through the SureCloud Platform and backed by CESG CHECK and CREST Approved Penetration Testing team.
- A completely automated PCI solution
- Cloud based Software-as-a-Service offering
- Simple to use interface
- Meet PCI Requirements 11.2.2
- Full history of previous ASV scan reports (and compliance state)
- Custom extracts of vulnerability data can be created and downloaded
- Detailed descriptions and solutions for each vulnerability identified
- Full workflow, task assignment and remediation management tools
- Run your scan instantly
- Backed by SureCloud's experienced team
- Ease of Administration
- Low Total Cost of Ownership
- Fully Automated
- Simple and Ease to Use Interface
- Obtain PCI ASV Compliance Quickly and Easily
- Backed by SureCloud's CESG CHECK and CREST Accredited Team
£800 to £10000 per licence per year
- Education pricing available
0208 012 8544
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|System requirements||A web browser and internet connectivity.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
SureCloud commit to a response to tickets within 4 business hours.
Support coverage is from 08:30 to 17:30 Monday to Friday (excluding bank holidays).
There is support cover during the weekends, but it is limited.
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Onsite support|
All support is part of SureCloud's standard licensing and pricing model.
We have an SLA of responses to submitted tickets within 4 business hours.
A main technical contact is provided whom can also act as an escalation point if required.
|Support available to third parties||Yes|
Onboarding and offboarding
Full onsite and/or remote training (via Webex) is provided depending on what is preferred and also procured from a consultancy perspective.
Full documentation is also provided around platform use.
|End-of-contract data extraction||Users can extract all data from the platform to CSV/Excel format when the contract ends if required.|
Full access to the licensed features of the SureCloud platform are provided. These are split into the separate 'applications' and the buyer purchases as needed.
There are no additional costs outside of the licensed bracket and implementation costs.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Full functionality is available from mobile devices.|
|Accessibility standards||None or don’t know|
|Description of accessibility||
Users can zoom the screen to improve readability.
Some, but not all the information, is compatible with screen readers.
|Description of customisation||A customised instance of the SureCloud can be provided with corporate branding, logos and colour schemes. An organisation specific URL is also provided.|
|Independence of resources||The environment is scaled, as needed, to meet demand. Each individual platform is also monitored to ensure that the service remains optimal for all users.|
|Service usage metrics||No|
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||‘IT Health Check’ performed by a CHECK service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||Users can download all data to Excel and/of PDF format as required.|
|Data export formats||
|Other data export formats|
|Data import formats||CSV|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||
Availability and resilience
Monthly Uptime Percentage|Service Credit
|Approach to resilience||
SureCloud has designed and built its own private cloud infrastructure with data at two physical geographically separate locations. The environment has been setup to ensure there are no single points of failure.
Further information is available upon request.
|Outage reporting||Email Alerts|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||
Management access to the underlying infrastructure is only permitted to 3 trusted individuals. These individuals have go through multiple layers of authentication and authorisation before access is possible.
Support staff only have access to accounts within SureCloud they are actively involved in supporting. This is tightly controlled by permissions within the SureCloud application itself.
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||British Standards Institution (IS 664769)|
|ISO/IEC 27001 accreditation date||29/08/17|
|What the ISO/IEC 27001 doesn’t cover||Certificate applies to all products and services delivered both internally and externally by SureCloud globally.|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||
All policies and processes are accredited to ISO 27001.
Copies of reporting structure and policies themselves are available upon request.
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||
SureCloud utilises its own technology and platform for management of change requests, which track the whole lifecycle of a change.
A high-level over of the form is as follows:
- Date change due to be implemented
- Details of change
- Security Impact of change
- Affected systems
- Change reserve plan
- Change success measure
- Change to be authorised by?
- Change Approved?
- Change Completed?
|Vulnerability management type||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Vulnerability management approach||
SureCloud utilises its own Vulnerability Management platform and technology for scanning and management of its network.
Scans are run on a weekly basis, with automated tasks set to immediately alert the Security Team of any high or critical vulnerabilities.
Patches are deployed to all critical and high vulnerabilities immediately. Medium/low severity vulnerabilities are patched within 1 month.
The security team obtain threat intelligence data from a partner and are subscribed to all relevant social media channels for new vulnerability alerting.
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
SureCloud uses its own technology and solution Event Manager for this purpose.
The solution has been designed around GPG13 and the PCI Standard Event Management requirements.
Each event is severity weighted and anything high or critical is immediately alerted to the Security Team.
Any potential compromise follows SureClouds incident response processes and, due to the nature of the activity, are actioned immediately.
|Incident management type||Supplier-defined controls|
|Incident management approach||
SureCloud has fully documented incident response policies and procedures, which all staff are extensively trained on.
Users report incidents via the SureCloud platform using the 'Incident Manager' Application, which triggers workflow and escalation to their line manager and incident panel.
Any incidents relating to client data are reported to them within 1 business day, as per SureClouds procedure.
|Approach to secure software development best practice||Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)|
Public sector networks
|Connection to public sector networks||No|
|Price||£800 to £10000 per licence per year|
|Discount for educational organisations||Yes|
|Free trial available||No|