PCI Assessment Evidence of PCI Policy Compliance

CONFIDENTIALITY NOTE: The information contained in this report document is for the Prepared for: exclusive use of the client specified above and may contain confidential, privileged and non-disclosable information. If the recipient of this report is not the client or Prospect or Customer addressee, such recipient is strictly prohibited from reading, photocopying, distributing or otherwise using this report or its contents in any way. Prepared by: Your Company Name

Evidence of PCI Policy Compliance PCI ASSESSMENT

Table of Contents

1 - Overview 1.1 - Security Officer 1.2 - Overall Risk 2 - PCI DSS Evidence of Compliance 2.1 - Install and maintain firewall to protect cardholder data 2.1.1.1 - Requirements for firewall at each Internet connections and between DMZ and internal network zone 2.1.1.2 - Business justification for use of all services, protocols and ports allowed 2.1.2 - Build firewall and router configurations that restrict connections between untrusted networks and the cardholder data environment 2.1.2.1 - Restrict inbound and outbound to that which is necessary for the cardholder data environment 2.1.2.3 - Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet 2.1.2.4 - Implement stateful inspection (also known as dynamic packet filtering) 2.1.2.5 - Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet 2.2 - Prohibition of vendor-supplied default password for systems and security parameters 2.2.1 - Always change vendor-supplied defaults and remove or disable unnecessary default accounts 2.2.2 - Encrypt all non-console administrative access using strong cryptography 2.3 - Protection of stored cardholder data 2.3.1 - Do not store sensitive authentication data after authorization 2.4 - Encrypt transmission of cardholder data across open, public networks 2.4.1 - Never send unprotected Personal Account Numbers (PANs) by end-user messaging technologies 2.5 - Protection against Malicious Software 2.5.1 - Deploy anti-virus software on all systems affected by malicious software 2.5.1.1 - Ensure that anti-virus programs can detect, remove and protect against all types of malicious software 2.5.1.2 - Review systems not commonly affected by malicious software to confirm that systems do not require anti-virus software 2.5.2 - Ensure that all anti-virus mechanisms are kept current, perform scans and generate logs as required 2.5.3 - Ensure that anti-virus mechanisms are running and cannot be disabled unless authorized 2.6 - Develop and maintain secure systems and applications 2.6.1 - Establish process to identify security vulnerabilities using reputable outside sources 2.6.2 - Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches 2.6.3 - Patch Installation Procedure 2.6.4 - Address common code vulnerabilities

PROPRIETARY & CONFIDENTIAL PAGE 2 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.7 - Restricted access to cardholder data 2.7.1 - Limit access to system components and cardholder data 2.8 - Access to Cardholder Data Environment (CDE) system components 2.8.1 - Proper User Identification Management for Non-Consumer Users and Administrators 2.8.1.1 - Unique User Identification 2.8.1.2 - Termination Procedures 2.8.1.3 - Third- Party Vendor User ID Management, System Component Access, and Monitoring 2.8.1.4 - Repeated login access attempts 2.8.1.5 - User ID lockout duration 2.8.2 - Ensuring proper user-authentication management 2.8.2.1 - Password strength and complexity 2.8.2.2 - Password expiration policy 2.8.2.3 - New password/phrase requirements 2.8.3 - Two-Factor authentication requirement for remote network access by users 2.8.4 - Group, shared, and Generic IDs prohibition policy 2.9 - Controlling physical access to cardholder data 2.9.1 - Facility entry controls and monitoring physical access to systems in the cardholder data environment 2.10 - Track and monitor access to network resources and cardholder data 2.10.1 - Automated audit trails for all system components 2.10.1.1 - Generate audit trail of all actions taken by any individual with root or administrative privileges 2.10.1.2 - Generate audit trails of invalid logical access attempts 2.10.1.3 - Generate audit trails of the use of and changes to identification and authentication mechanisms 2.10.2 - Review logs and security events for all system components 2.10.2.1 - Daily review of security events including logs of system components, critical system components, and servers that perform security functions 2.10.2.2 - Review logs of all other system components periodically based on risk management strategy and annual risk assessment 2.11 - Regular testing of security systems and processes 2.11.1.1 - Perform internal and external scans, and rescans as needed, after any significant change 2.11.2 - Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files 2.11.2.1 - Implement a process to respond to any alerts generated by the change- detection solution

PROPRIETARY & CONFIDENTIAL PAGE 3 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT 1 - Overview

This document provides evidence of policy compliance.

1.1 Security Officer

Name of Security Officer: Joe Secoff

Contact Information for Security Officer: 555 PCI Way Retail City, VA

1.2 Overall Risk

We have performed a Risk Assessment as part of our routine PCI DSS version 3.0 compliance review. See the attached PCI DSS Risk Assessment and Management Plan document.

PROPRIETARY & CONFIDENTIAL PAGE 4 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT 2 PCI DSS Evidence of Compliance

2.1 Install and maintain firewall to protect cardholder data

PCI DSS Requirement 1.0: Install and maintain a firewall configuration to protect cardholder data.

2.1.1.1 Requirements for firewall at each Internet connections and between DMZ and internal network zone

PCI DSS Requirement 1.1.4: Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.

PCI DSS Requirement 1.1.4.a: Examine the firewall configuration standards and verify that they include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone.

PCI DSS Guidance: PCI DSS Guidance: Using a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network, allows the organization to monitor and control access and minimizes the chances of a malicious individual obtaining access to the internal network via an unprotected connection.

One or more Internet connections are not secured as required to protect the Cardholder Data Environment from malicious attacks. Further action should be taken to ensure the situation is remediated.

PCI DSS Requirement 1.1.4.b: Verify that the current network diagram is consistent with the firewall configuration standards.

The required network diagram document is consistent with the firewall configuration standards.

PROPRIETARY & CONFIDENTIAL PAGE 5 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.1.1.2 Business justification for use of all services, protocols and ports allowed

PCI DSS Requirement 1.1.6: Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

PCI DSS Requirement 1.1.6.a: Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each— for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.

PCI DSS Requirement 1.1.6.b: Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service.

PCI DSS Guidance: PCI DSS Guidance: Compromises often happen due to unused or insecure service and ports, since these often have known vulnerabilities and many organizations don’t patch vulnerabilities for the services, protocols, and ports they don't use (even though the vulnerabilities are still present). By clearly defining and documenting the services, protocols, and ports that are necessary for business, organizations can ensure that all other services, protocols, and ports are disabled or removed. If insecure services, protocols, or ports are necessary for business, the risk posed by use of these protocols should be clearly understood and accepted by the organization, the use of the protocol should be justified, and the security features that allow these protocols to be used securely should be documented and implemented. If these insecure services, protocols, or ports are not necessary for business, they should be disabled or removed.

The list of open ports discovered during an external scan of the network are documented below along with their business justification.

External IP Address: 199.38.223.84 Port/Protocol Business Justification Insecure Security Feature Protocol Documented 80/TCP (http) No justification provided Yes Undocumented 443/TCP (https) Secure Web Portal No 1723/TCP VPN No

One or more services, protocols or ports in use have been implemented and are not documented within the standards, or the business justification has not been clearly specified. Please remediate immediately, attention is required.

One or more insecure services have not been identified and/or one or more service’s security features have not been implemented. Please remediate immediately, attention is required.

PROPRIETARY & CONFIDENTIAL PAGE 6 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.1.2 Build firewall and router configurations that restrict connections between untrusted networks and the cardholder data environment

PCI DSS Requirement 1.2: Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

PCI DSS Guidance: PCI DSS Guidance: It is essential to install network protection between the internal, trusted network and any untrusted network that is external and/or out of the entity’s ability to control or manage. Failure to implement this measure correctly results in the entity being vulnerable to unauthorized access by malicious individuals or software. For firewall functionality to be effective, it must be properly configured to control and/or limit traffic into and out of the entity’s network.

Instruction: Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

2.1.2.1 Restrict inbound and outbound to that which is necessary for the cardholder data environment

PCI DSS Requirement 1.2.1: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

PCI DSS Requirement 1.2.1.a: Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment.

PCI DSS Requirement 1.2.1.b: Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment.

PCI DSS Guidance: This requirement is intended to prevent malicious individuals from accessing the entity’s network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within your network out to an untrusted server.) Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.

Our company employs standards and practices that ensure only necessary traffic inbound and outbound is allowed to the cardholder data environment (CDE).

We were unable to examine the firewall configurations of the following devices: ● fw2 The following firewall configurations were examined for outbound and inbound deny rules: Firewall Explicit Deny Inbound Rule Explicit Deny Outbound Rule fw1 Yes No

2.1.2.3 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet

PROPRIETARY & CONFIDENTIAL PAGE 7 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

PCI DSS Requirement 1.3.5: Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

Connection tests from inside the CDE were performed to unknown destination IP addresses to ensure proper firewall settings.

This report is designed to point out issues that were detected while performing the security assessment. This includes issues found in the areas of system leakage, system control, and user control.

Assessment Summary # End-points in Data Collection 29 System Leakage # End-points with protocol leaks 0 # Protocols leaked by all tested end-points 0 System Controls # Partially restricted protocols 0 # Unrestricted protocols 0 User Controls # Partially restricted sites 0 # Unrestricted sites 13

System Protocol Leakage

Users inside your network are able to access and transmit to the following ports and protocols:

Windows Protocols Internal Windows protocols in most cases should not be allowed to leave the local network

Protocol Common Name End Point(s) No issues detected

System Management Protocols The following protocols can be leaked externally to an unknown source on the Internet. These protocols can convey security related information regarding network devices and be used to export configuration information.

Protocol Common Name End Point(s) No issues detected

Exploitable Protocols The following protocols have been known to leak information or can be used to create “phone home” scenarios that may permit access to your internal network.

Protocol Common Name End Point(s) No issues detected

PROPRIETARY & CONFIDENTIAL PAGE 8 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Some protocols should be highly restricted to systems which rely on them for their operation. Granting access to more than one system (unless specifically designated to require the protocol) is not recommended. The following table shows Internet-based protocols and highlights if these “allow, but limit” protocols are pervasive.

Protocol Common End Point(s) Analysis Name No issues detected

An analysis of user controls indicates if content-filtering and access filtering has been implemented to prevent users from accessing potentially harmful websites and other Internet resources.

The following site categories were found to be accessible from various end-points:

URL Category Unrestricted End Point(s) Analysis http://espn.go.com Entertainment BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8 Mmayhemon-HP Mwest-PC Mwest-WIN864 PITmarcusus-PC PS01 Psimpson-PC Psimpson-WIN7TEST QA-PC RANCOR RDGATEWAY RJOHNSON-PC Sdavis-LT

PROPRIETARY & CONFIDENTIAL PAGE 9 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

URL Category Unrestricted End Point(s) Analysis STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW http://www.playboy.com Pornography BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8 Mmayhemon-HP Mwest-PC Mwest-WIN864 PITmarcusus-PC PS01 Psimpson-PC Psimpson-WIN7TEST QA-PC RANCOR RDGATEWAY RJOHNSON-PC Sdavis-LT STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW http://www.youporn.com Pornography BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8 Mmayhemon-HP Mwest-PC Mwest-WIN864 PITmarcusus-PC PS01 Psimpson-PC Psimpson-WIN7TEST QA-PC RANCOR RDGATEWAY

PROPRIETARY & CONFIDENTIAL PAGE 10 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

URL Category Unrestricted End Point(s) Analysis RJOHNSON-PC Sdavis-LT STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW http://www.cnet.com Shareware BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8 Mmayhemon-HP Mwest-PC Mwest-WIN864 PITmarcusus-PC PS01 Psimpson-PC Psimpson-WIN7TEST QA-PC RANCOR RDGATEWAY RJOHNSON-PC Sdavis-LT STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW http://www.tucows.com Shareware BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8 Mmayhemon-HP Mwest-PC Mwest-WIN864 PITmarcusus-PC PS01 Psimpson-PC Psimpson-WIN7TEST QA-PC

PROPRIETARY & CONFIDENTIAL PAGE 11 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

URL Category Unrestricted End Point(s) Analysis RANCOR RDGATEWAY RJOHNSON-PC Sdavis-LT STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW http://www.facebook.com Social Media BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8 Mmayhemon-HP Mwest-PC Mwest-WIN864 PITmarcusus-PC PS01 Psimpson-PC Psimpson-WIN7TEST QA-PC RANCOR RDGATEWAY RJOHNSON-PC Sdavis-LT STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW http://www.myspace.com Social Media BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8 Mmayhemon-HP Mwest-PC Mwest-WIN864 PITmarcusus-PC PS01 Psimpson-PC

PROPRIETARY & CONFIDENTIAL PAGE 12 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

URL Category Unrestricted End Point(s) Analysis Psimpson-WIN7TEST QA-PC RANCOR RDGATEWAY RJOHNSON-PC Sdavis-LT STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW http://www.youtube.com Social Media BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8 Mmayhemon-HP Mwest-PC Mwest-WIN864 PITmarcusus-PC PS01 Psimpson-PC Psimpson-WIN7TEST QA-PC RANCOR RDGATEWAY RJOHNSON-PC Sdavis-LT STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW https://plus.google.com Social Media BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8 Mmayhemon-HP Mwest-PC Mwest-WIN864 PITmarcusus-PC

PROPRIETARY & CONFIDENTIAL PAGE 13 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

URL Category Unrestricted End Point(s) Analysis PS01 Psimpson-PC Psimpson-WIN7TEST QA-PC RANCOR RDGATEWAY RJOHNSON-PC Sdavis-LT STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW http://isohunt.to Warez BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8 Mmayhemon-HP Mwest-PC Mwest-WIN864 PITmarcusus-PC PS01 Psimpson-PC Psimpson-WIN7TEST QA-PC RANCOR RDGATEWAY RJOHNSON-PC Sdavis-LT STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW http://thepiratebay.se Warez BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8 Mmayhemon-HP Mwest-PC

PROPRIETARY & CONFIDENTIAL PAGE 14 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

URL Category Unrestricted End Point(s) Analysis Mwest-WIN864 PITmarcusus-PC PS01 Psimpson-PC Psimpson-WIN7TEST QA-PC RANCOR RDGATEWAY RJOHNSON-PC Sdavis-LT STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW http://gmail.google.com Web Mail BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8 Mmayhemon-HP Mwest-PC Mwest-WIN864 PITmarcusus-PC PS01 Psimpson-PC Psimpson-WIN7TEST QA-PC RANCOR RDGATEWAY RJOHNSON-PC Sdavis-LT STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW http://mail.yahoo.com Web Mail BROWND Unrestricted ccproc01 CONFERENCEROOM DC03 DEVTFS DEVTFSBUILD FILE2012-1 FT-LENOVO HV01 HV02 jacob-WIN8

PROPRIETARY & CONFIDENTIAL PAGE 15 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

URL Category Unrestricted End Point(s) Analysis Mmayhemon-HP Mwest-PC Mwest-WIN864 PITmarcusus-PC PS01 Psimpson-PC Psimpson-WIN7TEST QA-PC RANCOR RDGATEWAY RJOHNSON-PC Sdavis-LT STORAGE01 thanos-PC Thayden-DT trex UTIL12 VPNGW

2.1.2.4 Implement stateful inspection (also known as dynamic packet filtering)

PCI DSS Requirement 1.3.6: Implement stateful inspection, also known as dynamic packet filtering. (That is, only “established” connections are allowed into the network.)

System Component Name Stateful Inspection Activated? fw1 Yes

All routers and firewalls are configured to perform stateful inspections in compliance with the relevant policies and procedures to ensure that only established connections are allowed into the Cardholder Data Environment network.

2.1.2.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet

PCI DSS Requirement 1.3.8: Do not disclose private IP addresses and routing information to unauthorized parties.

Note: Methods to obscure IP addressing may include, but are not limited to:

* Network Address Translation (NAT), * Placing servers containing cardholder data behind proxy servers/firewalls, * Removal or filtering of route advertisements for private networks that employ registered addressing, * Internal use of RFC1918 address space instead of registered addresses.

PCI DSS Requirement 1.3.8a: Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.

PROPRIETARY & CONFIDENTIAL PAGE 16 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

PCI DSS Guidance: Restricting the disclosure of internal or private IP addresses is essential to prevent a hacker “learning” the IP addresses of the internal network, and using that information to access the network. Methods used to meet the intent of this requirement may vary depending on the specific networking technology being used. For example, the controls used to meet this requirement may be different for IPv4 networks than for IPv6 networks.

The following servers, which have been identified as part of the Cardholder Data Environment (CDE), were checked.

Server Name IP Address Can Access Uses Network Only uses RFC1918 Internet Address Internal Addresses Translation Boppenheimer-DT 10.0.7.17 N/A N/A Yes ccproc01 10.0.6.4 Yes N/A Yes CERTsvr N/A N/A Yes jacob-WIN8 10.0.7.44 Yes N/A Yes REMOTE N/A N/A Yes STORAGE01 10.0.1.69 Yes N/A Yes USER-PC23 N/A N/A Yes

PROPRIETARY & CONFIDENTIAL PAGE 17 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.2 Prohibition of vendor-supplied default password for systems and security parameters

PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

PCI DSS Guidance: Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.

2.2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts

PCI DSS Requirement 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.

Network Devices IP Address System Component Details Login with Vendor Name Defaults Passed/Failed 10.0.0.1 10.0.0.1 Passed 10.0.0.11 10.0.0.11 Protocol: SNMP Failed Pwd: private 10.0.0.21 10.0.0.21 Protocol: SNMP Failed Pwd: private 10.0.1.1 10.0.1.1 Protocol: HTTP Failed User: admin Pwd: password 10.0.1.201 10.0.1.201 Passed 10.0.1.202 10.0.1.202 Passed 10.0.1.203 10.0.1.203 Passed 10.0.1.204 10.0.1.204 Passed 10.0.1.205 10.0.1.205 Passed 10.0.1.240 10.0.1.240 Passed 10.0.1.51 10.0.1.51 Protocol: SNMP Failed Pwd: private 10.0.1.52 10.0.1.52 Protocol: SNMP Failed Pwd: private 10.0.3.204 10.0.3.204 Passed 10.0.5.1 10.0.5.1 Protocol: HTTP Failed User: admin Pwd: password 10.0.6.23 10.0.6.23 Passed

PROPRIETARY & CONFIDENTIAL PAGE 18 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address System Component Details Login with Vendor Name Defaults Passed/Failed 10.0.6.29 10.0.6.29 Passed 10.0.6.49 10.0.6.49 Passed 10.0.7.1 10.0.7.1 Passed 10.0.6.25 ANDROID- Passed 811B08F6FF1125CE.COR P.myco.COM 10.0.6.57 ANDROID- Passed 9D778EFBF30C431E.COR P.myco.COM 10.0.6.45 ANDROID- Passed CD912E8ADD4AE1F6.CO RP.myco.COM 10.0.7.87 CMHX5D1.CORP.myco.C Passed OM 10.0.1.81 FINANCE Passed 10.0.6.122 IDRAC- Passed FTJMPQ1.CORP.myco.C OM 10.0.7.123 ISTCORP- Passed PC.CORP.myco.COM 10.0.6.13 ISTCORPS- Passed IPHONE.CORP.myco.CO M 10.0.6.88 JRAWIN8K1QA3.CORP.m Passed yco.COM 10.0.6.100 KCM_PC.CORP.myco.CO Passed M 10.0.1.50 myco-DATTO Passed 10.0.6.8 NEWBUILD.CORP.myco. Passed COM 10.0.6.59 PAUL- Passed TPLT.CORP.myco.COM 10.0.6.58 PGK- Passed W520.CORP.myco.COM 10.0.6.77 PITMACMINI.CORP.myc Passed o.COM 10.0.7.89 SPA112.CORP.myco.CO Passed M 10.0.6.2 svr74QG- Passed U.CORP.myco.COM 10.0.6.90 svrDEMO1- Passed U.CORP.myco.COM 10.0.6.50 svrDEV2.CORP.myco.CO Passed M

PROPRIETARY & CONFIDENTIAL PAGE 19 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address System Component Details Login with Vendor Name Defaults Passed/Failed 10.0.6.84 svrDEV2- Passed U.CORP.myco.COM 10.0.6.20 svrDEV3.CORP.myco.CO Passed M 10.0.6.52 svrDEV3- Passed U.CORP.myco.COM 10.0.6.30 svrQA1- Passed U.CORP.myco.COM 10.0.6.86 svrRFT1.CORP.myco.CO Passed M 10.0.6.62 svrRFT1- Passed U.CORP.myco.COM 10.0.6.12 svrTEST1.CORP.myco.CO Passed M 10.0.6.60 svrTEST1- Passed U.CORP.myco.COM 10.0.6.78 WINDOWS- Passed PHONE.CORP.myco.CO M

Printers IP Address System Component Details Login with Vendor Name Defaults Passed/Failed 10.0.1.245 BRN001BA921EFB7 Passed 10.0.1.244 BRN30055C36B0DA Passed

One or more system components contain Login accounts and/or passwords using vendor supplied defaults. Remediate these issues immediately to prevent security vulnerabilities that can enable malicious individuals to access one more system components within the Cardholder Data Environment.

2.2.1.1 Implement only one primary function per server

PCI DSS Requirement 2.2.1: Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

PCI DSS Guidance: If server functions that need different security levels are located on the same server, the security level of the functions with higher security needs would be reduced due to the presence of the lower-security functions. Additionally, the server functions with a lower security level may introduce security weaknesses to other functions on the same server. By considering the security needs of different server functions as part of the system configuration standards and related processes, organizations can ensure that functions requiring different security levels don’t co-exist on the same server.

PROPRIETARY & CONFIDENTIAL PAGE 20 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

The following table lists all identified servers in the Cardholder Data Environment (CDE) along with their identified functions. The table lists all physical and virtual servers per requirements 2.2.1a (physical) and 2.2.1b (virtual). If a server is configured to perform more than one function, it is highlighted in RED.

Corp.myco.com IP Address Server Name Server Details Server Function CERTsvr OS: Windows Server Web Server 2012 R2 Standard IP address: Description: CPU : RAM : Last Login : 4/24/2015 8:12:44 AM REMOTE OS: Windows 8.1 Pro IP Terminal address: Description: CPU : RAM : Last Login : 5/7/2015 11:22:10 AM fe80::7862:940f:f35b:ee STORAGE01 OS: Windows Server File Server 35%24,fe80::2421:204a: 2008 R2 Enterprise IP f5ff:feba%21,10.0.1.69, address: 2001:0:9d38:6abd:2421: fe80::7862:940f:f35b:ee 204a:f5ff:feba 35%24,fe80::2421:204a: f5ff:feba%21,10.0.1.69,2 001:0:9d38:6abd:2421:2 04a:f5ff:feba Description: CPU : Intel(R) Xeon(R) CPU L5639 @ 2.13GHz RAM : 6144 MB Last Login : 5/7/2015 2:10:49 PM

All servers identified in the Cardholder Data Environment are configured to perform one primary function.

2.2.1.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system

PCI DSS Requirement 2.2.2: Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

All detected startup applications, running services, listening protocols, and daemons are listed below. Items in RED were flagged as unnecessary for the operation of the primary server role.

Startup Applications IP Address Server Name Startup Applications Server Function fe80::7862:940f:f35b:ee STORAGE01 BacsTray Application File Server 35%24,fe80::2421:204a: Oracle VM VirtualBox f5ff:feba%21,10.0.1.69, Guest Additions Virtual CloneDrive

PROPRIETARY & CONFIDENTIAL PAGE 21 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Server Name Startup Applications Server Function 2001:0:9d38:6abd:2421: GFI Business Agent 204a:f5ff:feba

Windows Services IP Address Server Name Startup Applications Server Function fe80::7862:940f:f35b:ee STORAGE01 Application Experience File Server 35%24,fe80::2421:204a: Application Layer f5ff:feba%21,10.0.1.69, Gateway Service 2001:0:9d38:6abd:2421: Application Host Helper 204a:f5ff:feba Service Application Identity Application Information Application Management ASP.NET State Service Windows Audio Endpoint Builder Windows Audio Base Filtering Engine Background Intelligent Transfer Service Computer Browser Certificate Propagation Microsoft .NET Framework NGEN v2.0.50727_X86 Microsoft .NET Framework NGEN v2.0.50727_X64 Microsoft .NET Framework NGEN v4.0.30319_X86 Microsoft .NET Framework NGEN v4.0.30319_X64 Cluster Service COM+ System Application Cryptographic Services DCOM Server Process Launcher Disk Defragmenter DFS Namespace DFS Replication DHCP Client DNS Client

PROPRIETARY & CONFIDENTIAL PAGE 22 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Server Name Startup Applications Server Function Wired AutoConfig Diagnostic Policy Service Extensible Authentication Protocol Encrypting File System (EFS) Windows Event Log COM+ Event System Microsoft Fibre Channel Platform Registration Service Function Discovery Provider Host Function Discovery Resource Publication Windows Font Cache Service Windows Presentation Foundation Font Cache 3.0.0.0 GFI LanGuard 10 Attendant Service Group Policy Client Single Instance Store Groveler Human Interface Device Access Health Key and Certificate Management Windows CardSpace Internet Explorer ETW Collector Service IIS Admin Service IKE and AuthIP IPsec Keying Modules PnP-X IP Bus Enumerator IP Helper CNG Key Isolation KtmRm for Distributed Transaction Coordinator Server Workstation Link-Layer Topology Discovery Mapper TCP/IP NetBIOS Helper

PROPRIETARY & CONFIDENTIAL PAGE 23 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Server Name Startup Applications Server Function Multimedia Class Scheduler Windows Firewall Distributed Transaction Coordinator Microsoft iSCSI Initiator Service Windows Installer SQL Server (SUNBELT) SQL Server Active Directory Helper Network Access Protection Agent Net Driver HPZ12 Netlogon Network Connections Net.Msmq Listener Adapter Net.Pipe Listener Adapter Network List Service Net.Tcp Listener Adapter Net.Tcp Port Sharing Service Client for NFS Server for NFS Network Location Awareness Network Store Interface Service internal Counter DLL Host internal Logs & Alerts Plug and Play Pml Driver HPZ12 IPsec Policy Agent Power Printer Extensions and Notifications User Profile Service Protected Storage Remote Access Auto Connection Manager Remote Access Connection Manager

PROPRIETARY & CONFIDENTIAL PAGE 24 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Server Name Startup Applications Server Function Routing and Remote Access Remote Registry RPC Endpoint Mapper Remote Procedure Call (RPC) Locator Remote Procedure Call (RPC) Remote Access Quarantine Agent Resultant Set of Policy Provider Special Administration Console Helper Security Accounts Manager VIPRE Business Premium SB Recovery Service Smart Card Task Scheduler Smart Card Removal Policy ScreenConnect Client (2872323bbe412f4c) Secondary Logon System Event Notification Service Remote Desktop Configuration ShadowProtect Service Internet Connection Sharing (ICS) Shell Hardware Detection SNMP Trap Print Spooler Software Protection SPP Notification Service SQL Server Browser SQL Server VSS Writer File Server Storage Reports Manager File Server Resource Manager SSDP Discovery

PROPRIETARY & CONFIDENTIAL PAGE 25 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Server Name Startup Applications Server Function Secure Socket Tunneling Protocol Service StorageCraft Raw Agent StorageCraft ImageReady Microsoft Software Shadow Copy Provider Telephony TPM Base Services Remote Desktop Services Thread Ordering Server Distributed Link Tracking Client Windows Modules Installer Interactive Services Detection Remote Desktop Services UserMode Port Redirector UPnP Device Host Desktop Window Manager Session Manager Credential Manager Virtual Disk VIPRE Business Premium Site Service Hyper-V Heartbeat Service Hyper-V Data Exchange Service Hyper-V Remote Desktop Virtualization Service Hyper-V Guest Shutdown Service Hyper-V Time Synchronization Service Hyper-V Volume Shadow Copy Requestor StorageCraft Shadow Copy Provider Volume Shadow Copy Windows Time

PROPRIETARY & CONFIDENTIAL PAGE 26 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Server Name Startup Applications Server Function World Wide Web Publishing Service Windows Process Activation Service Block Level Backup Engine Service Windows Color System Diagnostic Service Host Diagnostic System Host Windows Deployment Services Server Windows Event Collector Problem Reports and Solutions Control Panel Support Windows Error Reporting Service WinHTTP Web Proxy Auto-Discovery Service Windows Management Instrumentation Windows Remote Management (WS- Management) Microsoft iSCSI Software Target WMI internal Adapter Portable Device Enumerator Service Windows Update Windows Driver Foundation - User-mode Driver Framework

Listening Protocols IP Address Server Name Startup Applications Server Function No entries.

2.2.1.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure

PCI DSS Requirement 2.2.3: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such

PROPRIETARY & CONFIDENTIAL PAGE 27 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.

Some protocols have been flagged as inherently insecure. The following lists those protocols along with additional security features. IP Address Server Name Listening Protocols Security Features 10.0.0.1 23/tcp No additional security features 80/tcp No additional security features 10.0.0.11 80/tcp Yes 10.0.0.21 80/tcp No additional security features 10.0.1.1 23/tcp No additional security features 80/tcp No additional security features 10.0.1.5 VPNGW 80/tcp No additional security features 10.0.1.6 ISA1.CORP.myco.COM 23/tcp No additional security features 80/tcp No additional security features 8080/tcp No additional security features 10.0.1.15 UTIL12.CORP.myco.COM 80/tcp No additional security features 10.0.1.16 DEVTFS.CORP.myco.CO 80/tcp No additional security features M 8080/tcp No additional security features 10.0.1.21 RDGATEWAY.CORP.myc 80/tcp Yes o.COM 10.0.1.41 FILE2012- 80/tcp No additional security features 1.CORP.myco.COM 10.0.1.50 myco-DATTO 80/tcp No additional security features 5900/tcp No additional security features 10.0.1.51 23/tcp No additional security features 80/tcp No additional security features 10.0.1.52 23/tcp No additional security features 80/tcp No additional security features 10.0.1.69 STORAGE01.CORP.myco. 80/tcp No additional security features COM 10.0.1.81 FINANCE 80/tcp No additional security features 10.0.1.120 HV02.CORP.myco.COM 80/tcp No additional security features 10.0.1.121 HV02.CORP.myco.COM 80/tcp No additional security features 10.0.1.201 80/tcp No additional security features 10.0.1.202 80/tcp No additional security features 10.0.1.203 80/tcp No additional security features 10.0.1.204 80/tcp No additional security features 10.0.1.205 80/tcp No additional security features 5900/tcp No additional security features 10.0.1.240 80/tcp No additional security features 10.0.1.244 BRN30055C36B0DA 23/tcp No additional security features 80/tcp No additional security features 10.0.1.245 BRN001BA921EFB7 23/tcp No additional security features 80/tcp No additional security features

PROPRIETARY & CONFIDENTIAL PAGE 28 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Server Name Listening Protocols Security Features 10.0.3.2 AMAZONROUTER.CORP. 80/tcp No additional security features myco.COM 10.0.5.1 23/tcp No additional security features 80/tcp No additional security features 10.0.6.2 svr74QG- 80/tcp No additional security features U.CORP.myco.COM 10.0.6.8 NEWBUILD.CORP.myco. 80/tcp No additional security features COM 10.0.6.12 svrTEST1.CORP.myco.CO 80/tcp No additional security features M 10.0.6.20 svrDEV3.CORP.myco.CO 80/tcp No additional security features M 10.0.6.23 8080/tcp No additional security features 10.0.6.49 80/tcp No additional security features 10.0.6.69 ISA1.CORP.myco.COM 23/tcp No additional security features 80/tcp No additional security features 10.0.6.76 svrDEMO1.CORP.myco.C 80/tcp No additional security features OM 10.0.6.77 PITMACMINI.CORP.myc 5900/tcp No additional security features o.COM 10.0.6.80 PS01.CORP.myco.COM 80/tcp No additional security features 10.0.6.84 svrDEV2- 80/tcp No additional security features U.CORP.myco.COM 10.0.6.86 svrRFT1.CORP.myco.CO 80/tcp No additional security features M 10.0.6.88 JRAWIN8K1QA3.CORP.m 80/tcp No additional security features yco.COM 10.0.6.97 RANCOR.CORP.myco.CO 80/tcp No additional security features M 10.0.6.107 VPNGW.CORP.myco.CO 80/tcp No additional security features M 10.0.6.122 IDRAC- 80/tcp No additional security features FTJMPQ1.CORP.myco.C OM 5900/tcp No additional security features 10.0.7.45 Thayden- 80/tcp No additional security features DT.CORP.myco.COM 10.0.7.65 myco30DEV.CORP.myco. 80/tcp No additional security features COM 8080/tcp No additional security features 10.0.7.89 SPA112.CORP.myco.CO 80/tcp No additional security features M

2.2.1.4 Configure system security parameters to prevent misuse

PROPRIETARY & CONFIDENTIAL PAGE 29 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

PCI DSS Requirement 2.2.4: Configure system security parameters to prevent misuse.

To examine this requirement, security policies from the sampled systems were examined and compared against known best practices.

2.2.1.5 Remove all unnecessary functionality

PCI DSS Requirement 2.2.5: Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

PCI DSS Requirement 2.2.5.a: Select a sample of system components and inspect the configurations to verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed.

PCI DSS Requirement 2.2.5.b: Examine the documentation and security parameters to verify enabled functions are documented and support secure configuration.

PCI DSS Requirement 2.2.5.c: Examine the documentation and security parameters to verify that only documented functionality is present on the sampled system components.

PCI DSS Guidance: Unnecessary functions can provide additional opportunities for malicious individuals to gain access to a system. By removing unnecessary functionality, organizations can focus on securing the functions that are required and reduce the risk that unknown functions will be exploited. Including this in server-hardening standards and processes addresses the specific security implications associated with unnecessary functions (for example, by removing/disabling FTP or the web server if the server will not be performing those functions).

Sampled Systems

IP Addresses Computer Name Operating System Part of Cardholder Data Environment 10.0.7.17 Boppenheimer-DT Windows 8.1 Enterprise Yes fe80::e9b9:8bb8:4fc5:f9 ccproc01 Windows 8.1 Pro Yes b0%12,10.0.6.4 CERTsvr Windows Server 2012 R2 Yes Standard fe80::c18b:1a25:db41:7 jacob-WIN8 Windows 8.1 Enterprise Yes e4c%3,10.0.7.44 REMOTE Windows 8.1 Pro Yes fe80::7862:940f:f35b:ee STORAGE01 Windows Server 2008 R2 Yes 35%24,fe80::2421:204a: Enterprise f5ff:feba%21,10.0.1.69,2 001:0:9d38:6abd:2421:2 04a:f5ff:feba USER-PC23 Windows 7 Enterprise Yes Yes Yes

PROPRIETARY & CONFIDENTIAL PAGE 30 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Yes

Analysis

We have compared the list of system functionality to verify on the functionality required to perform the documented system roles are enabled.

The following unnecessary functionality was found and is marked for removal:

IP Addresses Computer Name Marked for Removal fe80::7862:940f:f35b:ee STORAGE01 Driver WAN Miniport (SSTP) 35%24,fe80::2421:204a: f5ff:feba%21,10.0.1.69,2 001:0:9d38:6abd:2421:2 04a:f5ff:feba fe80::7862:940f:f35b:ee STORAGE01 Driver WAN Miniport (PPTP) 35%24,fe80::2421:204a: f5ff:feba%21,10.0.1.69,2 001:0:9d38:6abd:2421:2 04a:f5ff:feba fe80::7862:940f:f35b:ee STORAGE01 Driver WAN Miniport (PPPOE) 35%24,fe80::2421:204a: f5ff:feba%21,10.0.1.69,2 001:0:9d38:6abd:2421:2 04a:f5ff:feba fe80::7862:940f:f35b:ee STORAGE01 Driver WAN Miniport (IPv6) 35%24,fe80::2421:204a: f5ff:feba%21,10.0.1.69,2 001:0:9d38:6abd:2421:2 04a:f5ff:feba fe80::7862:940f:f35b:ee STORAGE01 Feature Common HTTP Features 35%24,fe80::2421:204a: f5ff:feba%21,10.0.1.69,2 001:0:9d38:6abd:2421:2 04a:f5ff:feba

2.2.2 Encrypt all non-console administrative access using strong cryptography

PCI DSS Requirement 2.3: Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

PCI DSS Guidance: If non-console (including remote) administration does not use secure authentication and encrypted communications, sensitive administrative or operational level information (like administrator’s IDs and passwords) can be revealed to an eavesdropper. A malicious individual could use this information to access the network, become administrator, and steal data. Clear-text protocols (such as HTTP, telnet, etc.) do not encrypt traffic or logon details, making it easy for an eavesdropper to

PROPRIETARY & CONFIDENTIAL PAGE 31 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT intercept this information. To be considered “strong cryptography,” industry-recognized protocols with appropriate key strengths and key management should be in place as applicable for the type of technology in use. (Refer to "strong cryptography" in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms.)

PCI DSS Requirement 2.3.a: Observe an administrator log on to each system and examine system configurations to verify that a strong encryption method is invoked before the administrator’s password is requested.

Based upon observing administrator log on procedures and the further examination of system configurations, it has been determined that a strong encryption method is not invoked before the administrator’s password is requested. Further action should be taken to ensure the situation is remediated.

Web host login was not secure.

PCI DSS Requirement 2.3.b: Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.

IP Address Computer Name Telnet HTTP VNC HTTP (23/TCP) (80/TCP) (5900/TCP) (8080/TCP) 10.0.0.1 ✓ ✓ 10.0.0.21 ✓ 10.0.1.1 ✓ ✓ 10.0.1.5 VPNGW ✓* 10.0.1.6 ISA1 ✓ ✓* ✓ 10.0.1.15 UTIL12 ✓ 10.0.1.16 DEVTFS ✓ ✓ 10.0.1.41 FILE2012-1 ✓ 10.0.1.50 MYCO-DATTO ✓ ✓ 10.0.1.51 ✓ ✓ 10.0.1.52 ✓ ✓ 10.0.1.69 STORAGE01 ✓ 10.0.1.81 FINANCE ✓ 10.0.1.120 HV02 ✓ 10.0.1.121 HV02 ✓ 10.0.1.201 ✓ 10.0.1.202 ✓ 10.0.1.203 ✓ 10.0.1.204 ✓ 10.0.1.205 ✓ ✓ 10.0.1.240 ✓ 10.0.1.244 BRN30055C36B0DA ✓ ✓ 10.0.1.245 BRN001BA921EFB7 ✓ ✓ 10.0.3.2 AMAZONROUTER ✓ 10.0.5.1 ✓ ✓ 10.0.6.2 SVR74QG-U ✓ 10.0.6.8 NEWBUILD ✓ 10.0.6.12 SVRTEST1 ✓ 10.0.6.20 SVRDEV3 ✓

PROPRIETARY & CONFIDENTIAL PAGE 32 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Telnet HTTP VNC HTTP (23/TCP) (80/TCP) (5900/TCP) (8080/TCP) 10.0.6.23 ✓ 10.0.6.49 ✓ 10.0.6.69 ISA1 ✓ ✓ 10.0.6.76 SVRDEMO1 ✓ 10.0.6.77 PITMACMINI ✓ 10.0.6.80 PS01 ✓ 10.0.6.84 SVRDEV2-U ✓ 10.0.6.86 SVRRFT1 ✓ 10.0.6.88 JRAWIN8K1QA3 ✓ 10.0.6.97 RANCOR ✓ 10.0.6.107 VPNGW ✓ 10.0.6.122 IDRAC-FTJMPQ1 ✓ ✓ 10.0.7.45 THAYDEN-DT ✓ 10.0.7.65 MYCO30DEV ✓ ✓ 10.0.7.89 SPA112 ✓

* See Compensating Control Worksheet

PCI DSS Requirement 2.3.c: Observe an administrator log on to each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.

The following table lists web-based management interfaces along with observations for the administrative logins.

URL Observed Secure http://webconsole01 No https://telesys:5050/admin Yes

PROPRIETARY & CONFIDENTIAL PAGE 33 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.3 Protection of stored cardholder data

PCI DSS Requirement 3: Protect stored cardholder data

PCI DSS Guidance: Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging. Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of “strong cryptography” and other PCI DSS terms.

2.3.1 Do not store sensitive authentication data after authorization

PCI DSS Requirement 3.2: Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

It is permissible for issuers and companies that support issuing services to store sensitive authentication data if: * There is a business justification, and * The data is stored securely.

Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3:

PCI DSS Requirement 3.2.2: Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.

PCI DSS Requirement 3.2.3: Do not store the personal identification number (PIN) or the encrypted PIN block.

Our organization does not store Cardholder Data in our environment.

We have run a PAN Scanner against the following systems to search for Cardholder Data within our environment.

Sampled Systems Computer Name IP Addresses Operating System QA-PC 10.0.6.41 Windows 7 Professional

Personal Account Numbers were found on the following systems. Immediate attention is required.

QA-PC (10.0.6.41)

PROPRIETARY & CONFIDENTIAL PAGE 34 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Location PAN Discovered Personal Account Numbers found: QA-PC (10.0.6.41) 5555********4444, 5019********3742, (C:\QA_Files\creditcardfiles\122000000000003.docx) 3670******0000, 3614******7913, 6011********0000, 3528********0000 Personal Account Numbers found: QA-PC (10.0.6.41) 3670******0000, 3614******7913 (C:\QA_Files\creditcardfiles\Diners_creditcard.xlsx) Personal Account Numbers found: QA-PC (10.0.6.41) 6011********0000 (C:\QA_Files\creditcardfiles\Discover_creditcard.xlsx) Personal Account Numbers found: QA-PC (10.0.6.41) 4911*****0000, 4917********0000 (C:\QA_Files\creditcardfiles\Visa_creditcard.xlsx) Personal Account Numbers found: QA-PC (10.0.6.41) 5555********4444, 5019********3742, (C:\QA_Files\creditcardfiles\creditcardstxtfile.txt) 3670******0000, 3614******7913, 6011********0000, 3528********0000 Personal Account Numbers found: QA-PC (10.0.6.41) 4462********0000 (C:\QA_Files\creditcardfiles\visadebit_creditcard.xlsx) Personal Account Numbers found: QA-PC (10.0.6.41) 5124********0258 (C:\Users\jsmith\AppData\Roaming\Microsoft\Window s\Cookies\C57IJUF1.txt) Personal Account Numbers found: QA-PC (10.0.6.41) 3670******0000, 3614******7913 (C:\Users\jsmith\Documents\Diners_creditcard.xlsx) Personal Account Numbers found: QA-PC (10.0.6.41) 6011********0000 (C:\Users\jsmith\Documents\Discover_creditcard.xlsx) Personal Account Numbers found: QA-PC (10.0.6.41) 4911*****0000, 4917********0000 (C:\Users\jsmith\Documents\Visa_creditcard.xlsx) Personal Account Numbers found: QA-PC (10.0.6.41) 4462********0000 (C:\Users\jsmith\Documents\visadebit_creditcard.xlsx)

PROPRIETARY & CONFIDENTIAL PAGE 35 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.4 Encrypt transmission of cardholder data across open, public networks

PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks.

PCI DSS Guidance: Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.

SSID Secured Security Used in CDE Risk Level Yes RSNA_PSK No N/A 3213 6400 Yes IEEE80211_Open No N/A Aptean WPA Yes RSNA_PSK No N/A ApteanPS Yes RSNA_PSK No N/A ARG-Guest-DMZ No IEEE80211_Open No N/A ATTHpe6Hfi Yes RSNA_PSK No N/A CBCI-697F-2.4 Yes RSNA_PSK No N/A CBCI-697F-5 Yes RSNA_PSK No N/A EMC Guest Cafe No IEEE80211_Open No N/A execue Yes RSNA_PSK No N/A Goldtouch Yes RSNA_PSK No N/A HP4EB548 No IEEE80211_Open No N/A HP869B1D No IEEE80211_Open No N/A HPC4995C No IEEE80211_Open No N/A HPCP1525-9b9bb6 No IEEE80211_Open No N/A HP-Print-95- No IEEE80211_Open No N/A Officejet Pro 8600 HP-Print-B5- Yes RSNA_PSK No N/A Officejet 4630 IMPACTCRYO Yes RSNA_PSK No N/A InternalARG Yes RSNA_PSK No N/A Jabian Yes RSNA No N/A Jabian-Guest Yes RSNA_PSK No N/A MobileMind APTC Yes RSNA_PSK No N/A ngHub_319437N20 Yes RSNA_PSK No N/A 5B2F ObjectNet Yes IEEE80211_Open Yes High PerfIT-A Yes RSNA_PSK No N/A PerfIT-G Yes RSNA_PSK No N/A PerfIT-Guest Yes RSNA_PSK No N/A PIT-Domain Yes RSNA No N/A quark2008 Yes RSNA_PSK No N/A RKCPA Yes RSNA_PSK No N/A SMSCOOP Yes RSNA No N/A SMSPUB Yes RSNA_PSK No N/A Stonehill Yes RSNA_PSK No Low Stonehill2 Yes RSNA_PSK Yes Low

PROPRIETARY & CONFIDENTIAL PAGE 36 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

SSID Secured Security Used in CDE Risk Level Verizon-291LVW- Yes RSNA_PSK No N/A A5D7 Verizon-MiFi5510L- Yes RSNA_PSK No N/A 302E xfinitywifi No IEEE80211_Open No N/A

The wireless key has not been changed since the latest high risk employee termination.

PROPRIETARY & CONFIDENTIAL PAGE 37 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.4.1 Never send unprotected Personal Account Numbers (PANs) by end-user messaging technologies

PCI DSS Requirement 4.2: Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).

PCI DSS Guidance: E-mail, instant messaging, and chat can be easily intercepted by packet-sniffing during delivery across internal and public networks. Do not utilize these messaging tools to send PAN unless they are configured to provide strong encryption.

Employee Training Employees have been trained not to send unprotected PANs using end-user messaging technologies.

PAN Scan A routine PAN scan as part of this assessment found Personal Account Numbers in the checked file systems. See the Compensating Control Worksheet and PCI Management Plan for compensating controls and required remediation actions.

PROPRIETARY & CONFIDENTIAL PAGE 38 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.5 Protection against Malicious Software

PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

PCI DSS Guidance: Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business-approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.

2.5.1 Deploy anti-virus software on all systems affected by malicious software

PCI DSS Requirement 5.1: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

This section contains a listing of detected Antivirus and Antispyware as detected through Security Center and/or Installed Services for major vendors, which is then categorized by domain or workgroup membership.

Values in the "Name" column contain either the name of the product, None indicating the machine returned information but no product was found, or indicating information was not obtainable. Further, a status of ✓ indicates "yes",  indicates "no", and indicates that a status was not available.

CORP.PERFORMANCEIT.COM Computer Name Antivirus Antispyware Name On Current Name On Current REX Microsoft Security ✓ ✓ Microsoft Security ✓ ✓ Essentials Essentials Spybot - Search and   Destroy Windows Defender  

CORP.MYCO.COM Computer Name Antivirus Antispyware Name On Current Name On Current AMAZONROUTER APPASSURECORE Aturner-LT Windows Defender ✓ ✓ Windows Defender ✓ ✓ BACKUP-01 bkrickey-WIN7 bkrickey-Win81 GFI Languard ✓ GFI Languard ✓ GFI Software VIPRE ✓ ✓ GFI Software VIPRE ✓ ✓

PROPRIETARY & CONFIDENTIAL PAGE 39 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Computer Name Antivirus Antispyware Name On Current Name On Current Windows Defender  ✓ Windows Defender  ✓ Boppenheimer-DT Windows Defender ✓ ✓ Windows Defender ✓ ✓ BO-SANDBOX BROWND Windows Defender ✓ ✓ Windows Defender ✓ ✓ ccproc01 GFI Languard ✓ GFI Languard ✓ ThreatTrack Security ✓ ✓ ThreatTrack Security ✓ ✓ VIPRE Business Agent VIPRE Business Agent Windows Defender  ✓ Windows Defender  ✓ CERTsvr CONFERENCE_ROOM CONFERENCEROOM Norton Internet Security   Norton Internet Security   Windows Defender ✓ ✓ dbrown-pc DC03 GFI Languard ✓ GFI Languard ✓ VIPRE  VIPRE  DC1950 DEV_2012-CORE DEVKASEYA DEVTFS None None

DEVTFSBUILD None None

DEVWIKI Ehammond-WIN7 ENTCERTS FILE2012 FILE2012-1 None None File2012-HV FINANCE FT-LENOVO Windows Defender ✓ ✓ Windows Defender ✓ ✓ HV00 None None HV01 None None HV02 None None HV04 None None ISA1 jacob-WIN7 None Windows Defender  ✓ jacob-WIN8 GFI Languard ✓ GFI Languard ✓ GFI Software VIPRE ✓ ✓ GFI Software VIPRE ✓ ✓ Windows Defender  ✓ Windows Defender  ✓ JAGA Jdavis-Win8 JMATSON-PC JOES-PC KjacobsASUSPC KjacobsPC

PROPRIETARY & CONFIDENTIAL PAGE 40 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Computer Name Antivirus Antispyware Name On Current Name On Current MARKETING-1 METRO Mmayhemon1 Mmayhemon-HP Windows Defender ✓ ✓ Windows Defender ✓ ✓ Msummer-LT Msummer-LT1 Mwest-PC Windows Defender ✓ ✓ Windows Defender ✓ ✓

Mwest-WIN864 GFI Languard ✓ GFI Languard ✓ GFI Software VIPRE ✓ ✓ GFI Software VIPRE ✓ ✓ Windows Defender  ✓ Windows Defender  ✓ MW-LAPTOP myco30DEV myco-ATL-CORE mycoPATCH mycoROOTAUTH PABUILD peter-HOME PITmarcusus-PC GFI Languard ✓ GFI Languard ✓ ThreatTrack Security ✓ ✓ ThreatTrack Security ✓ ✓ VIPRE Business Agent VIPRE Business Agent Windows Defender  ✓ Windows Defender  ✓ PKWin8 Windows Defender ✓ ✓ Windows Defender ✓ ✓ PS01 None None Psimpson2 Psimpson-PC Windows Defender  ✓ Windows Defender  ✓ Psimpson-WIN764 Windows Defender  ✓ Windows Defender  ✓ Psimpson-WIN7TEST None Windows Defender ✓ ✓ Pturner Pturner-PC QA-PC GFI Languard ✓ GFI Languard ✓ ThreatTrack Security ✓ ✓ ThreatTrack Security ✓ ✓ VIPRE Business Agent VIPRE Business Agent Windows Defender  ✓ RANCOR Windows Defender ✓  Windows Defender ✓ 

RDGATEWAY None None REMOTE RJOHNSON-PC Windows Defender ✓ ✓ Windows Defender ✓ ✓ Sdavis-LT GFI Languard ✓ GFI Languard ✓ GFI Software VIPRE ✓ ✓ GFI Software VIPRE ✓ ✓ Windows Defender  ✓ Windows Defender  ✓ SHAREPOINT-01 SLOWE-WIN8

PROPRIETARY & CONFIDENTIAL PAGE 41 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Computer Name Antivirus Antispyware Name On Current Name On Current SQL2012-01 STORAGE01 GFI Languard ✓ GFI Languard ✓ VIPRE  VIPRE  tandem thanos-PC Windows Defender ✓ ✓ Windows Defender ✓ ✓ Thayden-DT GFI Languard ✓ GFI Languard ✓ GFI Software VIPRE ✓ ✓ GFI Software VIPRE ✓ ✓ Windows Defender  ✓ ttrex Microsoft Security ✓ ✓ Microsoft Security ✓ ✓ Essentials Essentials Spybot - Search and ✓ ✓ Destroy Windows Defender   USER-PC23 UTIL12 None None

VPNGW None None WIN10-1 ZOTAC-PITMS ZWIN7-140929

No Domain Computer Name Antivirus Antispyware Name On Current Name On Current peter-HOME Windows Defender ✓ ✓ Windows Defender ✓ ✓

PROPRIETARY & CONFIDENTIAL PAGE 42 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.5.1.1 Ensure that anti-virus programs can detect, remove and protect against all types of malicious software

PCI DSS Requirement 5.1.1: Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

Program Name Malware Detection and Removal Support Capabilities Adware Rootkits Spyware Trojans Viruses Worms Detection Removal Real- Time Protectio n Microsoft Security ✓ ✓ ✓ ✓ ✓ ✓ ✓ Essentials  ✓ Windows Defender ✓ ✓ ✓ ✓ ✓  ✓ ✓ ✓ GFI Languard ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ GFI Software VIPRE ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ VIPRE ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ThreatTrack Security ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ VIPRE Business Agent ✓ Norton Internet ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Security ✓

One or more anti-virus programs identified within the Cardholder Data Environment do not meet the minimum standards of protection necessary. Immediate attention is required.

PROPRIETARY & CONFIDENTIAL PAGE 43 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.5.1.2 Review systems not commonly affected by malicious software to confirm that systems do not require anti-virus software

PCI DSS Requirement 5.1.2: For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

PCI DSS Guidance: Typically, mainframes, mid-range computers (such as AS/400) and similar systems may not currently be commonly targeted or affected by malware. However, industry trends for malicious software can change quickly, so it is important for organizations to be aware of new malware that might affect their systems—for example, by monitoring vendor security notices and anti-virus news groups to determine whether their systems might be coming under threat from new and evolving malware. Trends in malicious software should be included in the identification of new security vulnerabilities, and methods to address new trends should be incorporated into the company's configuration standards and protection mechanisms as needed.

Upon assessment of this policy’s execution and the interviews performed with personnel, it has been determined that periodic reviews and evaluations are being undertaken in compliance with this security policy and requirement.

2.5.2 Ensure that all anti-virus mechanisms are kept current, perform scans and generate logs as required

PCI DSS Requirement 5.2: Ensure that all anti-virus mechanisms are maintained as follows: * Are kept current. * Perform periodic scans. * Generate audit logs which are retained per PCI DSS Requirement 10.7.

Policies and Procedures (5.2a) Our policies and procedures specify that all anti-virus software and definitions required for use within the cardholder data environment are to be maintained and kept “up-to-date” in compliance with this security policy and requirement.

Automatic Updates and Periodic Scans (5.2b) Corp.myco.com

Computer Name Antivirus Name On Definitions Periodic Scan Current Enabled Boppenheimer-DT Windows Defender ✓ ✓ ✓ ccproc01 GFI Languard ✓  ✓ ThreatTrack Security VIPRE ✓ ✓ Business Agent  Windows Defender  ✓ ✓ jacob-WIN8 GFI Languard ✓   GFI Software VIPRE ✓ ✓ ✓ Windows Defender  ✓ ✓

PROPRIETARY & CONFIDENTIAL PAGE 44 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Computer Name Antivirus Name On Definitions Periodic Scan Current Enabled STORAGE01 GFI Languard ✓ ✓  VIPRE  ✓ 

2.5.3 Ensure that anti-virus mechanisms are running and cannot be disabled unless authorized

PCI DSS Requirement 5.3: Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

All anti-virus software installed on required endpoints within the Cardholder Data Environment are actively running in compliance with established security policy and requirements.

PROPRIETARY & CONFIDENTIAL PAGE 45 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.6 Develop and maintain secure systems and applications

PCI DSS Requirement 6: Develop and maintain secure systems and applications.

PCI DSS Guidance: Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

2.6.1 Establish process to identify security vulnerabilities using reputable outside sources

PCI DSS Requirement 6.1: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

PCI DSS Guidance: The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment. Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds. Once an organization identifies a vulnerability that could affect their environment, the risk that the vulnerability poses must be evaluated and ranked. The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information. Classifying the risks (for example, as “high,” “medium,” or “low”) allows organizations to identify, prioritize, and address the highest risk items more quickly and reduce the likelihood that vulnerabilities posing the greatest risk will be exploited.

We subscribe to the following trustworthy sources: o nist.gov o pcisecurity.info

2.6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches

PCI DSS Requirement 6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

This section contains the patching status of computers using MBSA to determine need. Computers with missing patches are highlighted in red.

PROPRIETARY & CONFIDENTIAL PAGE 46 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment 10.0.1.3 MYCO\DC03 SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 9 security updates Updates are missing. 1 service packs or update rollups are missing. 10.0.1.4 MYCO\DC03 SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 9 security updates Updates are missing. 1 service packs or update rollups are missing. 10.0.1.5 MYCO\VPNGW SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 22 security Updates updates are missing. 2 service packs or update rollups are missing. 10.0.1.6 MYCO\ISA1 Internet Security Failed (critical) 1 security updates and Acceleration are missing. 1 Server Security service packs are Updates missing. SQL Server Failed (critical) 1 security updates Security Updates are missing. Windows Security Failed (critical) 51 security Updates updates are missing. 2 update rollups are missing. 10.0.1.15 MYCO\UTIL12 Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 21 security Updates updates are missing. 2 update

PROPRIETARY & CONFIDENTIAL PAGE 47 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment rollups are missing. 10.0.1.16 MYCO\DEVTFS Active Directory Passed No security Security Updates updates are missing. ASP.NET Web and Failed (critical) 1 security updates Data Frameworks are missing. Security Updates Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates SQL Server Failed (critical) 1 security updates Security Updates are missing. 1 service packs are missing. Windows Security Failed (critical) 58 security Updates updates are missing. 2 update rollups are missing. 10.0.1.21 MYCO\RDGATEWAY SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 18 security Updates updates are missing. 2 update rollups are missing. 10.0.1.23 MYCO\DC03 SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 9 security updates Updates are missing. 1 update rollups are missing. 10.0.1.41 MYCO\FILE2012-1 Developer Tools, Failed (critical) 2 security updates Runtimes, and are missing. Redistributables Security Updates SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 9 security updates Updates are missing. 1 service packs or

PROPRIETARY & CONFIDENTIAL PAGE 48 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment update rollups are missing. 10.0.1.69 MYCO\STORAGE01 Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates SDK Components Passed No security Security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 37 security Updates updates are missing. 1 service packs or update rollups are missing. 10.0.1.111 MYCO\HV01 Developer Tools, Failed (critical) 2 security updates Runtimes, and are missing. Redistributables Security Updates SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 17 security Updates updates are missing. 2 service packs or update rollups are missing. 10.0.1.120 MYCO\HV02 Developer Tools, Failed (critical) 2 security updates Runtimes, and are missing. Redistributables Security Updates SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 17 security Updates updates are missing. 2 service packs or update rollups are missing. 10.0.1.121 MYCO\HV02 Developer Tools, Failed (critical) 2 security updates Runtimes, and are missing.

PROPRIETARY & CONFIDENTIAL PAGE 49 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Redistributables Security Updates SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 17 security Updates updates are missing. 2 service packs or update rollups are missing. 10.0.6.0 MYCO\MWEST-PC ASP.NET Web and Passed No security Data Frameworks updates are Security Updates missing. Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Office Security Passed No security Updates updates are missing. SDK Components Passed No security Security Updates updates are missing. Silverlight Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.6.1 MYCO\TTREX ASP.NET Web and Passed No security Data Frameworks updates are Security Updates missing. Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Microsoft Lync Passed No security Server and updates are Microsoft Lync missing. Security Updates

PROPRIETARY & CONFIDENTIAL PAGE 50 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Office Passed No security Communications updates are Server And Office missing. Communicator Security Updates Office Security Failed (critical) 10 security Updates updates are missing. SDK Components Passed No security Security Updates updates are missing. Silverlight Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 18 security Updates updates are missing. 1 service packs or update rollups are missing. 10.0.6.4 MYCO\CCPROC01 ASP.NET Web and Passed No security Data Frameworks updates are Security Updates missing. Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Office Security Failed (critical) 2 security updates Updates are missing. Silverlight Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 16 security Updates updates are missing. 2 service packs or update rollups are missing.

PROPRIETARY & CONFIDENTIAL PAGE 51 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment 10.0.6.14 MYCO\SDAVIS-LT Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Office Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.6.26 MYCO\ATURNER-LT Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Office Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.6.33 MYCO\CONFERENCEROOM Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Office Security Failed (critical) 9 security updates Updates are missing. 2 service packs or update rollups are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (non- 1 service packs or Updates critical) update rollups are missing. 10.0.6.35 MYCO\BROWND ASP.NET Web and Failed (critical) 1 security updates Data Frameworks are missing. Security Updates

PROPRIETARY & CONFIDENTIAL PAGE 52 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.6.40 MYCO\PSIMPSON-PC Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Office Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.6.41 MYCO\QA-PC ASP.NET Web and Passed No security Data Frameworks updates are Security Updates missing. Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Office Security Passed No security Updates updates are missing. Silverlight Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.6.44 MYCO\JACOB-WIN7 Developer Tools, Failed (critical) 1 security updates Runtimes, and are missing. Redistributables Security Updates

PROPRIETARY & CONFIDENTIAL PAGE 53 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Office Security Failed (critical) 18 security Updates updates are missing. 1 service packs or update rollups are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (non- 1 service packs or Updates critical) update rollups are missing. 10.0.6.47 MYCO\PKWIN8 SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.6.53 MYCO\PSIMPSON- Developer Tools, Passed No security WIN7TEST Runtimes, and updates are Redistributables missing. Security Updates Office Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (non- 1 service packs or Updates critical) update rollups are missing. 10.0.6.55 MYCO\CONFERENCEROOM Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Office Security Failed (critical) 9 security updates Updates are missing. 2 service packs or update rollups are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (non- 1 service packs or Updates critical) update rollups are missing.

PROPRIETARY & CONFIDENTIAL PAGE 54 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment 10.0.6.67 MYCO\DEVTFSBUILD ASP.NET Web and Failed (critical) 1 security updates Data Frameworks are missing. Security Updates Developer Tools, Failed (critical) 1 security updates Runtimes, and are missing. Redistributables Security Updates Silverlight Security Failed (critical) 1 security updates Updates are missing. 1 service packs or update rollups are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 30 security Updates updates are missing. 1 service packs or update rollups are missing. 10.0.6.69 MYCO\ISA1 Internet Security Failed (critical) 1 security updates and Acceleration are missing. 1 Server Security service packs or Updates update rollups are missing. SQL Server Failed (critical) 1 security updates Security Updates are missing. Windows Security Failed (critical) 51 security Updates updates are missing. 2 service packs or update rollups are missing. 10.0.6.74 MYCO\FT-LENOVO Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Office Security Passed No security Updates updates are missing. Silverlight Security Passed No security Updates updates are missing.

PROPRIETARY & CONFIDENTIAL PAGE 55 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.6.80 MYCO\PS01 Developer Tools, Failed (critical) 2 security updates Runtimes, and are missing. Redistributables Security Updates SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 20 security Updates updates are missing. 2 service packs or update rollups are missing. 10.0.6.96 MYCO\MWEST-WIN864 ASP.NET Web and Passed No security Data Frameworks updates are Security Updates missing. Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Microsoft Lync Passed No security Server and updates are Microsoft Lync missing. Security Updates Office Passed No security Communications updates are Server And Office missing. Communicator Security Updates Office Security Passed No security Updates updates are missing. SDK Components Passed No security Security Updates updates are missing. Silverlight Security Passed No security Updates updates are missing.

PROPRIETARY & CONFIDENTIAL PAGE 56 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment SQL Server Failed (non- 1 service packs or Security Updates critical) update rollups are missing. Windows Security Passed No security Updates updates are missing. 10.0.6.97 MYCO\RANCOR ASP.NET Web and Passed No security Data Frameworks updates are Security Updates missing. Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Office Security Failed (critical) 3 security updates Updates are missing. SDK Components Passed No security Security Updates updates are missing. Silverlight Security Passed No security Updates updates are missing. SQL Server Failed (non- 1 service packs or Security Updates critical) update rollups are missing. Windows Security Failed (critical) 39 security Updates updates are missing. 2 service packs or update rollups are missing. 10.0.6.107 MYCO\VPNGW SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 22 security Updates updates are missing. 2 service packs or update rollups are missing. 10.0.6.133 MYCO\PITMARCUSUS-PC ASP.NET Web and Failed (critical) 1 security updates Data Frameworks are missing. Security Updates Developer Tools, Failed (critical) 2 security updates Runtimes, and are missing. Redistributables Security Updates

PROPRIETARY & CONFIDENTIAL PAGE 57 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Office Security Failed (critical) 8 security updates Updates are missing. 1 service packs or update rollups are missing. Silverlight Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.7.29 MYCO\RJOHNSON-PC SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.7.44 MYCO\JACOB-WIN8 Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Microsoft Lync Passed No security Server and updates are Microsoft Lync missing. Security Updates Office Passed No security Communications updates are Server And Office missing. Communicator Security Updates Office Security Passed No security Updates updates are missing. Silverlight Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Failed (critical) 41 security Updates updates are missing. 3 service packs or update

PROPRIETARY & CONFIDENTIAL PAGE 58 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment rollups are missing. 10.0.7.45 MYCO\THAYDEN-DT Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Microsoft Passed No security Application updates are Virtualization missing. Security Updates Microsoft Lync Passed No security Server and updates are Microsoft Lync missing. Security Updates Office Passed No security Communications updates are Server And Office missing. Communicator Security Updates Office Security Passed No security Updates updates are missing. Silverlight Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.7.49 MYCO\THANOS-PC Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Office Security Passed No security Updates updates are missing. Silverlight Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing.

PROPRIETARY & CONFIDENTIAL PAGE 59 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Windows Security Passed No security Updates updates are missing. 10.0.7.74 MYCO\BKRICKEY-WIN81 Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.7.95 MYCO\MMAYHEMON-HP Developer Tools, Passed No security Runtimes, and updates are Redistributables missing. Security Updates Office Security Passed No security Updates updates are missing. SQL Server Passed No security Security Updates updates are missing. Windows Security Passed No security Updates updates are missing. 10.0.6.4 CCPROC01 Critical Updates, Failed (critical) 23 critical updates Office 2013 are missing. Definition Failed (non- 1 update is Updates, Office critical) missing. 2013 Drivers, Windows Failed (non- 1 update is 8.1 critical) missing. Feature Packs, Failed (non- 1 update is Skype for critical) missing. Windows Feature Packs, Failed (non- 1 update is Windows 8 critical) missing. Office 2013, Failed (critical) 2 security updates Security Updates are missing. Office 2013, Failed (non- 1 update is Updates critical) missing. Security Updates, Failed (critical) 16 security Windows 8 updates are missing.

PROPRIETARY & CONFIDENTIAL PAGE 60 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Update Rollups, Failed (non- 2 updates are Windows 8 critical) missing. Updates, Windows Failed (non- 15 updates are 8 critical) missing. 10.0.6.35 BROWND Definition Failed (non- 1 update is Updates, Windows critical) missing. Defender Drivers, Windows Failed (non- 1 update is 8.1 Drivers critical) missing. Feature Packs, Failed (non- 1 update is Windows 8.1 critical) missing. Updates, Windows Failed (non- 28 updates are 8.1 critical) missing. 10.0.6.55, CONFERENCEROOM Drivers, Windows Failed (non- 2 updates are 10.0.6.33 7 critical) missing. Update Rollups, Failed (non- 1 update is Windows 7 critical) missing. Updates, Windows Failed (non- 9 updates are 7 critical) missing. 10.0.1.23, DC03 Critical Updates, Failed (critical) 2 critical updates 10.0.1.4, Windows Server are missing. 10.0.1.3 2012 R2 Feature Packs, Failed (non- 1 update is Silverlight critical) missing. Feature Packs, Failed (non- 1 update is Windows Server critical) missing. 2012 R2 Security Updates, Failed (critical) 9 security updates Windows Server are missing. 2012 R2 Update Rollups, Failed (non- 1 update is Windows Server critical) missing. 2012 R2 Updates, Windows Failed (non- 3 updates are Server 2012 R2 critical) missing. 10.0.1.16 DEVTFS ASP.NET Web Failed (critical) 1 security update Frameworks, is missing. Security Updates Critical Updates, Failed (critical) 8 critical updates Windows Server are missing. 2012 Feature Packs, Failed (non- 1 update is Silverlight critical) missing. Feature Packs, Failed (non- 1 update is Windows Server critical) missing. 2012

PROPRIETARY & CONFIDENTIAL PAGE 61 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Microsoft SQL Failed (critical) 1 security update Server 2012, is missing. Security Updates Microsoft SQL Failed (non- 1 update is Server 2012, critical) missing. Service Packs Security Updates, Failed (critical) 58 security Windows Server updates are 2012 missing. Update Rollups, Failed (non- 1 update is Windows Server critical) missing. 2012 Updates, Windows Failed (non- 16 updates are Server 2012 critical) missing. 10.0.6.67 DEVTFSBUILD ASP.NET Web Failed (critical) 1 security update Frameworks, is missing. Security Updates Critical Updates, Failed (critical) 2 critical updates Visual Studio 2010 are missing. Tools for Office Runtime Critical Updates, Failed (critical) 1 critical update is Visual Studio 2013 missing. Critical Updates, Failed (critical) 5 critical updates Windows Server are missing. 2012 R2 Feature Packs, Failed (non- 1 update is Windows Server critical) missing. 2012 R2 Security Updates, Failed (critical) 1 security update Visual Studio 2013 is missing. Security Updates, Failed (critical) 30 security Windows Server updates are 2012 R2 missing. Silverlight, Update Failed (non- 1 update is Rollups critical) missing. Update Rollups, Failed (non- 1 update is Windows Server critical) missing. 2012 R2 Updates, Windows Failed (non- 46 updates are Server 2012 R2 critical) missing. 10.0.1.41 FILE2012-1 Critical Updates, Failed (critical) 2 critical updates Windows Server are missing. 2012 R2 Feature Packs, Failed (non- 1 update is Silverlight critical) missing.

PROPRIETARY & CONFIDENTIAL PAGE 62 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Feature Packs, Failed (non- 1 update is Windows Server critical) missing. 2012 R2 Security Updates, Failed (critical) 1 security update Visual Studio 2005 is missing. Security Updates, Failed (critical) 1 security update Visual Studio 2008 is missing. Security Updates, Failed (critical) 9 security updates Windows Server are missing. 2012 R2 Update Rollups, Failed (non- 1 update is Windows Server critical) missing. 2012 R2 Updates, Windows Failed (non- 3 updates are Server 2012 R2 critical) missing. 10.0.6.74 FT-LENOVO Definition Failed (non- 1 update is Updates, Windows critical) missing. Defender Drivers, Windows Failed (non- 5 updates are 8.1 critical) missing. Feature Packs, Failed (non- 1 update is Skype for critical) missing. Windows Updates, Windows Failed (non- 9 updates are 8 critical) missing. 10.0.1.111 HV01 Critical Updates, Failed (critical) 8 critical updates Windows Server are missing. 2012 R2 Feature Packs, Failed (non- 1 update is Silverlight critical) missing. Feature Packs, Failed (non- 1 update is Windows Server critical) missing. 2012 R2 Security Updates, Failed (critical) 1 security update Visual Studio 2005 is missing. Security Updates, Failed (critical) 1 security update Visual Studio 2008 is missing. Security Updates, Failed (critical) 17 security Windows Server updates are 2012 R2 missing. Update Rollups, Failed (non- 2 updates are Windows Server critical) missing. 2012 R2 Updates, Windows Failed (non- 10 updates are Server 2012 R2 critical) missing.

PROPRIETARY & CONFIDENTIAL PAGE 63 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment 192.168.1.12, HV02 Critical Updates, Failed (critical) 8 critical updates 10.0.1.121, Windows Server are missing. 10.0.1.120 2012 R2 Feature Packs, Failed (non- 1 update is Silverlight critical) missing. Feature Packs, Failed (non- 1 update is Windows Server critical) missing. 2012 R2 Security Updates, Failed (critical) 1 security update Visual Studio 2005 is missing. Security Updates, Failed (critical) 1 security update Visual Studio 2008 is missing. Security Updates, Failed (critical) 17 security Windows Server updates are 2012 R2 missing. Update Rollups, Failed (non- 2 updates are Windows Server critical) missing. 2012 R2 Updates, Windows Failed (non- 8 updates are Server 2012 R2 critical) missing. 10.0.6.44 JACOB-WIN7 Feature Packs, Failed (non- 1 update is Windows 7 critical) missing. Update Rollups, Failed (non- 1 update is Windows 7 critical) missing. Updates, Windows Failed (non- 61 updates are 7 critical) missing. Updates, Windows Failed (non- 34 updates are 7 Language Packs critical) missing. 10.0.7.44 JACOB-WIN8 Critical Updates, Failed (critical) 2 critical updates Office 2013 are missing. Critical Updates, Failed (critical) 6 critical updates Windows 8.1 are missing. Drivers, Windows Failed (non- 4 updates are 8.1 and later critical) missing. drivers Feature Packs, Failed (non- 1 update is Skype for critical) missing. Windows Feature Packs, Failed (non- 1 update is Windows 8.1 critical) missing. Office 2013, Failed (non- 1 update is Updates critical) missing. Security Updates, Failed (critical) 41 security Windows 8.1 updates are missing.

PROPRIETARY & CONFIDENTIAL PAGE 64 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Update Rollups, Failed (non- 2 updates are Windows 8.1 critical) missing. Updates, Windows Failed (non- 55 updates are 8.1 critical) missing. 10.0.7.95 MMAYHEMON-HP Definition Failed (non- 1 update is Updates, Windows critical) missing. Defender Drivers, Windows Failed (non- 7 updates are 8.1 and later critical) missing. drivers Drivers, Windows Failed (non- 1 update is 8.1 Drivers critical) missing. Feature Packs, Failed (non- 1 update is Silverlight critical) missing. Feature Packs, Failed (non- 1 update is Skype for critical) missing. Windows Feature Packs, Failed (non- 1 update is Windows 8.1 critical) missing. Updates, Windows Failed (non- 29 updates are 8.1 critical) missing. 10.0.6.0 MWEST-PC Definition Failed (non- 1 update is Updates, Windows critical) missing. Defender Drivers, Windows Failed (non- 2 updates are 8.1 critical) missing. Feature Packs, Failed (non- 1 update is Skype for critical) missing. Windows Updates, Windows Failed (non- 9 updates are 8 critical) missing. 10.0.6.96 MWEST-WIN864 Drivers, Windows Failed (non- 1 update is 8.1 critical) missing. Feature Packs, Failed (non- 1 update is Skype for critical) missing. Windows Service Packs, SQL Failed (non- 1 update is Server 2008 critical) missing. Updates, Windows Failed (non- 9 updates are 8 critical) missing. 10.0.6.133 PITMARCUSUS-PC Drivers, Windows Failed (non- 1 update is 8.1 Drivers critical) missing. Updates, Windows Failed (non- 27 updates are 8.1 critical) missing.

PROPRIETARY & CONFIDENTIAL PAGE 65 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment 10.0.6.80, PS01 Critical Updates, Failed (critical) 11 critical updates 192.168.159.1, Windows Server are missing. 192.168.85.1 2012 R2 Feature Packs, Failed (non- 1 update is Windows Server critical) missing. 2012 R2 Security Updates, Failed (critical) 20 security Windows Server updates are 2012 R2 missing. Update Rollups, Failed (non- 2 updates are Windows Server critical) missing. 2012 R2 Updates, Windows Failed (non- 10 updates are Server 2012 R2 critical) missing. 10.0.6.40 PSIMPSON-PC Drivers, Windows Failed (non- 2 updates are 8.1 Drivers critical) missing. Feature Packs, Failed (non- 1 update is Silverlight critical) missing. Feature Packs, Failed (non- 1 update is Skype for critical) missing. Windows Feature Packs, Failed (non- 1 update is Windows 8.1 critical) missing. Updates, Windows Failed (non- 28 updates are 8.1 critical) missing. 10.0.6.53 PSIMPSON-WIN7TEST Feature Packs, Failed (non- 2 updates are Security Essentials critical) missing. Free Antivirus Feature Packs, Failed (non- 1 update is Silverlight critical) missing. Feature Packs, Failed (non- 1 update is Skype for critical) missing. Windows Update Rollups, Failed (non- 1 update is Windows 7 critical) missing. Updates, Windows Failed (non- 9 updates are 7 critical) missing. 10.0.6.97 RANCOR Critical Updates, Failed (critical) 1 critical update is Office 2007 missing. Critical Updates, Failed (critical) 23 critical updates Office 2013 are missing. Critical Updates, Failed (critical) 5 critical updates Windows 8 are missing. Definition Failed (non- 1 update is Updates, Office critical) missing. 2013

PROPRIETARY & CONFIDENTIAL PAGE 66 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Definition Failed (non- 1 update is Updates, Windows critical) missing. Defender Drivers, Windows Failed (non- 2 updates are 8.1 critical) missing. Feature Packs, Failed (non- 1 update is Skype for critical) missing. Windows Microsoft SQL Failed (non- 1 update is Server 2012, critical) missing. Service Packs Office 2007, Failed (critical) 1 security update Security Updates is missing. Office 2013, Failed (critical) 2 security updates Security Updates are missing. Office 2013, Failed (non- 1 update is Updates critical) missing. Security Updates, Failed (critical) 39 security Windows 8 updates are missing. Update Rollups, Failed (non- 2 updates are Windows 8 critical) missing. Updates, Windows Failed (non- 21 updates are 8 critical) missing. 10.0.1.21 RDGATEWAY Critical Updates, Failed (critical) 8 critical updates Windows Server are missing. 2012 R2 Feature Packs, Failed (non- 1 update is Silverlight critical) missing. Feature Packs, Failed (non- 1 update is Windows Server critical) missing. 2012 R2 Security Updates, Failed (critical) 18 security Windows Server updates are 2012 R2 missing. Update Rollups, Failed (non- 2 updates are Windows Server critical) missing. 2012 R2 Updates, Windows Failed (non- 10 updates are Server 2012 R2 critical) missing. 10.0.6.1 TTREX Critical Updates, Failed (critical) 1 critical update is Office 2007 missing. Critical Updates, Failed (critical) 12 critical updates Office 2010 are missing. Critical Updates, Failed (critical) 18 critical updates Office 2013 are missing.

PROPRIETARY & CONFIDENTIAL PAGE 67 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Critical Updates, Failed (critical) 1 critical update is Windows 7 missing. Definition Failed (non- 1 update is Updates, MS critical) missing. Security Essentials Definition Failed (non- 1 update is Updates, Office critical) missing. 2010 Definition Failed (non- 1 update is Updates, Office critical) missing. 2013 Drivers, Windows Failed (non- 2 updates are 7 critical) missing. Feature Packs, Failed (non- 1 update is Skype for critical) missing. Windows Feature Packs, Failed (non- 1 update is Windows 7 critical) missing. Office 2007, Failed (critical) 3 security updates Security Updates are missing. Office 2010, Failed (critical) 6 security updates Security Updates are missing. Office 2013, Failed (critical) 1 security update Security Updates is missing. Office 2013, Failed (non- 1 update is Updates critical) missing. Security Updates, Failed (critical) 18 security Windows 7 updates are missing. Update Rollups, Failed (non- 1 update is Windows 7 critical) missing. Updates, Windows Failed (non- 8 updates are 7 critical) missing. 10.0.7.29 RJOHNSON-PC Definition Failed (non- 1 update is Updates, Windows critical) missing. Defender Drivers, Windows Failed (non- 2 updates are 8.1 and later critical) missing. drivers Feature Packs, Failed (non- 1 update is Windows 8.1 critical) missing. Updates, Windows Failed (non- 28 updates are 8.1 critical) missing. 10.0.6.14 SDAVIS-LT Drivers, Windows Failed (non- 5 updates are 8.1 critical) missing.

PROPRIETARY & CONFIDENTIAL PAGE 68 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Feature Packs, Failed (non- 1 update is Silverlight critical) missing. Feature Packs, Failed (non- 1 update is Skype for critical) missing. Windows Feature Packs, Failed (non- 1 update is Windows 8 critical) missing. Updates, Windows Failed (non- 9 updates are 8 critical) missing. 10.0.1.69 STORAGE01 Critical Updates, Failed (critical) 2 critical updates Windows Server are missing. 2008 R2 Feature Packs, Failed (non- 1 update is Silverlight critical) missing. Feature Packs, Failed (non- 1 update is Windows Server critical) missing. 2008 R2 Security Updates, Failed (critical) 37 security Windows Server updates are 2008 R2 missing. Update Rollups, Failed (non- 1 update is Windows Server critical) missing. 2008 R2 Updates, Windows Failed (non- 12 updates are Server 2008 R2 critical) missing. 10.0.7.45, THAYDEN-DT Drivers, Windows Failed (non- 5 updates are 192.168.56.1 7 critical) missing. Updates, Windows Failed (non- 9 updates are 7 critical) missing. 10.0.7.49 THANOS-PC Definition Failed (non- 1 update is Updates, Windows critical) missing. Defender Drivers, Windows Failed (non- 1 update is 8.1 critical) missing. Feature Packs, Failed (non- 1 update is Windows 8 critical) missing. Updates, Windows Failed (non- 9 updates are 8 critical) missing. 10.0.1.15 UTIL12 Critical Updates, Failed (critical) 11 critical updates Windows Server are missing. 2012 R2 Feature Packs, Failed (non- 1 update is Silverlight critical) missing. Feature Packs, Failed (non- 1 update is Windows Server critical) missing. 2012 R2

PROPRIETARY & CONFIDENTIAL PAGE 69 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Address Computer Name Issue Result Assessment Security Updates, Failed (critical) 21 security Windows Server updates are 2012 R2 missing. Update Rollups, Failed (non- 2 updates are Windows Server critical) missing. 2012 R2 Updates, Windows Failed (non- 10 updates are Server 2012 R2 critical) missing. 10.0.1.5, VPNGW Critical Updates, Failed (critical) 8 critical updates 10.0.6.107 Windows Server are missing. 2012 R2 Feature Packs, Failed (non- 1 update is Windows Server critical) missing. 2012 R2 Security Updates, Failed (critical) 17 security Windows Server updates are 2012 R2 missing. Update Rollups, Failed (non- 2 updates are Windows Server critical) missing. 2012 R2 Updates, Windows Failed (non- 10 updates are Server 2012 R2 critical) missing. 10.0.6.41 QA-PC Updates, Windows Failed (non- 9 updates are 7 critical) missing.

Security Patch Assessment Security patches are missing on 24 computers without Compensating Controls. These patches should be applied as soon as possible to prevent or restrict the spread of malicious software.

Timely Patch Installation We have policies and procedures in place to install patches within 30 days for critical patches and 90 days for non-critical patches. Detailed patch history is available in the Security Patch Installation History Report.

Some patches were not installed in compliance with the prescribed policy. Action should be taken to ensure timely patch installation.

2.6.3 Patch Installation Procedure

PCI DSS Requirement 6.4: Follow change control processes and procedures for all changes to system components.

PCI DSS Requirement 6.4.5: Change control procedures for the implementation of security patches and software modifications must include the following: * Documentation of impact. * Documented change approval by authorized parties.

PROPRIETARY & CONFIDENTIAL PAGE 70 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

* Functionality testing to verify that the change does not adversely impact the security of the system. * Back-out procedures.

We follow industry best practices, change control processes, and procedures to control, document, and authorize changes to the system components.

2.6.4 Address common code vulnerabilities

PCI DSS Requirement 6.5: Address common coding vulnerabilities in software-development processes as follows:

* Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. * Develop applications based on secure coding guidelines.

Our organization does not develop applications involving cardholder data.

PROPRIETARY & CONFIDENTIAL PAGE 71 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.7 Restricted access to cardholder data

PCI DSS Requirement 7: Restrict access to cardholder data by business need-to-know

PCI DSS Guidance: To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. “Need to know” is when access rights are granted to only the least amount of data and privileges needed to perform a job.

2.7.1 Limit access to system components and cardholder data

PCI DSS Requirement 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.

PCI DSS Guidance: The more people who have access to cardholder data, the more risk there is that a user’s account will be used maliciously. Limiting access to those with a legitimate business reason for the access helps an organization prevent mishandling of cardholder data through inexperience or malice.

Employees with access to the Cardholder Data Environment (0 users)

Vendors with access to the Cardholder Data Environment (1 users) partners Corp.myco.com\internal IT Managed Services Partners

PCI DSS Requirement 7.1.2: - Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

PROPRIETARY & CONFIDENTIAL PAGE 72 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

PCI DSS Requirement 7.1.3: Assign access based on individual personnel’s job classification and function.

Through a review of Security Groups, we evaluate the privilege levels of individual users and ensure users are restricted to the least permissions necessary to perform their job responsibilities.

No Security Groups were found.

Group Name Members Access Control Assistance Operators (Corp.myco.com/Builtin/Access Control Assistance Operators) 0 Total: 0 Enabled, 0 Disabled

Account Operators (Corp.myco.com/Builtin/Account Operators) 0 Total: 0 Enabled, 0 Disabled

Administrators Enabled: admin only, Administrator, Domain Admins, Enterprise (Corp.myco.com/Builtin/Administrators) Admins, fred thomas, k mayhem1, Kevin mayhem, Mark summer, 22 Total: 12 Enabled, 10 Disabled Michael mayhemon, netvendor, peter simpson, Sam rammond. Disabled: ben yellin, Bryant pratt, Chris epps, dennis harold, Deonne williams, hank joel, jacob pane, Robert lindy, Steve boardroom, Trey lemon Allowed RODC Password Replication Group (Corp.myco.com/Users/Allowed RODC Password Replication Group) 0 Total: 0 Enabled, 0 Disabled

AppV Administrators Enabled: James davis, Joe craig (Corp.myco.com/AppV/AppV Disabled: TestV Administrators) 3 Total: 2 Enabled, 1 Disabled

Appv Users Enabled: James davis, Joe craig (Corp.myco.com/AppV/Appv Users) Disabled: TestV 3 Total: 2 Enabled, 1 Disabled

Backup Operators (Corp.myco.com/Builtin/Backup Operators) 0 Total: 0 Enabled, 0 Disabled

Cert Publishers Enabled: mycoROOTAUTH (Corp.myco.com/Users/Cert Publishers) 1 Total: 1 Enabled, 0 Disabled

Certificate Service DCOM Access

PROPRIETARY & CONFIDENTIAL PAGE 73 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Group Name Members (Corp.myco.com/Builtin/Certificate Service DCOM Access) 0 Total: 0 Enabled, 0 Disabled

Cloneable Domain Controllers (Corp.myco.com/Users/Cloneable Domain Controllers) 0 Total: 0 Enabled, 0 Disabled

Cryptographic Operators (Corp.myco.com/Builtin/Cryptographic Operators) 0 Total: 0 Enabled, 0 Disabled

Denied RODC Password Replication Enabled: Cert Publishers, Domain Admins, Domain Controllers, Group Enterprise Admins, Group Policy Creator Owners, krbtgt, Read-only (Corp.myco.com/Users/Denied RODC Domain Controllers, Schema Admins Password Replication Group) 8 Total: 8 Enabled, 0 Disabled

Development (Corp.myco.com/Users/Development) 0 Total: 0 Enabled, 0 Disabled

DHCP Administrators Disabled: ben yellin, hank joel (Corp.myco.com/Users/DHCP Administrators) 2 Total: 0 Enabled, 2 Disabled

DHCP Users (Corp.myco.com/Users/DHCP Users) 0 Total: 0 Enabled, 0 Disabled

Distributed COM Users (Corp.myco.com/Builtin/Distributed COM Users) 0 Total: 0 Enabled, 0 Disabled

DnsAdmins Enabled: Domain Admins (Corp.myco.com/Users/DnsAdmins) 1 Total: 1 Enabled, 0 Disabled

DnsUpdateProxy (Corp.myco.com/Users/DnsUpdateProxy) 0 Total: 0 Enabled, 0 Disabled

Domain Admins Enabled: Administrator, brad oppenheimer, Darrien Brown, fred (Corp.myco.com/Users/Domain Admins) thomas, James davis, James smith, Kevin jacobs, marcusus parish, 14 Total: 14 Enabled, 0 Disabled Mark summer, mary west, Paul krickey, peter simpson, tony hughes, wendell

PROPRIETARY & CONFIDENTIAL PAGE 74 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Group Name Members

Domain Computers Enabled: AMAZONROUTER, APPASSURECORE, Aturner-LT, BACKUP- (Corp.myco.com/Users/Domain 01, bkrickey-WIN7, bkrickey-Win81, Boppenheimer-DT, BO- Computers) SANDBOX, brownd, ccproc01, CERTsvr, CONFERENCE_ROOM, 85 Total: 85 Enabled, 0 Disabled CONFERENCEROOM, dbrown-pc, DC1950, DEV_2012-CORE, DEVKASEYA, DEVTFS, DEVTFSBUILD, DEVWIKI, Ehammond-WIN7, ENTCERTS, FILE2012, FILE2012-1, File2012-HV, FINANCE, FT- LENOVO, HV00, HV01, HV02, HV04, ISA1, jacob-WIN7, jacob-WIN8, JAGA, Jdavis-Win8, JMATSON-PC, JOES-PC, KjacobsASUSPC, KjacobsPC, MARKETING-1, METRO, Mmayhemon1, Mmayhemon-HP, Msummer-LT, Msummer-LT1, Mwest-PC, Mwest-WIN864, MW- LAPTOP, myco30DEV, myco-ATL-CORE, mycoPATCH, mycoROOTAUTH, PABUILD, peter-HOME, PITmarcusus-PC, PKWin8, PS01, Psimpson2, Psimpson-PC, Psimpson-WIN764, Psimpson- WIN7TEST, Pturner, Pturner-PC, QA-PC, RANCOR, RDGATEWAY, REMOTE, RJOHNSON-PC, Sdavis-LT, SHAREPOINT-01, SLOWE-WIN8, SQL2012-01, STORAGE01, svrDEV1, tandem, thanos-PC, Thayden-DT, ttrex, USER-PC23, UTIL12, VPNGW, WIN10-1, ZOTAC-PITMS, ZWIN7- 140929 Domain Controllers Enabled: DC03 (Corp.myco.com/Users/Domain Controllers) 1 Total: 1 Enabled, 0 Disabled

Domain Guests Disabled: Guest (Corp.myco.com/Users/Domain Guests) 1 Total: 0 Enabled, 1 Disabled

Domain Users Enabled: admin admin, admin only, Administrator, alan turner, (Corp.myco.com/Users/Domain Users) ASPNET, Backup User, beth gelding, Beth krickey, Bob vinings, brad 98 Total: 60 Enabled, 38 Disabled oppenheimer, CORE$, Darrien Brown, DEV$, fred thomas, helper, HQ$, internal IT HR, internal IT Managed Services Partners, internal IT PR, internal IT Sales, internal IT Support Team, IUSR_DC02, IUSR_STEINBRENNER, IWAM_DC02, IWAM_STEINBRENNER, James davis, James smith, Joe craig, k mayhem1, Kevin jacobs, Kevin mayhem, krbtgt, marcusus parish, Mark summer, mary west, matt crantz, Michael mayhemon, Net Scanner - myco, netvendor, Paul krickey, peter simpson, PGK Test1, phillip turner, Purchase User, Quickbooks Service Account, ray Johnson, rita phillis, sam murray, Sam rammond., SharePoint SQL, sherry Lowe, steve davis, SUPPORT$, supportguy supportguy, terry hayden, test non-admin, Test User, Tester, tony hughes, wendell Disabled: ben yellin, Brad Minor, Bruce hanks, Bryant pratt, carrie Woods, Chris epps, dennis bard, dennis harold, Deonne williams, Elvin hammond, ethan-paul christy, Greg hammond, hank joel, jacob pane, Jamie little, Jay Matson, Joe terencel, jonathan Poole, K glass, Kevin james, Lance Hall, Leah Gray, Marie garrison, Marshall shoals, Marvin baker, Michael elkins, michal davis, Rob Taylor, Robert lindy, Steve boardroom, SUPPORT_388945a0, terry Williams, Test

PROPRIETARY & CONFIDENTIAL PAGE 75 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Group Name Members Account, Test User, TestV, Trey lemon, westridge Development, Wilson mathers Enterprise Admins Enabled: Administrator, fred thomas, Paul krickey, peter simpson (Corp.myco.com/Users/Enterprise Admins) 4 Total: 4 Enabled, 0 Disabled

Enterprise Read-only Domain Controllers (Corp.myco.com/Users/Enterprise Read- only Domain Controllers) 0 Total: 0 Enabled, 0 Disabled

Event Log Readers (Corp.myco.com/Builtin/Event Log Readers) 0 Total: 0 Enabled, 0 Disabled

Exchange Install Domain Servers (Corp.myco.com/Microsoft Exchange System Objects/Exchange Install Domain Servers) 0 Total: 0 Enabled, 0 Disabled

Exchange Organization Administrators (Corp.myco.com/Microsoft Exchange Security Groups/Exchange Organization Administrators) 0 Total: 0 Enabled, 0 Disabled

Exchange Public Folder Administrators Enabled: Exchange Organization Administrators (Corp.myco.com/Microsoft Exchange Security Groups/Exchange Public Folder Administrators) 1 Total: 1 Enabled, 0 Disabled

Exchange Recipient Administrators Enabled: Exchange Organization Administrators (Corp.myco.com/Microsoft Exchange Security Groups/Exchange Recipient Administrators) 1 Total: 1 Enabled, 0 Disabled

Exchange Servers Enabled: Exchange Install Domain Servers (Corp.myco.com/Microsoft Exchange Security Groups/Exchange Servers) 1 Total: 1 Enabled, 0 Disabled

Exchange View-Only Administrators Enabled: Exchange Public Folder Administrators, Exchange Recipient (Corp.myco.com/Microsoft Exchange Administrators Security Groups/Exchange View-Only Administrators)

PROPRIETARY & CONFIDENTIAL PAGE 76 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Group Name Members 2 Total: 2 Enabled, 0 Disabled

ExchangeLegacyInterop (Corp.myco.com/Microsoft Exchange Security Groups/ExchangeLegacyInterop) 0 Total: 0 Enabled, 0 Disabled

Executive Enabled: fred thomas, k mayhem1, Kevin mayhem, Michael (Corp.myco.com/Users/Executive) mayhemon, wendell 5 Total: 5 Enabled, 0 Disabled

Group Policy Creator Owners Enabled: Administrator (Corp.myco.com/Users/Group Policy Disabled: Robert lindy, Steve boardroom Creator Owners) 3 Total: 1 Enabled, 2 Disabled

Guests Enabled: Domain Guests, IUSR_DC02, IUSR_STEINBRENNER (Corp.myco.com/Builtin/Guests) Disabled: Guest 4 Total: 3 Enabled, 1 Disabled

HelpServicesGroup Disabled: SUPPORT_388945a0 (Corp.myco.com/Users/HelpServicesGroup) 1 Total: 0 Enabled, 1 Disabled

Hyper-V Administrators (Corp.myco.com/Builtin/Hyper-V Administrators) 0 Total: 0 Enabled, 0 Disabled

Hyper-V Admins Enabled: Development, PIT Support Team (Corp.myco.com/Users/Hyper-V Admins) 2 Total: 2 Enabled, 0 Disabled

Hyper-V Servers Enabled: FILE2012-1, HV00, HV01, HV02, HV04, STORAGE01 (Corp.myco.com/Security Groups/Hyper-V Servers) 6 Total: 6 Enabled, 0 Disabled

IIS_IUSRS (Corp.myco.com/Builtin/IIS_IUSRS) 0 Total: 0 Enabled, 0 Disabled

IIS_WPG Enabled: IWAM_DC02, IWAM_STEINBRENNER, NETWORK SERVICE, (Corp.myco.com/Users/IIS_WPG) SERVICE, SYSTEM 5 Total: 5 Enabled, 0 Disabled

Incoming Forest Trust Builders (Corp.myco.com/Builtin/Incoming Forest Trust Builders)

PROPRIETARY & CONFIDENTIAL PAGE 77 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Group Name Members 0 Total: 0 Enabled, 0 Disabled internal Log Users (Corp.myco.com/Builtin/internal Log Users) 0 Total: 0 Enabled, 0 Disabled internal Monitor Users (Corp.myco.com/Builtin/internal Monitor Users) 0 Total: 0 Enabled, 0 Disabled myco Tools Enabled: brad oppenheimer, fred thomas, James davis, James smith, (Corp.myco.com/Security Groups/myco marcusus parish, mary west, Michael mayhemon, peter simpson, rita Tools) phillis, tony hughes, wendell 11 Total: 11 Enabled, 0 Disabled

Network Configuration Operators (Corp.myco.com/Builtin/Network Configuration Operators) 0 Total: 0 Enabled, 0 Disabled

Operations (Corp.myco.com/Users/Operations) 0 Total: 0 Enabled, 0 Disabled

PIT Support Team Enabled: James davis, Joe craig, mary west, Paul krickey, peter (Corp.myco.com/Users/PIT Support Team) simpson, Sam rammond. 8 Total: 6 Enabled, 2 Disabled Disabled: ethan-paul christy, hank joel

Pre-Windows 2000 Compatible Access Enabled: Authenticated Users, mycoROOTAUTH (Corp.myco.com/Builtin/Pre-Windows 2000 Compatible Access) 2 Total: 2 Enabled, 0 Disabled

Print Operators (Corp.myco.com/Builtin/Print Operators) 0 Total: 0 Enabled, 0 Disabled

Protected Users (Corp.myco.com/Users/Protected Users) 0 Total: 0 Enabled, 0 Disabled

RAS and IAS Servers Enabled: RDGATEWAY, VPNGW (Corp.myco.com/Users/RAS and IAS Servers) 2 Total: 2 Enabled, 0 Disabled

RDS Endpoint Servers Enabled: CERTsvr, RDGATEWAY

PROPRIETARY & CONFIDENTIAL PAGE 78 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Group Name Members (Corp.myco.com/Builtin/RDS Endpoint Servers) 2 Total: 2 Enabled, 0 Disabled

RDS Management Servers (Corp.myco.com/Builtin/RDS Management Servers) 0 Total: 0 Enabled, 0 Disabled

RDS Remote Access Servers (Corp.myco.com/Builtin/RDS Remote Access Servers) 0 Total: 0 Enabled, 0 Disabled

Read-only Domain Controllers (Corp.myco.com/Users/Read-only Domain Controllers) 0 Total: 0 Enabled, 0 Disabled

Remote Desktop Users Enabled: Authenticated Users, James davis, phillip turner, sherry (Corp.myco.com/Builtin/Remote Desktop Lowe, steve davis Users) Disabled: Bryant pratt, ethan-paul christy, jacob pane, Leah Gray, 10 Total: 5 Enabled, 5 Disabled Rob Taylor

Remote Management Users (Corp.myco.com/Builtin/Remote Management Users) 0 Total: 0 Enabled, 0 Disabled

Replicator (Corp.myco.com/Builtin/Replicator) 0 Total: 0 Enabled, 0 Disabled

Schema Admins Enabled: Administrator, fred thomas, Paul krickey, peter simpson (Corp.myco.com/Users/Schema Admins) 4 Total: 4 Enabled, 0 Disabled

Server Operators (Corp.myco.com/Builtin/Server Operators) 0 Total: 0 Enabled, 0 Disabled

Session Broker Computers (Corp.myco.com/Users/Session Broker Computers) 0 Total: 0 Enabled, 0 Disabled

TelnetClients (Corp.myco.com/Users/TelnetClients) 0 Total: 0 Enabled, 0 Disabled

PROPRIETARY & CONFIDENTIAL PAGE 79 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Group Name Members Terminal Server License Servers Enabled: NETWORK SERVICE, RDGATEWAY (Corp.myco.com/Builtin/Terminal Server License Servers) 2 Total: 2 Enabled, 0 Disabled

TS Web Access Administrators (Corp.myco.com/Users/TS Web Access Administrators) 0 Total: 0 Enabled, 0 Disabled

TS Web Access Computers (Corp.myco.com/Users/TS Web Access Computers) 0 Total: 0 Enabled, 0 Disabled

Users Enabled: ASPNET, Authenticated Users, Domain Users, INTERACTIVE (Corp.myco.com/Builtin/Users) 4 Total: 4 Enabled, 0 Disabled

Windows Authorization Access Group Enabled: ENTERPRISE DOMAIN CONTROLLERS, Exchange Servers (Corp.myco.com/Builtin/Windows Authorization Access Group) 2 Total: 2 Enabled, 0 Disabled

WINS Users (Corp.myco.com/Users/WINS Users) 0 Total: 0 Enabled, 0 Disabled

No Security Groups were found.

PROPRIETARY & CONFIDENTIAL PAGE 80 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.8 Access to Cardholder Data Environment (CDE) system components

PCI DSS Requirement 8: Identify and authenticate access to system components

PCI DSS Guidance: Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes. The effectiveness of a password is largely determined by the design and implementation of the authentication system—particularly, how frequently password attempts can be made by an attacker, and the security methods to protect user passwords at the point of entry, during transmission, and while in storage.

Note: These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. This includes accounts used by vendors and other third parties (for example, for support or maintenance). However, Requirements 8.1.1, 8.2, 8.5, 8.2.3 through 8.2.5, and 8.1.6 through 8.1.8 are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).

2.8.1 Proper User Identification Management for Non-Consumer Users and Administrators

PCI DSS Requirement 8.1: Define and implement policies and procedures to ensure proper user identification management for non- consumer users and administrators on all system components as follows:

2.8.1.1 Unique User Identification

PCI DSS Requirement 8.1.1: Assign all users a unique ID before allowing them to access system components or cardholder data.

PCI DSS Guidance: By ensuring each user is uniquely identified—instead of using one ID for several employees—an organization can maintain individual responsibility for actions and an effective audit trail per employee. This will help speed issue resolution and containment when misuse or malicious intent occurs.

We employ the use of Windows Authenticated users as a means for unique user identification.

As part our regular review of system activity, we validate the list of current users and identify former employees and vendors who may still have access. This review involves looking at audit logs, access reports, and reviewing security incident tracking reports. During the review, generic accounts logins are also identified for further investigation. See the User Identification Worksheet, User Behavior Analysis, and Login History by Computer Report.

Potential Generic Accounts found

PROPRIETARY & CONFIDENTIAL PAGE 81 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Generic account logins were used on the following computers and should be investigated. The use of generic logins may prevent proper tracking and identification and is discouraged. There are legitimate uses for generic login, such as limited administrative access and use, as well as access to workstations where secondary logins are required to access the CDE. If access is deemed inappropriate, further action should be taken to ensure the situation is remediated.

Generic Account First Name Last Name Computer IP Address admin admin admin Administrator Administrator ASPNET ASPNET CORE$ CORE$ DEV$ DEV$ helper helper HQ$ HQ$ IUSR_DC02 IUSR_DC02 IUSR_STEINBRENNER IUSR_STEINBRENNER IWAM_DC02 IWAM_DC02 IWAM_STEINBRENNER IWAM_STEINBRENNER netvendor netvendor supportguy supportguy supportguy Tester Tester

2.8.1.2 Termination Procedures

PCI DSS Requirement 8.1.3: Immediately revoke access for any terminated users.

PCI DSS Guidance: If an employee has left the company and still has access to the network via their user account, unnecessary or malicious access to cardholder data could occur—either by the former employee or by a malicious user who exploits the old and/or unused account. To prevent unauthorized access, user credentials and other authentication methods therefore need to be revoked promptly (as soon as possible) upon the employee’s departure.

Former Employees and Former Vendors with Enabled Accounts Terminated employees and vendors should have their accounts disabled to prevent potential unauthorized access to Cardholder Data. The following active accounts designated as former employees or former vendors were identified. These accounts should be disabled or removed.

CORP.MYCO.COM

Username Name Status Jdavis James davis Former Employee kjacobs Kevin jacobs Former Vendor mwest mary west Former Employee mcrantz matt crantz Former Vendor supportguy supportguy supportguy Former Employee

PROPRIETARY & CONFIDENTIAL PAGE 82 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Potential Former Employees with Enabled Accounts The following user accounts were found to not have user activity in the past 30 days and could be an indication of an account that should be disabled. Security exceptions for these accounts can be found in the Compensating Control Worksheet.

Corp.myco.com

Username Name Current Status Last Login admin admin admin Monday, January 1, 2018 adminonly admin only Tuesday, July 2, 2018 ASPNET* ASPNET BackupUser Backup User Monday, January 1,2018 bvinings Bob vinings Wednesday, February 28, 2018 bgelding beth gelding CORE$ CORE$ Monday, January 1, 2018 DEV$ DEV$ Monday, January 1, 2018 helper helper Monday, January 1, 2018 HQ$ HQ$ Monday, January 1, 2018 IUSR_DC02 IUSR_DC02 Monday, October 12, 2013 IUSR_STEINBRENNER IUSR_STEINBRENNER Wednesday, April 11, 2016 IWAM_DC02 IWAM_DC02 Thursday, April 30, 2013 IWAM_STEINBRENNER IWAM_STEINBRENNER jcraig Joe craig Tuesday, January 14, 2018 kmayhem1 k mayhem1 mwest mary west Monday, January 19, 2019 msummer Mark summer Friday, March 20, 2019 NetScanner Net Scanner - myco Friday, July 20, 2016 netvendor netvendor hr internal IT HR info internal IT PR prsales internal IT Sales support internal IT Support Team Saturday, November 5, 2015 PGKTest1 PGK Test1 Monday, January 1, 2018 PurchaseUser Purchase User Thursday, January 29, 2019 srammond Sam rammond. Friday, May 2, 2018 smurray sam murray Monday, December 16, 2017 SharePointSQL SharePoint SQL Friday, July 4, 2018 slowe sherry Lowe Thursday, July 24, 2018 supportguy supportguy supportguy Monday, January 1, 2018 nonadminuser test non-admin Tuesday, July 15, 2018 marcusustest Test User Tuesday, December 11, 2016

* See Compensating Control Worksheet

Interactive Login by Former Employee and Former Vendors

PROPRIETARY & CONFIDENTIAL PAGE 83 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Terminated employees and vendors should have their accounts disabled to prevent potential unauthorized access to Cardholder Data. Below represents the Local Interactive Logon and Remote Interactive Logon of former Employees and Vendors.

CORP.MYCO.COM\mcrantz (matt crantz)

Interactive Logon (logon at keyboard and screen of system) Computer Past 30 days Past 7 days Past 24 hours Success Failure Success Failure Success Failure CONFERENCEROOM 1 0 0 0 0 0 Remote Interactive Logon (Terminal Services, Remote Desktop, or Remote Assistance)

2.8.1.5 Third- Party Vendor User ID Management, System Component Access, and Monitoring

PCI DSS Requirement 8.1.5: Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: * Enabled only during the time period needed and disabled when not in use. * Monitored when in use.

PCI DSS Guidance: Allowing vendors to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor’s environment or from a malicious individual who finds and uses this always-available external entry point into your network. Enabling access only for the time periods needed, and disabling it as soon as it is no longer needed, helps prevent misuse of these connections. Monitoring of vendor access provides assurance that vendors are accessing only the systems necessary and only during approved time frames.

We employ the use of Windows Authenticated users as a means for unique user identification, including vendors.

Corp.myco.com

# Enabled Users # Disabled Users Vendor – Cardholder Data Environment authorization 1 0 Vendor – Cardholder Data Environment authorization 0 0 Former Vendor 2 0

As part our regular review of system activity, we validate the list of current users and identify former vendors who may still have access. This review involves looking at audit logs, access reports, and reviewing security incident tracking reports.

Current Vendor with Enabled Account

PROPRIETARY & CONFIDENTIAL PAGE 84 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Vendor user accounts with access rights to the Cardholder Data Environment and/or system components must be disabled when not in use. Enabled vendors that are marked as not active appear in RED BOLD in the table below. Corp.myco.com

Username Name Account Current Required? Enabled/Disabled Status partners internal IT Managed Enabled Yes Services Partners kjacobs Kevin jacobs Enabled Yes mcrantz matt crantz Enabled No

Former Vendors with Enabled Accounts

Terminated employees and vendors should have their accounts disabled to prevent potential unauthorized access to Cardholder Data. The following active accounts designated as former employees or former vendors were identified. These accounts should be disabled or removed.

Corp.myco.com

Username Name Status kjacobs Kevin jacobs Former Vendor mcrantz matt crantz Former Vendor

Potential Former Vendors with Enabled Accounts The following user accounts were found to not have user activity in the past 30 days and could be an indication of an account that should be disabled. Security exceptions for these accounts can be found in the Compensating Controls Worksheet.

Corp.myco.com

Username Name Current Status Last Login partners internal IT Managed Services Partners

2.8.1.4 Repeated login access attempts

PCI DSS Requirement 8.1.6: Limit repeated access attempts by locking out the user ID after not more than six attempts.

Policy Setting Computers Account lockout threshold Disabled All Sampled

2.8.1.5 User ID lockout duration

PROPRIETARY & CONFIDENTIAL PAGE 85 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

PCI DSS Requirement 8.1.7: Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

Policy Setting Computers Account lockout duration Not Applicable All Sampled

2.8.2 Ensuring proper user-authentication management

PCI DSS Requirement 8.2: In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:

* Something you know, such as a password or passphrase. * Something you have, such as a token device or smart card. * Something you are, such as a biometric.

Some systems are present that do not require authentication. These system, even if not part of the Cardholder Data Environment, may pose a risk.

Notes:

2.8.2.1 Password strength and complexity

PCI DSS Requirement 8.2.3: Passwords/phrases must meet the following:

* Require a minimum length of at least seven characters. * Contain both numeric and alphabetic characters.

Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.

Proper password management is vital for ensuring the security of the network. Password complexity and expiration policy should be enabled and enforced by Group Policy when possible.

Policy Setting Computers Minimum password length 7 characters CCPROC01, BROWND, CONFERENCEROOM, DC03, DEVTFS, DEVTFSBUILD, FILE2012- 1, FT-LENOVO, HV01, HV02, JACOB-WIN8, MMAYHEMON-HP, MWEST-PC, MWEST-WIN864, PITMARCUSUS-PC, PS01, PSIMPSON-PC, PSIMPSON- WIN7TEST, QA-PC, RANCOR, RDGATEWAY, RJOHNSON-PC, SDAVIS-LT, STORAGE01,

PROPRIETARY & CONFIDENTIAL PAGE 86 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Policy Setting Computers THAYDEN-DT, THANOS-PC, UTIL12, VPNGW 0 characters TREX Password must meet complexity Enabled CCPROC01, BROWND, requirements CONFERENCEROOM, DC03, DEVTFS, DEVTFSBUILD, FILE2012- 1, FT-LENOVO, HV01, HV02, JACOB-WIN8, MMAYHEMON-HP, MWEST-PC, MWEST-WIN864, PITMARCUSUS-PC, PS01, PSIMPSON-PC, PSIMPSON- WIN7TEST, QA-PC, RANCOR, RDGATEWAY, RJOHNSON-PC, SDAVIS-LT, STORAGE01, THAYDEN-DT, THANOS-PC, UTIL12, VPNGW Disabled TREX Store passwords using reversible Disabled All Sampled encryption

2.8.2.2 Password expiration policy

PCI DSS Requirement 8.2.4: Change user passwords/passphrases at least every 90 days.

PCI DSS Guidance: Passwords/phrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase.

Policy Setting Computers Maximum password age 42 days All Sampled

2.8.2.3 New password/phrase requirements

PCI DSS Requirement 8.2.5: Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.

PCI DSS Guidance: If password history isn’t maintained, the effectiveness of changing passwords is reduced, as previous passwords can be reused over and over. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute- forced will be used in the future.

Policy Setting Computers Enforce password history 0 passwords remembered CCPROC01, BROWND, CONFERENCEROOM, DEVTFS, DEVTFSBUILD, FILE2012-1, FT- LENOVO, HV01, HV02, JACOB- WIN8, MMAYHEMON-HP, MWEST-PC, MWEST-WIN864, PITMARCUSUS-PC, PS01,

PROPRIETARY & CONFIDENTIAL PAGE 87 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Policy Setting Computers PSIMPSON-PC, PSIMPSON- WIN7TEST, QA-PC, RANCOR, RDGATEWAY, TREX, RJOHNSON- PC, SDAVIS-LT, STORAGE01, THAYDEN-DT, THANOS-PC, UTIL12, VPNGW 24 passwords remembered DC03

2.8.3 Two-Factor authentication requirement for remote network access by users

PCI DSS Requirement 8.3: Incorporate two-factor authentication for remote network access originating from outside the network, by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).

PCI DSS Guidance: Two-factor authentication requires two forms of authentication for higher-risk accesses, such as those originating from outside the network This requirement is intended to apply to all personnel—including general users, administrators, and vendors (for support or maintenance) with remote access to the network—where that remote access could lead to access to the cardholder data environment. If remote access is to an entity’s network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, two-factor authentication for remote access to that network would not be required. However, two-factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity’s networks.

Remote Employee Access

All employee account(s) that do not have two-factor authentication configured and integrated within the remote login process, are listed in the table above in RED text.

User System Components Accessed Two-Factor Authentication Method

Remote Vendors Access

All vendor account(s) that do not have two-factor authentication configured and integrated within the remote login process, are listed in the table above in RED text.

User System Components Accessed Two-Factor Authentication Method

2.8.4 Group, shared, and Generic IDs prohibition policy

PCI DSS Requirement 8.5: Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:

PROPRIETARY & CONFIDENTIAL PAGE 88 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

* Generic user IDs are disabled or removed. * Shared user IDs do not exist for system administration and other critical functions. * Shared and generic user IDs are not used to administer any system components.

PCI DSS Guidance: If multiple users share the same authentication credentials (for example, user account and password), it becomes impossible to trace system access and activities to an individual. This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual’s actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials.

Potential Generic Accounts found Generic account logins were used on the following computers and should be investigated. The use of generic logins may prevent proper tracking and identification and is discouraged. There are legitimate uses for generic login, such as limited administrative access and use, as well as access to workstations where secondary logins are required to access the CDE. If access is deemed inappropriate, further action should be taken to ensure the situation is remediated.

Generic Account First Name Last Name Computer IP Address admin admin admin Administrator Administrator ASPNET ASPNET CORE$ CORE$ DEV$ DEV$ helper helper HQ$ HQ$ IUSR_DC02 IUSR_DC02 IUSR_STEINBRENNER IUSR_STEINBRENNER IWAM_DC02 IWAM_DC02 IWAM_STEINBRENNER IWAM_STEINBRENNER netvendor netvendor supportguy supportguy supportguy Tester Tester

PROPRIETARY & CONFIDENTIAL PAGE 89 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.9 Controlling physical access to cardholder data

PCI DSS Requirement 9: Restrict physical access to cardholder data

PCI DSS Guidance: Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. “Media” refers to all paper and electronic media containing cardholder data.

2.9.1 Facility entry controls and monitoring physical access to systems in the cardholder data environment

PCI DSS Requirement 9.1: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

Access to systems in the Cardholder Data Environment is not limited through use of authorized badges read by badge readers that operate door controls, or 2) door lock keys.

PROPRIETARY & CONFIDENTIAL PAGE 90 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.10 Track and monitor access to network resources and cardholder data

PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data

PCI DSS Guidance: Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.

2.10.1 Automated audit trails for all system components

PCI DSS Requirement 10.2: Implement automated audit trails for all system components to reconstruct the following events:

2.10.1.1 Generate audit trail of all actions taken by any individual with root or administrative privileges

PCI DSS Requirement 10.2.2: All actions taken by any individual with root or administrative privileges.

PCI DSS Guidance: Accounts with increased privileges, such as the “administrator” or “root” account, have the potential to greatly impact the security or operational functionality of a system. Without a log of the activities performed, an organization is unable to trace any issues resulting from an administrative mistake or misuse of privilege back to the specific action and individual.

Sampled Systems IP Addresses Computer Name Operating System 10.0.6.4 ccproc01 Windows 8.1 Pro 10.0.6.35 BROWND Windows 8.1 Enterprise 10.0.6.55, 10.0.6.33 CONFERENCEROOM Windows 7 Professional 10.0.1.23, 10.0.1.4, 10.0.1.3 DC03 Windows Server 2012 R2 Datacenter 10.0.1.16 DEVTFS Windows Server 2012 Standard 10.0.6.67 DEVTFSBUILD Windows Server 2012 R2 Standard 10.0.1.41 FILE2012-1 Windows Server 2012 R2 Standard 10.0.6.74 FT-LENOVO Windows 8.1 Pro 10.0.1.111 HV01 Windows Server 2012 R2 Standard 192.168.1.12, 10.0.1.121, HV02 Windows Server 2012 R2 10.0.1.120 Standard 10.0.7.44 jacob-WIN8 Windows 8.1 Enterprise

PROPRIETARY & CONFIDENTIAL PAGE 91 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

10.0.7.95 Mmayhemon-HP Windows 8.1 Enterprise 10.0.6.0 Mwest-PC Windows 8.1 Pro 10.0.6.96 Mwest-WIN864 Windows 8.1 Pro 10.0.6.133 PITmarcusus-PC Windows 8.1 Pro 10.0.6.80, 192.168.159.1, PS01 Windows Server 2012 R2 192.168.85.1 Standard 10.0.6.40 Psimpson-PC Windows 8.1 Pro 10.0.6.53 Psimpson-WIN7TEST Windows 7 Professional 10.0.6.41 QA-PC Windows 7 Professional 10.0.6.97 RANCOR Windows 8.1 Pro 10.0.1.21 RDGATEWAY Windows Server 2012 R2 Datacenter 10.0.6.1 trex Windows 7 Enterprise 10.0.7.29 RJOHNSON-PC Windows 8.1 Enterprise 10.0.6.14 Sdavis-LT Windows 8.1 Pro 10.0.1.69 STORAGE01 Windows Server 2008 R2 Enterprise 10.0.7.45, 192.168.56.1 Thayden-DT Windows 7 Professional 10.0.7.49 thanos-PC Windows 8.1 Pro 10.0.1.15 UTIL12 Windows Server 2012 R2 Standard 10.0.1.5, 10.0.6.107 VPNGW Windows Server 2012 R2 Standard

The following are the current Windows auditing configuration:

Policy Setting Computers Audit account logon events No auditing CCPROC01, BROWND, CONFERENCEROOM, DC03, DEVTFS, DEVTFSBUILD, FILE2012-1, FT-LENOVO, HV01, HV02, MMAYHEMON- HP, MWEST-PC, MWEST- WIN864, PITMARCUSUS-PC, PS01, PSIMPSON-PC, PSIMPSON-WIN7TEST, QA-PC, RANCOR, RDGATEWAY, TREX, RJOHNSON-PC, SDAVIS-LT, STORAGE01, THAYDEN-DT, THANOS-PC, UTIL12, VPNGW Success, Failure JACOB-WIN8 Audit account management No auditing All Sampled Audit directory service access No auditing All Sampled Audit logon events No auditing CCPROC01, BROWND, CONFERENCEROOM, DC03, DEVTFS, DEVTFSBUILD, FILE2012-1, FT-LENOVO,

PROPRIETARY & CONFIDENTIAL PAGE 92 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Policy Setting Computers HV01, HV02, MMAYHEMON- HP, MWEST-PC, MWEST- WIN864, PITMARCUSUS-PC, PS01, PSIMPSON-PC, PSIMPSON-WIN7TEST, QA-PC, RANCOR, RDGATEWAY, TREX, RJOHNSON-PC, SDAVIS-LT, STORAGE01, THAYDEN-DT, THANOS-PC, UTIL12, VPNGW Success, Failure JACOB-WIN8 Audit object access No auditing All Sampled Audit policy change No auditing All Sampled Audit privilege use No auditing All Sampled Audit process tracking No auditing All Sampled Audit system events No auditing All Sampled

The auditing configurations in RED above should be reviewed and activated to log Success/Failure events are required under this PCI DSS requirement and to remain in compliance with established policy and procedure.

2.10.1.2 Generate audit trails of invalid logical access attempts

PCI DSS Requirement 10.2.4: Invalid logical access attempts.

PCI DSS Guidance: Malicious individuals will often perform multiple access attempts on targeted systems. Multiple invalid login attempts may be an indication of an unauthorized user’s attempts to “brute force” or guess a password.

No unexpected excessive login failures detected.

2.10.1.3 Generate audit trails of the use of and changes to identification and authentication mechanisms

PCI DSS Requirement 10.2.5: Use of and changes to identification and authentication mechanisms— including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges.

PCI DSS Guidance: Without knowing who was logged on at the time of an incident, it is impossible to identify the accounts that may have been used. Additionally, malicious users may attempt to manipulate the authentication controls with the intent of bypassing them or impersonating a valid account.

Sampled Systems

PROPRIETARY & CONFIDENTIAL PAGE 93 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

IP Addresses Computer Name Operating System 10.0.6.4 ccproc01 Windows 8.1 Pro 10.0.6.35 BROWND Windows 8.1 Enterprise 10.0.6.55, 10.0.6.33 CONFERENCEROOM Windows 7 Professional 10.0.1.23, 10.0.1.4, 10.0.1.3 DC03 Windows Server 2012 R2 Datacenter 10.0.1.16 DEVTFS Windows Server 2012 Standard 10.0.6.67 DEVTFSBUILD Windows Server 2012 R2 Standard 10.0.1.41 FILE2012-1 Windows Server 2012 R2 Standard 10.0.6.74 FT-LENOVO Windows 8.1 Pro 10.0.1.111 HV01 Windows Server 2012 R2 Standard 192.168.1.12, 10.0.1.121, HV02 Windows Server 2012 R2 10.0.1.120 Standard 10.0.7.44 jacob-WIN8 Windows 8.1 Enterprise 10.0.7.95 Mmayhemon-HP Windows 8.1 Enterprise 10.0.6.0 Mwest-PC Windows 8.1 Pro 10.0.6.96 Mwest-WIN864 Windows 8.1 Pro 10.0.6.133 PITmarcusus-PC Windows 8.1 Pro 10.0.6.80, 192.168.159.1, PS01 Windows Server 2012 R2 192.168.85.1 Standard 10.0.6.40 Psimpson-PC Windows 8.1 Pro 10.0.6.53 Psimpson-WIN7TEST Windows 7 Professional 10.0.6.41 QA-PC Windows 7 Professional 10.0.6.97 RANCOR Windows 8.1 Pro 10.0.1.21 RDGATEWAY Windows Server 2012 R2 Datacenter 10.0.6.1 trex Windows 7 Enterprise 10.0.7.29 RJOHNSON-PC Windows 8.1 Enterprise 10.0.6.14 Sdavis-LT Windows 8.1 Pro 10.0.1.69 STORAGE01 Windows Server 2008 R2 Enterprise 10.0.7.45, 192.168.56.1 Thayden-DT Windows 7 Professional 10.0.7.49 thanos-PC Windows 8.1 Pro 10.0.1.15 UTIL12 Windows Server 2012 R2 Standard 10.0.1.5, 10.0.6.107 VPNGW Windows Server 2012 R2 Standard

The following are the current Windows auditing configuration:

Policy Setting Computers Audit account logon events No auditing CCPROC01, BROWND, CONFERENCEROOM, DC03, DEVTFS, DEVTFSBUILD,

PROPRIETARY & CONFIDENTIAL PAGE 94 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Policy Setting Computers FILE2012-1, FT-LENOVO, HV01, HV02, MMAYHEMON- HP, MWEST-PC, MWEST- WIN864, PITMARCUSUS-PC, PS01, PSIMPSON-PC, PSIMPSON-WIN7TEST, QA-PC, RANCOR, RDGATEWAY, TREX, RJOHNSON-PC, SDAVIS-LT, STORAGE01, THAYDEN-DT, THANOS-PC, UTIL12, VPNGW Success, Failure JACOB-WIN8 Audit account management No auditing All Sampled Audit directory service access No auditing All Sampled Audit policy change No auditing All Sampled Audit privilege use No auditing All Sampled

The auditing configurations in RED above should be reviewed and activated to log Success/Failure events are required under this PCI DSS requirement and to remain in compliance with established policy and procedure.

2.10.2 Review logs and security events for all system components

PCI DSS Requirement 10.6: Review logs and security events for all system components to identify anomalies or suspicious activity.

Note:Log harvesting, parsing, and alerting tools may be used to meet this Requirement.

PCI DSS Guidance: Many breaches occur over days or months before being detected. Checking logs daily minimizes the amount of time and exposure of a potential breach. Regular log reviews by personnel or automated means can identify and proactively address unauthorized access to the cardholder data environment. The log review process does not have to be manual. The use of log harvesting, parsing, and alerting tools can help facilitate the process by identifying log events that need to be reviewed.

2.10.2.1 Daily review of security events including logs of system components, critical system components, and servers that perform security functions

PCI DSS Requirement 10.6.1.b: Review the following at least daily:

* All security events * Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD * Logs of all critical system components

PROPRIETARY & CONFIDENTIAL PAGE 95 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

* Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e- commerce redirection servers, etc.).

Due to a lapse in performing the periodic evaluation mandated by this requirement, the Cardholder Data Environment may potentially be exposed to unknown security threats.

Urgent action should be undertaken to perform a review security logs and enact a procedure for on- going log review either through manual or automated means.

2.10.2.2 Review logs of all other system components periodically based on risk management strategy and annual risk assessment

PCI DSS Requirement 10.6.2: Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.

PCI DSS Guidance: PCI DSS Guidance: Logs for all other system components should also be periodically reviewed to identify indications of potential issues or attempts to gain access to sensitive systems via less-sensitive systems. The frequency of the reviews should be determined by an entity’s annual risk assessment.

See the Login Failure by Computer for information on repeated login failures on a system by system basis. This includes, systems that are both within the Cardholder Data Environment as well as other systems.

PROPRIETARY & CONFIDENTIAL PAGE 96 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

2.11 Regular testing of security systems and processes

PCI DSS Requirement 11: Regularly test security systems and processes

PCI DSS Guidance: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

2.11.1.1 Perform internal and external scans, and rescans as needed, after any significant change

PCI DSS Requirement 11.2.3: Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.

PCI DSS Requirement 11.2.3.a: Internal and external scans, and rescans as needed, performed after any significant change.

PCI DSS Requirement 11.2.3.b: Scan process includes rescans until external and internal scans until vulnerability standards are met.

PCI DSS Requirement 11.2.3.c: Scans are to be performed by a qualified internal resource or a qualified external third party, and if applicable, organization independence of the tester exists (not required to be a QSA or ASV).

PCI DSS Guidance: The determination of what constitutes a significant change is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. Scanning an environment after any significant changes are made ensures that changes were completed appropriately such that the security of the environment was not compromised as a result of the change. All system components affected by the change will need to be scanned.

External Vulnerability Scan

As part of our routine procedure to ensure protection from external threats, we have conducted an external vulnerability scan. The following external IP addresses were scanned and accessed:

Host Issue Summary

Host Open Ports High Med Low False Highest CVSS 199.38.223.84 3 0 1 1 0 4.3 Total: 1 0 0 0 0 0 4.3

The following high and medium risk issues were detected. Further details and low risk issues can be found in the External Vulnerability Scan Detail report. Issues that have been investigated and marked as either false positives or with compensating controls are marked non-issues with entries in the Compensating Controls Worksheet.

PROPRIETARY & CONFIDENTIAL PAGE 97 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

199.38.223.84

Issue CCW Medium (CVSS: 4.3)443/tcp (https) NVT: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012)

Internal Vulnerability Scan

As part of our routine procedure to ensure protection from external threats, we have conducted an internal vulnerability scan. The following external IP addresses were scanned and accessed:

Host Issue Summary

Host Open Ports High Med Low False Highest CVSS 10.0.6.69 (ISA1) 144 0 3 1 0 10.0 10.0.1.5 (VPNGW) 9 1 5 1 0 10.0 10.0.1.15 (UTIL12) 8 2 6 2 0 10.0 10.0.1.21 (RDGATEWAY) 9 2 5 1 0 10.0 10.0.1.69 (STORAGE01) 11 2 6 1 0 10.0 10.0.1.81 (FINANCE) 7 2 6 2 0 10.0 10.0.6.12 (INSP-TEST1) 5 1 2 1 0 10.0 10.0.6.20 (INSP-DEV3) 5 1 2 1 0 10.0 10.0.6.76 (INSP-DEMO1) 6 1 2 1 0 10.0 10.0.6.86 (INSP-RFT1) 6 1 2 1 0 10.0 10.0.6.107 (VPNGW) 9 1 5 2 0 10.0 10.0.6.109 (INSP-TEST2) 6 1 2 1 0 10.0 10.0.7.45 (THOLMES-DT) 5 7 15 2 0 10.0 10.0.6.50 (INSP-DEV2) 4 1 3 1 0 10.0 10.0.7.68 (REMOTE) 16 0 2 0 0 10.0 10.0.1.201 5 1 2 1 0 10.0 10.0.1.202 5 1 4 1 0 10.0 10.0.1.203 5 1 2 1 0 10.0 10.0.1.204 5 1 2 1 0 10.0 10.0.1.205 7 1 3 1 0 10.0 10.0.6.122 6 3 2 1 0 10.0 10.0.1.50 (PIT-DATTO) 12 2 0 1 0 10.0 10.0.7.65 (PROIT30DEV) 14 2 16 0 0 9.3 10.0.1.1 5 1 4 1 0 9.0 10.0.5.1 4 1 4 1 0 9.0 10.0.0.21 3 2 0 1 0 7.8 10.0.1.240 4 1 5 1 0 7.5 10.0.6.103 (USER-HP) 6 8 5 1 0 7.5 10.0.0.1 6 1 3 1 0 7.5 10.0.0.11 5 1 1 1 0 7.5 10.0.1.51 5 1 0 2 0 7.5 10.0.1.16 (DEVTFS) 9 0 3 1 0 6.8 10.0.6.80 (PS01) 10 0 3 1 0 6.8 10.0.6.49 4 0 4 1 0 6.8 10.0.1.6 (ISA1) 24 0 3 1 0 6.4 10.0.1.3 (DC03) 12 0 4 1 0 5.0 10.0.1.4 11 0 4 1 0 5.0 10.0.1.23 10 0 4 1 0 5.0 10.0.1.41 (FILE2012-1) 9 0 2 1 0 5.0

PROPRIETARY & CONFIDENTIAL PAGE 98 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Host Open Ports High Med Low False Highest CVSS 10.0.1.100 (HV00) 6 0 2 1 0 5.0 10.0.1.104 (HV04) 6 0 2 1 0 5.0 10.0.1.120 (HV02) 7 0 2 1 0 5.0 10.0.1.121 (HV02) 7 0 2 1 0 5.0 10.0.6.0 (MNORTH-PC) 5 0 2 2 0 5.0 10.0.6.1 (REX) 5 0 2 2 0 5.0 10.0.6.4 (BOBCAT) 5 0 2 2 0 5.0 10.0.6.14 4 0 2 1 0 5.0 10.0.6.33 (CONFERENCEROOM) 4 0 2 2 0 5.0 10.0.6.35 (BROWND) 5 0 2 2 0 5.0 10.0.6.40 (PSOLER-PC) 6 0 2 1 0 5.0 10.0.6.41 (QA-PC) 4 0 2 2 0 5.0 10.0.6.44 (JIM-WIN7) 5 0 2 2 0 5.0 10.0.6.47 (PKWIN8) 5 0 2 2 0 5.0 10.0.6.53 (PSOLER-WIN7TEST) 6 0 2 1 0 5.0 10.0.6.55 (CONFERENCEROOM) 4 0 2 2 0 5.0 10.0.6.67 (DEVTFSBUILD) 6 0 2 2 0 5.0 10.0.6.88 (JRAWIN8K1QA3) 6 0 2 1 0 5.0 10.0.6.96 (MNORTH-WIN864) 6 0 2 1 0 5.0 10.0.6.97 (RANCOR) 8 0 2 1 0 5.0 10.0.6.106 (PABLO-HOME) 5 0 2 1 0 5.0 10.0.6.133 (PITMARC-PC) 4 0 2 2 0 5.0 10.0.7.18 (PSOLER-WIN764) 7 0 2 2 0 5.0 10.0.7.44 (JIM-WIN8) 5 0 2 1 0 5.0 10.0.7.74 (BKURR-WIN81) 5 0 2 2 0 5.0 10.0.7.95 (MMITTEL-HP) 5 0 2 2 0 5.0 10.0.7.123 (ISTCORP-PC) 4 0 2 2 0 5.0 10.0.1.52 4 0 1 2 0 5.0 10.0.3.2 5 0 0 1 0 2.6 10.0.3.204 2 0 0 1 0 2.6 10.0.7.89 1 0 0 1 0 2.6 10.0.6.30 0 0 0 0 0 0.0 10.0.6.52 0 0 0 0 0 0.0 10.0.6.60 0 0 0 0 0 0.0 10.0.6.62 0 0 0 0 0 0.0 10.0.6.84 0 0 0 0 0 0.0 10.0.6.90 0 0 0 0 0 0.0 10.0.6.110 0 0 0 0 0 0.0 10.0.1.244 0 0 0 0 0 0.0 10.0.1.245 0 0 0 0 0 0.0 10.0.7.87 0 0 0 0 0 0.0 Total: 80 0 0 0 0 0 10.0

The following high and medium risk issues were detected. Further details and low risk issues can be found in the Internal Vulnerability Scan Detail report. Issues that have been investigated and marked as either false positives or with compensating controls are marked non-issues with entries in the Compensating Controls Worksheet.

10.0.6.69

Issue CCW Medium (CVSS: 6.4)3389/tcp

PROPRIETARY & CONFIDENTIAL PAGE 99 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

NVT: Microsoft RDP Server Private Key Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902658) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.1.5

Issue CCW High (CVSS: 10)80/tcp (http) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440) Medium (CVSS: 4.3)443/tcp (https) NVT: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

10.0.1.15

Issue CCW High (CVSS: 10)80/tcp (http) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) High (CVSS: 10)443/tcp (https) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)443/tcp (https) NVT: SSL Certification Expired (OID: 1.3.6.1.4.1.25623.1.0.103955) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440) Medium (CVSS: 4.3)443/tcp (https) NVT: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

PROPRIETARY & CONFIDENTIAL PAGE 100 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

10.0.1.21

Issue CCW High (CVSS: 10)80/tcp (http) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) High (CVSS: 10)443/tcp (https) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440) Medium (CVSS: 4.3)443/tcp (https) NVT: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

10.0.1.69

Issue CCW High (CVSS: 10)80/tcp (http) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) High (CVSS: 10)443/tcp (https) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)443/tcp (https) NVT: SSL Certification Expired (OID: 1.3.6.1.4.1.25623.1.0.103955) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440) Medium (CVSS: 4.3)443/tcp (https) NVT: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

10.0.1.81

Issue CCW High (CVSS: 10)80/tcp (http)

PROPRIETARY & CONFIDENTIAL PAGE 101 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) High (CVSS: 10)443/tcp (https) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)443/tcp (https) NVT: SSL Certification Expired (OID: 1.3.6.1.4.1.25623.1.0.103955) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440) Medium (CVSS: 4.3)443/tcp (https) NVT: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

10.0.6.12

Issue CCW High (CVSS: 10)80/tcp (http) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.20

Issue CCW High (CVSS: 10)80/tcp (http) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.76

Issue CCW High (CVSS: 10)80/tcp (http) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257)

PROPRIETARY & CONFIDENTIAL PAGE 102 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.86

Issue CCW High (CVSS: 10)80/tcp (http) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.107

Issue CCW High (CVSS: 10)80/tcp (http) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440) Medium (CVSS: 4.3)443/tcp (https) NVT: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

10.0.6.109

Issue CCW High (CVSS: 10)80/tcp (http) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

PROPRIETARY & CONFIDENTIAL PAGE 103 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

10.0.7.45

Issue CCW High (CVSS: 10)80/tcp (http) NVT: PHP _php_stream_scandir() Buffer Overflow Vulnerability (Windows) (OID: 1.3.6.1.4.1.25623.1.0.803317) High (CVSS: 7.5)80/tcp (http) NVT: PHP Multiple Vulnerabilities -March 2013 (Windows) (OID: 1.3.6.1.4.1.25623.1.0.803337) High (CVSS: 7.5)80/tcp (http) NVT: PHP phar/tar.c Heap Buffer Overflow Vulnerability (Windows) (OID: 1.3.6.1.4.1.25623.1.0.803342) High (CVSS: 7.5)80/tcp (http) NVT: PHP Remote Code Execution and Denail of Service Vulnerabilities Dec13 (OID: 1.3.6.1.4.1.25623.1.0.804174) High (CVSS: 7.5)80/tcp (http) NVT: PHP Multiple Double Free Vulnerabilities - Jan15 (OID: 1.3.6.1.4.1.25623.1.0.805412) High (CVSS: 7.5)80/tcp (http) NVT: PHP Multiple Vulnerabilities-02 - Jan15 (OID: 1.3.6.1.4.1.25623.1.0.805413) High (CVSS: 7.5)80/tcp (http) NVT: PHP Out of Bounds Read Multiple Vulnerabilities - Jan15 (OID: 1.3.6.1.4.1.25623.1.0.805414) Medium (CVSS: 6.8)80/tcp (http) NVT: PHP XML Handling Heap Buffer Overflow Vulnerability July13 (Windows) (OID: 1.3.6.1.4.1.25623.1.0.803729) Medium (CVSS: 6.8)80/tcp (http) NVT: PHP Sessions Subsystem Session Fixation Vulnerability-Aug13 (Windows) (OID: 1.3.6.1.4.1.25623.1.0.803737) Medium (CVSS: 5.8)80/tcp (http) NVT: http TRACE XSS attack (OID: 1.3.6.1.4.1.25623.1.0.11213) Medium (CVSS: 5.8)80/tcp (http) NVT: PHP Multiple Vulnerabilities -01 March13 (Windows) (OID: 1.3.6.1.4.1.25623.1.0.803341) Medium (CVSS: 5)80/tcp (http) NVT: Apache HTTP Server mod_proxy_ajp Process Timeout DoS Vulnerability (Windows) (OID: 1.3.6.1.4.1.25623.1.0.802683) Medium (CVSS: 5)80/tcp (http) NVT: PHP open_basedir Secuirity Bypass Vulnerability (Windows) (OID: 1.3.6.1.4.1.25623.1.0.803318) Medium (CVSS: 5)80/tcp (http) NVT: PHP Multiple Vulnerabilities - June13 (Windows) (OID: 1.3.6.1.4.1.25623.1.0.803678) Medium (CVSS: 5)80/tcp (http) NVT: PHP open_basedir Security Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.804241) Medium (CVSS: 5)80/tcp (http) NVT: PHP CDF File Parsing Denial of Service Vulnerabilities -01 Jun14 (OID: 1.3.6.1.4.1.25623.1.0.804639) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 4.3)80/tcp (http) NVT: PHP SSL Certificate Validation Security Bypass Vulnerability (Windows) (OID: 1.3.6.1.4.1.25623.1.0.803739) Medium (CVSS: 4.3)80/tcp (http) NVT: PHP SOAP Parser Multiple Information Disclosure Vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.803764)

PROPRIETARY & CONFIDENTIAL PAGE 104 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Medium (CVSS: 4.3)80/tcp (http) NVT: PHP LibGD Denial of Service Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.804292) Medium (CVSS: 4.3)80/tcp (http) NVT: Apache HTTP Server httpOnly Cookie Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902830)

10.0.6.50

Issue CCW High (CVSS: 10)443/tcp (https) NVT: MS15-034 HTTP.sys Remote Code Execution Vulnerability (remote check) (OID: 1.3.6.1.4.1.25623.1.0.105257) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440) Medium (CVSS: 4.3)443/tcp (https) NVT: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

10.0.7.68

Issue CCW Medium (CVSS: 6.4)25/tcp (smtp) NVT: Microsoft Windows SMTP Server DNS spoofing vulnerability (OID: 1.3.6.1.4.1.25623.1.0.100624) Medium (CVSS: 5)25/tcp (smtp) NVT: Microsoft Windows SMTP Server MX Record Denial of Service Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.100596)

10.0.1.201

Issue CCW High (CVSS: 10)623/tcp NVT: IPMI Cipher Zero Authentication Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103840) Medium (CVSS: 5.1)623/udp (asf-rmcp) NVT: IPMI MD2 Auth Type Support Enabled (OID: 1.3.6.1.4.1.25623.1.0.103839) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440)

10.0.1.202

Issue CCW High (CVSS: 10)623/tcp NVT: IPMI Cipher Zero Authentication Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103840)

PROPRIETARY & CONFIDENTIAL PAGE 105 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Medium (CVSS: 5.1)623/udp (asf-rmcp) NVT: IPMI MD2 Auth Type Support Enabled (OID: 1.3.6.1.4.1.25623.1.0.103839) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087) Medium (CVSS: 4.3)443/tcp (https) NVT: OpenSSL RSA Temporary Key Handling EXPORT_RSA Downgrade Issue (FREAK) (OID: 1.3.6.1.4.1.25623.1.0.805142)

10.0.1.203

Issue CCW High (CVSS: 10)623/tcp NVT: IPMI Cipher Zero Authentication Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103840) Medium (CVSS: 5.1)623/udp (asf-rmcp) NVT: IPMI MD2 Auth Type Support Enabled (OID: 1.3.6.1.4.1.25623.1.0.103839) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440)

10.0.1.204

Issue CCW High (CVSS: 10)623/tcp NVT: IPMI Cipher Zero Authentication Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103840) Medium (CVSS: 5.1)623/udp (asf-rmcp) NVT: IPMI MD2 Auth Type Support Enabled (OID: 1.3.6.1.4.1.25623.1.0.103839) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440)

10.0.1.205

Issue CCW High (CVSS: 10)623/tcp NVT: IPMI Cipher Zero Authentication Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103840) Medium (CVSS: 5.1)623/udp (asf-rmcp) NVT: IPMI MD2 Auth Type Support Enabled (OID: 1.3.6.1.4.1.25623.1.0.103839) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440) Medium (CVSS: 4.3)443/tcp (https) NVT: Dell iDRAC6 and iDRAC7 ErrorMsg Parameter Cross Site Scripting Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103808)

10.0.6.122

PROPRIETARY & CONFIDENTIAL PAGE 106 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Issue CCW High (CVSS: 10)623/tcp NVT: IPMI Cipher Zero Authentication Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103840) High (CVSS: 9)22/tcp (ssh) NVT: SSH Brute Force Logins with default Credentials (OID: 1.3.6.1.4.1.25623.1.0.103239) High (CVSS: 8.5)623/udp (asf-rmcp) NVT: IPMI Default Password Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.105923) Medium (CVSS: 5.1)623/udp (asf-rmcp) NVT: IPMI MD2 Auth Type Support Enabled (OID: 1.3.6.1.4.1.25623.1.0.103839) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440)

10.0.1.50

Issue CCW High (CVSS: 10)2049/udp (nfs) NVT: NFS export (OID: 1.3.6.1.4.1.25623.1.0.102014) High (CVSS: 10)6001/tcp (x11-1) NVT: X Server (OID: 1.3.6.1.4.1.25623.1.0.10407)

10.0.7.65

Issue CCW High (CVSS: 9.3)21/tcp (ftp) NVT: Microsoft IIS FTPd NLST stack overflow (OID: 1.3.6.1.4.1.25623.1.0.100952) High (CVSS: 9)21/tcp (ftp) NVT: Windows Administrator NULL FTP password (OID: 1.3.6.1.4.1.25623.1.0.11160) Medium (CVSS: 6.8)8080/tcp (http-alt) NVT: Apache Tomcat servlet/JSP container default files (OID: 1.3.6.1.4.1.25623.1.0.12085) Medium (CVSS: 6.4)3389/tcp NVT: Microsoft RDP Server Private Key Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902658) Medium (CVSS: 5.8)80/tcp (http) NVT: http TRACE XSS attack (OID: 1.3.6.1.4.1.25623.1.0.11213) Medium (CVSS: 5.8)8080/tcp (http-alt) NVT: Apache Tomcat Multiple Vulnerabilities - 01 Mar14 (OID: 1.3.6.1.4.1.25623.1.0.804519) Medium (CVSS: 5)80/tcp (http) NVT: Missing httpOnly Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925) Medium (CVSS: 5)80/tcp (http) NVT: IIS Service Pack - 404 (OID: 1.3.6.1.4.1.25623.1.0.11874) Medium (CVSS: 5)80/tcp (http) NVT: Microsoft ASP.NET Information Disclosure Vulnerability (2418042) (OID: 1.3.6.1.4.1.25623.1.0.901161) Medium (CVSS: 5)80/tcp (http) NVT: Microsoft IIS IP Address/Internal Network Name Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902796) Medium (CVSS: 5)135/tcp (loc-srv)

PROPRIETARY & CONFIDENTIAL PAGE 107 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)8080/tcp (http-alt) NVT: Apache Tomcat Multiple Vulnerabilities June-09 (OID: 1.3.6.1.4.1.25623.1.0.800813) Medium (CVSS: 5)8080/tcp (http-alt) NVT: Apache Tomcat Cross-Site Scripting and Security Bypass Vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.900021) Medium (CVSS: 4.6)80/tcp (http) NVT: Microsoft IIS Default Welcome Page Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802806) Medium (CVSS: 4.3)8080/tcp (http-alt) NVT: Apache Tomcat JSP Example Web Applications Cross Site Scripting Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.111014) Medium (CVSS: 4.3)8080/tcp (http-alt) NVT: Apache Tomcat RemoteFilterValve Security Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.800024) Medium (CVSS: 4.3)8080/tcp (http-alt) NVT: Apache Tomcat Multiple Vulnerabilities - 02 Mar14 (OID: 1.3.6.1.4.1.25623.1.0.804520)

10.0.1.1

Issue CCW High (CVSS: 9)22/tcp (ssh) NVT: SSH Brute Force Logins with default Credentials (OID: 1.3.6.1.4.1.25623.1.0.103239) Medium (CVSS: 6.4)443/tcp (https) NVT: Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902661) Medium (CVSS: 5)80/tcp (http) NVT: Missing httpOnly Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925) Medium (CVSS: 5)443/tcp (https) NVT: Missing httpOnly Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

10.0.5.1

Issue CCW High (CVSS: 9)22/tcp (ssh) NVT: SSH Brute Force Logins with default Credentials (OID: 1.3.6.1.4.1.25623.1.0.103239) Medium (CVSS: 6.4)443/tcp (https) NVT: Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902661) Medium (CVSS: 5)80/tcp (http) NVT: Missing httpOnly Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925) Medium (CVSS: 5)443/tcp (https) NVT: Missing httpOnly Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925) Medium (CVSS: 4.3)443/tcp (https)

PROPRIETARY & CONFIDENTIAL PAGE 108 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

10.0.0.21

Issue CCW High (CVSS: 7.8)80/tcp (http) NVT: Multiple NetGear ProSafe Switches Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103773) High (CVSS: 7.5)161/tcp (snmp) NVT: Report default community names of the SNMP Agent (OID: 1.3.6.1.4.1.25623.1.0.10264)

10.0.1.240

Issue CCW High (CVSS: 7.5)80/tcp (http) NVT: Lighttpd Multiple vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.802072) Medium (CVSS: 6.8)443/tcp (https) NVT: OpenSSL CCS Man in the Middle Security Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.105042) Medium (CVSS: 5)22/tcp (ssh) NVT: Dropbear SSH Server Multiple Security Vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.105114) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440) Medium (CVSS: 4.3)443/tcp (https) NVT: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

10.0.6.103

Issue CCW High (CVSS: 7.5)80/tcp (http) NVT: PHP Use-After-Free Remote Code EXecution Vulnerability - Jan15 (OID: 1.3.6.1.4.1.25623.1.0.805411) High (CVSS: 7.5)80/tcp (http) NVT: PHP Multiple Double Free Vulnerabilities - Jan15 (OID: 1.3.6.1.4.1.25623.1.0.805412) High (CVSS: 7.5)80/tcp (http) NVT: PHP Multiple Vulnerabilities-02 - Jan15 (OID: 1.3.6.1.4.1.25623.1.0.805413) High (CVSS: 7.5)80/tcp (http) NVT: PHP Out of Bounds Read Multiple Vulnerabilities - Jan15 (OID: 1.3.6.1.4.1.25623.1.0.805414) High (CVSS: 7.5)443/tcp (https) NVT: PHP Use-After-Free Remote Code EXecution Vulnerability - Jan15 (OID: 1.3.6.1.4.1.25623.1.0.805411) High (CVSS: 7.5)443/tcp (https) NVT: PHP Multiple Double Free Vulnerabilities - Jan15 (OID: 1.3.6.1.4.1.25623.1.0.805412)

PROPRIETARY & CONFIDENTIAL PAGE 109 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

High (CVSS: 7.5)443/tcp (https) NVT: PHP Multiple Vulnerabilities-02 - Jan15 (OID: 1.3.6.1.4.1.25623.1.0.805413) High (CVSS: 7.5)443/tcp (https) NVT: PHP Out of Bounds Read Multiple Vulnerabilities - Jan15 (OID: 1.3.6.1.4.1.25623.1.0.805414) Medium (CVSS: 5.8)80/tcp (http) NVT: http TRACE XSS attack (OID: 1.3.6.1.4.1.25623.1.0.11213) Medium (CVSS: 5.8)443/tcp (https) NVT: http TRACE XSS attack (OID: 1.3.6.1.4.1.25623.1.0.11213) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

10.0.0.1

Issue CCW High (CVSS: 7.5)161/tcp (snmp) NVT: Report default community names of the SNMP Agent (OID: 1.3.6.1.4.1.25623.1.0.10264) Medium (CVSS: 6.8)443/tcp (https) NVT: OpenSSL CCS Man in the Middle Security Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.105042) Medium (CVSS: 5)161/udp (snmp) NVT: SNMP GETBULK Reflected DrDoS (OID: 1.3.6.1.4.1.25623.1.0.105062) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

10.0.0.11

Issue CCW High (CVSS: 7.5)161/tcp (snmp) NVT: Report default community names of the SNMP Agent (OID: 1.3.6.1.4.1.25623.1.0.10264) Medium (CVSS: 4.3)80/tcp (http) NVT: Web Server Cross Site Scripting (OID: 1.3.6.1.4.1.25623.1.0.10815)

10.0.1.51

Issue CCW High (CVSS: 7.5)161/tcp (snmp) NVT: Report default community names of the SNMP Agent (OID: 1.3.6.1.4.1.25623.1.0.10264)

10.0.1.16

PROPRIETARY & CONFIDENTIAL PAGE 110 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Issue CCW Medium (CVSS: 6.8) NVT: Microsoft SQL Server Elevation of Privilege Vulnerability (2984340) - Remote (OID: 1.3.6.1.4.1.25623.1.0.805110) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.80

Issue CCW Medium (CVSS: 6.8) NVT: Microsoft SQL Server Elevation of Privilege Vulnerability (2984340) - Remote (OID: 1.3.6.1.4.1.25623.1.0.805110) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.49

Issue CCW Medium (CVSS: 6.8)443/tcp (https) NVT: OpenSSL CCS Man in the Middle Security Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.105042) Medium (CVSS: 4.3)443/tcp (https) NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440) Medium (CVSS: 4.3)443/tcp (https) NVT: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012) Medium (CVSS: 4.3)443/tcp (https) NVT: POODLE SSLv3 Protocol CBC ciphers Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802087)

10.0.1.6

Issue CCW Medium (CVSS: 6.4)3389/tcp NVT: Microsoft RDP Server Private Key Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902658) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

PROPRIETARY & CONFIDENTIAL PAGE 111 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

10.0.1.3

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)389/tcp (ldap) NVT: LDAP allows null bases (OID: 1.3.6.1.4.1.25623.1.0.10722) Medium (CVSS: 5)389/tcp (ldap) NVT: Use LDAP search request to retrieve information from NT Directory Services (OID: 1.3.6.1.4.1.25623.1.0.12105)

10.0.1.4

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)389/tcp (ldap) NVT: LDAP allows null bases (OID: 1.3.6.1.4.1.25623.1.0.10722) Medium (CVSS: 5)389/tcp (ldap) NVT: Use LDAP search request to retrieve information from NT Directory Services (OID: 1.3.6.1.4.1.25623.1.0.12105)

10.0.1.23

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)389/tcp (ldap) NVT: LDAP allows null bases (OID: 1.3.6.1.4.1.25623.1.0.10722) Medium (CVSS: 5)389/tcp (ldap) NVT: Use LDAP search request to retrieve information from NT Directory Services (OID: 1.3.6.1.4.1.25623.1.0.12105)

10.0.1.41

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv)

PROPRIETARY & CONFIDENTIAL PAGE 112 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.1.100

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.1.104

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.1.120

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.1.121

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.0

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

PROPRIETARY & CONFIDENTIAL PAGE 113 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

10.0.6.1

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.4

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.14

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.33

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.35

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.40

PROPRIETARY & CONFIDENTIAL PAGE 114 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.41

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.44

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.47

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.53

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.55

PROPRIETARY & CONFIDENTIAL PAGE 115 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.67

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.88

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.96

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.97

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.106

Issue CCW

PROPRIETARY & CONFIDENTIAL PAGE 116 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.6.133

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.7.18

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.7.44

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.7.74

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.7.95

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

PROPRIETARY & CONFIDENTIAL PAGE 117 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.7.123

Issue CCW Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736) Medium (CVSS: 5)135/tcp (loc-srv) NVT: DCE Services Enumeration (OID: 1.3.6.1.4.1.25623.1.0.10736)

10.0.1.52

Issue CCW Medium (CVSS: 5)161/udp (snmp) NVT: SNMP GETBULK Reflected DrDoS (OID: 1.3.6.1.4.1.25623.1.0.105062)

2.11.2 Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files

PCI DSS Requirement 11.5: Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).

A mechanism for change-detection is not in place and should be remediated.

The change-detection is not configured properly to perform critical file comparisons at least weekly.

2.11.2.1 Implement a process to respond to any alerts generated by the change-detection solution

PCI DSS Requirement 11.5.1: Implement a process to respond to any alerts generated by the change- detection solution

PROPRIETARY & CONFIDENTIAL PAGE 118 of 119 Evidence of PCI Policy Compliance PCI ASSESSMENT

A mechanism for change-detection is not in place.

PROPRIETARY & CONFIDENTIAL PAGE 119 of 119