You may select some or all of the following Services:
If you have selected service packages that contain PCI Compliance Services, then that package may include, but is not limited to, all or some of the Services listed below.
- Help you determine the scope of the applicable PCI Compliance requirements. You alone are responsible for determining the scope of your PCI Compliance requirements. SecurityMetrics will not be liable for any mistake or error in determining the scope;
- Provide you with a copy of the self-assessment questionnaire determined by the scope determined above and help understanding the questions, if needed;
- Provide Customer with access to scan results and copies of the self-assessment questionnaire
- Report the status of the self-assessment questionnaire and vulnerability scans via SecurityMetrics website;
- Service Warranty (described below);
- SecurityMetrics Mobile, a software application that scans mobile devices for vulnerabilities;
- Seats to PCI Compliance trainings; and
- Technical support.
If you have selected service packages that contain HIPAA Compliance Services, then that package may include, but is not limited to, all or some of the Services listed below:
- Help you determine a map of the protected health information ("PHI") – as defined by 45 C.F.R. part 164 and subparts A and B of part 160 – contained on your systems. You alone are responsible for determining what, how much, and where PHI is located on your systems. SecurityMetrics will not be liable for any mistake or error in determining your PHI map.
- Provide a template of a general risk analysis document that inventories the hardware, software, policies, and procedures put in place by you.
- Provide a template of a risk management plan document.
- Vulnerability scanning on IP address or domains specified and provided by the Customer.
- Business Associate Agreement;
- Service Warranty (described below);
- SecurityMetrics Mobile, a software application that scans mobile devices for vulnerabilities;
- Seats to SecurityMetrics trainings; and
- Technical support.
Managed Firewall Services is part of a PCI Compliance service package. If you have selected service packages that contain Managed Firewall Services, then that package may include, but is not limited to, some or all of the following:
- SecurityMetrics will provide you with some equipment that contains a firewall, managed by SecurityMetrics ("Managed Equipment"). The firewall may be managed by SecurityMetrics:
- Monitoring the hardware and the firewall,
- Updating and patching the firewall,
- Maintaining logs at SecurityMetrics discretion, and
- Providing Customer support.
- SecurityMetrics may also provide another piece of equipment ("Failover Equipment") that supports 3G or 4G failover in case the internet connection of the Managed Equipment is not working or down. You are responsible for purchasing any secure digital ("SD") cards required for the 3G or 4G wireless access to function
- SecurityMetrics or other third parties own and retain all rights to the hardware, software, and firmware of the Managed Services, Managed Equipment, and Failover Equipment. The hardware will not be deemed fixtures or in any way part of your premises. SecurityMetrics may remove or change the hardware at SecurityMetrics' sole discretion at any time. You may not sell, lease, abandon, or give away the hardware. The hardware may only be used on the premises that you and SecurityMetrics configured the hardware for during the initial set-up call. YOU UNDERSTAND AND ACKNOWLEDGE THAT IF YOU MOVE, INSTALL, OR USE THE HARDWARE OR MANAGED FIREWALL SERVICES AT A LOCATION OTHER THAN THE PREMISES FOR WHICH IT WAS SET UP, THEN THE SERVICES AND HARDWARE MAY NOT FUNCTION PROPERLY.
- SecurityMetrics has no obligation to provide support, maintenance, or repair of any hardware or software not owned by SecurityMetrics.
Changes to Services or Rates
SecurityMetrics reserves the right to change the Services, prices, or charges at any time without notice. If you do not accept these changes, you have the right to cancel the Services, but cancellation fees may apply. If you continue to use the Services after these changes have been applied, then you be deemed to have accepted these changes.
Users are strictly forbidden to use the Services or the Website to perform security tests on computers, servers, or devices that they do not have permission or authorization to test. If Customer uses a third party hosting service, Customer must notify the service and receive permission for SecurityMetrics to perform security testing. Customer agrees to hold SecurityMetrics harmless for any failure to obtain any necessary permission.
Customer may not use the Services or the Website:
- In any way that violates any applicable federal, state, local, or international law or regulation (including, without limitation, any laws regarding the export of data or software to and from the US or other countries).
- For the purpose of exploiting, harming, or attempting to exploit or harm minors in any way by exposing them to inappropriate content, asking for personally identifiable information or otherwise.
- To impersonate or attempt to personate SecurityMetrics, a SecurityMetrics employee, another user, or any other person or entity (including, without limitation, by using email addresses associated with any of the foregoing).
- To transmit, or procure the sending of, any advertising or promotional material including any junk mail, chain letter, or spam or any other similar solicitation.
- To engage in any other conduct that restricts or inhibits anyone's use or enjoyment of SecurityMetrics Websites, or may harm SecurityMetrics or any of its users
Additionally, you agree not to:
- Use any robot, spider, or other automatic device, process, or means to access this Website for any purpose, including monitoring or copying any of the material on the Website.
- Introduce any viruses, Trojan horses, worms, logic bombs or other material which is malicious or technologically harmful.
- Attack the Website via a denial-of-service attack or a distributed denial-of-service attack.
- Attempt to gain unauthorized access to, interfere with, damage or disrupt any parts of the Website or any user's use of the Website.
- Otherwise attempt to interfere with the proper working of the Website.
SecurityMetrics will provide Customer with written or online reports, data, policies, templates, checklists, and other materials (collectively, "Materials") in connection with the Services. Customer agrees that all intellectual property rights in the Materials, including trade secrets, copyrights, patents and trademarks, are exclusively owned by SecurityMetrics and its licensors. Customer shall hold in confidence all Materials marked as "confidential" and shall use the Materials solely for the purposes for which they are disclosed. All Materials are licensed to Customer only for its own use and Customer does not have any rights to copy, distribute or make derivative works of the Materials without the prior written authorization of SecurityMetrics. Dissemination, distribution, copying or use of the Materials in whole or in part by a SecurityMetrics competitor or their agents is strictly prohibited.
Customer agrees to pay all charges for the Services provided to Customer, unless Customer's acquirer, payment processor, or other entity has entered into an agreement with SecurityMetrics to pay for those services. If Customer's acquirer, processor or other entity has an agreement with SecurityMetrics to pay for the Services, then Customer authorizes its acquiring bank or other merchant service provider to bill Customer for the Services. If Customer has provided SecurityMetrics with credit card information ("Card Information"), Customer authorizes SecurityMetrics to charge Customer the price of the Services, as provided in the invoice or order confirmation sent by SecurityMetrics, using the Card Information. Customer also authorizes SecurityMetrics to charge any cancellation fee associated with the cancellation of the Services. If Customer is purchasing online Compliance services, Customer also authorizes SecurityMetrics to automatically charge the price of Services for each renewal term of this Agreement using the Card Information. Customer agrees to give SecurityMetrics prompt notice of any changes to the Card Information.
For Customers that have purchased packages of services that contain Managed Firewall Services, a cancellation fee will apply if Customer cancels the Managed Firewall Services before the end of the three-year term. The cancellation fee will cover the costs of hardware and the setup fees and may vary depending on the circumstances of the cancellation.
If SecurityMetrics uses a collection agency or attorney to collect money owed by you, you agree to pay the reasonable costs of collection, including, but not limited to, any collection agency's fees, reasonable attorneys' fees, and arbitration or court costs.
If an acquirer or merchant service provider pays for the Services, refunds may not apply. Refunds for the unused portion of services may be obtained by contacting the Account Renewals team at SecurityMetrics. Refunds will be processed within 5 business days.
SecurityMetrics owns and operates the servers that host this web site. Contact information for SecurityMetrics may be obtained by clicking the "Contact Us" link at the top of any page.
Accuracy of Information
Customer's compliance depends entirely upon the accuracy of information provided to SecurityMetrics by Customer. Customer agrees that if Customer provides incomplete or inaccurate information this may affect the Services, Customer's compliance status, and SecurityMetrics will not be held liable for any damages incurred as a result of incomplete or inaccurate information provided by customer. A scan result from SecurityMetrics only indicates the compliance status of the systems that SecurityMetrics has scanned and does not represent Customer's overall compliance status with the PCI Data Security Standards. Customer also agrees to give SecurityMetrics prompt notice if any information affecting data security previously provided to SecurityMetrics has changed, is changing or will change. Customer understands and agrees that any threat designated as a false positive by Customer is done at Customer's own risk. In no event shall SecurityMetrics be liable for any damages incurred by Customer as a result of Customer's designation of a threat as a false positive.
Customer authorizes SecurityMetrics to contact Customer through email, phone or fax to notify Customer of changes in Customer's compliance status or Services. Customer also authorizes SecurityMetrics to contact Customer in regards to payment, renewal, cancellation, or the Services.
Reliance on Information Posted
The information presented on or through the Website is made available solely for general information purposes. SecurityMetrics does not warrant the accuracy, completeness or usefulness of this information. Any reliance you place on such information is strictly at your own risk. SecurityMetrics disclaims all liability arising from any reliance placed on such materials by you or any other visitor to the Website or by anyone who may be informed of any of its contents.
Information About You and Your Visits to the Website
DUE TO THE NATURE OF THE COMPUTER SECURITY BUSINESS, NO SECURITY COMPANY CAN GUARANTEE THAT IT WILL DETECT EVERY VULNERABILITY OR SECURITY PROBLEM. SECURITYMETRICS PROVIDES ITS SERVICES ON AN "AS IS" BASIS AND WITHOUT ANY WARRANTIES WHATSOEVER. SECURITYMETRICS DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO ITS SERVICES, MATERIALS AND PRODUCTS. SECURITYMETRICS DOES NOT WARRANT THAT THE SERVICES WILL DETECT EVERY VULNERABILITY ON CUSTOMER'S SYSTEM, OR THAT SECURITYMETRICS' VULNERABILITY ASSESSMENTS, SUGGESTED SOLUTIONS OR ADVICE WILL BE ERROR-FREE OR COMPLETE. CUSTOMER AGREES THAT SECURITYMETRICS SHALL NOT BE RESPONSIBLE OR LIABLE FOR THE ACCURACY OR USEFULNESS OF ANY INFORMATION PROVIDED BY IT, OR FOR ANY USE OF SUCH INFORMATION.
Limitation of Liability
Customer acknowledges that use of the Services does not guarantee compliance with the PCI DSS, the HIPAA Standard, or any other security or privacy standards, or that its Systems are secure from unauthorized access. This is due to, and Customer acknowledges that, the Services being dependent upon multiple variables, which include the information provided by Customer, and Customer's level of cooperation with policies regarding compliance with the PCI DSS or the validation thereof.
CUSTOMER ACKNOWLEDGES THAT THE RATE OF BRINGING CUSTOMER AND ITS SYSTEM IN COMPLIANCE WITH PCI DSS OR HIPAA IS DEPENDENT UPON MULTIPLE VARIABLES, WHICH INCLUDE CUSTOMER'S LEVEL OF COOPERATION WITH POLICIES REGARDING COMPLIANCE. UNDER NO CIRCUMSTANCES SHALL SECURITYMETRICS, ITS AFFILIATES OR THEIR LICENSORS, SERVICE PROVIDERS, EMPLOYEES, AGENTS, OFFICERS, OR DIRECTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF IN CONNECTION WITH CUSTOMER'S USE, OR INABILITY TO USE, THE WEBSITE, ANY WEBSITES LINKED TO IT, ANY CONTENT ON THE WEBSITE OR SUCH OTHER WEBSITES OR ANY SERVICES ON OR OBTAINED THROUGH THE WEBSITE, DELAY IN BECOMING OR CUSTOMER'S FAILURE TO BECOME COMPLIANT. IN NO EVENT SHALL SECURITYMETRICS OR ITS AGENTS BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO, PERSONAL INJURY, PAIN AND SUFFERING, EMOTIONAL DISTRESS, LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF BUSINESS OR ANTICIPATED SAVINGS, LOSS OF USE, LOSS OF GOODWILL, LOSS OF DATA, AND WHETHER CAUSED BY TORT (INCLUDING NEGLIGENCE), BREACH OF CONTRACT OR OTHERWISE, EVEN IF FORESEEABLE.
THE FOREGOING DOES NOT AFFECT ANY LIABILITY WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.
None of the information contained within our Services, or within the content SecurityMetrics makes available through our Services, should be regarded as Legal Advice. The distribution and publication of our Services, and the content made available with our Services, does not create an attorney-client relationship between Customer and SecurityMetrics.
SecurityMetrics reserves the right to modify or terminate the Services and SecurityMetrics' Websites or to terminate Customer's access to the Services and SecurityMetrics' Website, in whole or in part, at any time.
PREMIUM SERVICE WARRANTY("BREACH PROTECTION").
The following Premium Service Warranty ("PSW") applies to Customers who have purchased Services that also contains a premium service warranty.
- SecurityMetrics will provide a PSW to merchants or entities in the health industry (collectively "Merchants") that have purchased service packages that include a premium service warranty. This PSW provision modifies the Limited Warranty provision set forth above for those Merchants that are enrolled in and have purchased a service package that includes a PSW. SecurityMetrics represents and warrants that SecurityMetrics PCI DSS and HIPAA compliance Services will be performed in accordance and comply with the PCI DSS as amended or HIPAA as amended from time to time. SecurityMetrics provides a PSW to a Merchant only for Services actually purchased by the Merchants.
- Exclusions. This PSW excludes incorrect data, information, or policies provided by the Merchant, zero-day vulnerabilities, customer labeled false positives identified by SecurityMetrics' scanning engine. The PSW does not apply to SecurityMetrics Managed Firewall Services, any security and privacy trainings sold by SecurityMetrics, and any services performed by a Qualified Security Assessor, Payment Application Qualified Security Assessor, Point-to-Point Encryption Qualified Security Assessor, Payment Card Industry Forensic Investigator, penetration tester, or an employee supervised by one of the above-mentioned specialists.
- A Merchant's credit card processor, acquiring bank, independent sales organization, or merchant services provider (collectively "Acquirer") may contract and/or pay SecurityMetrics for the PCI compliance Services, for which SecurityMetrics provides the PSW.
- Costs of a forensic investigation conducted by a PCI Forensic Investigator approved by the PCI Security Standards Council.
- The costs associated with replacing credit cards that were compromised in a breach.
- Any GLBA or HIPAA regulatory penalty or fine charged to a Merchant by a governmental regulatory agency or body.
- The cost of an audit to determine the cause or extent of a GLBA or HIPAA violation.
- If approved in writing by SecurityMetrics, notification costs, victim cost reimbursement, or identity theft monitoring and services.
The Program Limit.The PSW Limit is the most any Merchant can recover for each merchant identification number (or other mutually agreed upon form of identification) during a twelve (12) month period for any or all such costs or expenses, combined, and regardless of the number of data security events discovered or regulatory actions taken.
Notification.Merchants are required to provide SecurityMetrics notice within thirty (30) days of discovery or suspicious of a breach or compromise. A Merchant is required to provide SecurityMetrics with any documentation, invoice, or other evidence required by SecurityMetrics within thirty (30) days after receipt of this documentation, invoice, or other evidence.
Reporting.The PSW reimburses Merchants only if a Merchant provides a timely (within 30 days) notification and complete report of a data security event or regulatory action as soon as the Merchant becomes aware of such event or action. Merchants will need to provide details on the data security event or regulatory action including, but not limited to: a complete description of the data security event or regulatory action, all documents relating to the data security event or regulatory action, and any other pertinent information requested by or on behalf of SecurityMetrics. To report a data security event or regulatory action under the Program, contact SecurityMetrics at: Breach_Reporting@securitymetrics.com.
- Merchants must provide invoices of costs described in Section 1 above to SecurityMetrics in a timely manner–within 30 days. Merchants may email SecurityMetrics at the email address above, or by certified mail to 1275 West 1600 North, Orem, Utah 84057.
- Once an invoice is received by SecurityMetrics, SecurityMetrics will determine whether the PSW applies to the Merchant's breach or compromise. If SecurityMetrics determines that the PSW applies and SecurityMetrics will reimburse the Merchant in accordance with the PSW terms, then SecurityMetrics will provide the Merchant with the reimbursement in a reasonable time. If SecurityMetrics determines that the PSW doesn't apply, then SecurityMetrics will notify the Merchant that no reimbursement is available.
Limitation of Liability for the Program.Merchants assume sole responsibility and liability for making timely and complete claims under the PSW, providing necessary or requested data and information, and otherwise complying with the terms and conditions set forth in the PSW.
SecurityMetrics, Inc., is a PCI Approved Scanning Vendor under certificate number 3707-01-08 and performs security assessment scans within the guidelines of the PCI data security initiative.
It is important to allow SecurityMetrics security scanners to have the same level of network access to your Internet-connected devices that you provide to the rest of the world under normal circumstances. Users of SecurityMetrics scanning services are encouraged to add rules to their firewalls and inform their ISPs or hosting providers that security assessment scans may originate from the scanning locations listed in the table below. Ensuring that traffic from SecurityMetrics scanners does not get blocked ensures maximum accuracy of the security assessments, which leads to better security. If you have any questions, please contact SecurityMetrics Technical Support.
|IP Ranges||Subnet Mask (Short)||Subnet Mask (Long)|
Note: This table may be updated from time to time without notice.
Do you believe some form of SecurityMetrics scanning service abuse is occurring?
Please email us (firstname.lastname@example.org)