Author
Jevgenijs Smirnovs
Document name
Point VxPC F02.01.xxx
Implementation Guide
E-mail
jevgenijs.smirnovs@verifone.com
Date
12-Jun-2015
Phone
+371 67844726
Page number
12
Version
1.0
© 2015 VeriFone. All rights reserved. VeriFone, the VeriFone logo, Vx, Mx, VeriCentre, VeriShield, Verix V, Verix and PAYware are either
trademarks or registered trademarks of VeriFone in the United States and/or other countries. All other trademarks or brand names are the
properties of their respective holders. All features and specifications are subject to change without notice.
The information contained in this document is confidential and property of VeriFone, Inc. This material may not be copied or published, or
divulged in part or in totality without written permission form VeriFone, Inc.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other se-
curity parameters
a. What the requirement says
“Malicious individuals (external and internal to an entity) often use vendor default passwords and
other vendor default settings to compromise systems. These passwords and settings are well known
by hacker communities and are easily determined via public information.”, reference 2.
Encrypt all non-console administrative access using strong cryptography. Use technologies such as
SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
b. How your Point Vx helps you meet this requirement
Point Vx does not allow users to access any card holder data or sensitive authentication data. The
application also doesn’t facilitate any non-console administrative access to the network. IP address-
es for processors, terminal management systems and software download servers are protected by
unique passwords per terminal and these passwords are changed on a daily basis.
c. What this means to you
Since the password protection for the Point Vx is handled entirely within the unit and no any non-
console administrative access provided there is no need for you to take any action.
2.2. Protect Cardholder Data
Requirement 3: Protect stored cardholder data
a. What the requirement says
“Protection methods such as encryption, truncation, masking, and hashing are critical components
of cardholder data protection. If an intruder circumvents other security controls and gains access to
encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that
person. Other effective methods of protecting stored data should also be considered as potential
risk mitigation opportunities. For example, methods for minimizing risk include not storing cardhold-
To Next Page
Loading...
Need help?
General
