A. Be "above and beyond" other PCI DSS requirements (i.e., not simply in compliance with other requirements)
B. Sufficiently offset the risk that the original PCI DSS requirement was designed to defend against
C. Meet the intent and rigor of the original PCI requirement
D. Be commensurate with additional risk imposed by not adhering to original requirement
A - Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced
A-EP - E-Commerce Merchants, Partially Outsourced
B - Imprint Machine Only - No Electronic Card Storage, Standalone Dial-out Terminal. Data not Transmitted
B-IP - Merchant using only PTS Standalone Payment Terminal with an IP Connection to a Payment Processor. PTS-Approved Point of Interaction Device. Data Transmitted via IP
C-VT - Merchants who manually enter a single transaction at a time via keyboard into an Internet-based Virtual Terminal.
C - Merchant with Payment Application Systems connected to the Internet, No Electronic Card Data Storage.
D - Merchant & Service Provider not Included in above description
- Password Reset: Users' passwords/passphrases should be changed every 3 months (minimum)
- Check for Wireless access points: must implement a process to test for the presence of wireless access points and detect and identify all authorized and unauthorized wireless access points
- An audit trail history should be available immediately for analysis
Methods for stealing payment card data include:
- Weak Password
Sensitive authentication data exists in the magnetic stripe or chip, and is also printed on the payment card. On a credit card there are two tracks, with 79 and 40 characters.
Payment Card Flow
Authorization, Clearing, Settlement, Undo (If Needed)
Cyber Threat - Real Time Map
echo "export PS1='$ '" >> ~/.bash_profile