Requirement 2: Do Not Use Vendor-Supplied Defaults For System Passwords And Other Security Parameters; Protect Cardholder Data; Requirement 3: Protect Stored Cardholder Data - VeriFone Vx520 Implementation Manual

Requirement 2: Do not use vendor-supplied defaults for system passwords and other se-
curity parameters
a. What the requirement says
"Malicious individuals (external and internal to an entity) often use vendor default passwords and
other vendor default settings to compromise systems. These passwords and settings are well known
by hacker communities and are easily determined via public information.", reference 2.
Encrypt all non-console administrative access using strong cryptography. Use technologies such as
SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
b. How your Point Vx helps you meet this requirement
Point Vx does not allow users to access any card holder data or sensitive authentication data. The
application also doesn't facilitate any non-console administrative access to the network. IP address-
es for processors, terminal management systems and software download servers are protected by
unique passwords per terminal and these passwords are changed on a daily basis.
c. What this means to you
Since the password protection for the Point Vx is handled entirely within the unit and no any non-
console administrative access provided there is no need for you to take any action.

2.2. Protect Cardholder Data

Requirement 3: Protect stored cardholder data

a. What the requirement says
"Protection methods such as encryption, truncation, masking, and hashing are critical components
of cardholder data protection. If an intruder circumvents other security controls and gains access to
encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that
person. Other effective methods of protecting stored data should also be considered as potential
risk mitigation opportunities. For example, methods for minimizing risk include not storing cardhold-
© 2015 VeriFone. All rights reserved. VeriFone, the VeriFone logo, Vx, Mx, VeriCentre, VeriShield, Verix V, Verix and PAYware are either
trademarks or registered trademarks of VeriFone in the United States and/or other countries. All other trademarks or brand names are the
properties of their respective holders. All features and specifications are subject to change without notice.
The information contained in this document is confidential and property of VeriFone, Inc. This material may not be copied or published, or
divulged in part or in totality without written permission form VeriFone, Inc.
Author
Jevgenijs Smirnovs
E-mail
jevgenijs.smirnovs@verifone.com
Phone
+371 67844726
Document name Verifone Payment Core
Point VxPC F02.01.xxx
Implementation Guide
Date
12-Jun-2015
Page number Version
12 1.0