Requirement 8: Identify And Authenticate Access To System Components - VeriFone Vx520 Implementation Manual

"To ensure critical data can only be accessed by authorized personnel, systems and processes must
be in place to limit access based on need to know and according to job responsibilities. "Need to
know" is when access rights are granted to only the least amount of data and privileges needed to
perform a job.", reference 2.
b. How your Point Vx helps you meet this requirement
The Point Vx does not disclose any cardholder data. Sensitive authentication data is always encrypt-
ed when sent for authorization and never stored. PAN is always truncated and/or encrypted when
stored, thus only truncated and/or encrypted PANs are sent to the ECR for printouts of reports, logs
or receipts.
c. What this means to you
In case you need to enter card numbers manually or if you have to do voice referrals you must never
keep written copies or otherwise store copies of cardholder data. Also, you must never e-mail, fax
etc cardholder data.
For cards read by the Point Vx magnetic stripe reader or chip card reader you do not need to take
any additional security measures.

Requirement 8: Identify and authenticate access to system components

a. What the requirement says
"Assigning a unique identification (ID) to each person with access ensures that each individual is
uniquely accountable for their actions. When such accountability is in place, actions taken on critical
data and systems are performed by, and can be traced to, known and authorized users and process-
es.
The effectiveness of a password is largely determined by the design and implementation of the au-
thentication system — particularly, how frequently password attempts can be made by an attacker,
© 2015 VeriFone. All rights reserved. VeriFone, the VeriFone logo, Vx, Mx, VeriCentre, VeriShield, Verix V, Verix and PAYware are either
trademarks or registered trademarks of VeriFone in the United States and/or other countries. All other trademarks or brand names are the
properties of their respective holders. All features and specifications are subject to change without notice.
The information contained in this document is confidential and property of VeriFone, Inc. This material may not be copied or published, or
divulged in part or in totality without written permission form VeriFone, Inc.
Author
Jevgenijs Smirnovs
E-mail
jevgenijs.smirnovs@verifone.com
Phone
+371 67844726
Document name Verifone Payment Core
Point VxPC F02.01.xxx
Implementation Guide
Date
12-Jun-2015
Page number Version
17 1.0