What information do you need to authenticate a new account?
MID, company name, zip code
Joe accepts credit card information in person and then calls Vantiv to give them the numbers and process the payments.
Dialup, SAQ B + no scan
What do you do if you cannot authenticate a sponsor user?
Ask to speak with an auth sponsor or have them escalate internally.
PCI
Payment Card Industry
When a customer calls in for help with their scan, what are the first two things we should confirm, assuming they have already been authenticated?
1. They have the correct merchant type.
2. They are scanning the correct location.
SAQ C + scan
INET-PA
What information do you need to authenticate a user on an active account?
MID/CID/username, first and last name, security questions
Richard uses a pinpad connected to his phone line.
Dialup, SAQ B + no scan
You get Gary Johnson's name and MID, but he cannot answer security questions. You tell him he can answer them from the gear/wheel icon in the account. He answers one of them correctly after seeing them.
Is this properly authenticated?
NOOOO
MSP
Merchant Services Provider
Helen is calling you asking for her certificate of compliance. She uploaded her documentation from her third party last week. What can you do?
Helen cannot get a certificate of compliance from Trustwave. She did not become compliant with us, so we cannot vouch for her compliance and provide her with this certificate.
SAQ B + no scan
DIALUP
What information do you need to authenticate an email?
email address must match what is on file
if the address pulls up one account - it is authenticated
if not - company name/MID/CID/username
I use a mobile device to process payments. I have wifi at my business, but I don't connect to it with my device.
Mobile, SAQ C + no scan
You pull up a new account.
Is this authenticated properly?
ISP
Internet Services Provider
If you do not pull up an account for a phone call, how do you create a ticket?
Create Ticket In > TKSponsor Program
SAQ B-IP + scan
How do you authenticate a closed account that was active when it was closed?
first and last name of authorized user, company name, MID/CID/username
Margaret uses a website that has a link for customers to enter donations. All donations are taken through PayPal.
ECR, SAQ A + no scan
If you cannot find a user within the PCIM Admin tab of Trustkeeper, where should you look?
Customer Management
EVS
External Vulnerability Scan
A merchant is trying to set up an IP address starting with 192... and is receiving an error message. What is wrong?
They are trying to scan an internal IP address. We require an external IP address.
SAQ D + scan
EC COMPLEX
What do you do if you cannot authenticate a merchant?
Try to speak with an authorized user or transfer to their merchant services for authentication.
Jennifer uses a computer to process payments with CardPointe. She doesn't store any credit card information and she doesn't use any other machines, computers or swipers.
INET-VT, SAQ C-VT + no scan
You call a merchant's MSP to get the merchant authenticated.
The MSP gives you permission to speak with the merchant.
Is this authenticated?
No! You must ask f/l name and security questions.
TVM
Trustwave Vulnerability Manager
An analyst sent a PDF scan report to an IT person. He wasn't listed on the account. What did she do wrong?
We should never send PDF reports, especially not to unauthorized users.
SAQ P2PE + no scan
P2PE
How do you authenticate a Client Manager (CLM)?
They will send an email to americanexpresscompliance@trustwave.com and provide you with the ticket number. If their email address ends in @aexp.com - it is authenticated.
If un-owned, this is your ticket for the call.
George is using a website to process payments. He has full control over his entire website. He also processes credit cards in person using a simple terminal machine connected to the internet.
ECC + INET, SAQ D + scan
Where do you check to see the rules regarding making changes to an account?
The Matrix
P2PE
Point-to-Point Encryption
When do merchants need to attest to their scan setup?
Every quarter.
When they change the scan location.
Uploading self assessment and scan.
3PSS
How do you authenticate a sponsor user?
Sponsor Management
First and Last name
Security Question
I use my cell phone to process payments at festivals. I also use a terminal machine at my store. It's connected to the phone line.
Mobile, SAQ C + no scan
A sponsor asks you to change the merchant type of an account while on the phone.
You do.
Are you allowed?
No! The request must come via email!
ASV
Approved Scanning Vendor
You have located an account with a program sponsor of First Data and reporting sponsor of Wells Fargo.
What Matrix page do you look at to make changes?
First Data
SAQ D + scan (website and network)
ECC + INET