AMEX
Call Sims
Typification
Scanning
Miscellaneous
Authentication
Abbreviations
Escalations
Scheduling
Navigation
100

What is an SE number?

It is how you are able to locate an account - the MID for an AMEX account.

100

A merchant is trying to complete their assessment and they are receiving an error message when trying to move forward within the portal. The wizard is not populating the questionnaire. What do you do?

You impersonate them within multiple browsers to see if you are receiving the same error message. If you do, you escalate to engineering with a team lead's approval.

100

I have an online clothing business. Customers enter their payments onto my website, but I send the information to Mercury. I don't keep credit card numbers and I don't physically touch them!

EC-Complex, SAQ D + scan

100

When talking to merchants about Host Not Detected, what is the first step after authentication?

Confirm the merchant type and the IP address.

100

Can we authenticate a merchant using their email address while on the phone with them?

No! Unless the merchant notifies you that their email address is their username.

OR if they are AMEX level 1/2

100

What information do you need to authenticate a NEW account?

MID, company name, zip code (postal code)

100

PCI DSS

Payment Card Industry Data Security Standards

100

You are speaking with a merchant that starts swearing at you and calling you names.

What do you do?

1. Inform the merchant that they need to keep their conversation professional.

2. If they continue to be abusive, transfer them to a Team Lead.

100

If you wake up and feel sick and need to call off, what must you do?

(2 things)

1. Email CSSAbsence@Trustwave.com. Include your f/l name, late/absent/left early, date in the subject line

2. Call your manager

100

Where can you find the notes from a previous analyst's call on an account?

The notes tab of PCIM.

200

Can an account have a PCI status as failing and still be okay?

Yes. This is the difference between Compliant and Communicating.

A project plan is technically failing compliance - it is a plan to become compliant.

200

Leslie has already completed SAQ C today and her account reflects that she requires a scan. However, you confirm that she is only required to complete SAQ C-VT and she is not required to scan. What do you do?

You confirm in the matrix that you are allowed, and you update her merchant type to remove her scan requirement - change to inet-vt.

Advise Leslie how to take her assessment next year. Most likely, she entered her product incorrectly.

200

I use a terminal machine connected to my phone line, but it's also connected to my router.

INET-TERM, SAQ B-IP + scan

200

Sherry is calling in about Host Not Detected. She has previously been assisted and is talking about white listing her firewall. What do you do?

Merchants should never be advised to white list on their firewall as this may cause further issues. She should be advised that, if the issue is coming from her firewall due to a secure setup, she can dispute this finding.

200

A merchant calls in asking about the daily emails that they are receiving regarding File Integrity Monitoring. They want these emails to stop. How can you assist them?

Advise them that File Integrity Monitoring is an informational service that shows a daily report of their computer. If they want to disable emails or change the frequency of these emails, they can do so from the FIM icon of their account and the settings tab.

200

What information do you need to authenticate a user on an ACTIVE account?

MID/CID/username, first and last name, security questions

200

MSP

Merchant Service Provider


200

You have a merchant that states that we scanned their network without their permission.

What do you do?

Escalate to the Scan Abuse team.

200

If you were late for lunch or a break, what must you do?

Ping a Team Lead to get permission to go on your break/lunch.

Email CBUScheduling@Trustwave.com.

Include when your break/lunch was scheduled for and when you are taking it as well as the Team Lead who gave their approval.

200

If you want to see who made changes to an account, where do you check?

The Compliance History tab

300

A merchant has an account with a program Sponsor as First Data and a reporting Sponsor as American Express. To make changes on this account, where do you look in the matrix?

Under the First Data matrix page.

300

George calls in asking you to add users to his scanning account with TVM. You search for his CID in PCIM and cannot locate an account.

Where should you look?

How do you authenticate?

Look up George's account in customer management.

If you pull up an account, you confirm first and last name and impersonate to locate their security questions and ask them.

300

Our restaurant accepts orders over the phone. We manually enter cards into the terminal machine, and we run cards in person with the same terminal machine connected to the internet.

INET-TERM, SAQ B-IP + scan

300

Jennifer is failing her scan due to a finding regarding SSL certificate. You tell her that she needs to purchase a certificate.

Why is this wrong?

You need to explain how to dispute the finding first. If the dispute is not applicable, then we can advise to look into her certificate.

300

If a merchant has a dynamic IP address and their account includes Endpoint, what advice can you give them?

You can tell the merchant that Endpoint comes with IP beacon. They can download the software onto a computer at the same location and use IP beacon to find the correct location every time.

300

What information do you need to authenticate an EMAIL?

email address must match what is on file

If the email address pulls up multiple MIDs, you also need company name/MID/CID/username

300

ISP

Internet Service Provider


300

A merchant emails in asking about their Fortinet firewall. They want us to white list for them.

What do you do?

Escalate to MSS.

Confirm with a team lead that you should escalate to MSS. Ask a manager to transfer your current ticket to the MSS queue.

(In this office - Bob Belusko or Donna Gray)

300

If you need to take a Monday or a Friday off and don't want to call off, what is your other option?

Ask an analyst that works a Saturday or Sunday shift to swap with you.

300

You cannot find a merchant in PCIM. They swear they are giving you the correct username. Where do you look?

Customer Management.

400

A Client Manager calls in and gives you their First and Last name and security question. Later, you check your grades and see that you got a zero for this call. Why?

CLMs must be authenticated via email. They will send us an email and give you the ticket number over the phone.

400

Roger Davis is a First Data sales rep. He is asking for information on an account. You can't find him listed anywhere in the portal. What do you do?

Explain to Roger that you cannot share information on accounts with unauthorized users. You can share information with the merchant if he is able to get them on the line. If he cannot, then you will need to transfer to First Data for authentication.

400

I use an online payment gateway to enter my customers' credit card information. I don't store my customers' credit card information or have any other processing method. I have other computers at my business and they are all connected to one another on the same network.

INET-PA, SAQ D + scan

400

A merchant is scanning a physical location and failing because of the vulnerability "SSL Certificate Not Trusted". What would you advise the merchant to do?

If the services running on the port in question are not accessible to the general public AND are not involved with cardholder data, the merchant can dispute this finding.

400

What must you do when you want to work on a ticket?

(2 things)

1. Take the ticket

2. Open the ticket

400

How do you authenticate a CLOSED or DISABLED account that was ACTIVE?

first and last name of authorized user, company name, MID/CID/username

400

IDS

Intrusion Detection System


400

You are unable to take calls because your phone is malfunctioning.

What do you do?

Escalate to IT.

Confirm with your Team Lead that you should escalate. Send an email to CBUScheduling@trustwave.com to notify the team why you were unable to take phone calls.

400

Where can you find your daily schedule?

WFM

400

How do you look up a Sponsor User?

Sponsor Management > Browse Hierarchy > find the MSP > Search for first and last name of sponsor > ask a security question.

500

A merchant is processing "Onsite with ROC". They call in asking questions about their vulnerability scan and why the status is no longer shown in their account. Why does their scan not apply?

Merchants using an ROC do not need to complete a scan per AMEX. You can confirm this information from the "compliance history" tab of the account. If AMEX or an authorized user has made this change, then you can confirm this change. Advise the merchant.

500

Mark Ingham with First Data calls and asks you to merge accounts. Can you do it?

No.

Account change requests from sponsors must be made via email.

500

You are speaking to a merchant that processes using a terminal machine connected to the internet and using a website that redirects customers to PayPal to enter their payment information.

ECR + INET-TERM, SAQ B-IP + scan

500

Rosie is in need of assistance with her scan report. She has one store that processes via a terminal machine connected to a router.

Her scan has been failing since January. She says that she made changes to her network but is still failing.

What do you do?

She needs to run a new scan.

500

What are the four URLs merchants can use to log in to complete their compliance?

500

What do you do if you cannot authenticate a merchant? (2 options)

1. Try to speak with an authorized user

2. Transfer to their merchant services for authentication.

500

ASV

Approved Scanning Vendor

500

A merchant wants to add a user to their TVM-only account.

What do you do?

Escalate to Delivery Operations

500

How many holidays are you required to work in a year?

2

500

Where can you see the accounts that have been merged to a primary account?

Account Details

600

What is the difference between COMMUNICATING and COMPLIANT?

Communicating - the merchant has submitted documentation to prove that they are working on their compliance and meeting the requirements


Compliant - the merchant has met all of the requirements and they are passing their compliance

600

You cannot authenticate Betsy Smythe. You end up transferring to her MSP. You are speaking to Lisa Friedman. She gives you the go ahead to bring the merchant on the line and gives you permission to speak with Betsy. You receive a zero for this call.

Why?

You must authenticate the sponsor user first. Once you have authenticated, then you can get permission to speak to the merchant.

600

A merchant sends their customers a link to an app. Their customers can use this app to make payments.

ECR, SAQ A + NO SCAN


600

When a merchant is using TVM, what icon must show next to the configuration they want to use for their compliance?

The PCI badge


600

What must you do with a new account EVERY TIME in addition to sending a registration email?

(2 things)

1. Typify

2. Set acceptance channels

600

An AMEX level 1 merchant calls in. They give you their email address, company name and first and last name. They do not have any security questions set up. Are you able to authenticate this merchant?

Yes. You can authenticate level 1/2 merchants without a security question AND you are able to locate accounts with an email address.

Level 3 - You must authenticate the same way as a PCIM account - with security questions and email is not accepted.

600

ROC

Report on Compliance


600

A merchant says that their scan will not run. You try on your end as well and it will not work.

What do you do?

Escalate to Engineering.

You must first obtain approval from a Team Lead.

600

If you need to call off for vacation, how do you submit the request? When does the request need to be submitted?

In WFM, choose the "messaging" tab. Add a new request and choose the category "Exception Request". Enter the dates you need to call off and include a reason as a comment.

You must submit requests at least 2 weeks in advance.

600

Where can you see when a merchant's scan attestation expires?

PCI Details > under the vulnerability scan status

700

You are assisting a merchant with uploading their Project Plan. You upload the Plan with a "compliant" status.

Later Leti pings you and lets you know that you did this incorrectly. Why?

Project Plans should ALWAYS be uploaded as non-compliant. They are conforming but non-compliant.


700

Eliza logs in to her account and doesn't see any of her compliance information. You pull up her account and see that she has not logged in since last year.

How do you help her?

The merchant is most likely logging in to a closed or disabled account.

Confirm her username and assist her with that account - explain the closure.

If you've authenticated her on the correct account - then assist her with getting into the correct one.



700

Bob provides his employees with mobile devices to process payments when they are at shows. He also processes payments using his iPhone connected to wifi at his store.

INET-PA, SAQ C + SCAN

700

Geoffrey has been passing his scan and is suddenly getting a failed result. He lets you know that he had previously submitted a dispute and we had accepted it.

"Why is my dispute no longer accepted?"

It is May. Geoffrey submitted his dispute on his scan report in January.

What can you tell him?


Merchants must submit a dispute once every 90 days.

He will need to submit this dispute again in order to remain in compliance.



700

A merchant calls in requesting to do the Verbal Assessment. You do not check the matrix and transfer them to the Verbal Assessment.


What should you have done? (3 things)

Check the matrix to confirm the merchant is eligible for the VA.

Confirm they called in on the correct phone line.

Confirm their MID is correct in the agent.


700

How do you authenticate a Client Manager (CLM)?

They will send an email to the American Express queue and provide you with a ticket number. If the ticket is taken, make a new one and link the two. If the ticket is new, take it - this is your ticket for the call.

The email address must come from @aexp.com.

700

WFM

Work Force Management

700

Every time you escalate to another department via Outlook, what do you need to make sure you do?

(2 things)

1. Include your Outlook correspondence in your ticket as a comment.

2. Link your ticket to the escalation ticket (when applicable)

700

You logged in to the agent and put yourself in ready mode at 9:10. Your shift starts at 9.

What do you need to do? (2 things)

1. You should have sent an email to CSSAbsence@Trustwave.com notifying of your tardiness BEFORE the start of your shift.

2. You must stay an extra 10 minutes to make up the time lost.

700

A merchant is in the middle of completing their assessment. You don't want to impersonate, but you want to see what questions were answered wrong.

What can you do?

On the PCI Details tab of the account, you can view the current progress of the self assessment by clicking on the "View Progress" hyperlink.