From the article below answer this question: I recently visited a local weekend festival. While browsing among the small business shops, I noticed many vendors using their Smartphones to accept credit card sales. Knowing the process of Operation Security and reading the referenced DB article. What safeguards should vendors have in place to protect themselves and their customers against any threat?

P CI DSS 3.0: The Impact on Your Security Operations Written by Chris Hinkley 12/31/2013 Last month, the PCI Security Standards Council (PCI SSC) released its proposed changes for the Payment Card Industry Data Security Standard (PCI DSS) version 3.0. For security professionals it means that PCI compliance will become more of an everyday business practice, rather than an annual checklist obligation. Looking ahead, heres what you can expect from 3.0s impact on your operations and the steps youll need to take to stay compliant. Vulnerability management When it comes to managing system vulnerabilities, Requirement 11 mandates a methodology for penetration testing, including verification that segmentation methods are operational and effective. The reasoning here is that segmentation creates a smaller scope for cardholder data, which shrinks the organizations attack surface and creates fewer points of entry for attackers. The best way to get there: conducting your own assessments to augment third-party assessments and using those results to reduce the scope of your cardholder data environments. POS Terminals When it comes to point-of-sale (POS) terminals, you might not dwell too much on the possibility of physical compromise. Yet many are accessible to the random public and all too often have exposed connections like a keyboard or USB port. All an attacker needs is a simple hardware keylogger or an auto-run USB and boom, theyre in. This is one reason skimming and other attacks are on the rise, and the main reason POS terminals and other payment-related devices must be secured from tampering or substitution. Another mandatory step: careful inventory management, as well as checking device serial numbers and stickers to verify that no one's tampered with them. These practices might seem tedious, but theyll go a long way to stopping any physical attacks before they escalate into serious disasters. Strengthening Password Policies, Tokens and Certificates Password protection is a major focus of 3.0. While the recommendations arent terribly new, they may still be fresh ground for some businesses. To start with, youll need to strengthen default passwords for application and service accounts, as well as user accounts. When it comes to user- created passwords, users must protect their credentials and change passwords upon suspicion of compromise. Again, most businesses should already be doing this. While the minimum-criteria of alphanumeric seven-character passwords is still promoted, alternatives like longer passphrases are now permitted. This means you might consider requiring a relatively long passphrase with uppercase characters, lowercase characters, numbers and special characters. These can be especially secure and even easier to remember than traditional gibberish passwords. Similarly, security must be tightened for physical security tokens, smart cards and certificates. If youre not already conducting daily log reviews, now is the time to start. Also make sure that all authentic mechanisms are linked to individual accounts and then protect access to those accounts. Defining in-scope Systems In another move toward improved clarity, youll need a network diagram showing all connections to cardholder data, as well as an up-to-date diagram that details how cardholder data flows through your systems. 3.0 places more emphasis on defining the in-scope environment on a regular basis, and also emphasizes the application and data layers over the network and infrastructure layers. Ultimately these definitions benefit both auditors and the audited, by illuminating potential weaknesses in a comprehensive risk assessment. Evolving Malware Threats Because malware is still a major threat hovering over cloud environments, merchants must now include malware controls even on systems not commonly affected by malware. That includes systems like Linux, which you might (incorrectly) assume was safe. Malware can destroy files, servers and end users, which means that every aspect must be protected with anti-malware technology. Set up an alert system that detects the first sign of digital cancer and youll go a long way toward containing the damage and mitigate data loss. Security and Compliance Responsibility If your organization isnt exactly clear on which PCI DSS requirements your group manages and which ones your providers handle, things are about to change. Youll need to hammer out every detail of whos responsible for what and that can be a tall order with the explosion and diversity of SaaS, PaaS, and MssP offerings. All of these changes might seem like a lot to undertake, but its important to remember whats at stake. Getting compliant isnt just about passing inspection; its about dealing as effectively as possible with the threats targeting applications every day, from XSS attacks to SQL injections. Security teams have the next 12 months to tackle these operational changes, and whether you have considerable adjustments to make or very few, its a good opportunity for your security staff to analyze your programs, tighten up your processes and strengthen your provider relationship. Include compliance in your daily tasks and youll have less work to do in crunch time and your critical business applications will be that much safer.