34 Cards in this Set


Requirement 5.1

Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

Requirement 5.1.1

Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

Requirement 5.1.2

For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

Requirement 5.2

Ensure that all anti-virus mechanisms are maintained as follows:
  • Are kept current
  • Perform periodic scans
  • Generate audit logs which are retained per PCI DSS Requirement 10.7

Requirement 5.3

Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

Requirement 5.4

Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.

Requirement 6.1

Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

Requirement 6.2

Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

Requirement 6.3

Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
  • In accordance with PCI DSS (for example, secure authentication and logging)
  • Based on industry standards and/or best practices
  • Incorporating information security throughout the software-development life cycle

Requirement 6.3.1

Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.

Requirement 6.3.2

Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
  • Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices.
  • Code reviews ensure code is developed according to secure coding guidelines.
  • Appropriate corrections are implemented prior to release.
  • Code-review results are reviewed and approved by management prior to release.

Requirement 6.4

Follow change control processes and procedures for all changes to system components. The processes must include the following (6.4.1 through 6.4.5):

Requirement 6.4.1

Separate development/test environments from production environments, and enforce the separation with access controls.

Requirement 6.4.2

Separation of duties between development/test and production environments.

Requirement 6.4.3

Production data (live PANs) are not used for testing or development.

Requirement 6.4.4

Removal of test data and accounts before production systems become active.

Requirement 6.4.5

Change control procedures for the implementation of security patches and software modifications must include the following (6.4.5.1 through 6.4.5.4):

Requirement 6.4.5.1

Documentation of impact.

Requirement 6.4.5.2

Documented change approval by authorized parties.

Requirement 6.4.5.3

Functionality testing to verify that the change does not adversely impact the security of the system.

Requirement 6.4.5.4

Back-out procedures.

Requirement 6.5

Address common coding vulnerabilities in software-development processes as follows:
  • Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
  • Develop applications based on secure coding guidelines.

Requirement 6.5.1

Injection flaws, particularly SQL injection. Also consider OS command injection, LDAP and XPath injection flaws, as well as other injection flaws.
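The point of 6.5.1 is that an injection flaw is a parsing problem: untrusted input ends up being interpreted as syntax by some interpreter (SQL, a shell, an LDAP server). The following is an added example, not PCI SSC text; the customers table, its rows (masked placeholder PANs, never live card data) and the ping helper are constructed here. It shows the SQL query built by concatenation next to the parameterized form, and the same root cause against an OS shell.

```python
"""PCI DSS 6.5.1 injection flaws: vulnerable vs. hardened code paths.

Added example (not PCI SSC text). The customers table, its rows and the
ping helper are constructed here; the PANs are masked placeholders.
"""
import re
import sqlite3

# Constructed sample rows; masked PANs only, never live card data.
_CUSTOMERS = [
    (1, "alice", "4111********1111"),
    (2, "bob", "5500********0004"),
]


def _connect() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, pan_masked TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", _CUSTOMERS)
    return conn


def lookup_vulnerable(name: str) -> list:
    """String concatenation: the user's input is parsed as SQL.

    name = "' OR '1'='1" turns the WHERE clause into a tautology and the
    query returns every row in the table.
    """
    conn = _connect()
    sql = "SELECT name, pan_masked FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(name: str) -> list:
    """Bound parameter: the value travels to the driver separately from the
    statement text, so it can only ever match (or not match) as data."""
    conn = _connect()
    sql = "SELECT name, pan_masked FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# OS command injection has the same root cause with a different interpreter.
# Allow-list for hostnames (assumption: RFC 1123-style labels, dots, dashes).
_HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def build_ping_argv(host: str) -> list:
    """Return an argument vector for subprocess.run(argv, shell=False).

    Two defences: the host must match the allow-list pattern, and it is
    passed as its own argv element, so no shell ever sees metacharacters
    such as ';' or '$('. Never do subprocess.run("ping " + host, shell=True).
    """
    if not _HOST_RE.fullmatch(host):
        raise ValueError("hostname contains characters outside the allow-list")
    return ["ping", "-c", "1", host]
```

Running `lookup_vulnerable("' OR '1'='1")` returns both rows while `lookup_parameterized` with the same string returns none; `build_ping_argv("x; cat /etc/passwd")` is rejected before anything is executed.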

Requirement 6.5.2

Buffer overflows

Requirement 6.5.3

Insecure cryptographic storage
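"Insecure cryptographic storage" is broader than one data type, but credential storage is the case most code bases get wrong. The following is an added example, not PCI SSC text; the iteration count (600,000, which matches OWASP's 2023 figure for PBKDF2-HMAC-SHA256), salt size and record format are choices made here, not values the standard prescribes. It puts an unsalted fast hash next to a salted, iterated, self-describing record with a constant-time verifier.

```python
"""PCI DSS 6.5.3 insecure cryptographic storage, shown on credential storage.

Added example (not PCI SSC text). Iteration count, salt size and record
format are choices made here.
"""
import hashlib
import hmac
import secrets

_ITERATIONS = 600_000   # assumption: tune so one hash costs ~100 ms on your hardware
_SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """What NOT to do: an unsalted, fast hash (the algorithm being SHA-256
    does not help). Equal passwords give equal digests, so a precomputed
    table or one cracked value unlocks every account sharing that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 stored as a self-describing record
    (algorithm$iterations$salt$digest) so the work factor can be raised later
    without breaking existing records."""
    salt = secrets.token_bytes(_SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    return f"pbkdf2_sha256${_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False          # malformed record: fail closed
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)
```

Two records for the same password differ (fresh salt each time), and a malformed record verifies nothing rather than raising into the login path.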

Requirement 6.5.4

Insecure communications

Requirement 6.5.5

Improper error handling

Requirement 6.5.6

All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).

Requirement 6.5.7

Cross-site scripting (XSS)
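XSS is the output-side twin of 6.5.1: untrusted data is written into a document where the browser parses it as markup or script. The fix is encoding chosen by the context the data lands in, and encoding is not a substitute for validation where a value carries meaning (a URL scheme, for instance). The following is an added example, not PCI SSC text; the templates and attacker payloads are constructed here.

```python
"""PCI DSS 6.5.7 cross-site scripting: output encoding chosen per context.

Added example (not PCI SSC text). Templates and payloads are constructed here.
"""
import html
import json


def greeting_vulnerable(name: str) -> str:
    """Untrusted input interpolated straight into HTML: <script> executes."""
    return f"<p>Hello {name}</p>"


def greeting_safe(name: str) -> str:
    """HTML-body context: escape &, <, >, double and single quotes."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def link_safe(display: str, href: str) -> str:
    """Quoted-attribute context. Escaping stops an attacker closing the
    attribute and adding an event handler, but a javascript: or data: URL
    survives escaping untouched, so the scheme is validated separately.
    (Assumption: only http/https links are acceptable in this template.)"""
    if not href.lower().startswith(("https://", "http://")):
        href = "#"
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(display)}</a>'


def inline_script_safe(value: str) -> str:
    """JavaScript-string context: html.escape is the wrong tool here. Emit a
    JSON literal and break any '</' so the HTML parser cannot be tricked into
    closing the <script> block early."""
    literal = json.dumps(value).replace("</", "<\\/")
    return f"<script>var user = {literal};</script>"
```

The body context neutralizes `<script>alert(1)</script>` to `&lt;script&gt;…`; the attribute payload `" onmouseover="alert(1)` stays inside the quotes; a `javascript:` href is replaced rather than merely escaped; and the script-context payload `</script><script>alert(1)</script>` cannot terminate the block.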

Requirement 6.5.8

Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
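The four failure modes in 6.5.8 share one root cause: the server acts on a client-supplied reference (an id, a URL, a file name) without checking that the caller is allowed to reach the object it names. The following is an added example, not PCI SSC text; the users, roles, invoices and report directory are constructed here. It shows an IDOR next to an ownership check, a function-level role check, and a traversal-safe path resolver.

```python
"""PCI DSS 6.5.8 improper access control: object, function and path checks.

Added example (not PCI SSC text). Users, roles, invoices and the report
directory are constructed here.
"""
import os

# Constructed data: each user's role, and who owns which invoice.
_USERS = {"alice": "customer", "bob": "customer", "carol": "admin"}
_INVOICES = {
    1001: {"owner": "alice", "total": "19.99"},
    1002: {"owner": "bob", "total": "240.00"},
}


def get_invoice_vulnerable(user: str, invoice_id: int) -> dict:
    """Insecure direct object reference: the id from the URL is trusted and the
    caller's identity is never compared with the record's owner, so alice can
    read bob's invoice by changing one digit."""
    return _INVOICES[invoice_id]


def get_invoice_safe(user: str, invoice_id: int) -> dict:
    """Authorize on every access: the record must belong to the caller, or the
    caller must hold a role that may see all records."""
    invoice = _INVOICES.get(invoice_id)
    allowed = invoice is not None and (
        invoice["owner"] == user or _USERS.get(user) == "admin"
    )
    if not allowed:
        # One error for "missing" and "not yours", so ids cannot be enumerated.
        raise PermissionError("invoice not found")
    return invoice


def export_all_invoices(user: str) -> list:
    """Restrict access to functions, not just to links: an admin URL that is
    merely hidden from the menu is not a control."""
    if _USERS.get(user) != "admin":
        raise PermissionError("admin role required")
    return sorted(_INVOICES)


def resolve_under(base_dir: str, requested: str) -> str:
    """Directory traversal: normalize the joined path (collapsing '..') and
    require the result to stay inside base_dir. An absolute 'requested' path
    replaces base_dir in os.path.join, so it fails the same containment test."""
    base = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes the report directory")
    return candidate
```

`get_invoice_safe` returns the same error for a non-existent id and for someone else's id, so an attacker iterating ids learns nothing from the response; `resolve_under` rejects both `../../etc/passwd` and an absolute `/etc/passwd`.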

Requirement 6.5.9

Cross-site request forgery (CSRF)

Requirement 6.5.10

Broken authentication and session management
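6.5.9 and 6.5.10 are handled together here because a sound anti-CSRF token is derived from, and lives only as long as, a sound session. The following is an added example, not PCI SSC text, covering both cards: the server-side secret, the 15-minute idle timeout, the token sizes and the request handler are assumptions chosen here, and the clock is passed in so expiry can be exercised without sleeping.

```python
"""PCI DSS 6.5.9 (CSRF) and 6.5.10 (session management) in one server-side
session store.

Added example (not PCI SSC text). Secret, timeout, token sizes and the
handler are assumptions made here.
"""
import hashlib
import hmac
import secrets

_SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-deployment key
_IDLE_TIMEOUT_S = 15 * 60                 # assumption: 15-minute idle timeout
_SESSIONS: dict = {}                      # sha256(token) -> session record


def _key(token: str) -> str:
    """Index the store by a hash of the token, so a leaked store or log
    cannot be replayed as cookies."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def create_session(user: str, now: float) -> str:
    """Issue a fresh, unguessable identifier on login. Never promote an id
    the client held before authenticating (session fixation)."""
    token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
    _SESSIONS[_key(token)] = {"user": user, "last_seen": now}
    return token


def validate_session(token: str, now: float):
    """Return the user for a live session, else None. Idle sessions are
    deleted on sight so a stale cookie cannot be revived later."""
    rec = _SESSIONS.get(_key(token))
    if rec is None:
        return None
    if now - rec["last_seen"] > _IDLE_TIMEOUT_S:
        del _SESSIONS[_key(token)]
        return None
    rec["last_seen"] = now
    return rec["user"]


def logout(token: str) -> None:
    """Invalidate server-side; clearing the browser cookie alone is not a logout."""
    _SESSIONS.pop(_key(token), None)


def csrf_token(token: str) -> str:
    """Anti-CSRF token bound to the session: HMAC(secret, session hash).
    The browser attaches the cookie to a cross-site form post automatically,
    but the attacker's page cannot read this value to include it."""
    return hmac.new(_SERVER_SECRET, _key(token).encode("ascii"), "sha256").hexdigest()


def verify_csrf(token: str, submitted: str) -> bool:
    """Constant-time comparison of the submitted field against the expected value."""
    return hmac.compare_digest(csrf_token(token), submitted)


def handle_transfer(token: str, submitted_csrf: str, now: float) -> str:
    """A state-changing request needs a live session AND a matching CSRF token."""
    user = validate_session(token, now)
    if user is None:
        return "401 login required"
    if not verify_csrf(token, submitted_csrf):
        return "403 csrf token mismatch"
    return f"200 transfer accepted for {user}"
```

A CSRF token minted for one session is rejected on another, and once the idle timeout has passed the same cookie gets a 401 rather than a 403, because the session is gone before the token is even looked at.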

Requirement 6.6

For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web application firewall) in front of public-facing web applications, to continually check all traffic

Requirement 6.7

Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.