34 Cards in this Set
- Front
- Back
Requirement 5.1 |
Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). |
|
Requirement 5.1.1 |
Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. |
|
Requirement 5.1.2 |
For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. |
|
Requirement 5.2 |
Ensure that all anti-virus mechanisms are maintained as follows:
- Are kept current
- Perform periodic scans
- Generate audit logs which are retained per PCI DSS Requirement 10.7 |
|
Requirement 5.3 |
Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. |
|
Requirement 5.4 |
Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. |
|
Requirement 6.1 |
Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. |
|
Requirement 6.2 |
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. |
|
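Requirements 6.1 and 6.2 together amount to a measurable control: every newly published vulnerability gets a rank, and the rank decides how long the patch may stay uninstalled. The script below is an added example, not part of the flashcard set or of PCI DSS itself. It ranks findings from a CVSS base score (the 7.0/4.0 thresholds are an assumption; the standard does not prescribe a scale), applies patch windows of which only the 30-day "high" value comes from 6.2 (the 90- and 180-day values are illustrative policy), and lists every finding that was, or still is, outside its window. The inventory and advisory identifiers are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def risk_rank(cvss_score: float) -> str:
    """Map a CVSS base score onto the ranking 6.1 asks for.

    The thresholds are an assumption (CVSS v3 severity bands); PCI DSS only
    requires that a ranking exists and is applied consistently.
    """
    if cvss_score >= 7.0:
        return "high"
    if cvss_score >= 4.0:
        return "medium"
    return "low"


# Days allowed between patch release and installation.  Only the "high" value
# comes from the standard (6.2: critical patches within one month); the other
# two are illustrative policy values.
PATCH_WINDOW_DAYS = {"high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    advisory: str
    cvss_score: float
    patch_released: date
    patch_installed: Optional[date]  # None means still unpatched


def deadline(finding: Finding) -> date:
    return finding.patch_released + timedelta(
        days=PATCH_WINDOW_DAYS[risk_rank(finding.cvss_score)]
    )


def overdue(findings: list[Finding], today: date) -> list[tuple[str, str, str, int]]:
    """Return (host, advisory, rank, days_past_deadline) for each finding that
    was not, or has not yet been, patched inside its window.

    A patch installed after the deadline is still reported: the assessor
    compares install date against release date, not against today.
    """
    late = []
    for f in findings:
        due = deadline(f)
        closed_on = f.patch_installed or today
        if closed_on > due:
            late.append((f.host, f.advisory, risk_rank(f.cvss_score), (closed_on - due).days))
    return late


# Constructed sample inventory; the advisory ids are placeholders, not real ones.
SAMPLE = [
    Finding("web01", "VENDOR-2019-001", 9.8, date(2019, 1, 10), date(2019, 2, 1)),  # closed in 22 days
    Finding("web02", "VENDOR-2019-001", 9.8, date(2019, 1, 10), None),              # still open
    Finding("db01", "VENDOR-2019-007", 5.3, date(2019, 1, 15), date(2019, 6, 1)),   # medium, closed late
    Finding("app01", "VENDOR-2019-009", 3.1, date(2019, 2, 1), None),               # low, inside window
]

if __name__ == "__main__":
    for row in overdue(SAMPLE, today=date(2019, 4, 1)):
        print(row)
```

Run as-is it reports web02 (open, 51 days past the 30-day window) and db01 (closed, but 47 days after its 90-day window). Feeding it the real patch-management export is the evidence an assessor asks for under 6.2.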
Requirement 6.3 |
Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
- In accordance with PCI DSS (for example, secure authentication and logging)
- Based on industry standards and/or best practices
- Incorporating information security throughout the software-development life cycle |
|
Requirement 6.3.1 |
Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers. |
|
Requirement 6.3.2 |
Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
- Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices.
- Code reviews ensure code is developed according to secure coding guidelines.
- Appropriate corrections are implemented prior to release.
- Code-review results are reviewed and approved by management prior to release. |
|
Requirement 6.4 |
Follow change control processes and procedures for all changes to system components. The processes must include the following: |
|
Requirement 6.4.1 |
Separate development/test environments from production environments, and enforce the separation with access controls. |
|
Requirement 6.4.2 |
Separation of duties between development/test and production environments. |
|
Requirement 6.4.3 |
Production data (live PANs) are not used for testing or development. |
|
Requirement 6.4.4 |
Removal of test data and accounts before production systems become active. |
|
Requirement 6.4.5 |
Change control procedures for the implementation of security patches and software modifications must include the following (6.4.5.1 through 6.4.5.4): |
|
Requirement 6.4.5.1 |
Documentation of impact. |
|
Requirement 6.4.5.2 |
Documented change approval by authorized parties. |
|
Requirement 6.4.5.3 |
Functionality testing to verify that the change does not adversely impact the security of the system. |
|
Requirement 6.4.5.4 |
Back-out procedures. |
|
Requirement 6.5 |
Address common coding vulnerabilities in software-development processes as follows:
- Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
- Develop applications based on secure coding guidelines. |
|
Requirement 6.5.1 |
Injection flaws, particularly SQL injection. Also consider OS command injection, LDAP and XPath injection flaws, as well as other injection flaws. |
|
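The defect 6.5.1 names is easiest to see with the vulnerable query next to the parameterized one. The following is an added example (not from the flashcards or from PCI DSS), written against Python's built-in sqlite3 module with a constructed in-memory table of non-real customer records. It runs the same two payloads against both forms: a quoted-string payload, and a numeric payload that contains no quote characters at all, which is why quote-stripping is not a fix and why the hardened version validates the type before binding.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table of constructed customer records (no real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, last4) VALUES (?, ?)",
        [("alice@example.test", "1111"),
         ("bob@example.test", "2222"),
         ("carol@example.test", "3333")],
    )
    return conn


def by_email_vulnerable(conn, email: str) -> list:
    # Untrusted input spliced into the statement text: the 6.5.1 defect.
    sql = f"SELECT email, last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def by_email_parameterized(conn, email: str) -> list:
    # The value is bound separately; the engine never parses it as SQL, so
    # quotes and comment markers inside it are just characters.
    return conn.execute(
        "SELECT email, last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def by_id_vulnerable(conn, id_text: str) -> list:
    # Numeric context: there are no quotes to escape, so "strip the quotes"
    # style filtering would not have helped here.
    sql = f"SELECT email, last4 FROM customers WHERE id = {id_text}"
    return conn.execute(sql).fetchall()


def by_id_parameterized(conn, id_text: str) -> list:
    # Validate the type first, then bind.  Anything that is not an integer
    # is rejected before it gets near the database.
    try:
        customer_id = int(id_text)
    except ValueError:
        return []
    return conn.execute(
        "SELECT email, last4 FROM customers WHERE id = ?", (customer_id,)
    ).fetchall()


STRING_PAYLOAD = "x' OR '1'='1"
NUMERIC_PAYLOAD = "1 OR 1=1"


def demo() -> dict:
    conn = build_db()
    return {
        "string_vulnerable": by_email_vulnerable(conn, STRING_PAYLOAD),
        "string_hardened": by_email_parameterized(conn, STRING_PAYLOAD),
        "numeric_vulnerable": by_id_vulnerable(conn, NUMERIC_PAYLOAD),
        "numeric_hardened": by_id_parameterized(conn, NUMERIC_PAYLOAD),
        "legitimate": by_email_parameterized(conn, "bob@example.test"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) {rows}")
```

Both vulnerable lookups return every row in the table; both parameterized ones return nothing for the payloads and exactly one row for a genuine address. The same discipline (data bound out-of-band, never concatenated into the command) is what closes the OS-command, LDAP and XPath cases the card also lists.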
Requirement 6.5.2 |
Buffer overflows |
|
Requirement 6.5.3 |
Insecure cryptographic storage |
|
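"Insecure cryptographic storage" most often turns up in code review as a fast, unsalted digest used to store credentials. As an added example that is not part of the flashcards or of PCI DSS, the block below puts that pattern beside a salted, iterated PBKDF2-HMAC-SHA256 record, verifies it with a constant-time comparison, and shows how a record made under an older iteration count is detected so it can be rehashed at next login. The iteration count and the record format (`algorithm$iterations$salt$hash`) are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumption: current OWASP figure for PBKDF2-HMAC-SHA256


def insecure_store(password: str) -> str:
    # What 6.5.3 is about: unsalted, fast digest.  Equal passwords give equal
    # hashes, and precomputed tables recover them offline.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, per-user salt, hash."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    try:
        alg, iters, salt_hex, dk_hex = record.split("$")
        if alg != ALGORITHM:
            return False
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:            # malformed record: treat as no match
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored record is below current policy and should be
    regenerated the next time the user presents the correct password."""
    try:
        alg, iters, _salt, _hash = record.split("$")
        return alg != ALGORITHM or int(iters) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse")
    print(rec)
    print(verify_password("correct horse", rec), verify_password("wrong", rec))
```

Two users with the same password get two different records, so a breach of the table does not reveal which accounts share a credential, and each guess an attacker makes costs the full work factor. For card-holder data itself the standard's own rules (Requirement 3) govern the algorithm and key management; this example covers the credential-storage case the coding-practice card is aimed at.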
Requirement 6.5.4 |
Insecure communications |
|
Requirement 6.5.5 |
Improper error handling |
|
Requirement 6.5.6 |
All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1). |
|
Requirement 6.5.7 |
Cross-site scripting (XSS) |
|
Requirement 6.5.8 |
Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). |
|
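Two of the failures 6.5.8 lists, directory traversal and insecure direct object references, come down to one missing check each. The block below is an added example (not from the flashcards or from PCI DSS): a path-containment function that resolves both sides before comparing them, so `..` segments, absolute paths and symlinks out of the tree are all caught, and uses `os.path.commonpath` rather than a string prefix so a sibling directory whose name merely starts with the base (`public2` under `public`) is rejected; next to it, an object lookup that authorizes on ownership instead of on the caller knowing a valid id. The temporary directory layout and the invoice records are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path


class AccessDenied(Exception):
    pass


def naive_is_inside(base: Path, target: Path) -> bool:
    # The common mistake: a string-prefix test.  /srv/files2/x starts with
    # /srv/files, so a sibling directory passes.
    return str(target).startswith(str(base))


def safe_join(base_dir, user_path: str) -> Path:
    """Resolve user_path under base_dir; refuse anything outside it.

    Both sides are fully resolved first, so '..' segments, absolute paths and
    symlinks pointing out of the tree are compared as real locations.
    commonpath (not a string prefix) closes the sibling-directory hole.
    """
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    try:
        inside = os.path.commonpath([str(base), str(target)]) == str(base)
    except ValueError:          # different drives on Windows
        inside = False
    if not inside:
        raise AccessDenied(f"path escapes base directory: {user_path!r}")
    return target


# Constructed records for the IDOR half: invoice id -> owner and amount.
INVOICES = {
    101: {"owner": "alice", "total": "12.00"},
    102: {"owner": "bob", "total": "40.00"},
}


def get_invoice(current_user: str, invoice_id: int) -> dict:
    """Authorize on ownership, not on the caller knowing a valid id."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != current_user:
        # Same response for "missing" and "not yours", so ids cannot be enumerated.
        raise AccessDenied("no such invoice")
    return inv


def demo() -> dict:
    root = Path(tempfile.mkdtemp())
    public, sibling = root / "public", root / "public2"
    public.mkdir()
    sibling.mkdir()
    (public / "readme.txt").write_text("hello")
    (sibling / "x.txt").write_text("sibling")
    (root / "secret.txt").write_text("top secret")
    try:
        (public / "escape").symlink_to(root / "secret.txt")
        symlink_created = True
    except OSError:             # e.g. no symlink privilege on this platform
        symlink_created = False

    results = {"symlink_created": symlink_created}
    for req in ["readme.txt", "sub/../readme.txt", "../secret.txt",
                "/etc/passwd", "escape", "../public2/x.txt"]:
        try:
            safe_join(public, req)
            results[req] = "allowed"
        except AccessDenied:
            results[req] = "denied"
    # The prefix test passes the sibling directory that safe_join rejects.
    results["prefix_trap_naive"] = naive_is_inside(
        public.resolve(), (public / "../public2/x.txt").resolve())

    results["invoice_own"] = get_invoice("alice", 101)["total"]
    try:
        get_invoice("alice", 102)
        results["invoice_other"] = "allowed"
    except AccessDenied:
        results["invoice_other"] = "denied"

    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`readme.txt` and `sub/../readme.txt` (which collapses back inside the tree) are allowed; `../secret.txt`, `/etc/passwd`, the `escape` symlink and `../public2/x.txt` are refused, while the prefix test wrongly accepts the last of those. The invoice lookup returns alice's own record and refuses bob's with the same error it would give for an id that does not exist.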
Requirement 6.5.9 |
Cross-site request forgery (CSRF) |
|
Requirement 6.5.10 |
Broken authentication and session management |
|
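Cards 6.5.9 and 6.5.10 are closely related in practice: the anti-CSRF token only means something if it is bound to a session that was itself issued safely. The block below is an added example covering both, not code from the flashcards or from PCI DSS. It keeps server-side sessions with ids from the OS CSPRNG, enforces an idle timeout (set to the 15 minutes PCI DSS uses for idle sessions in Requirement 8.1.8) and an absolute lifetime (an illustrative value), rotates the id at login so a pre-planted id never becomes an authenticated one, and derives a CSRF token by HMAC over the session id so the token needs no storage and cannot be reused across sessions. The signing key is generated at import for the demonstration; a real deployment loads it from configuration.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions: in a real deployment the key is loaded from configuration and
# the lifetimes from policy.  IDLE_TIMEOUT matches the 15-minute idle limit
# PCI DSS sets in Requirement 8.1.8; the absolute lifetime is illustrative.
SECRET_KEY = secrets.token_bytes(32)
IDLE_TIMEOUT = 15 * 60
ABSOLUTE_LIFETIME = 8 * 3600


class SessionStore:
    """Server-side sessions: random ids, idle and absolute expiry, and id
    rotation at login so a pre-planted id (session fixation) never becomes
    an authenticated one."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # sid -> {"user", "created", "last_seen"}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def create(self, user: str) -> str:
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def login(self, presented_sid, user: str) -> str:
        """Discard whatever id the client arrived with and issue a fresh one."""
        self._sessions.pop(presented_sid, None)
        return self.create(user)

    def get(self, sid: str):
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def csrf_token(sid: str) -> str:
    """Anti-CSRF token bound to the session id with an HMAC.  It travels in a
    hidden form field or request header, never only in a cookie, because a
    forged cross-site request carries cookies automatically but cannot read
    or supply this value."""
    return hmac.new(SECRET_KEY, b"csrf:" + sid.encode(), hashlib.sha256).hexdigest()


def csrf_valid(sid: str, presented) -> bool:
    return bool(presented) and hmac.compare_digest(csrf_token(sid), presented)


def demo() -> dict:
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])

    planted = store.create("anonymous")     # id an attacker could have fixed in the victim's browser
    sid = store.login(planted, "alice")     # rotated at authentication
    token = csrf_token(sid)
    bob_sid = store.create("bob")

    results = {
        "sid": sid,
        "fixation_blocked": store.get(planted) is None,
        "csrf_ok": csrf_valid(sid, token),
        "csrf_cross_session": csrf_valid(bob_sid, token),   # alice's token on bob's session
        "csrf_missing": csrf_valid(sid, None),
    }
    clock[0] += IDLE_TIMEOUT + 1
    results["idle_expired"] = store.get(sid) is None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The demonstration shows the planted id dying at login, the token validating only on the session it was minted for, a missing token failing closed, and the session disappearing once the idle limit passes. The token is a per-session constant, so anything that can read the page (an XSS flaw under 6.5.7) can read it too; CSRF protection does not substitute for output encoding.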
Requirement 6.6 |
For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. |
|
Requirement 6.7 |
Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. |