116 Cards in this Set

Mnemonic for all requirements

IDPEPDRIRTRM - install, do not, protect, encrypt, protect from malware, secure systems, restrict, track, regularly test and maintain infosec policy.

What is requirement 3?

Protect stored cardholder data, i.e. if you must store it then protect it!

Requirement 3.1 is about retention periods and deleting data that has exceeded its retention period - by doing what?

Limit cardholder data to a minimum by utilising a retention and disposal policy; adopt a quarterly process for identifying and deleting data that has exceeded its retention period.

Requirement 3.2 is about not storing what?

Do not store SAD (CVV, track data, PIN) after authentication.

Requirement 3.3 is about masking the PAN when displayed. How many digits are allowed to be visible?

Mask the PAN when displayed - the first six and last four digits are the maximum allowed visible.

Requirement 3.4 is about rendering the PAN unreadable when stored - how can this be achieved?

Render the PAN unreadable - one-way hash, truncation, or tokens and pads, using strong crypto. Disk encryption - access control via a separate authentication mechanism.

Requirement 3.5 is about documenting and implementing procedures to protect the keys for stored data, including key-encrypting keys. What strength must they be?

Protect against disclosure and misuse. Includes algorithms, protocols, custodians, secret and private key storage, HSM, PTS POI, store in fewest locations. Key encrypting keys must be as strong as the data encrypting key they are protecting.

Requirement 3.6 is about key management - what specifically?

Fully document all key management processes: strong keys, secure distribution, storage, end of life, retirement, split knowledge, dual control, prevention of substitution, and custodian acknowledgement of responsibilities.

What is requirement 4?

If you must send CHD then encrypt it!


Strong crypto, never unprotected PANs

Requirement 4.1 is about transmission encryption - what should you use?

Use strong crypto and security protocols to safeguard SAD during transmission over wireless, GSM and GPRS; see the extra requirements in Appendix A2 for SSL/TLS.


No SSL3 and No WEP

Requirement 4.2 is about sending PANs over messaging technologies. What must we do?

Never send unprotected PANs by end-user messaging technologies - it's so easy to intercept them!

What is Requirement 5?

Protect all systems against malware and regularly update anti-virus software or programs, i.e. protect yourself against malware and other attacks

Requirement 5.1 is about ensuring what kind of systems have anti-virus?

Deploy AV on all systems commonly affected and make sure it's capable; systems not commonly affected must be periodically evaluated.

Requirement 5.2 - what must the AV be and do?

AV must be current, periodically scan and generate audit logs per 10.7

Requirement 5.3 - how should AV be configured?

AV must be current, actively running and generating audit logs. Ensure logging can't be disabled by users.

What is Requirement 6?

Develop and maintain secure systems and applications, i.e. build software properly and securely

Requirement 6.1 is about rating what?

Establish a process to identify vulns using rankings such as CVSS

Requirement 6.2 is about patch management - how often?

Ensure system components and software are protected by installing patches according to their ranking (6.1) and within 30 days

Requirement 6.3 is about custom code - how should it be developed?

Develop apps according to industry best practice, remove dev and test accounts, and review custom code to identify coding vulns

Requirement 6.4 is about the change management process - what should it be like?

Follow change control processes: separate dev and test environments, separation of duties, no live PANs, remove test data before go-live. Change control procedures must document the impact, document the authorisation, and detail the functionality testing and the back-out procedure. Finally, validate the change - does it meet all 12 requirements?

Requirement 6.5 is about ensuring developers are trained in secure coding techniques - such as?

Address common coding vulns, give developers annual training, and develop according to best practice such as OWASP. Address injection flaws, buffer overflows, crypto storage, comms, error handling, high-risk vulns per ranking (6.1), XSS, access control, CSRF and session management.

Requirement 6.6 - what about public-facing web apps?

For public-facing web apps, use a WAF in front

Mnemonic for Requirement 7

Keep access to a minimum


Restrict/Limit NTK, Deny all, SecPol

Requirement 7 is about what?

Restrict access to cardholder data by business need-to-know

Requirement 7.1 - access control policies

Limit access using RBAC, the principle of least privilege, job function and documented authorisation


Confirm access rights and controls for privileged users

What is requirement 7.2 - access control?

Establish an access control system restricted to those who need to know, with permissions set to deny all. Includes system components, RBAC and a deny-all default setting.


Confirm access controls default with 'deny-all'.

What is requirement 8?

Make sure people are who they say they are!


Identify and authenticate access to system components

Mnemonic for Requirement 8

IAM Process, UID & Authentication, Comms & Guidance, Tokens, DBs, SecPol

Requirement 8.1 - verify all users have a unique ID - how?

Define a process for proper user and admin identification management. Ensure unique IDs; cover adds, mods, deletions and revocation; disable inactive accounts (90 days); lockout after 6 attempts for a duration of 30 mins; idle timeout 15 mins.

Requirement 8.2 - what else is needed in addition to a unique UID?

In addition to a unique UID, must use at least one of - something you know, have or are (pwd, token, biometric)

Requirement 8.2.1-6 - verify authentication: how, and when should it change?

Ensure the access control process - encrypts auth data, verifies ID, min pwd length 7 alphanumeric, change every 90 days, remembers the last four pwds/phrases, and pwds are reset at first use

Requirement 8.3 - MFA for what?

Secure all non-console admin access and remote access to the CDE using MFA (best practice until 31/01/18)

Requirement 8.4 - guidance on what? Hint: pwds

Document and communicate guidance on strong authentication credentials: how to protect them, instructions not to reuse them, and instructions to change them if there is any suspicion of discovery

Requirement 8.5 - what about shared accounts?

Do not use generic or shared passwords or authentication methods; remove generic/shared accounts; no generic sys admin - accountability


Service providers - must use unique authentication per customer of shared hosting

Requirement 8.6 - tokens - what about them?

Tokens - where authentication methods are used they must be assigned to an individual, not shared, and physical/logical controls must be in place to ensure that only the intended account can use them.

Requirement 8.7 - DBs - what about them?

DBs - all access to DBs must be through programmatic methods; only DBAs have the ability to directly access or query DBs; app IDs can only be used by the app

What is requirement 9?

Physical security is just as important!


Restrict physical access to cardholder data

Mnemonic for requirement 9

Entry controls, Visitor procedures, Sensitive areas, Visitor authorisation,


Media - Secure, Control, Storage, Destroy.


Devices that capture CD - tampering awareness

Requirement 9.1 - what should we use to limit and monitor access?

Use entry controls to limit and monitor access; CCTV; physical or logical controls for network jacks, APs, gateways, handhelds, hardware and telecoms lines


No network jacks in public areas

Requirement 9.2 - how do we tell who is a visitor?

Distinguish between staff and visitors: use badges, assign access requirements and revoke on expiry

Requirement 9.3 - who is allowed into sensitive areas?

Control access to sensitive areas - authorised, based on job function and revoked upon termination

Requirement 9.4 - is there a process for assigning badges?

Procedures to authorise visitors - before entering, escorted within the CDE, given a badge to distinguish them as visitors, which expires, asked to surrender it when leaving, and maintain a log/audit trail for 3 months

Requirement 9.5 a - securing media where?

Securing media - backups at a secure location, off site, and review security annually

Requirement 9.6 a - securing media; if you send it, how should it be sent?

Strict control over media - classify sensitivity, send by secure courier, and ensure it has management approval for the move

Requirement 9.7 - secure media storage - how should we check it?

Strict storage control - inventory, review annually

Requirement 9.8 - media no longer needed - what should we do with it?

Destroy media - incinerate, shred, pulp; render CD unrecoverable so that CD cannot be reconstructed

Requirement 9.9 - staff awareness wrt PEDs

Protect devices that capture CHD from tampering - not keyboards or PIN pads. Inventory - make, model, location, serial no.; periodically inspect.


Train staff re attempted tampering: verify the identity of maintenance persons, verify installation, be aware of suspicious behaviour, and report such behaviour or signs of tampering

What is requirement 10?

Track who's going where and what they do!


Track and monitor all access to network resources and cardholder data

Requirement 10.1 - what do we use to track and monitor activity?

Implement audit trails to link activity to users and admins

Requirement 10.2 - what should the audit trail record?

Automated audit trails - record individual user access to CD, root/admin actions, access to audit logs, invalid login attempts, changes to accounts (i.e. elevation of privs, adds, deletions), stopping or pausing of audit logging, and creation/deletion of system-level objects.

Requirement 10.3 - what should each audit trail entry contain?

The audit trail should record the following - UID, type of event, date and time, success or failure, origination, and identity of the affected data, system component or source

Requirement 10.4 - what about the time?

Time-sync all critical components - correct and consistent time, protected, from industry-accepted sources

Requirement 10.5 - where should we hold audit logs?

Secure audit trails: limit viewing, protect from unauthorised modification, back up to a centralised log server, external-facing devices should log to the centralised log, use FIM or change detection software (alerting)

Requirement 10.6 - when should we review audit logs and why?

Review logs for anomalies (tools can be used); review daily all security events from all sources that store, process or transmit; review logs of other components according to policy/risk assessment; follow up anomalies.

Requirement 10.7 - how long should we keep logs?

Retain the audit trail for 1 year with 3 months immediately available (can be from backup)

Requirement 10.8 - SPs only - network monitoring - what should be included?

SPs only - a process for timely detection of failures of critical security controls, i.e. from firewalls, IDS/IPS, FIM, AV, physical and logical access controls. Note: best practice until 31/01/18.


Respond to any such failures in a timely manner: restore, identify the root cause, address any issues, risk assess, implement additional controls, fully document.

Requirement 11

Test to make sure it's all working properly!


Regularly test security systems and processes - test and check everything is working correctly!

Requirement 11.1 - wireless? What of it?

Test for the presence of authorised and unauthorised wireless APs quarterly.


Inventory of authorised APs including business justification,


Incident response procedure (IRP) if unauthorised APs are detected.

Requirement 11.2 - internal and external scans - when, how, why, who?

Vuln scans - internal and external (ASV), quarterly and after changes; scans must be done by authorised personnel; address all high-risk findings. Rescan until a passing scan is achieved; scan after any changes.

Requirement 11.3 - pen test - when and why?

Pen test methodology - based on industry standards (NIST SP800-115), covers the entire CDE, internal/external, network-layer pen test, review of threats and vulns of the last 12 months, suggested remedial activities.


All tests annual, or after significant changes; correct exploitable vulns found; test segmentation every 6 months if an SP. Best practice until 31/01/18.

Requirement 11.4 - should we monitor the perimeter?

IDS/IPS - monitor all traffic at the perimeter as well as critical points of the CDE; keep all signatures and engines up to date.

Requirement 11.5 - should we monitor files?

Change detection mechanism (FIM) to alert to unauthorised modification of critical files; implement a process to respond to alerts; file comparisons at least weekly.


Why - unauthorised changes could render other security controls ineffective or indicate a breach.

Requirement 12

Make sure everyone knows what's required.


Maintain a policy that addresses infosec for all personnel

Requirement 12.1 - security policies - what about them?

Establish, publish, disseminate, review annually

Requirement 12.2 - risks?

Risk assessment process, annually and on significant changes

Requirement 12.3 - acceptable use of what?

Usage policies for critical technologies to define their proper use - wireless, remote access, laptops, removable media, email and internet. Includes authorised approval, authentication for the use of the technology, a list of personnel and devices, an inventory of ownership (contact, label, purpose), acceptable use, acceptable locations, remote access for vendors and 3rd parties including deactivation; where CD is accessed by remote access there must be no copying, moving or storage of CD unless there is an authorised business need

Requirement 12.4 - infosec responsibilities for all personnel - what about them?

Ensure that security policies clearly define infosec responsibilities for all personnel.


Service providers only - executive management shall establish responsibility for the protection of CHD, including accountability, defining a charter for the program and communication to all exec management - best practice until 31/01/18

Requirement 12.5 - responsibilities - what for?

Assign responsibilities - establish, document and distribute infosec policies; monitor and analyse security alerts; incident response and escalation procedures; administer user accounts (adds, deletes, changes); monitor and control all access to cardholder data

Requirement 12.6 - awareness - why? when?

Implement a security awareness program to make all personnel aware of the need to protect CD. Educate annually and require all staff to acknowledge at least annually that they have read and understood the security policies and procedures.

Requirement 12.7 - check your staff out!

Employee background checks - criminal record, credit history, references

Requirement 12.8 - what about service providers?

Policies and procedures to manage service providers where CD is shared or could affect the security of CD. Maintain a list including a description of the service provided. Written agreement including acknowledgement that SPs are responsible for the security of CHD where they store, transmit or process it, or could affect the security of the CDE. Due diligence prior to engagement, monitor SPs annually, maintain info about what is managed by the SP and what is managed by the entity.

Requirement 12.9 - SPs only - what are their responsibilities?

Service providers only: acknowledge in writing that they are responsible for the security of the CDE where they store, transmit or process CD, or where they could affect the security of the CDE.

Requirement 12.10 - what should the IRP cover?

Implement an Incident Response Plan (IRP): must address roles and responsibilities, communications strategy including to payment brands, IR procedures, business resilience, data backup, legal requirements for reporting compromises, and coverage of all critical systems. Review and test the plan at least annually; designate personnel to be available 24/7/365 to respond to alerts; provide training to staff with breach responsibilities; include alerts from all systems, not just IDS/IPS, firewalls and FIM. Process to evolve lessons learned.

Requirement 12.11 - review your personnel and what they are doing?

SPs only: review quarterly to confirm personnel are following procedures - daily log reviews, firewall rule sets, config standards for new systems, change management, response to security alerts. Best practice until 31/01/18. Maintain documentation of the quarterly review; review and sign-off by personnel assigned responsibility for the PCI DSS compliance program.

What is Appendix A about?

Additional PCI DSS requirements for shared hosting providers re protecting each entity: making sure that each only has access to their own CDE, restricting privs to the CDE only, ensuring logging and audit trails, and processes for timely forensic investigations.

What is Appendix A2 about?

Entities still using SSL or early TLS. Stop using by 30/06/18, ensure terminals are not susceptible to known attacks, risk mitigation plan.

What are the main sections of the Compensating Controls Worksheet?

Constraints, Objectives, Identified Risk, Definition of Compensating Controls, Validation of Compensating Controls and Maintenance. COIDVM

What are the main components of the RoC?

contact info and report date


Executive Summary


Description of Scope of work and approach taken


Details about the reviewed environment


Quarterly scan results


Findings and objectives


Compensating Controls Worksheet


CExDDQFCcw



What is the process flow of card transactions?

CMAPBI


Cardholder - Merchant - Acquirer - Payment Brand Network - Issuer

Requirement 1 - keep the bad guys out!


Requirement 1.1 is about firewall and router configs - what else?

Install and maintain a firewall configuration to protect cardholder data. Config standards must include: change control, network diagram, data flow diagram, firewall at the Internet and between the DMZ and internal zone, roles and responsibilities, documented business justification for rules, review of firewall rules every 6 months.

Requirement 1.2 is about what the config should do - and what else?

Build FW/router configs to restrict access between untrusted networks and the CDE. Restrict inbound/outbound to only necessary traffic, deny all, secure and sync router files, put a perimeter firewall between wireless and the CDE, permit only authorised traffic

Requirement 1.3 is about prohibiting what traffic?

Prohibit direct public access between the Internet and the CDE. Access to CD must go through the DMZ.

Requirement 2 - Set systems up properly!


Is about vendor defaults - and what else?

Do not use vendor-supplied defaults for system passwords and other security parameters, i.e.


Attempt to sign on with defaults


Hardening standards and system configurations


Ensure that non-console access is encrypted

What is DESV and what is it about?

An entity determined by an acquirer or payment brand as requiring additional validation to existing PCI requirements. Could be due to breaches or the need for greater assurance; S-RoC, S-AoC

Track 1 vs Track 2 - what's the difference?

Track 1 contains all fields of both tracks, up to 79 characters


Track 2 provides shorter processing time for older dial-up systems, up to 40 characters

What part of track 1 is a violation to store?

44-56 = CVV/CVC

What parts of track 2 are a violation to store?

28-40 = CVV/CVC, PIN, Service Code

What should an inventory contain for systems that store, transmit or process CD?

System name, account data stored, reason, retention period, and protection mechanism

Storing track data is not permitted - except for whom?

Issuers and issuing processors may be permitted to retain SAD if needed for business purposes (troubleshooting), but payment brands may have additional requirements for issuers.

Where can track data be found hidden?

Databases, flat files, log files and debug files

What types of system commonly store track data?

POS systems and servers, authorisation servers

What is the mod 10 check and how does it work?

1) Starting from the 2nd digit from the right, double alternate digits and subtract 9 from those over 10


2) Add the calculated values, including the skipped digits, together


3) The total obtained in step 2 must be divisible by 10


Or use a cardholder data discovery tool

What are the principles of sampling?

1) Consider business facilities and components


2) Samples must be representative of all types and locations of the aforementioned


3) Samples must be sufficiently large


Sampling is not a PCI DSS requirement. Facilities = offices, DCs, retail stores


4) Document the rationale for sampling and the methodology used.

requirement 3.2 prohibits the storage of SAD after authorisation - what should happen to it if received?

It must be rendered unrecoverable - securely deleted

How should cryptographic keys be kept?

One or more of the following:


Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key and stored separately; within a secure cryptographic device (HSM, PTS-approved); as key components or key shares (industry-standard method)

What is split knowledge, how is it managed, and why should it be used?

Where clear-text key management processes are used, split knowledge should be used. At least 2 people each have knowledge of a part of a key and never of the resultant key once two or more parts come together. Dual control should be used to perform a function, but again neither person should have access to the resultant key.

What is important to remember about key custodians?

Requirement 3.5.1 - access to keys must be limited to the fewest number of custodians possible


Requirement 3.6 custodians should acknowledge and accept their responsibilities as key custodians.

What are the requirements for video cameras and their retention period?

To monitor access control to entrances/exits to sensitive areas such as the CDE, they must be protected from tampering, actively monitored and data retained for 90 days.

What happens in the clearing process?

The acquirer and issuer exchange purchase information to complete the transaction via the payment brand network. The acquirer sends payment info to the payment brand network.

What happens in the reconciliation process?

The payment brand sends purchase info to the issuer and then provides reconciliation to the acquirer as part of the clearing process

What happens during the settlement process?

The issuer determines the acquirer and sends payment to the merchant, and bills the cardholder.

Name some common coding standards

OWASP, SANS CWE Top 25, CERT Secure Coding

What is SAQ A used for?

Card-not-present, MO/TO merchants - all CD functions outsourced to a PCI DSS compliant SP, no stored CD

SAQ A-EP is for whom?

eCommerce-only merchants who outsource CD functions and who have a website that doesn't receive CD but hands off to an SP or 3rd-party compliant org

SAQ C is for whom?

Merchants with segmented payment apps connected to the internet, no stored CD.

SAQ C-VT is for whom?

Merchants using only a web-based virtual terminal with no CD stored - not eCommerce

SAQ D

Merchants not included in any other SAQ, or all service providers

SAQ P2PE is for whom?

Merchants with a validated P2PE solution listed on the Standards Council website, with no stored CD. No eCommerce.

What are payment brands compliance programs responsible for?


TEPVADF


Tracking, Enforcement, Penalties, Deadlines, Validation process, Approval and posting of compliant entities, Definition of merchant and SP levels. Also forensic investigations and responding to account data compromises

Who should one go to in the event of a data breach?

The payment brands - a list of contact details for the payment brands can be found on the SSC website

What type of assessment is needed by a Level 1 merchant or service provider?

Onsite, RoC and ASV scan report

What type of assessment is needed by a Level 2 merchant or service provider?

Self-assessment, SAQ and ASV scan

What type of assessment is needed for L2 and L4 merchants?

Determined by brand or acquirer

Who determines merchant levels and how?

Payment brands, based on transaction volume, which is determined by the acquirer

Who determines a service provider's level?

Brands, based on transaction volume or type of service provider. Can also be determined by the acquirer or the service provider themselves

How is the scope of the environment determined?


Identify all locations and flows of CHD


Verify that they are all included in the CDE


Ensure correctly documented - verify