• Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off

Card Range To Study



Play button


Play button




Click to flip

Use LEFT and RIGHT arrow keys to navigate between flashcards;

Use UP and DOWN arrow keys to flip the card;

H to show hint;

A reads text to speech;

131 Cards in this Set

  • Front
  • Back
PCI DSS Requirement 1
Install and maintain a firewall configuration to protect cardholder data
PCI DSS Requirement 2
Do not use vendor supplied defaults for system passwords and other security parameters
PCI DSS Requirement 3
Protect stored cardholder data by enacting a formal data retention policy and implement secure deletion methods
PCI DSS Requirement 4
Protected Cardholder Data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)
PCI DSS Requirement 5
Use and regularly update anti-virus software or programs
PCI DSS Requirement 6
Develop and maintain secure systems and applications
PCI DSS Requirement 7
Restrict access to cardholder data by business need to know
PCI DSS Requirement 8
Assign a unique ID to each person with computer access
PCI DSS Requirement 9
Restrict physical access to cardholder data
PCI DSS Requirement 10
Track and monitor all access to network resources and cardholder data
PCI DSS Requirement 11
Regularly test security systems and processes with wireless scans, vulnerability scans, log audits, ASV (Approved Scanning Vendor)
PCI DSS Requirement 12
Maintain a policy that addresses information security for all personnel
PCI Data Security Standards (PCI DSS)
Covers the security of the environments that store, process or transmit account data.

Environments receive account data from payment applications and other sources (e.g. acquirers)
PCI Payment Application Data Security Standards
Covers secure payment applications to support PCI DSS compliance.

Payment application receives account data from PIN Entry Devices (PED) or other devices and begins payment transaction
PCI PIN Transaction Security (PCI PTS)
Covers device tamper detection, cryptographic processes and other mechanisms to protect the Personal Identification Number (PIN).

Encrypted PIN is passed to payment application or hardware terminal.
PCI PIN Security
Covers secure management, processing and transmission of personal identification number data during online and offline payment card transaction processing
PCI Point to Point Encryption (PCI P2PE)
Covers encryption, decryption and key management within secure cryptographic devices (SCD).
Cardholder Data Environment
Relationship between PTS and PCI DSS
DSS prevents the storage of encrypted PIN blocks. PTS supports the PIN encryption so there's no overlap.
Relationship between PCI DSS and PA-DSS
Paymnet applications must support and not hinder PCI DSS compliance

PCI DSS requirements mirrored in many payment application requirements in PA-DSS
Relationship between PCI DSS and P2PE
Incorporates requirements from Pin Transaction Security, PCI DSS, PA-DSS and PCI PIN to protect CHD from the point of capture until it reaches the payment processor.

Properly implemented, validated P2PE solutions may help reduce the scope of a merchant's PCI DSS assessment.
Card Holder Data
PA-DSS applies to third party payment applications
if application performs authorization and/or settlement (POS, shopping carts, etc.)
PA-DSS ensure a payment application functions
in a PCI DSS compliant manner by supporting the compliance of those that use the application.
Use of a PA-DSS application alone
does not guarantee PCI DSS compliance.
Assessor must validate that payment application is installed
per instructions in the PA-DSS implementation Guide provided by payment application vendor and in a PCI DSS compliant manner.
PTS requirements apply to:
Point of Interaction (POI) devices
Encrypting PIN Pads (EPP)
Point of Sale devices (POS)
Hardware/host Security Modules (HSM)
Unattended Payment Terminals (UPT)
non-PIN entry modules
PTS ensures terminals cannot be
manipulated or attacked to allow the capture of sensitive authentication data nor allow access to clear-text PINS or keys
Secure Read and Exchange Module
The SRED allows terminals to be
approved for the secure encryption of cardholder data as part of the P2PE program.
PTS has been extended to allow non-PIN entry modules
to be evaluated against the SRED module to allow secure encryption at the point of interaction for non-chip and PIN cards.
A PCI DSS assessor must validate that the payment application is installed
per PA-DSS implementation guide

and in a PCI DSS compliant manner
Point of Interaction
There are two types of devices addressed by PTS...
Point of Interaction (POI)

Hardware Security Modules (HSM)
Points of Interaction are broken into _____ device types....

Attended POS devices such as cash registers

Encrypting PIN pads for use in unattended environments such as ATM's

Unattended payment terminals such as automated fuel dispensers and kiosks.
PIN (Personal Identification Number) security is comprised of
secure management, processing and transmission of PIN data during online and offline payment card transaction processing - such as POS terminals (attended or unattended) and ATMs
Point to Point Encryption
Using a P2PE hardware to hardware solution may reduce
the scope of the cardholder data environment
P2PE addresses merchants who
..do not store or decrypt encrypted data within their environment and who use validated solutions consisting of hardware-based encryption and third-party hardware-based encryption
P2PE solutions typically consist of
a secure encryption device at the merchant premises (PTS validated POI device), all applications on the Point of Interaction device and secure decryption and key management in the service provider's environment.
PCI DSS scope can be reduced on the merchant side because
merchants have no access to account data within POI or decryption environment

merchants have no involvement in crypto key management

all crypto operations managed by solution provider
the person actually owns the payment card
Cardholder purchases goods either as a
Card present or card not present transaction
The cardholder receives the card and bills from
the issuer.
The issuer is
the bank or other organization issuing a payment card on behalf of a payment brand (i.e. Visa, MC)
Can the issuer be a payment brand directly?
The merchant is
the organization accepting the payment card for payment during a purchase
Primary Account Number
PAN, Cardholder name, expiration date, service code are all examples of
cardholder data.
Sensitive Authentication Data
full magnetic stripe data or equivalent on a chip, CAV2/CVC2/CVV2/CID, PINs/PIN blocks...are all examples of
SAD (sensitive authentication data)
If the PAN or SAD is stored processed or transmitted, are the PCI DSS requirements applicable?
Sensitive Authentication Data ________________ be stored after authorization.
Does encryptiong Cardholder data or SAD remove it from scope?
No, not necessarily
Track data or track equivalent data
Data stored on a magnetic strip or equivalent data encoded on a chip
Chip track data contains a unique chip CVV/CVC code which prevents ___________ the magnetic stripe.
The PAN and expiration data in the chip can be used for fraudulent card-not-present transactions...true or false?
Contains all fields of both Track 1 and Track 2 and is up to 79 characters
Track 1 on the magnetic stripe
Provides shorter processing time for older dial up transmissions and is up to 40 characters
Track 2 on magnetic stripe
Issuers and issuing processors may be permitted to retain sensitive authentications data after authorization if needed for business purposes - T or F?
Businesses may have a need to store track data temporarily for troubleshooting purposes - tracks mis-reads, network errors, encryption issues, etc. TorF?
Requirements for a firewall at each internet connection and between any demilitarized zone and the internal network zone - t or f?
Requirment to review firewall and router rule sets at least every _____ months
Firewalls do not have to be installed between all wireless networks and the CDE - regardless of the purpose of the environment to which the wireless network is connected - t or f?
Is the implementation of a DMZ recommended?
Firewalls should be stateful - true or false?
Segregate system components that store cardholder data (such as a database) in an internal network zone, separate from the DMZ and other untrusted networks t or F?
Cardholder data within the DMZ makes it easier or harder for the external attacker to access?
The implementation of multiple functions on one server is encouraged - t or f?
Are there additional requirements for shared hosting providers?
Yes - Appendix A
Use a one way hash of entire PAN as a way or rendering PAN unreadable - t or f?
A cryptoperiod is a time span during which a particular cryptographic key can be used for its defined purpose - true or false?
Which NIST SP is used for guidance on cryptographic measures for PCI?
______-knowledge and dual control of keys is used to eliminate one person's access to the whole key.
The use of WEP as a security control was prohibited as of June 30, 2010 - true or false?
Keep your **** patched - always within two months of patch release - true or false?
False - answer is one month
The intention of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment
PCI DSS Requirement 6
The ranking of vulnerabilities is a requirement enacted June 30, 2012 - t or f?
Security must be at the table during requirements definition, design, etc. - t or false?
Production data (live PANs) are used for testing and development - true or false?
The P2PE standard covers...
encryption, decryption and key management within Secure Cryptographic Devices (SCD)
The PCI DSS applies to any entity that ________, _________, or ____________ cardholder data.
stores, processes, transmits
The PCI DSS follows a defined ______________ lifecycle.
36 month
-authorization services to a merchant
-clearing services to a merchant
-settlement services to a merchant
are functions associated with an _____________?
Who approves a purchase?
Issuing bank
Is clearing, auth and settlement the correct order for a payment card transaction?
No - auth, clearing, settlement is the correct order
Service providers can control or impact the security of the cardholder data - t or f?
Cardholder data may be stored in 'KNOWN' and 'UNKNOWN' locations - t or f?
Track data can be stored long term or persistently if the ____________ is storing it.
Req. 3.4 states that PAN must be rendered unreadable when stored, using encryption, hashing or truncation - true or false?
Rlogon, telnet and ftp are secure services - true or false?
Which requirement concerns controlling access to data?
'least privilege'
when access is granted only to the least amount of data and privileges needed to perform a job
when privileges are assigned to individual on the basis of their job classification and function
Two factor auth applies to users that have remote access to the network, where that remote access could lead to access to the cardholder data environment and is required for networks with access to the CDE- t or f?
Password change every 90 - t or f?
Min length is 8 - true or false?
false - min is 7
no repeats of last three pwords used - t or f?
false - no repeat of last 4
3 attempt lock out - true or false?
False - 6 attempts
lockout duration is 30 mins - true or false?
session idle timeout is 10 mins - true or false?
false - timeout for session idle is 15 mins
Logging is a highly critical part of the security posture - true or false?
True - how else can activity be tracked?
Retain audit trail history for at least _____ year/s with a minimum of _______ months immediately available.
Perform external and internal pen testing at least once a year and after any significant upgrade or modification - t or f?
file integrity monitoring tools
Perform a risk assessment annually - t or f?
Create an __________ ___________ plan to be implemented in the event of system breach.
incident response - tested annually
Self Assessment questionnaire
A validation tool intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS
Name the 5 SAQs
A, B, C, D, C-VT
Card not present merchants, all cardholder data source functions outsourced
Imprint only merchants with no electronic cardholder data storage or stand alone dial out terminals with no electronic cardholder data storage
merchants with web-based virtual terminals, no electronic cardholder data storage
Merchants with payment application systems connected to the internet, no electronic cardholder data storage
All other merchants and all service providers defined by a payment brand as eligible to complete an SAQ
process by which a PAN is replaced with a surrogate value called a token.
process by which a token is redeemed for its associated PAN value
Storing tokens instead of PANs is one alternative to reduce the amount of cardholder data in the environment - t or f?
Tokenization solutions complicate validation efforts - t or f?
False - they actually reduce the number of system components covered by PCI DSS
separates applications, desktops, machines, networks, data and services from their physical constraints
If virtualization is used in a CDE, PCI DSS requirments do not apply - t or f?
the algorithmic process of transforming plaintext into unreadable ciphertext.
P2PE encrypts at source, delivers information encrypted and then decrypted at destination - t or f?
A compensating control may be considered for most PCI DSS requirments when an entity cannot meet a requirement explicitly as stated due to technical or documented business constraints and can be removed after the assessment is complete - t or f?
false - compensating control must remain effective after assessment
Meet the rigor and intent of the original requirement
compensating control
sufficiently offset the risk that the original requirement was designed to defend against
compensating control
be above and beyond other PCI DSS requirements
compensating control
be commensurate with additional risk imposed by not adhering to the original requirement
compensating control
Two reasons for consideration of compensating controls:
Legit technical or documented business constraint
Existing PCI DSS requirements CANNOT be considered as compensating controls if there are already required for the item under review - t or f?
Existing PCI DSS requirements CAN be considered as compensating controls if they are not already required for the item under review - t or f?