131 Cards in this Set
- Front
- Back
PCI DSS Requirement 1
|
Install and maintain a firewall configuration to protect cardholder data
|
|
PCI DSS Requirement 2
|
Do not use vendor supplied defaults for system passwords and other security parameters
|
|
PCI DSS Requirement 3
|
Protect stored cardholder data by enacting a formal data retention policy and implement secure deletion methods
|
|
PCI DSS Requirement 4
|
Protect cardholder data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)
|
|
PCI DSS Requirement 5
|
Use and regularly update anti-virus software or programs
|
|
PCI DSS Requirement 6
|
Develop and maintain secure systems and applications
|
|
PCI DSS Requirement 7
|
Restrict access to cardholder data by business need to know
|
|
PCI DSS Requirement 8
|
Assign a unique ID to each person with computer access
|
|
PCI DSS Requirement 9
|
Restrict physical access to cardholder data
|
|
PCI DSS Requirement 10
|
Track and monitor all access to network resources and cardholder data
|
|
PCI DSS Requirement 11
|
Regularly test security systems and processes with wireless scans, vulnerability scans, log audits and ASV (Approved Scanning Vendor) scans
|
|
PCI DSS Requirement 12
|
Maintain a policy that addresses information security for all personnel
|
|
PCI Data Security Standards (PCI DSS)
|
Covers the security of the environments that store, process or transmit account data.
Environments receive account data from payment applications and other sources (e.g. acquirers)
|
|
PCI Payment Application Data Security Standards (PCI PA-DSS)
|
Covers secure payment applications to support PCI DSS compliance.
Payment application receives account data from PIN Entry Devices (PED) or other devices and begins payment transaction
|
|
PCI PIN Transaction Security (PCI PTS)
|
Covers device tamper detection, cryptographic processes and other mechanisms to protect the Personal Identification Number (PIN).
Encrypted PIN is passed to payment application or hardware terminal.
|
|
PCI PIN Security
|
Covers secure management, processing and transmission of personal identification number data during online and offline payment card transaction processing
|
|
PCI Point to Point Encryption (PCI P2PE)
|
Covers encryption, decryption and key management within secure cryptographic devices (SCD).
|
|
CDE
|
Cardholder Data Environment
|
|
Relationship between PTS and PCI DSS
|
DSS prevents the storage of encrypted PIN blocks. PTS supports the PIN encryption so there's no overlap.
|
|
Relationship between PCI DSS and PA-DSS
|
Payment applications must support and not hinder PCI DSS compliance
PCI DSS requirements are mirrored in many payment application requirements in PA-DSS
|
|
Relationship between PCI DSS and P2PE
|
Incorporates requirements from PIN Transaction Security, PCI DSS, PA-DSS and PCI PIN to protect CHD from the point of capture until it reaches the payment processor.
Properly implemented, validated P2PE solutions may help reduce the scope of a merchant's PCI DSS assessment.
|
|
CHD
|
Card Holder Data
|
|
PA-DSS applies to third party payment applications
|
if the application performs authorization and/or settlement (POS, shopping carts, etc.)
|
|
PA-DSS ensures a payment application functions
|
in a PCI DSS compliant manner by supporting the compliance of those that use the application.
|
|
Use of a PA-DSS application alone
|
does not guarantee PCI DSS compliance.
|
|
Assessor must validate that payment application is installed
|
per instructions in the PA-DSS Implementation Guide provided by the payment application vendor and in a PCI DSS compliant manner.
|
|
PTS requirements apply to:
|
Point of Interaction (POI) devices
Encrypting PIN Pads (EPP)
Point of Sale devices (POS)
Hardware/host Security Modules (HSM)
Unattended Payment Terminals (UPT)
non-PIN entry modules
|
|
PTS ensures terminals cannot be
|
manipulated or attacked to allow the capture of sensitive authentication data, nor allow access to clear-text PINs or keys
|
|
SRED
|
Secure Read and Exchange Module
|
|
The SRED allows terminals to be
|
approved for the secure encryption of cardholder data as part of the P2PE program.
|
|
PTS has been extended to allow non-PIN entry modules
|
to be evaluated against the SRED module to allow secure encryption at the point of interaction for non-chip and PIN cards.
|
|
A PCI DSS assessor must validate that the payment application is installed
|
per the PA-DSS Implementation Guide
and in a PCI DSS compliant manner
|
|
POI
|
Point of Interaction
|
|
There are two types of devices addressed by PTS...
|
Point of Interaction (POI)
Hardware Security Modules (HSM)
|
|
Points of Interaction are broken into _____ device types....
|
3
Attended POS devices such as cash registers
Encrypting PIN pads for use in unattended environments such as ATMs
Unattended payment terminals such as automated fuel dispensers and kiosks.
|
|
PIN (Personal Identification Number) security is comprised of
|
secure management, processing and transmission of PIN data during online and offline payment card transaction processing - such as POS terminals (attended or unattended) and ATMs
|
|
P2PE
|
Point to Point Encryption
|
|
Using a P2PE hardware-to-hardware solution may reduce
|
the scope of the cardholder data environment
|
|
P2PE addresses merchants who
|
do not store or decrypt encrypted data within their environment and who use validated solutions consisting of hardware-based encryption and third-party hardware-based encryption
|
|
P2PE solutions typically consist of
|
a secure encryption device at the merchant premises (PTS validated POI device), all applications on the Point of Interaction device and secure decryption and key management in the service provider's environment.
|
|
PCI DSS scope can be reduced on the merchant side because
|
merchants have no access to account data within the POI or decryption environment
merchants have no involvement in crypto key management
all crypto operations are managed by the solution provider
|
|
Cardholder
|
the person who actually owns the payment card
|
|
Cardholder purchases goods either as a
|
Card present or card not present transaction
|
|
The cardholder receives the card and bills from
|
the issuer.
|
|
The issuer is
|
the bank or other organization issuing a payment card on behalf of a payment brand (e.g. Visa, MC)
|
|
Can the issuer be a payment brand directly?
|
Yes
|
|
The merchant is
|
the organization accepting the payment card for payment during a purchase
|
|
PAN
|
Primary Account Number
|
|
PAN, Cardholder name, expiration date, service code are all examples of
|
cardholder data.
|
|
SAD
|
Sensitive Authentication Data
|
|
Full magnetic stripe data or equivalent on a chip, CAV2/CVC2/CVV2/CID, PINs/PIN blocks are all examples of
|
SAD (sensitive authentication data)
|
|
If the PAN or SAD is stored, processed or transmitted, are the PCI DSS requirements applicable?
|
Yes
|
|
Sensitive Authentication Data ________________ be stored after authorization.
|
Cannot
|
|
Does encrypting cardholder data or SAD remove it from scope?
|
No, not necessarily
|
|
Track data or track equivalent data
|
Data stored on a magnetic stripe or equivalent data encoded on a chip
|
|
Chip track data contains a unique chip CVV/CVC code which prevents ___________ the magnetic stripe.
|
Cloning
|
|
The PAN and expiration data in the chip can be used for fraudulent card-not-present transactions...true or false?
|
True
|
|
Contains all fields of both Track 1 and Track 2 and is up to 79 characters
|
Track 1 on the magnetic stripe
|
|
Provides shorter processing time for older dial-up transmissions and is up to 40 characters
|
Track 2 on magnetic stripe
|
|
Issuers and issuing processors may be permitted to retain sensitive authentication data after authorization if needed for business purposes - T or F?
|
True
|
|
Businesses may have a need to store track data temporarily for troubleshooting purposes - track mis-reads, network errors, encryption issues, etc. - T or F?
|
True
|
|
There is a requirement for a firewall at each internet connection and between any demilitarized zone and the internal network zone - t or f?
|
True
|
|
Requirement to review firewall and router rule sets at least every _____ months
|
6
|
|
Firewalls do not have to be installed between all wireless networks and the CDE - regardless of the purpose of the environment to which the wireless network is connected - t or f?
|
False
|
|
Is the implementation of a DMZ recommended?
|
Yes
|
|
Firewalls should be stateful - true or false?
|
True
|
|
Segregate system components that store cardholder data (such as a database) in an internal network zone, separate from the DMZ and other untrusted networks t or F?
|
True
|
|
Cardholder data within the DMZ makes it easier or harder for the external attacker to access?
|
Easier
|
|
The implementation of multiple functions on one server is encouraged - t or f?
|
False
|
|
Are there additional requirements for shared hosting providers?
|
Yes - Appendix A
|
|
Use a one-way hash of the entire PAN as a way of rendering the PAN unreadable - t or f?
|
True
|
|
A cryptoperiod is a time span during which a particular cryptographic key can be used for its defined purpose - true or false?
|
True
|
|
Which NIST SP is used for guidance on cryptographic measures for PCI?
|
800-57
|
|
______-knowledge and dual control of keys is used to eliminate one person's access to the whole key.
|
Split
|
|
The use of WEP as a security control was prohibited as of June 30, 2010 - true or false?
|
True
|
|
Keep your **** patched - always within two months of patch release - true or false?
|
False - answer is one month
|
|
The intention of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment
|
PCI DSS Requirement 6
|
|
The ranking of vulnerabilities is a requirement enacted June 30, 2012 - t or f?
|
True
|
|
Security must be at the table during requirements definition, design, etc. - t or f?
|
T
|
|
Production data (live PANs) are used for testing and development - true or false?
|
F
|
|
The P2PE standard covers...
|
encryption, decryption and key management within Secure Cryptographic Devices (SCD)
|
|
The PCI DSS applies to any entity that ________, _________, or ____________ cardholder data.
|
stores, processes, transmits
|
|
The PCI DSS follows a defined ______________ lifecycle.
|
36 month
|
|
Providing:
- authorization services to a merchant
- clearing services to a merchant
- settlement services to a merchant
are functions associated with an _____________?
|
Acquirer
|
|
Who approves a purchase?
|
Issuing bank
|
|
Is clearing, auth and settlement the correct order for a payment card transaction?
|
No - auth, clearing, settlement is the correct order
|
|
Service providers can control or impact the security of the cardholder data - t or f?
|
True
|
|
Cardholder data may be stored in 'KNOWN' and 'UNKNOWN' locations - t or f?
|
True
|
|
Track data can be stored long term or persistently if the ____________ is storing it.
|
issuer
|
|
Req. 3.4 states that PAN must be rendered unreadable when stored, using encryption, hashing or truncation - true or false?
|
True
|
|
rlogin, telnet and ftp are secure services - true or false?
|
False
|
|
Which requirement concerns controlling access to data?
|
7
|
|
'least privilege'
|
when access is granted only to the least amount of data and privileges needed to perform a job
|
|
RBAC
|
when privileges are assigned to individuals on the basis of their job classification and function
|
|
Two-factor auth applies to users who have remote access to the network where that remote access could lead to access to the cardholder data environment, and is required for networks with access to the CDE - t or f?
|
true
|
|
Password change every 90 days - t or f?
|
True
|
|
Min password length is 8 - true or false?
|
false - min is 7
|
|
No repeats of the last three passwords used - t or f?
|
false - no repeat of last 4
|
|
3-attempt lockout - true or false?
|
False - 6 attempts
|
|
Lockout duration is 30 mins - true or false?
|
true
|
|
Session idle timeout is 10 mins - true or false?
|
false - timeout for session idle is 15 mins
|
|
Logging is a highly critical part of the security posture - true or false?
|
True - how else can activity be tracked?
|
|
Retain audit trail history for at least _____ year/s with a minimum of _______ months immediately available.
|
1 year
3 months
|
|
Perform external and internal pen testing at least once a year and after any significant upgrade or modification - t or f?
|
True
|
|
FIM
|
file integrity monitoring tools
|
|
Perform a risk assessment annually - t or f?
|
true
|
|
Create an __________ ___________ plan to be implemented in the event of system breach.
|
incident response - tested annually
|
|
SAQ
|
Self Assessment questionnaire
|
|
A validation tool intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS
|
SAQ
|
|
Name the 5 SAQs
|
A, B, C, D, C-VT
|
|
SAQ A
|
Card not present merchants, all cardholder data source functions outsourced
|
|
SAQ B
|
Imprint-only merchants with no electronic cardholder data storage, or stand-alone dial-out terminals with no electronic cardholder data storage
|
|
SAQ C-VT
|
merchants with web-based virtual terminals, no electronic cardholder data storage
|
|
SAQ C
|
Merchants with payment application systems connected to the internet, no electronic cardholder data storage
|
|
SAQ D
|
All other merchants and all service providers defined by a payment brand as eligible to complete an SAQ
|
|
tokenization
|
process by which a PAN is replaced with a surrogate value called a token.
|
|
de-tokenization
|
process by which a token is redeemed for its associated PAN value
|
|
Storing tokens instead of PANs is one alternative to reduce the amount of cardholder data in the environment - t or f?
|
true
|
|
Tokenization solutions complicate validation efforts - t or f?
|
False - they actually reduce the number of system components covered by PCI DSS
|
|
Virtualization
|
separates applications, desktops, machines, networks, data and services from their physical constraints
|
|
If virtualization is used in a CDE, PCI DSS requirements do not apply - t or f?
|
f
|
|
Encryption
|
the algorithmic process of transforming plaintext into unreadable ciphertext.
|
|
P2PE encrypts at the source, delivers the information encrypted, and it is then decrypted at the destination - t or f?
|
true
|
|
A compensating control may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated due to technical or documented business constraints, and can be removed after the assessment is complete - t or f?
|
false - compensating control must remain effective after assessment
|
|
Meet the rigor and intent of the original requirement
|
compensating control
|
|
sufficiently offset the risk that the original requirement was designed to defend against
|
compensating control
|
|
be above and beyond other PCI DSS requirements
|
compensating control
|
|
be commensurate with additional risk imposed by not adhering to the original requirement
|
compensating control
|
|
Two reasons for consideration of compensating controls:
|
Legitimate technical constraint or documented business constraint
|
|
Existing PCI DSS requirements CANNOT be considered as compensating controls if they are already required for the item under review - t or f?
|
t
|
|
Existing PCI DSS requirements CAN be considered as compensating controls if they are not already required for the item under review - t or f?
|
t
|