








The key requirements for PCI DSS (Payment Card Industry Data Security Standard) compliance, a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. It covers a wide range of PCI DSS topics, including firewall configuration, encryption, access control, vulnerability management, logging and monitoring, and more, and gives detailed information on the specific requirements and best practices that organizations must follow to achieve and maintain PCI DSS compliance. This information is crucial for any business that handles credit card data, as non-compliance can result in significant fines and penalties. Likely intended for IT professionals, security personnel, and compliance managers who are responsible for implementing and maintaining PCI DSS controls within their organization.
Typology: Exams
Perimeter firewalls installed ___. ✔✔ between all wireless networks and the CHD environment.
Where should firewalls be installed? ✔✔ At each Internet connection and between any DMZ and the internal network.
Review of firewall and router rule sets at least every ___. ✔✔ 6 months
If disk encryption is used, ___. ✔✔ logical access must be managed separately and independently of native operating system authentication and access control mechanisms.
Manual clear-text key-management procedures specify processes for the use of the following: ✔✔ Split knowledge AND dual control of keys
What is considered "Sensitive Authentication Data"? ✔✔ Card verification value
When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to be masked are: all digits between the ___ and the ___. ✔✔ first 6; last 4
Regarding protection of PAN: ✔✔ PAN must be rendered unreadable during transmission over public and wireless networks.
Under Requirement 3.4, what method must be used to render the PAN unreadable? ✔✔ Hashing the entire PAN using strong cryptography
Weak security controls that should NOT be used: ✔✔ WEP, SSL, and TLS 1.0 or earlier
Per Requirement 5, anti-virus technology must be deployed ___. ✔✔ on all system components commonly affected by malicious software.
Key functions for an anti-virus program per Requirement 5: ✔✔ 1) Detect
... access—to verify that their IDs have been deactivated or removed from the access lists. ✔✔ 6 months
How many logon attempts should be allowed before the account is temporarily locked out? ✔✔ 6 attempts
Once a user account is locked out, it will remain locked for a minimum of ___ or until a system administrator resets the account. ✔✔ 30 minutes
System/session idle time-out must be set to ___ minutes or less. ✔✔ 15 minutes
What are the methods to authenticate users? ✔✔ - "Something you know", such as a password or passphrase
Passwords must be changed at least once every ___. ✔✔ 90 days
Password history must also be in place to ensure that users' previous ___ passwords can't be re-used. ✔✔ 4
An example of a "one-way" cryptographic function used to render data unreadable is: ✔✔ SHA-2
Data from video cameras and/or access control mechanisms is reviewed, and that data is stored for at least ___. ✔✔ 3 months
The visitor logs must contain the relevant information and be retained for at least ___. ✔✔ 3 months
Verify that the storage location security is reviewed at least ___ to confirm that backup media storage is secure. ✔✔ annually
Review media inventory logs to verify that logs are maintained and media inventories are performed at least ___. ✔✔ annually
For external scans, no vulnerabilities exist that are scored ___ by the CVSS. ✔✔ 4.0 or higher
Penetration testing of segmentation controls for a "Service Provider" must be performed every ___. ✔✔ 6 months
FIM tools must be configured to perform critical file comparison checks at least ___. ✔✔ weekly
A retail location that does not use wireless devices in store must test for the presence of unauthorized wireless devices every ___. ✔✔ quarter
Verify that personnel attend security awareness training upon hire and at least ___. ✔✔ annually
Appendix A1 applies to ___. ✔✔ hosting providers
Appendix A2 applies to ___. ✔✔ entities using SSL/Early TLS
Appendix A3 applies to ___. ✔✔ Designated Entities Supplemental Validation (DESV). An entity is required to undergo an assessment according to this Appendix ONLY if instructed to do so by an acquirer or a payment brand.
Designated entities (DESV) must document and confirm the accuracy of PCI DSS scope at least ___ and upon significant changes to the in-scope environment. ✔✔ quarterly
Designated Entities (DESV) must ensure that pen tests are performed on "segmentation controls" every ___, and after significant changes. ✔✔ 6 months
In regards to DESV, user accounts and access privileges are reviewed at least every ___. ✔✔ 6 months
ASV scans must cover ___. ✔✔ ALL Internet-facing IP addresses in existence at the entity.
Compensating controls need to be evaluated at least ___. ✔✔ annually
Service provider levels are defined by ___. ✔✔ the payment brands according to transaction volume and/or type of service provider.
Issuer ✔✔ Bank or other organization issuing a payment card on behalf of a Payment Brand.
Merchant ✔✔ Organization accepting the payment card for payment during a purchase.
Acquirer ✔✔ Bank or entity the merchant uses to process their payment card transactions. Acquirer is also called: Merchant Bank; ISO (sometimes); Payment Brand (Amex, Discover, JCB; never Visa or MasterCard).
Only one primary function ✔✔ Verify system configurations to confirm this is implemented per server.
Do not store ___ AFTER authorization even if ___. ✔✔ sensitive authentication data; encrypted (sensitive auth data: track data, verification code, PIN)
Req 3.3: Protection of PAN that is displayed on screens, paper receipts, etc. by ___. ✔✔ masking the PAN and only showing the first 6 digits and last 4 digits.
Req 3.4: Protection of PAN when stored in files, databases, etc. by ___ (hint: do what to the information?). ✔✔ render the information unreadable.
Disk Encryption ✔✔ Must verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native operating system's authentication mechanism.
Key-encrypting keys are ___ as data-encrypting keys and ___. ✔✔ at least as strong; stored separately.
Key Management documentation must specify the following: ✔✔ Procedures to: