Download PCI-DSS Compliance Requirements and more Exams Wireless Networking in PDF only on Docsity!
Perimeter firewalls installed. ✔✔between all wireless networks and the CHD environment. Where should firewalls be installed? ✔✔At each Internet connection and between any DMZ and the internal network. Review of firewall and router rule sets at least every _. ✔✔ 6 months If disk encryption is used ✔✔logical access must be managed separately and independently of native operating system authentication and access control mechanisms Manual clear-text key-management procedures specify processes for the use of the following: ✔✔Split knowledge AND Dual control of keys What is considered "Sensitive Authentication Data"? ✔✔Card verification value
PCI-DSS ISA Exam with verified Questions andAnswers latest update
2025; Graded A+
When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to be masked are: All digits between the and the. ✔✔first 6; last 4 Regarding protection of PAN... ✔✔PAN must be rendered unreadable during the transmission over public and wireless networks. Under requirement 3.4, what method must be used to render the PAN unreadable? ✔✔Hashing the entire PAN using strong cryptography Weak security controls that should NOT be used ✔✔WEP, SSL, and TLS 1.0 or earlier Per requirement 5, anti-virus technology must be deployed ✔✔on all system components commonly affected by malicious software. Key functions for anti-vius program per Requirement 5: ✔✔1) Detect
- Remove
- Protect
access—to verify that their IDs have been deactivated or removed from the access lists. ✔✔ 6 months How many logon attempts should be allowed until resulting temporarily account locked-out? ✔✔ 6 attempts Once user account is locked-out, it will remain locked for a minimum of or until a system administrator resets the account. ✔✔30 minutes System/session idle time out must be set to minutes or less. ✔✔15 minutes What are the methods to authenticate users? ✔✔- "Something you know", such as a password or passphrase
- "Something you have", such as a token device or smart card, or
- "Something you are", such as a biometric. Where passwords or pass-phrases are used, they must be at least characters long and contain both numeric and alphabetic characters. ✔✔ 7
Passwords must be changed at least once every. ✔✔ 90 days Password history must also be in place to ensure that users' previous passwords can't be re-used. ✔✔ 4 An example of a "one-way" cryptographic function used to render data unreadable is: ✔✔SHA- 2 Data from video cameras and/or access control mechanisms is reviewed, and that data is stored for at least. ✔✔3 months The visitor logs must contain the relevant information and be retained for at least. ✔✔3 months Verify that the storage location security is reviewed at least to confirm that backup media storage is secure. ✔✔annually Review media inventory logs to verify that logs are maintained and media inventories are performed at least. ✔✔annually
For external scans, no vulnerabilities exist that are scored by the CVSS. ✔✔4. or higher Penetration testing for "Service Provider" in which targeting segmentation controls must be perform every. ✔✔6 months FIM tools must be configured to perform critical file comparisons check at least , ✔✔weekly A retail location that does not use wireless devices in store must test for the presence of unauthorized wireless devices every. ✔✔quarter Verify that personnel attend security awareness training upon hire and at least
. ✔✔annually Appendix A1 applies to ✔✔hosting providers Appendix A2 applies to ✔✔entities using SSL/Early TLS
Appendix A3 applies to ✔✔Designated Entities Supplemental Validation (DESV) An entity is required to undergo an assessment according to this Appendix ONLY if instructed to do so by an acquirer or a payment brand. Designated entities (DESV) must document and confirm the accuracy of PCI DSS scope at least and upon significant changes to the in-scope environment. ✔✔quarterly Designated Entities (DESV) must ensure that pen tests are performed on "segmentation controls" every , and after significant changes. ✔✔ 6 months In regards to DESV, user accounts and access privileges are reviewed at least every. ✔✔ 6 months ASV scans must cover. ✔✔ALL Internet-Facing IP addresses in existence at the entity. Compensating controls need to be evaluated at least. ✔✔annually
Service provider levels are defined by. ✔✔the payment brands according to transaction volume and/or type of service provider. Issuer ✔✔Bank or other organization issuing a payment card on behalf of a Payment Brand. Merchant ✔✔Organization accepting the payment card for payment during a purchase Acquirer ✔✔Bank or entity the merchant uses to process their payment card transactions Acquirer is also called: Merchant Bank ISO (sometimes) Payment Brand - Amex, Discover, JCB Never Visa or MasterCard only one primary function ✔✔Verify system configurations that is implemented per server.
Do not store AFTER authorization even if. ✔✔sensitive authentication data; encrypted (sensitive auth data: track data, verification code, PIN) Req 3.3: Protection of PAN that displayed on screens, paper receipts, etc. by ✔✔masking the PAN and only show first 6 digits and last 4 digits. Req 3.4: Protection of PAN when stored in files, databases, etc. by. (hint: do what to the information?) ✔✔render the information unreadable. Disk Encryption ✔✔Must verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native operating system's authentication mechanism. Key-encrypting keys are as data-encrypting keys and
. ✔✔at least as strong; stored separately. Key Management documentation must specifies the following: ✔✔Procedures to:
- Use either manual or automated vulnerability security assessment tools or methods at least annually and after any changes.
- Use of automated technical solution that detects and prevents web-based attacks (WAP) ✔✔Either One Req 7.1 - Limited access to what user roles based on. ✔✔Least privileges and need-to-know basis based on job functions. Req 7.2 - Access control system must be set to by default. ✔✔deny-all Multi-factor authentication is required for: and. ✔✔All remote access by personnel (user and administrator) and all third-party/vendor remote access An example of a "one-way" cryptographic function used to render data unreadable is: ✔✔SHA- 2 Req 10.4: Time-synchronization technology - What type of server is required to receives time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC. ✔✔Central time server(s)
- Where there is more than one designated time server, the time servers peer with one another to keep accurate time
- Systems receive time information only from designated central time server(s). IDS and IPS must be in place to monitor all traffic at and. ✔✔the perimeter and at critical points Reviewing and confirming that personnel are following security policies and operational procedures, and that reviews cover:
- Daily log reviews
- Firewall rule-set reviews
- Applying configuration standards to new systems
- Responding to security alerts
- Change management processes This must be review at least. ✔✔Quarterly
