The relationship between PTS (PIN Transaction Security) and PCI DSS (Payment Card Industry Data Security Standard). PTS is a set of modular evaluation requirements for PIN acceptance POI (point of interaction) terminals, ensuring they cannot be manipulated to capture sensitive data. The document covers topics like SRED, P2PE, and the cardholder data environment. It discusses how P2PE can reduce PCI DSS scope for merchants. Concepts like SAD, magnetic stripe, firewall, and SAQ are also covered. Additionally, it discusses principles for virtualization, disciplinary actions for PCI-P, and the PCI DSS scoping process.
PCI DSS Requirement 1 ✔✔Install and maintain a firewall configuration to protect cardholder data
PCI DSS Requirement 2 ✔✔Do not use vendor supplied defaults for system passwords and other security parameters
PCI DSS Requirement 3 ✔✔Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion methods
PCI DSS Requirement 4 ✔✔Protect cardholder data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)
PCI DSS Requirement 5 ✔✔Use and regularly update anti-virus software or programs
PCI DSS Requirement 6 ✔✔Develop and maintain secure systems and applications
PCI DSS Requirement 7 ✔✔Restrict access to cardholder data by business need to know
PCI DSS Requirement 8 ✔✔Assign a unique ID to each person with computer access
PCI DSS Requirement 9 ✔✔Restrict physical access to cardholder data
PCI DSS Requirement 10 ✔✔Track and monitor all access to network resources and cardholder data
PCI DSS Requirement 11 ✔✔Regularly test security systems and processes with wireless scans, vulnerability scans, log audits, ASV (Approved Scanning Vendor)
PCI DSS Requirement 12 ✔✔Maintain a policy that addresses information security for all personnel
ASV (Approved Scanning Vendor) ✔✔Company approved by the PCI SSC to conduct external vulnerability scanning services.
PCI Data Security Standards (PCI DSS) ✔✔Covers the security of the environments that store, process or transmit account data.
PCI-PTS - PIN Security ✔✔Covers secure management, processing and transmission of personal identification number data during online and offline payment card transaction processing
PCI-PTS - HSM (Hardware Security Module or Host Security Module) ✔✔A physically and logically protected hardware device that provides a secure set of cryptographic services, used for cryptographic key-management functions and/or the decryption of account data. Not required by DSS, but may help with the management of keys.
PCI Point to Point Encryption (PCI P2PE) ✔✔Covers encryption, decryption and key management within secure cryptographic devices (SCD). Not a requirement, but may result in a reduction of scope.
Secure Cryptographic Device (SCD) ✔✔A set of hardware, software and firmware that implements cryptographic processes (including cryptographic algorithms and key generation) and is contained within a defined cryptographic boundary. Examples of secure cryptographic devices include host/hardware security modules (HSMs) and point-of-interaction devices (POIs) that have been validated to PCI PTS.
POI - Point of Interaction ✔✔The initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions.
PCI Card Production ✔✔Covers physical and logical security requirements for systems and business processes associated with card personalization, PIN generation, PIN mailers, and card carriers and distribution.
CDE - Cardholder Data Environment ✔✔The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
Relationship between PTS and PCI DSS ✔✔DSS prevents the storage of encrypted PIN blocks. PTS supports the PIN encryption, so there's no overlap.
Relationship between PCI DSS and PA-DSS ✔✔Payment applications must support and not hinder PCI DSS compliance. PCI DSS requirements are mirrored in many payment application requirements in PA-DSS.
in a PCI DSS compliant manner by supporting the compliance of those that use the application. ✔✔PA-DSS ensures a payment application functions
True ✔✔True or False: Use of a PA-DSS application alone does not guarantee PCI DSS compliance.
Assessor must validate that payment application is installed ✔✔per instructions in the PA-DSS Implementation Guide provided by the payment application vendor and in a PCI DSS compliant manner.
PTS ✔✔Acronym for "PIN Transaction Security," PTS is a set of modular evaluation requirements, managed by the PCI Security Standards Council, for PIN acceptance POI terminals
PTS requirements apply to: ✔✔Point of Interaction (POI) devices, Encrypting PIN Pads (EPP), Point of Sale devices (POS), Hardware/host Security Modules (HSM), Unattended Payment Terminals (UPT), non-PIN entry modules
PTS ensures terminals cannot be ✔✔manipulated or attacked to allow the capture of sensitive authentication data, nor allow access to clear-text PINs or keys
SRED ✔✔Secure Read and Exchange Module
The SRED allows terminals to be ✔✔approved for the secure encryption of cardholder data as part of the P2PE program.
PTS has been extended to allow non-PIN entry modules ✔✔to be evaluated against the SRED module to allow secure encryption at the point of interaction for non-chip and PIN cards.
per PA-DSS implementation guide and in a PCI DSS compliant manner ✔✔A PCI DSS assessor must validate that the payment application is installed
Point of Interaction (POI), Hardware Security Modules (HSM) ✔✔There are two types of devices addressed by PTS...
P2PE addresses merchants who ✔✔do not store or decrypt encrypted data within their environment and who use validated solutions consisting of hardware-based encryption and third-party hardware-based encryption
P2PE solutions typically consist of ✔✔a secure encryption device at the merchant premises (PTS validated POI device), all applications on the Point of Interaction device, and secure decryption and key management in the service provider's environment.
Service Provider ✔✔Is a business that is not a payment brand and is directly involved in the processing, storage or transmission of cardholder data on behalf of another entity. Sometimes is a merchant. Can control or impact the security of the cardholder. Could be a managed security (firewall, IDS, IPS), managed network or hosting provider.
PCI DSS scope can be reduced on the merchant side because ✔✔merchants have no access to account data within the POI or decryption environment; merchants have no involvement in crypto key management; all crypto operations are managed by the solution provider
Cardholder ✔✔the person who actually owns the payment card
Card present or card not present transaction ✔✔Cardholder purchases goods either as a
the issuer. ✔✔The cardholder receives the card and bills from
The issuer is ✔✔the bank or other organization issuing a payment card on behalf of a payment brand (i.e. Visa, MC)
Yes ✔✔Can the issuer be a payment brand directly?
The merchant is ✔✔the organization accepting the payment card for payment during a purchase
PAN ✔✔Primary Account Number
cardholder data. ✔✔PAN, cardholder name, expiration date, service code are all examples of
SAD ✔✔Sensitive Authentication Data
Track 1 on the magnetic stripe ✔✔Contains all fields of both Track 1 and Track 2 and is up to 79 characters
Track 2 on the magnetic stripe ✔✔Provides shorter processing time for older dial-up transmissions and is up to 40 characters
True ✔✔Issuers and issuing processors may be permitted to retain sensitive authentication data after authorization if needed for business purposes - T or F?
True ✔✔Businesses may have a need to store track data temporarily for troubleshooting purposes - track mis-reads, network errors, encryption issues, etc. T or F?
True ✔✔Requirements for a firewall at each internet connection and between any demilitarized zone and the internal network zone - t or f?
6 ✔✔Requirement to review firewall and router rule sets at least every _ months
False ✔✔Firewalls do not have to be installed between all wireless networks and the CDE - regardless of the purpose of the environment to which the wireless network is connected - t or f?
Yes ✔✔Is the implementation of a DMZ recommended?
True ✔✔Firewalls should be stateful - true or false?
True ✔✔Segregate system components that store cardholder data (such as a database) in an internal network zone, separate from the DMZ and other untrusted networks - t or f?
Easier ✔✔Cardholder data within the DMZ makes it easier or harder for the external attacker to access?
False ✔✔The implementation of multiple functions on one server is encouraged - t or f?
Yes - Appendix A1 states shared hosting providers must protect each entity's cardholder data environment ✔✔Are there additional requirements for shared hosting providers?
True ✔✔The ranking of vulnerabilities is a requirement enacted June 30, 2012 - t or f?
True ✔✔Security must be at the table during requirements definition, design, etc. - t or f?
False ✔✔Production data (live PANs) are used for testing and development - true or false?
encryption, decryption and key management within Secure Cryptographic Devices (SCD) ✔✔The P2PE standard covers...
stores, processes, transmits ✔✔The PCI DSS applies to any entity that _, _, or _ cardholder data.
36 month ✔✔The PCI DSS follows a defined lifecycle.
Acquirer ✔✔Providing: are functions associated with an _?
Acquirer - Also referred to as "merchant bank," "acquiring bank," or "acquiring financial institution". ✔✔Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. Can also be a payment brand (Amex, Discover, JCB, but never Visa or Mastercard).
Issuing bank ✔✔Who approves a purchase?
No - auth, clearing, settlement is the correct order ✔✔Is clearing, auth and settlement the correct order for a payment card transaction?
True ✔✔Service providers can control or impact the security of the cardholder data - t or f?
True ✔✔Cardholder data may be stored in 'KNOWN' and 'UNKNOWN' locations - t or f?
Issuer ✔✔Track data can be stored long term or persistently if the _ is storing it.
false - min is 7 ✔✔Min password length is 8 - true or false?
false - no repeat of last 4 ✔✔No repeats of the last three passwords used - t or f?
False - 6 attempts ✔✔3 attempt lockout - true or false?
true ✔✔Lockout duration is 30 mins - true or false?
false - timeout for session idle is 15 mins ✔✔Session idle timeout is 10 mins - true or false?
True - how else can activity be tracked? ✔✔Logging is a highly critical part of the security posture - true or false?
1 3 ✔✔Retain audit trail history for at least _ year/s with a minimum of _ months immediately available.
True ✔✔Perform external and internal pen testing at least once a year and after any significant upgrade or modification - t or f?
file integrity monitoring tools ✔✔FIM
true ✔✔Perform a risk assessment annually - t or f?
incident response - tested annually ✔✔Create an _ plan to be implemented in the event of a system breach.
Self Assessment Questionnaire ✔✔SAQ
SAQ ✔✔A validation tool intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS
A, A-EP, B, B-IP, C, C-VT, D, P2PE ✔✔Name the SAQs