PCI ISA BUNDLED EXAMS|| ACTUAL EXAMS|| ACTUAL TESTS|| ALL PACKAGED HERE!!! 2023 FULL SOLUTION( A+ GRADED 100% VERIFIED)

PCI ISA Flashcards 3.2.1
For PCI DSS requirement 1, firewall and router rule sets need to be
reviewed every _ months – ANS 6 months
Non-console administrator access to any web-based management
interfaces must be encrypted with technology such as……… – ANS HTTPS
Requirements 2.2.2 and 2.2.3 cover the use of secure services, protocols
and daemons. Which of the following is considered to be secure? – ANS
SSH
Which of the following is considered “Sensitive Authentication Data”? –
ANS Card Verification Value (CAV2/CVC2/CVV2/CID), Full Track Data,
PIN/PIN Block
True or False: It is acceptable for merchants to store Sensitive
Authentication Data after authorization as long as it is strongly encrypted? –
ANS False

When a PAN is displayed to an employee who does NOT need to see the
full PAN, the minimum digits to be masked are: – ANS All digits between
the first six and last four
Which of the following is true regarding protection of PAN? – ANS PAN
must be rendered unreadable during transmission over public, wireless
networks
Which of the following may be used to render PAN unreadable in order to
meet requirement 3.4? – ANS Hashing the entire PAN using strong
cryptography
True or False: Where keys are stored on production systems, split
knowledge and dual control are required? – ANS True
When assessing requirement 6.5, testing to verify secure coding
techniques are in place to address common coding vulnerabilities
includes: – ANS Reviewing software development policies and
procedures

One of the principles to be used when granting user access to systems in
CDE is: – ANS Least privilege
An example of a “one-way” cryptographic function used to render data
unreadable is: – ANS SHA-2
A set of cryptographic hash functions designed by the National Security
Agency (NSA). – ANS SHA-2 (Secure Hash Algorithm 2)
Inactive user accounts should be either removed or disabled within___ –
ANS 90 days
True or False: Procedures must be developed to easily distinguish the
difference between onsite personnel and visitors. – ANS True
When should access be revoked of recently terminated employees? – ANS
immediately
True or False: A visitor with a badge may enter a sensitive area unescorted. –
ANS False, visitors must be escorted at all times.

PCI ISA
QSAs must retain work papers for a minimum of ___ years. It is a
recommendation for ISAs to do the same. – ANS 3
According to PCI DSS requirement 1, Firewall and router rule sets need to
be reviewed every _ months. – ANS 6
At least _____ and prior to the annual assessment the assessed entity:

  • Identifies all locations and flows of cardholder data to verify they are
    included in the CDE
  • Confirms the accuracy of their PCI DSS scope
  • Retains their scoping documentation for assessor reference – ANS
    annually

Scope includes – ANS people, process, technology
Evidence Retention

It is recommended that the ISA secure and maintain digital and/or hard
copies of case logs, audit results and work papers, notes, and any
technical information that was created and/or obtained during the PCI Data
Security Assessment for a minimum of _____ or as applicable to
company data retention policies. – ANS three (3) years
A (time) process for identifying and securely deleting stored
cardholder data that exceeds defined retention requirements. – ANS
quarterly
Do not store SAD (track data / CVC / PIN) after ____ (even if encrypted). –
ANS authorization
Manual clear-text key-management procedures specify processes for the
use of the following: – ANS Split knowledge and dual control
Dual control – ANS At least two people are required to perform any
key-management operation, and no one person has access to the
authentication materials (for example, passwords or keys) of another

PCI DSS Fundamentals Exam
A Sustainable Compliance Program must: – ANS Be implemented into
business-as-usual (BAU) activities as part of the organization's overall
security strategy.
True or False: The driving objective behind all PCI DSS compliance
activities is to attain a compliant report. – ANS False; the ongoing security of
cardholder data is the driving objective, which will lead to a compliant
report.
Effective metrics program can provide useful data for: – ANS Allocation of
resources to minimize risk occurrence and measure the business
consequences of security events.
Security Goals should include: – ANS Continuous monitoring, testing,
documenting implementation, effectiveness, efficiency, impact, and status
of controls and activities.

Control-failure response processes should include: – ANS minimizing the
impact of the incident, restoring controls, performing root-cause analysis
and remediation, implementing hardening standards and enhancing
monitoring.
True or False: 3rd party providers are monitored by issuers – ANS False,
Organizations should develop and implement processes to monitor the
compliance status of its service providers to determine whether a change
in status requires a change in the relationship.
True or False: Organizations should evolve their controls with the threat
landscape, changes in organizational structure, new business initiatives,
and changes in business processes and technologies. – ANS True;
evolving security reduces the negative impact on an organization's security
posture.
How can organizations prevent “fall-off” between assessments? – ANS
Develop a well-designed program of security controls and monitoring
practices.

PCIP Exam
PCI Data Security Standard (PCI DSS)
The PCI DSS applies to all entities that store, process, and/or transmit cardholder
data. It covers technical and operational system components included in or
connected to cardholder data. If you accept or process payment cards, PCI DSS
applies to you.
Sensitive Authentication Data
Merchants, service providers, and other entities involved with payment card
processing must never store sensitive authentication data after authorization.
This includes the 3- or 4-digit security code printed on the front or back of a
card (CVD), the data stored on a card’s magnetic stripe or chip (also called
“Full Track Data”), and personal identification numbers (PIN) entered by the
cardholder.

Card Verification Data Codes (CVD)
Visa
Requirement 1
Install and maintain a firewall configuration to protect cardholder data
Network devices in scope for Requirement 1
Firewalls and Routers: Routers connect traffic between networks; Firewalls
control the traffic between networks and within the internal network.
- Requires review of configuration rule sets at least every 6 months
QIR Qualified Integrators & Resellers
Qualified Integrators & Resellers- authorized by the SSC to implement, configure
and/or support PA-DSS payment applications. Visa requires all four levels of
merchants use QIRs for POS application and terminal installation and servicing
Compensating Controls
An alternative control, put in place to satisfy the requirement for a security
measure that is deemed too difficult or impractical to implement at the present
time.

Permitted reasons for using Compensating Controls
Examples of Compensating Controls
(i) Segregation of Duties (SOD) and (ii) Encryption
Compensating Controls must:
1) Meet the intent and rigor of the original stated requirement;
2) Provide a similar level of defense as the original stated requirement;
3) Be “above and beyond” other PCI DSS requirements (not simply in compliance
with other PCI DSS requirements); and
4) Be commensurate with the additional risk imposed by not adhering to the
original stated requirement.
Compensating Controls Worksheet
1) Constraint; 2) Objective; 3) Identified Risk; 4) Define Compensating Control;
5)Validate Controls; 6) Maintenance (COIDVM)
Card Data that cannot be stored by Merchants, Service providers after
authorization (exception: issuers)
Sensitive Authentication Data: i) 3- or 4-digit security code printed on the front or
back of a card, ii) data stored on a card’s magnetic stripe or chip (also called “Full
Track Data”), and iii) personal identification numbers (PIN) entered by the
cardholder

Card Data that MAY be stored
i) cardholder name, ii) service code (identifies industry), iii) Personal Account
Number (PAN), iv) expiration date may be stored.
Network Segmentation
The process of isolating the cardholder data environment from the remainder of
an entity’s network
Not a requirement but strongly recommended.
Report on Compliance (ROC)
Prepared at the time of the assessment of PCI compliance and comprehensively
provides details about the assessment approach and compliance standing
against each PCI DSS requirement
-On-Site assessments
-quarterly scan results
What is included in the Report on Compliance (ROC)?
ROC includes (1) Executive summary, (2) description of scope of work and
approach taken, (3) details about reviewed environment, (4) contact information
and report date, (5) quarterly scan results and (6) findings and observations.
Steps to take for a PCI Assessment (hint: SARA’s Remediation)

  1. Scope – determine which system components and networks are in scope for
    PCI DSS
  2. Assess – examine the compliance of system components in scope following
    the testing

PCI-DSS ISA Exam
Perimeter firewalls installed __________________. – ANS
between all wireless networks and the CHD environment.
Where should firewalls be installed? – ANS At each Internet connection
and between any DMZ and the internal network.
Review of firewall and router rule sets at least every ______. –
ANS 6 months
If disk encryption is used – ANS logical access must be managed
separately and independently of native operating system authentication
and access control mechanisms
Manual clear-text key-management procedures specify processes for the
use of the following: – ANS Split knowledge AND Dual control of keys
What is considered “Sensitive Authentication Data”? – ANS Card
verification value

When a PAN is displayed to an employee who does NOT need to see the
full PAN, the minimum digits to be masked are: All digits between the
and the _. – ANS first 6; last 4
Regarding protection of PAN… – ANS PAN must be rendered unreadable
during the transmission over public and wireless networks.
Under requirement 3.4, what method must be used to render the PAN
unreadable? – ANS Hashing the entire PAN using strong cryptography
Weak security controls that should NOT be used – ANS WEP, SSL, and
TLS 1.0 or earlier
Per requirement 5, anti-virus technology must be deployed _______________
– ANS on all system components commonly affected by malicious software.
Key functions for an anti-virus program per Requirement 5: – ANS 1) Detect,
2) Remove, 3) Protect

PCI ISA
SAQ-A – ANS e-commerce or telephone order merchants; processing fully
outsourced to validated 3rd party. No processing, transmitting, storing
done by merchant
SAQ-B – ANS merchants with imprint machines and/or merchant with only
standalone dial-out terminals
SAQ-B-IP – ANS Same as SAQ-B but the terminals not dial-out, the
terminals have an IP connection
SAQ-C – ANS Merchants with payment apps connected to the Internet but
have no CHD storage. Not available if doing ecommerce
SAQ-C-VT – ANS Merchants who only use virtual terminals from a
validated 3rd party. Do transactions one at a time. Not available if doing
ecommerce

SAQ-A-EP – ANS Same as SAQ-A but web site could affect the security of
outsourced 3rd party solution.
SAQ-D – ANS Used by merchants not eligible for any other SAQ. Service
providers must always use SAQ-D
Where are firewalls required – ANS Between Internet and CHD, between
DMZ and internal network, between wireless networks and CHD
How often must firewall rules be reviewed – ANS 6 months and after
significant environment change
Non-Console admin access must be _ – ANS encrypted
CHD can only be stored for how long? – ANS based on merchant-documented
policy based on business, regulatory, and legal requirements
CHD that has exceeded its defined retention period must be deleted based on
a _ process – ANS quarterly

PCI-DSS Fundamentals
Methods for Stealing Payment card data include:
a) Weak Passwords
b) Malware
c) Physical skimming
d) All of the options are correct – ANS d) All of the options are correct
The PCI DSS applies to:
a) Any entity that stores, processes, or transmits payment card account
data
b) Service Providers only
c) Merchants only
d) Merchants and third party processors (TTPs) only – ANS a) Any entity
that stores, processes, or transmits payment card account data
The P2PE Standard Covers:
a) Secure payment applications for processing transactions
b) Encryption, decryption, and key management requirements for
point-to-point encryption solutions
c) Physical security requirements for manufacturing payment cards
d) Mechanisms used to protect the PIN and encrypted PIN Blocks – ANS
b) Encryption, decryption, and key management requirements for
point-to-point encryption solutions
The standard for validating off-the-shelf payment applications used in
authorizations and settlement is:
a) PCI P2PE
b) PA-DSS
c) PCI PTS
d) PCI DSS – ANS b) PA-DSS

Merchants using PA-DSS validated payment applications are automatically
PCI DSS compliant.
a) True
b) False – ANS b) False
Which of the below functions is associated with acquirers?
a) Provide settlement services to a merchant
b) Provide clearing services to a merchant
c) Provide authorization services to a merchant
d) All of the options – ANS d) All of the options
Which of the following entities will ultimately approve a purchase?
a) Issuer
b) Acquirer
c) Payment Transaction Gateway
d) Merchant – ANS a) Issuer
Which step does the payment brand network provide complete
reconciliation to the merchants’ bank?
a) Settlement
b) Authorization

PCI Fundamentals
ASV – ANS Approved Scanning Vendor
PCI – ANS Payment Card Industry
PTS – ANS PIN Transaction Security (device)
QSA – ANS Qualified Security Assessor
ROC – ANS Report on Compliance
ROV – ANS Report on Validation
QIR – ANS Qualified Integrator Reseller
Which entity is responsible for developing and enforcing compliance
programs? – ANS Payment Brands

Which entity is responsible for forensic investigations of account data
compromise? – ANS Payment Brands
Which entity is responsible for accepting validation documentation from QSAs,
PA-QSAs and ASVs? – ANS Payment Brands
Which entity is responsible for endorsing QSA, PA-QSA and ASV company
qualification criteria? – ANS Payment Brands
Merchant obligations may include submitting their compliance status to
multiple entities. True or false? – ANS True
The decision about a merchant’s level is made by the – ANS Merchant’s
acquirer
Level 1 and 2 merchants must include _ as part of their PCI DSS
compliance validation reporting process? – ANS Level 1 and 2 merchants
need quarterly external vulnerability scans to be performed by an ASV.
Level 2 merchants may use SAQs to validate compliance.
SAQ – ANS Self-assessment Questionnaire

Type of SAQ? Card-Not-Present (e-commerce or MO/TO) merchants, all
cardholder data functions outsourced to PCI DSS compliant service
providers.
Not applicable to face-to-face channels. – ANS A
Type of SAQ? E-commerce merchants who outsource all payment
processing to PCI DSS validated third parties, and who have a website(s)
that doesn’t directly receive cardholder data but that can impact the
security of the payment transaction. No electronic storage, processing, or
transmission of any cardholder data on the merchant’s systems or
premises.
Applicable only to e-commerce channels. – ANS A-EP
Type of SAQ? Imprint-only merchants with no electronic cardholder data
storage, or standalone, dial-out terminal merchants with no electronic
cardholder data storage.
Not applicable to e-commerce channels. – ANS B

PCI Practice Exam 3
When must cryptographic keys be changed?

  • At the end of their defined crypto period
  • At least annually
  • When a new key custodian is employed
  • Upon release of a new algorithm – ANS At the end of their defined crypto
    period

What must the assessors verify when testing that cardholder data is
protected whenever it is sent over the Internet?

  • The security protocol is configured to support earlier versions
  • The encryption strength is appropriate for the technology in use
  • The security protocol is configured to accept all digital certificates
  • The cardholder data is securely deleted once the transmission has been
    sent – ANS The encryption strength is appropriate for the technology in
    use

As defined in Requirement 8, what is the minimum complexity of user
passwords?

  • 8 characters, either alphabetic or numeric
  • 5 characters, either alphabetic or numeric
  • 6 characters, both alphabetic and numeric characters
  • 7 characters, both alphabetic and numeric characters – ANS 7
    characters, both alphabetic and numeric characters

Which statement is correct regarding use of production data (live PANs) for
testing and development?

  • Live PANs must not be used for testing or development
  • Access to live PANs used for testing and development must be
    restricted to authorized personnel
  • Live PANs must be used for testing and development
  • All live PANs used for testing and development must be authorized by the
    cardholder – ANS Live PANs must not be used for testing or development

Which of the following is an example of multi-factor authentication?

  • A token that must be presented twice during the login process
  • A user passphrase and an application-level password
  • A user password and a PIN-activated smart card
  • A user fingerprint and a user thumbprint – ANS A user password and a
    PIN-activated smart card

Which of the following types of events is required to be logged?

  • All use of end-user messaging technologies
  • All access to external websites
  • All access to all audit trails
  • All network transmissions – ANS All access to all audit trails

Which of the following meets PCI DSS requirements for secure destruction
of media containing cardholder data?

  • Cardholder data on hard copy materials is copied to electronic media
    before the hard copy materials are destroyed
  • Storage containers used for hardcopy materials are located outside of the
    CDE
  • Electronic media is physically destroyed to ensure the data cannot be
    reconstructed
  • Electronic media is stored in a secure location when the data is no longer
    needed for business or legal reasons – ANS Electronic media is
    physically destroyed to ensure the data cannot be reconstructed

Which scenario meets the intent of PCI DSS requirements for assigning
users access to cardholder data?

PCI Practice Quiz 1
When confirming PCI-DSS requirements have been met, the assessors
must always use which of the following?

  • previous reports on compliance (ROCs)
  • independent judgment
  • hard-copy documents
  • Live testing – ANS independent judgment

Strong encryption of cardholder data is required during transmission over
which of the following?

  • Webservers in the DMZ and databases in an internal segment
  • Any connection between hosts in the CDE
  • Call center applications and databases
  • 4G connections from mobile terminal to the acquirer – ANS 4G
    connections from mobile terminal to the acquirer

If network segmentation is being used to reduce the scope of the PCI-DSS
assessment, what must the assessor verify?

  • All controls used for segmentation are configured properly
  • The payment card brands have approved the segmentation
  • The segmentation solution is one of the PCI SSC approved
    segmentation solutions
  • The segmentation is controlled by a firewall – ANS All controls used for
    segmentation are configured properly

Which of the following statements is true concerning transaction volumes of
merchants?

  • Transaction volume is based on the total number of combined
    transactions from all payment card brands
  • Transaction volume is determined by each acquirer
  • If transactions are split between two different acquirers, the merchant
    level is determined by halving the transaction volume for each payment
    card brand
  • If the transactions for different payment card brands are handled by the
    same acquirer, the merchant level is determined by the total combined
    transaction volume of the acquirer – ANS Transaction volume is
    determined by each acquirer

Which of the following is true related to use of EMV chip technology?

  • PCI-DSS does not apply to the environment using EMV chip technology
  • PCI-DSS applies to environments using EMV chip technology
  • EMV chip technology increases the risk of fraudulent transactions in
    card-present environments
  • Merchants are permitted to store the track equivalent data from EMV chip
    after authorization – ANS PCI-DSS applies to environments using EMV
    chip technology

Which of the following statements is true regarding card verification
values/codes (CAV2/CVC2/CVV2/CID)?

  • They are sensitive authentication data (SAD), and must not be stored after
    authorization, even if encrypted
  • They are cardholder data and may be stored after authorization if
    encrypted with strong cryptography
  • They are required for each recurring card-not-present transaction
  • They are required for each recurring card-present transaction – ANS
    They are sensitive authentication data (SAD), and must not be stored after
    authorization, even if encrypted

In order to reduce PCI-DSS scope, what must adequate network
segmentation do?

  • Isolate systems that store, process, or transmit cardholder data from
    those that do not

PCI Practice Test 2
Which of the below functions is associated with acquirers?

  • Provide clearing services to a merchant
  • Provide authorization services to the merchant
  • All of the options
  • Provide settlement services to the merchant – ANS All of the options

If virtualization technologies are used in the cardholder data environment:

  • Virtualization technologies are not to be used in the cardholder data
    environment
  • The virtualization technologies are not in scope for PCI-DSS
  • Entities using virtualization technologies should complete SAQ C
  • The virtualization technologies are included in scope for PCI DSS – ANS
    The virtualization technologies are included in scope for PCI DSS

Access to view audit trails should be granted _.

  • only to individuals with a job-related need
  • So that no personnel can view the logs
  • To all system operators
  • To all personnel – ANS only to individuals with a job-related need

Audit logs must be immediately available for analysis for a period of _ and
must be retained for a period of __.

  • 3 months and 1 year
  • 6 months and 1 year
  • 2 months and 2 years
  • 2 months and 1 year – ANS 3 months and 1 year

Which of the following is true regarding protection of PAN?

  • PAN must be rendered unreadable during transmission over public,
    wireless networks
  • There are no PCI-DSS requirements for rendering PAN unreadable
  • PAN must be rendered unreadable during transmission over private,
    secure networks
  • PAN must be rendered unreadable when present in volatile memory
    during a transaction – ANS PAN must be rendered unreadable during
    transmission over public, wireless networks

One of the principles to be used when granting user access to systems in
the CDE is:

  • Default allow all
  • Equal privilege
  • Least privilege
  • Most privilege – ANS Least privilege

Storing track data “long term” or “persistently” is permitted when _______.

  • It is hashed by the merchant storing it.
  • It is reported to the PCI SSC annually in a ROC
  • It is encrypted by the merchant storing it.
  • It is being stored by the issuers – ANS It is being stored by the issuers

The decision about a merchant’s level is made by the:

  • Merchant’s QSA
  • Payment Brands
  • Merchant
  • Merchant’s acquirer – ANS Merchant’s acquirer

Which of the following is considered “sensitive authentication data”?

  • Cardholder name
  • Expiration date
  • Card verification value
