PCI ISA Flashcards 3.2.1 questions and answers

For PCI DSS requirement 1, firewall and router rule sets need to be reviewed every _____________ months 6 months Non-console administrator access to any web-based management interfaces must be encrypted with technology such as......... HTTPS Requirements 2.2.2 and 2.2.3 cover the use of secure services, protocols and daemons. Which of the following is considered to be secure? SSH Which of the following is considered "Sensitive Authentication Data"? Card Verification Value (CAV2/CVC2/CVV2/CID), Full Track Data, PIN/PIN Block True or False: It is acceptable for merchants to store Sensitive Authentication after authorization as long as it is strongly encrypted? False When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to be masked are: All digits between the first six and last four Which of the following is true regarding protection of PAN? PAN must be rendered unreadable during transmission over public, wireless networks Which of the following may be used to render PAN unreadable in order to meet requirement 3.4? Hashing the entire PAN using strong cryptography True or False Where keys are stored on production systems, split knowledge and dual control is required? True When assessing requirement 6.5, testing to verify secure coding techniques are in place to address common coding vulnerabilities includes: Reviewing software development policies and procedures One of the principles to be used when granting user access to systems in CDE is: Least privilege An example of a "one-way" cryptographic function used to render data unreadable is: SHA-2 A set of cryptographic hash functions designed by the National Security Agency (NS). SHA-2 (Secure Hash Algorithm Inactive user accounts should be either removed or disabled within___ 90 days True or False: Procedures must be developed to easily distinguish the difference between onsite personnel and visitors. True When should access be revoked of recently terminated employees? immediately True or False: A visitor with a badge may enter sensitive area unescorted. False, visitors must be escorted at all times. Protection of keys used for encryption of cardholder data against disclosure must include at least: (4 items) *Access to keys is restricted to the fewest number of custodians necessary *Key-encrypting keys are at least as strong as the data-encrypting keys they protect *Key encrypting keys are stored separately from data-encrypting keys *Keys are stored securely in the fewest possible locations Description of cryptographic architecture includes: *Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date *Description of the key usage for each key *Inventory of any HSMs and other SCDs used for key management What 2 methods must NOT be used to be disk-level encryption compliant *Cannot use the same user account authenticator as the operating system *Cannot use a decryption key that is associated with or derived from the systems local user account database or general network login credentials. 6 months DESV User accounts and access privileges are reviewed at least every______ Track 1 (Length up to 79 characters) Contains all fields of both Track 1 and Track 2 Track 2 (Length up to 40 characters) Provides shorter processing time for older dial-up transmissions. DESV Designated Entities Supplemental Validation DESV Requirements: *Implementing a PCI DSS Compliance program *Document and validate PCI DSS Scope *Validate PCI DSS is incorporated into business-as-usual (BAU) activities *Control and manage logical access to cardholder data environment *Identify and respond to suspicious events Who could DESV requirements apply to? Those that have suffered significant or repeated breaches of cardholder data. PCI DSS requirements apply to_____ people, processes, and technologies When planning for an assessment what 4 activities should be included during planning? *List of people to be interviewed, system components used, documentation (training, payment logs), facilities (physical security) *Ensure assessor is familiar with technologies in assessment *If sampling, verify sample section and size is representative of the entire population *Identify the roles and the individuals within each role to be interviewed as part of the assessment What pre-assessment activities should an assessor consider when preparing for an assessment? *Ensure assessor(s) has competent knowledge of the technologies being assessed *Identify types of system components and locations of facilities to be reviewed *Consider size and complexity of the environment to be assessed. When does authorization occur At time of purchase When does clearing occur usually within one day When does settlement occur Usually within 2 days Where does an assessor document their sampling methodology? Report on Compliance (ROC) Manual clear-text key-management procedures specify processes for the use of the following Split knowledge & Dual Control