PCI DSS Extra Questions and Answers 2023
Compensating controls can be documented in which section of the SAQ?
Appendix B

The following are examples of common PCI DSS control failures except:
a) Inadequate access controls due to improperly installed point-of-sale (POS) systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2, and 8.3).
b) Storage of sensitive authentication data (SAD), such as track data, after authorization (Requirement 3.2).
c) Unnecessary and insecure services not removed or secured when the system was installed (Requirements 2.2.2 and 2.2.3).
d) Missing and outdated security patches (Requirement 6.2).
e) Ensuring audit logging is running (Requirement 10).

A common error in scoping a PCI DSS assessment includes:
Assuming encrypted data is out of scope

GPRS refers to:
Acronym for "General Radio Service." Mobile data service available to users of GSM mobile phones.

The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools intended to assist merchants and service providers in self-evaluating their compliance with PCI DSS.
True

The purpose of a Qualified Integrator and Reseller (QIR) does not include:
Being qualified to assess payment applications against the PA-DSS standard.

This is hardware and/or software used to process payment card transactions at merchant locations.
POS/POI - Point-of-Sale/Point-of-Interaction

When assessing whether cardholder data should be stored, which should not be considered?
Whether payment brand rules allow for the storage of the primary account number (PAN)

ECC is an acronym for:
"Elliptic Curve Cryptography." Approach to public-key cryptography based on elliptic curves over finite fields.

A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including: (select all that apply)
a) Loss of customers
b) Potential financial liabilities (for example, regulatory and other fees and fines)
c) Litigation
d) Regulatory notification requirements
e) Loss of reputation

A Card Verification Code or Value:
Is a data element on a card's magnetic stripe that uses secure cryptographic processes to protect data integrity.

This SAQ should never be used for Merchants with Only Imprint Machines or Standalone, Dial-out Terminals - No Electronic Cardholder Data Storage
SAQ B

This SAQ should be used for Merchants with Standalone, IP-Connected PTS Point-of-Interaction (POI) Terminals - No Electronic Cardholder Data Storage.
SAQ B-IP

As an ISA, where can you go for professional assistance and training? (select all that apply)
a) PCI SSC Training Programs (PCI Awareness, the PCI Professional (PCIP) program, and the Internal Security Assessor (ISA) program)
b) Contact a Qualified Security Assessor (QSA)
c) Payment-related training programs available from payment brands and/or your merchant acquirer
d) The PCI SSC website

The purpose of the Data Flow Diagram is:
A unique diagram that specifically describes the flow of card data elements through the system.

Documents for your PCI DSS Self-Assessment do not include:
NIST 800-53 guidelines

Who should receive the completed SAQ?
The acquiring bank or payment brand(s).

PCI DSS is not applicable to:
Acquiring Banks and Brands

Typically, these accounts have elevated or increased privileges with more rights than a standard user account.
Privileged User

PA-DSS is applicable to:
Payment applications that are sold "off-the-shelf" by software vendors.

A compensating control is used when:
An entity cannot meet a requirement explicitly as stated.

Requirement 8.3.1, requiring multi-factor authentication for all non-console access into the CDE for personnel with administrative access, is no longer required in version 3.2.1.
False

Which aspect of PCI DSS is not required of an ISA?
Development and enforcement of compliance programs

The purpose of the payment brands' compliance programs is:
Tracking and enforcement; levying penalties and fees; setting compliance deadlines; establishing a validation process; defining merchant and service provider levels.

It is permissible to store track data only if:
An issuer has a business reason

Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks.
True

With respect to Requirement 11.2, when working with an approved scanning vendor, an ISA must:
Provide all IP ranges and domains of the external scanned environment

Which are typical types of service providers? (Choose all that apply)
a) Transaction Processors
b) Payment Gateways
c) Independent Sales Organizations (ISOs)
d) Web Hosting and Data Center Hosting Providers

TLS, IPsec, SSH, and HTTPS are considered:
Network communications protocols designed to secure the transmission of data.

The role of the Internal Security Assessor (ISA) does not include:
Producing the final Report on Compliance (ROC)

This SAQ should be used for all other SAQ-eligible merchants.
SAQ D for Merchants

Authentication refers to:
A process of verifying the identity of an individual, device, or process.

FTP, Telnet, POP3, IMAP, and SNMP v1 and v2 are considered:
A protocol, service, or port that introduces security concerns due to the lack of controls over confidentiality and/or integrity.

The assessment kickoff phase should include:
Planning, PCI updates, approach review, key dates, key roles and responsibilities, project governance

A Risk Analysis / Risk Assessment is:
A process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.

In the context of PCI DSS, hashing:
Must be applied to the entire PAN for the hash code to be considered rendered unreadable

Which is not one of the six primary security goals of PCI DSS?
Maintain an Information Security Training Program

Select a poor scoping decision:
Excluding part of the network from PCI DSS scope due to inadequate network segmentation that was not verified to be effective.

When properly reporting on each PCI DSS requirement you should:
Read and understand the intent of each Requirement and Testing Procedure.

Choose the best card processing authorization flow:
Cardholder -> Acquirer -> Brand -> Issuer -> Brand -> Acquirer -> Cardholder

A Hosting Provider:
Offers various services to merchants and other service providers.

Sensitive Authentication Data (includes the full track contents of the magnetic stripe or equivalent data on a chip, card verification codes and values, PINs, and PIN blocks) should never:
Be stored after authorization

This SAQ should be used for card-not-present merchants where all cardholder data functions are fully outsourced.
SAQ A

Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.
True

Select the correct order for a compliance validation assessment:
Kickoff Meeting, Scope Definition, Assessment Planning, Onsite Interviews, Reporting (SAQ) Writing

This SAQ should be used for Service Providers.
SAQ D for eligible service providers

A partially outsourced e-commerce merchant using a third-party website for payment processing should use which SAQ?
SAQ A-EP

A "Merchant Bank" is commonly referred to as:
An Acquirer

When creating an asset inventory of the cardholder data environment, it is a good idea for ISAs to include:
System name, cardholder data stored, reason for storage, retention periods, protection mechanism.
Written for
- Institution: PCIP
- Course: PCIP

Document information
- Uploaded on: July 21, 2023
- Number of pages: 5
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers