PCI Study Master Set Questions and Answers

PCI Study Master Set Questions and Answers PCI DSS Payment Card Industry Data Security Standard For consistent data security measures globally 12 requirements in six groups PCI DSS is a minimum set of controls It is a contractual agreement, not a standard PCI-DSS only applies if PANs are stored, processed or transmitted PCI Goal 1 Build and Maintain a secure network Previous Play Next Rewind 10 seconds Move forward 10 seconds Unmute 0:12 / 0:15 Full screen Brainpower Read More PCI Goal 2 Protect Card Holder Data PCI Goal 3 Maintain a vulnerability program PCI Goal 4 Implement strong Access control measures PCI Goal 5 Regularly Monitor and Test networks PCI Goal 6 Maintain an Information Security Policy Cardholder data Primary Account Number (PAN) Cardholder name Expiration date Service Code Sensitive Authentication Data Magnetic stripe data or equivalent on a chip CAV2/CVC2/CVV2/CID PINs / PIN Blocks PA-DSS Payment Application Data Security Standard PA-DSS applies to software sold "off the shelf" by 3rd parties PA-DSS does not apply to applications developed by merchants and service providers for use in-house. (this is covered by PCI-DSS) Scope Is a primary requirement cardholder data flows help set scope business practices and processes need careful consideration and may need re-engineering. Network Segmentation is Recommended to reduce scope and risk When can Wireless be used? Use only for non-sensitive data Carefully consider the Risk MUST be tested Service Providers Need their own PCI-DSS compliance or will have their services reviewed as part of their customers audits. The Report on Compliance (ROC) documents the role of each service provider. Sampling Sampling of Business Facilities / System components is allowed, however all applicable PCI DSS requirements must be considered. Compensating Controls a Compensating Controls Worksheet must be completed for each compensating control. And documented in the ROC. Compliance Completion Steps 1.Complete the ROC 2. Provide evidence of passing scans from ASV 3. Complete the "Attestation of compliance" 4. Submit all to the Aquirer, or Payment Brand PCI SSC Payment card Industry Security Standards Council ASV Approved Scanning Vendors QSA Qualified Security Assessor PCI PA-DSS Payment card Industry Payment Application Data Security Standard PCI PED Payment Card Industry Pin Entry Devices Merchant levels Defined by payment brands. Levels 1 to 4 1 is the largets merchants or merchants who have been compromised. 6 Million transactions/year + Non-compliance consequences Fines according to Level and elapsed time determined by payment brands Breach Consequences Fine per cardholder data compromised / Loss of reputation / customer trust / suspension of service by credit card account provider Firewall and Router rule sets be reviewed at least every 6 Months It is required to install all critical new security patches within 1 Month Public facing web applications are to be reviewed at least annually Users are required to change passwords at least every 90 Days Remove or Disable inactive accounts over 90 Days New passwords cannot be the same as __________ previous passwords 4 Passwords Users accounts are to be locked out after more than ________ invalid logon attempts 6 System/session idle time out features should be set to _______ or less 15 Minutes Visitor log for physical access should be retained for at least 3 Months Video Cameras/access control mechanisms should be stored for at least 3 Months Back up media storage location should be reviewed at least Annually Periodic media inventories are to be performed at least Annually Audit logs should be retained for at least 1 Year Processes should be in place to immediately restore at least _______ audit logs for analysis 3 months Internal and external vulnerability scans are to be performed Quarterly Penetration testing should be performed at least Annually Tools are to be configured to perform critical file comparisons at least Weekly Passwords length are required to be 7 characters Requirement 1 Install and maintain a firewall configuration to protect cardholder data Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters Requirement 3 Protect stored cardholder data Requirement 4 Encrypt transmission of cardholder data across open, public networks Requirement 5 Use and regularly update anti-virus software or programs Requirement 6 Develop and maintain secure systems and applications Requirement 7 Restrict access to cardholder data by business need to know Requirement 8 Assign a unique ID to each person with computer access Requirement 9 Restrict physical access to cardholder data