PCI DSS Exam Questions and Answers, Exams of Physical Activity and Sport Sciences

A comprehensive set of questions and answers related to the Payment Card Industry Data Security Standard (PCI DSS). It covers various aspects of PCI DSS compliance, including security controls, vulnerability management, incident response, and data protection. Useful for individuals preparing for PCI DSS exams or seeking to understand the key requirements of the standard.

Typology: Exams

2024/2025

Available from 01/13/2025

ProfGoodluck 🇺🇸
PCI - ISA Exam (100 OUT OF 100) Questions and Verified Elaborations (GRADED A)

What makes up SAD?

  • Track Data
  • CAV2/CVC2/CVV2/CID
  • PINs & PIN Blocks

Track 1
Contains all fields of both Track 1 and Track 2, up to 79 characters long

11.2 Internal Scans - Frequency and performed by whom? Quarterly and after significant changes in the network - Performed by a qualified internal or external resource

11.3 Penetration Tests (SERVICE PROVIDERS) - Frequency and performed by whom? Every 6 months by a qualified internal or external resource

11.2 External Scans - Frequency and performed by whom? Quarterly and after significant changes in the network - Performed by a PCI SSC Approved Scanning Vendor (ASV)

11.3 Penetration Tests - Frequency and performed by whom? At least annually and after significant changes in the network - Performed by a qualified internal or external resource

11.2 Review scan reports and verify scan process includes rescans until:

  • External scans: no vulnerabilities exist that scored 4.0 or higher by the CVSS
  • Internal scans: all high-risk vulnerabilities as defined in PCI DSS requirement 6.1 are resolved

Who decides if a ROC or SAQ is required? Payment Brands / Acquirers

10.2 Implement audit trails for all system components to reconstruct the following events:

  • All individual accesses to CHD
  • Actions taken by any individual with root or admin privileges
  • Access to all audit trails
  • Invalid logical access attempts
  • Use of, and changes to, identification and authentication mechanisms
  • Initialization, stopping, or pausing of the audit logs
  • Creation and deletion of system-level objects

How long must QSAs retain work papers? 3 years, recommend the same for ISAs

Firewall and router rule sets must be reviewed every _____________________. 6 months

  • Documentation of impact
  • Documented change approval by authorized parties
  • Functionality testing to verify change does not adversely impact security of the system
  • Back-out procedures

6.5 Developers must be trained in up-to-date secure coding techniques at least ________. Annually

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

  • At least annually, and after any changes, review via manual or automated application vulnerability assessment tools/methods
  • Automated technical solution that detects and prevents web-based attacks continuously

1.3.2 Examine firewall and router configurations to verify inbound traffic is: Limited to IP addresses within the DMZ

7.1.4 Select sample of user IDs and compare with documented approvals to verify:

  1. Documented approval exists for the assigned privileges
  2. Approved by authorized parties
  3. Specified privileges match the role of the user ID

8.1.4 Inactive user accounts ________________ should be removed or disabled. Over 90 days old

8.1.5 Accounts used by third parties should be:

  1. Disabled when not in use
  2. Enabled only when needed, and disabled when not in use

8.1.6 Accounts should be locked out after _______________________. 6 failed login attempts

8.1.7 Locked out accounts remain locked out for __________ or _________________________. 30 minutes; administrator unlocks the account

8.1.8 Idle time-out set to _______________________. 15 minutes or less

8.2.1 Passwords must be protected with strong cryptography during _____________. Transmission & Storage

8.2.3 Passwords/passphrases must be at least ___ characters long and contain __________ and ________ characters. 7; alphabetic and numeric

8.2.5 Passwords/passphrases cannot be any of the previous _______________.

9.7.1 Media inventory logs should be maintained and media inventories conducted at least ________. Annually

10.6.1 The following should be reviewed at least daily:

  • All security events
  • Logs of system components that store, process, or transmit CHD and/or SAD
  • Logs of all critical system components
  • Logs of all servers and system components that perform security functions

10.6.2 Review logs for all other system components ____________. Periodically

10.7 Retain audit logs for at least _______, with a minimum of _________ immediately available. 1 year; 3 months

11.1 Implement processes to test for the presence of WAPs (802.11) and detect and identify all authorized/unauthorized WAPs on a __________ basis. Quarterly

11.4 IDS/IPS should be set up at: The perimeter of, and at critical points in, the CDE

11.5 Perform critical file comparisons at least ________. Weekly

12.1.1 Information security policy should be reviewed: At least annually and after significant changes

12.8.5 Entities monitor service providers' PCI DSS compliance status at least: Annually

12.11 SERVICE PROVIDERS - perform reviews at least __________ to confirm personnel are following security policies and operational procedures. Quarterly

Incident Response Plan should be tested at least: Annually

A2.1 Where POS POI terminals (and the SSL/TLS termination points to which they connect) use SSL and/or early TLS, the entity must:

  • Confirm the devices are not susceptible to any known exploits for those protocols OR
  • Have a formal Risk Mitigation and Migration Plan in place

A3 What does DESV stand for? Designated Entities Supplemental Validation

PCI PA-DSS
Covers secure payment applications to support PCI DSS compliance

PCI P2PE
Covers encryption, decryption, and key management requirements for point-to-point encryption solutions

PCI PTS - POI
Covers the protection of sensitive data at the point of interaction devices and their secure components, including cardholder PINs and account data, and the cryptographic keys used in connection with the protection of that cardholder data.

PCI PTS - PIN Security
Covers secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing.

PCI PTS - HSM
Covers physical, logical and device security requirements for securing Hardware Security Modules (HSM)

PCI Card Production
Covers physical and logical security requirements for systems and business processes.

Issuer
Bank or other organization issuing a payment card on behalf of a payment brand

Which Payment Brands issue credit cards directly? American Express, Discover, JCB

Merchant
Organization accepting the payment card for payment during a purchase

Acquirer

  • The bank or other entity the merchant has a contractual relationship with to acquire their transactions involving the use of payment cards
  • Known by different names - bank, merchant bank, processor, independent sales organization
  • Can be a payment brand themselves

Authorization
Merchant requests and receives authorization

Clearing
Issuer and acquirer exchange purchase and reconciliation information

Settlement

Payment Brands are responsible for:

  • Defining rules for forensic investigations and responding to account data compromises
  • Monitoring and facilitating investigations of account data compromises

Payment Brands role includes:

  • Accept validation documentation from QSAs, PA-QSAs, and ASVs
  • Develop and enforce compliance programs
  • Endorse QSA, PA-QSA, and ASV company qualification criteria

Merchant levels are defined by _ and based on _. Transaction volume is determined by the _

  • Defined by payment brands, based on transaction volume
  • Acquirer

Service Provider levels: Are defined by _________________________________________________. Determined by the ______________________________________________________.

  • Payment brands according to transaction volume and/or type of service provider
  • Payment brands or acquirer and sometimes the service provider

SAQ A
Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced to PCI DSS compliant service providers. Not applicable to face-to-face channels.

SAQ A-EP
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels.

SAQ B
Imprint-only merchants with no electronic cardholder data storage, or stand-alone dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ B-IP
Merchants using only stand-alone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C
Merchants with segmented payment application systems connected to the internet, with no electronic CHD storage

SAQ C-VT
Merchants using only web-based virtual payment terminals, with no electronic cardholder data storage. Not applicable to e-commerce channels.

Samples must be __________________________________________. Representative of the entire population

Six Goals of PCI DSS

  1. Build and Maintain a Secure Network and Systems
  2. Protect CHD
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

What is the purpose of the Prioritized Approach?

  • Helps entities implementing PCI DSS to identify highest risk targets
  • Enables entities to demonstrate progress
  • Helps acquirers objectively measure compliance activities and risk reduction efforts

Where on the PCI DSS website can information supplements, FAQs, and guidance documents be found? Document Library

ROC Sections - (1) Contact Information and Report Date
Contact info, date, timeframe of the assessment, and version of the PCI DSS used for the assessment.

ROC Sections - (2) Executive Summary

  1. Description of entity's payment card business
  2. Types of payment channels served (i.e. card-not-present, card-present)
  3. High-level network diagram

ROC Sections - (3) Description of Scope and Approach Taken

  • Assessor's validation of scope accuracy
  • Environment on which the assessment is focused (people, processes, technologies, and locations)
  • Network segmentation (assessor attests segmentation verified to be adequate to reduce scope, or that the whole network is included in scope if segmentation is not used)
  • Description of in-scope and out-of-scope networks
  • Locations or environments that store, process, or transmit CHD
  • Other business entities that require compliance with the PCI DSS
  • Wireless networks and technologies

ROC Sections - (4) Details About Reviewed Environment

  • Detailed network diagram and cardholder data flows
  • CHD storage
  • Info about sampling, including attestation if not used
  • Service providers and third parties with which the entity shares CHD; third-party payment apps
  • Documentation reviewed
  • Individuals interviewed
  • If assessing a managed service provider
  • Disclosure summary of any responses in the ROC

ROC Sections - (5) Quarterly Scan Results

  • Quarterly scan results (summarize four most recent quarterly ASV scan results)