PCI DSS Exam with complete solutions
- Requirement 1 - ANSWER-Firewall - Install and maintain firewall configuration
- Requirement 2 - ANSWER-Change defaults - e.g. vendor-supplied defaults
- Requirement 3 - ANSWER-Data-at-rest - Protect stored cardholder data
- Requirement 4 - ANSWER-Encrypt data in transit - over public networks
- Requirement 5 - ANSWER-Anti-virus - use and regularly update anti-virus
- Requirement 6 - ANSWER-Secure SDLC - Develop and maintain secure systems and applications
- Requirement 7 - ANSWER-Need to know - Restrict access to cardholder data to business need to know
- Requirement 8 - ANSWER-Unique ID - Identify and authenticate access
- Requirement 9 - ANSWER-Physical security - Restrict physical access to cardholder data
- Requirement 10 - ANSWER-Log and monitor - all access to network resources and cardholder data
- Requirement 11 - ANSWER-Test security - of systems and processes regularly
- Requirement 12 - ANSWER-Policy - have one that addresses InfoSec
- 1.1 - ANSWER-Build standards
- 1.2 - ANSWER-No untrusted CDE connections
- 1.3 - ANSWER-No direct CDE access from internet
- 1.4 - ANSWER-Personal firewalls for laptops that connect to CDE
- 1.5 - ANSWER-Policies & procedures for firewall management
- 2.1 - ANSWER-Change default passwords & remove or disable default accounts
- 2.2 - ANSWER-Build standards
- 2.3 - ANSWER-Encrypt non-console admin access
- 2.4 - ANSWER-Asset inventory
- 2.5 - ANSWER-Policies & procedures for managing vendor defaults
- 2.6 - ANSWER-Shared hosting providers must protect hosted data (Appendix A1)
- 3.1 - ANSWER-Data retention & destruction policies/procedures
- 3.2 - ANSWER-Render SAD unreadable upon receipt and don't store it
- 3.3 - ANSWER-Mask displayed PAN unless documented business need
- 3.4 - ANSWER-Render PAN unreadable when stored
- 3.5 - ANSWER-Procedures for protecting encryption keys
- 3.6 - ANSWER-Key management policies & procedures
- 3.7 - ANSWER-Policies & procedures for protecting stored CHD
- 4.1 - ANSWER-Strong cryptography & protocols
- 4.2 - ANSWER-No unprotected PANs
- 4.3 - ANSWER-Policies & procedures for encrypting data transmissions
- 5.1 - ANSWER-Install on commonly affected systems
- 5.2 - ANSWER-Keep current, run scans, generate audit logs
- 5.3 - ANSWER-Keep actively running, don't allow users to disable or change settings
- 5.4 - ANSWER-Policies & procedures for anti-virus
- 6.1 - ANSWER-Identify vulnerabilities & assign risk ratings
- 6.2 - ANSWER-Install security patches - critical w/in one month
- 6.3 - ANSWER-Develop applications securely
- 6.4 - ANSWER-Change control
- 6.5 - ANSWER-Use secure coding guidelines & train developers annually
- 6.6 - ANSWER-Review web-facing applications on an ongoing basis
- 6.7 - ANSWER-Policies & procedures for developing and maintaining secure systems and applications
- 7.1 - ANSWER-Limit CDE access to business need to know
- 7.2 - ANSWER-Access control systems
- 7.3 - ANSWER-Policies & procedures for restricting access to CHD
- 8.1 - ANSWER-Policies & procedures for user management
- 8.2 - ANSWER-Authenticate w/something you know, have, or are
- 8.3 - ANSWER-Multi-factor for non-console admin & remote CDE access
- 8.4 - ANSWER-Policies & procedures for authentication
- 8.5 - ANSWER-No shared user IDs or passwords
- 8.6 - ANSWER-No shared authentication mechanisms
- 8.7 - ANSWER-Restrict database access
- 8.8 - ANSWER-Policies & procedures for identification and authentication
- 9.1 - ANSWER-Limit & monitor facility access
- 9.2 - ANSWER-Procedures to distinguish visitors from staff
- 9.3 - ANSWER-Physical access based on job function & revoked immediately upon termination
- 9.4 - ANSWER-Procedures for visitor authorization & access
- 9.5 - ANSWER-Physically secure media
- 9.6 - ANSWER-Policy for distributing media
- 9.7 - ANSWER-Media inventory logs reviewed annually
- 9.8 - ANSWER-Media destruction policy
- 9.9 - ANSWER-Protect devices that capture payment data (list of devices, inspections, training)
- 9.10 - ANSWER-Policies & procedures for restricting physical access to CHD
- 10.1 - ANSWER-Logs to link activity to users
- 10.2 - ANSWER-Log all CHD access, all root/admin user activity, access to logs, invalid access attempts, creation of new accounts or elevated permissions, changes to root/admin user accounts, creation/deletion of database tables or stored procedures
- 10.3 - ANSWER-Logs must contain: user ID, type of event, date & time, success/failure indicator, origination of event, and affected data, system component, or resource
- 10.4 - ANSWER-Synchronize all critical system clocks
- 10.5 - ANSWER-Configure logs so they can't be altered
- 10.6 - ANSWER-Review logs regularly. Daily for security events, systems in CDE, and systems/servers that perform security functions for CDE
- 10.7 - ANSWER-Retain logs for at least one year & immediately available for 3 months
- 10.8 - ANSWER-Service providers - process for timely detecting and reporting of critical security system failures
- 10.9 - ANSWER-Policies & procedures for monitoring access to network resources and CHD
- 11.1 - ANSWER-Test for wireless access points quarterly
- 11.2 - ANSWER-Internal & external vulnerability scans quarterly or after significant changes. External by ASV
- 11.3 - ANSWER-Have pen test methodology. Pen test annually, every six months for service providers
- 11.4 - ANSWER-Use IDS/IPS to detect/prevent network intrusions and update regularly
- 11.5 - ANSWER-File integrity monitoring for critical system files, config files, content files
- 11.6 - ANSWER-Policies & procedures for testing
- 12.1 - ANSWER-Have a security policy, keep it updated, and make sure people have it
- 12.2 - ANSWER-Perform a risk assessment annually
- 12.3 - ANSWER-Acceptable use policy
- 12.4 - ANSWER-Defined security roles & responsibilities
- 12.5 - ANSWER-Assign information security management to an individual or team
- 12.6 - ANSWER-Security awareness program w/annual training and upon hire
- 12.7 - ANSWER-Background checks for new hires
- 12.8 - ANSWER-Program to manage service providers that CHD is shared with
- 12.9 - ANSWER-Service providers: language in agreements that they are responsible for CHD of customers
- 12.10 - ANSWER-Incident response - have and test annually
- 12.11 - ANSWER-Service providers: quarterly reviews to confirm daily log reviews, firewall rule-set reviews, config standards for new systems, response to security alerts, & change management
- SAQ A - ANSWER-Card not present merchants w/all data functions outsourced
- SAQ A-EP - ANSWER-E-commerce merchants w/outsourced payment processing. Website doesn't receive CHD, but could impact security of transaction
- SAQ B - ANSWER-Imprint machines or stand alone dial-out terminals
- SAQ B-IP - ANSWER-Stand alone IP-connected POI terminals
- SAQ C - ANSWER-Payment application systems connected to the internet
- SAQ C-VT - ANSWER-Web-based virtual terminals
- SAQ P2PE - ANSWER-Hardware payment terminals in a PCI SSC-listed P2PE solution
- SAQ D for Merchants - ANSWER-All other merchants
- SAQ D for Service Providers - ANSWER-Service providers the payment brands define as SAQ eligible
- Sensitive authentication data - ANSWER-Security-related info used to authenticate and/or authorize
Written for
- Institution: PCI DSS
- Module: PCI DSS
Document information
- Uploaded on: December 15, 2022
- Number of pages: 5
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers