Payment Card Industry Security Standards for Manufacturers
PCI PTS - PIN Transaction Security
-governs manufacturers of the devices
Who does PCI TSP apply to?
Token Service Providers
EMV Chip
-prevents cards from being cloned
-creates a unique transaction code with each purchase
-is best for protecting card-present transactions
Ransomware
-fastest growing malware threat
-can be delivered by phishing email
PCI as a whole should be organized around what?
Business As Usual
If stored cardholder data cannot be encrypted or otherwise rendered
unreadable, you should refer to which PCI DSS appendix?
Appendix B and C--Compensating Controls
Does using a PA-DSS app reduce the merchant's CDE scope?
No
Penetration testing falls under which PCI DSS requirement?
3
Anti-virus refers to which PCI DSS requirement?
5
How frequently should you monitor a service provider's compliance?
Annually
How frequently must you maintain and implement policies and procedures to manage
service providers with whom you share CHD? Req.?
Annually
Req. 12.8
How frequently do service providers have to perform and document reviews,
and why? Req.?
Req. 12.11
-quarterly
-to make sure personnel are following security policies
Restrict access to publicly accessible network jacks, wireless access points,
gateways, telecom lines, handheld devices, etc.--Req.?
Req. 9
Lockout user ID--how many attempts? Req.?
no more than 6 attempts
Req. 8
Define access to CHD on a business need-to-know basis--Req.?
Req. 7
Systems only receive time from designated time servers--Req.?
Req. 10 - Track and monitor all access to network resources and cardholder data.
Test, Development and Production environments are separately maintained--
Req.?
Req. 6
How frequently are firewall rule set reviews performed? Req.?
6 months, Req. 1
Change user passwords/passphrases every___days? Req.?
90 days
Req. 8
How frequently must you run internal and external vulnerability scans? Req.?
Quarterly and after significant network change
-Req. 11
Which req. only allows one primary function per server?
Req. 2.6
DESV (Designated Entity Supplemental Validation) requires a merchant to
perform BAU reviews how frequently?
At least quarterly
-applies only to entities designated by a payment brand
PCI SSC is a global open forum launched when?
2006
DESV requires the entity to document and confirm the accuracy of PCI DSS scope
(scoping validation) how frequently?
Quarterly
Can MFA and multi-step authentication be present in the same environment?
yes
Administrative access to the CDE is only permitted from systems within the CDE
or from where else?
from specific system in the shared services network
What is a secure way to manage recurring transactions?
Tokenization
Who sells, installs and/or services PA DSS payment apps?
QIR- Qualified Integrators and Resellers
What attacks a logged on victim's browser to send a pre-authenticated request
to a vulnerable web app?
Cross-Site Request Forgery (CSRF)
N/A on an ROC requires what?
Reporting must identify that the test was performed, which supports the N/A status
PCI SSC is responsible for doing what with the security standards?
Managing the security standards
Payment Brands are responsible for what?
SSC is responsible for what?
PB- Enforcing the Security Standards
SSC- managing standards
Payment Process- 3 main events
1) Authorization 2) Approval/Decline/ Referral 3) Settlement
All merchants not included in descriptions for various SAQ types are eligible to
complete which SAQ?
SAQ-D
Authorization is the process of confirming whether the customer has what?
1) a credit card that is valid
2) has sufficient funds/credit to make purchase
Three ways authorizations are obtained?
1) payment device; 2) ecommerce web site; 3) over the phone
CVSS (Common Vulnerability Scoring System) severity levels for vulnerability
scanning--what are they?
CVSS Score 7.0 through 10.0 - High Severity - Scan Result: Fail
CVSS Score 4.0 through 6.9 - Medium Severity - Scan Result: Fail
CVSS Score 0.0 through 3.9 - Low Severity - Scan Result: Pass
What are the clear text protocols?
-like writing a letter on the outside of an envelope
-does not encrypt traffic or logon details
-Includes Telnet and HTTP