AND ANSWERS RATED A+
✔✔Acquirer - ✔✔Bank or entity the merchant uses to process their payment card
transactions
Acquirer is also called:
Merchant Bank
ISO (sometimes)
Payment Brand - Amex, Discover, JCB
Never Visa or MasterCard
✔✔only one primary function - ✔✔Verify system configurations that
________________________________ is implemented per server.
✔✔Do not store _____ AFTER authorization even if ___________. - ✔✔sensitive
authentication data; encrypted
(sensitive auth data: track data, verification code, PIN)
✔✔Req 3.3: Protection of PAN that displayed on screens, paper receipts, etc. by
_____________________ - ✔✔masking the PAN and only show first 6 digits and last 4
digits.
✔✔Req 3.4: Protection of PAN when stored in files, databases, etc. by
______________.
(hint: do what to the information?) - ✔✔render the information unreadable.
✔✔Disk Encryption - ✔✔Must verify that logical access to encrypted file systems is
implemented via a mechanism that is separate from the native operating system's
authentication mechanism.
, ✔✔Key-encrypting keys are ___________________ as data-encrypting keys and
___________________. - ✔✔at least as strong; stored separately.
✔✔Key Management documentation must specifies the following: - ✔✔Procedures to:
1. Generate strong keys
2. Securely distribute keys
3. Securely store keys
4. Defined cryptoperiod
✔✔PAN must be - ✔✔render unreadable during transmission over PUBLIC wireless
network.
✔✔Split knowledge - ✔✔Two or more entities need to separately have key components
that individually convey no knowledge of the resultant cryptographic key
✔✔Dual control - ✔✔Required the present of two individuals to perform a task
✔✔Critical vendor supplied patches should be installed within_______________. - ✔✔1
month
✔✔What is the proper handling of displaying an error message? - ✔✔by returning
generic rather than specific error details (to not leak too much information about the
system)
✔✔For public web facing application, do we use both or either one of these methods?
1) Use either manual or automated vulnerability security assessment tools or methods
at least annually and after any changes.
2) Use of automated technical solution that detects and prevents web-based attacks
(WAP) - ✔✔Either One
✔✔Req 7.1 - Limited access to what user roles based on _______________. -
✔✔Least privileges and need-to-know basis based on job functions.
✔✔Req 7.2 - Access control system must be set to _____________ by default. -
✔✔deny-all
✔✔Multi-factor authentication is required for: ______________________ and
_________. - ✔✔All remote access by personnel (user and administrator) and all third-
party/vendor remote access
✔✔An example of a "one-way" cryptographic function used to render data unreadable
is: - ✔✔SHA-2