PCI DSS 3.0 correctly answered latest 2023
What is PCI DSS?
- Payment Card Industry Data Security Standard
- For consistent data security measures globally
- 12 measures in six groups
- PCI DSS is a minimum set of controls
- It does not supersede local laws and regulations
- It is a contractual agreement, not a standard
- PCI DSS only applies if PANs are stored, processed or transmitted

The 12 measures in six groups
1. Build and maintain a secure network
- Install and maintain a firewall configuration
- Do not use vendor-supplied defaults for passwords and other security parameters
2. Protect cardholder data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
3. Maintain a vulnerability program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
4. Implement strong access control measures
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
5. Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
6. Maintain an information security policy
- Maintain a policy that addresses information security for all personnel

Cardholder data
- Primary Account Number (PAN)
- Cardholder name
- Expiration date
- Service code

Sensitive authentication data
- Magnetic stripe data or equivalent on a chip
- CAV2/CVC2/CVV2/CID
- PINs / PIN blocks

What is PA-DSS?
- Payment Application Data Security Standard
- PA-DSS applies to software sold "off the shelf" by third parties
- PA-DSS does not apply to applications developed by merchants and service providers for use in-house (this is covered by PCI DSS)

PCI DSS applies to
- All system components: VMs, switches, routers, hypervisors, firewalls, wireless access points, servers, applications (including Internet-based services), and network services such as NTP and DNS

Scope
- Scope IS a primary requirement
- Cardholder data flows help set scope
- Business practices and processes need careful consideration and may need re-engineering
- Network segmentation is recommended

Wireless
- Use only for non-sensitive data
- Carefully consider the risk
- MUST be tested

Service providers
- Need their own PCI DSS compliance, or will have their services reviewed as part of their customers' audits
- The Report on Compliance (ROC) documents the role of each service provider

Sampling
- Sampling of business facilities / system components is allowed; however, all applicable PCI DSS requirements must be considered

Compensating controls
- A Compensating Controls Worksheet must be completed for each compensating control and documented in the ROC

Report on Compliance contains
1. Executive summary
- Description of the entity's payment card business and the high-level network diagram
2. Details of scope of work and approach taken
- Validation of the scope
- Environment on which the assessment is focused
- Segmentation
- Details of sampling
- Other related entities that require compliance
- Wireless LANs
- Version of requirements used
3. Details about the reviewed environment
- Cardholder data flows
- Hardware and software (assets)
- Service providers
- Individuals interviewed
- Documents reviewed
- For MSPs, which requirements apply (and which are the responsibility of the customer)
4. Contact information and report date
5. Quarterly scan results
- ASV scan results (for all external IP addresses)
6. Findings and observations

Compliance completion steps
1. Complete the ROC
2. Provide evidence of passing scans from the ASV
3. Complete the Attestation of Compliance
4. Submit all to the acquirer or payment brand

Acronyms
- PCI SSC: Payment Card Industry Security Standards Council
- ASV: Approved Scanning Vendors
- QSA: Qualified Security Assessor
Document information
- Uploaded on: December 29, 2022
- Number of pages: 3
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers