PCI ISA Flashcards 3.2.1 100% correct
For PCI DSS Requirement 1, firewall and router rule sets need to be reviewed at least every _____ months -CORRECT ANSWER- 6 months
Non-console administrator access to any web-based management interfaces must be encrypted with technology such as ......... -CORRECT ANSWER- HTTPS
Requirements 2.2.2 and 2.2.3 cover the use of secure services, protocols and daemons. Which of the following is considered to be secure? -CORRECT ANSWER- SSH
Which of the following is considered "Sensitive Authentication Data"? -CORRECT ANSWER- Card verification value (CAV2/CVC2/CVV2/CID), full track data, PIN/PIN block
True or False: It is acceptable for merchants to store Sensitive Authentication Data after authorization as long as it is strongly encrypted. -CORRECT ANSWER- False
When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to be masked are: -CORRECT ANSWER- All digits between the first six and the last four
Which of the following is true regarding protection of PAN? -CORRECT ANSWER- PAN must be rendered unreadable during transmission over open, public networks (wireless networks included)
Which of the following may be used to render PAN unreadable in order to meet Requirement 3.4? -CORRECT ANSWER- Hashing the entire PAN using strong cryptography (a one-way hash)
True or False: Where manual clear-text key-management operations are used, they must be managed using split knowledge and dual control (Requirement 3.6.6). -CORRECT ANSWER- True
When assessing Requirement 6.5, testing to verify that secure coding techniques are in place to address common coding vulnerabilities includes: -CORRECT ANSWER- Reviewing software development policies and procedures
One of the principles to be used when granting user access to systems in the CDE is: -CORRECT ANSWER- Least privilege
An example of a "one-way" cryptographic function used to render data unreadable is: -CORRECT ANSWER- SHA-2
A set of cryptographic hash functions designed by the National Security Agency (NSA). -CORRECT ANSWER- SHA-2 (Secure Hash Algorithm 2)
Inactive user accounts should be either removed or disabled within ___ -CORRECT ANSWER- 90 days
True or False: Procedures must be developed to easily distinguish between onsite personnel and visitors. -CORRECT ANSWER- True
When should the access of recently terminated employees be revoked? -CORRECT ANSWER- Immediately
True or False: A visitor with a badge may enter a sensitive area unescorted. -CORRECT ANSWER- False; visitors must be escorted at all times
Protection of keys used for encryption of cardholder data against disclosure must include at least (4 items): -CORRECT ANSWER-
*Access to keys is restricted to the fewest number of custodians necessary
*Key-encrypting keys are at least as strong as the data-encrypting keys they protect
*Key-encrypting keys are stored separately from data-encrypting keys
*Keys are stored securely in the fewest possible locations
Description of cryptographic architecture includes: -CORRECT ANSWER-
*Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
*Description of the key usage for each key
*Inventory of any HSMs and other SCDs used for key management
Which 2 methods must NOT be used for disk-level encryption to be compliant? -CORRECT ANSWER-
*Cannot use the same user account authenticator as the operating system
*Cannot use a decryption key that is associated with or derived from the system's local user account database or general network login credentials
DESV: User accounts and access privileges are reviewed at least every ______ -CORRECT ANSWER- 6 months
Track 1 (length up to 79 characters) -CORRECT ANSWER- Contains all the fields of Track 2 plus additional data such as the cardholder name
Track 2 (length up to 40 characters) -CORRECT ANSWER- Provides shorter processing time for older dial-up transmissions
DESV -CORRECT ANSWER- Designated Entities Supplemental Validation
DESV requirements: -CORRECT ANSWER-
*Implement a PCI DSS compliance program
*Document and validate PCI DSS scope
*Validate that PCI DSS is incorporated into business-as-usual (BAU) activities
*Control and manage logical access to the cardholder data environment
*Identify and respond to suspicious events
Who could DESV requirements apply to? -CORRECT ANSWER- Entities designated by a payment brand or acquirer, for example those that have suffered significant or repeated breaches of cardholder data
PCI DSS requirements apply to _____ -CORRECT ANSWER- People, processes, and technologies
When planning for an assessment, what 4 activities should be included? -CORRECT ANSWER-
*List the people to be interviewed, the system components used, documentation (training, payment logs), and facilities (physical security)
*Ensure the assessor is familiar with the technologies in the assessment
*If sampling, verify that the sample selection and size are representative of the entire population
*Identify the roles, and the individuals within each role, to be interviewed as part of the assessment
What pre-assessment activities should an assessor consider when preparing for an assessment? -CORRECT ANSWER-
*Ensure the assessor(s) has competent knowledge of the technologies being assessed
*Identify the types of system components and the locations of facilities to be reviewed
*Consider the size and complexity of the environment to be assessed
When does authorization occur? -CORRECT ANSWER- At the time of purchase
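The Requirement 3.3 masking card and the Requirement 3.4 hashing card above describe a technique rather than a policy, so here is a worked example. This is added example code, not part of the original flashcards or of any PCI SSC material: it masks a PAN to at most the first six and last four digits, hashes the entire PAN, and shows why the note under Requirement 3.4 (hashed and truncated versions of the same PAN must not be correlatable) matters in practice. The HMAC key, the Luhn check, the 13-19 digit length rule, the helper names and the test PANs are all assumptions of the example.

```python
import hashlib
import hmac
import itertools
import re
from typing import Optional

# Assumption of this example: a PAN is 13 to 19 digits once spaces and dashes are stripped.
PAN_LENGTHS = range(13, 20)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; used only to reject obviously malformed input."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators and validate length, character set and Luhn checksum."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or len(digits) not in PAN_LENGTHS or not luhn_ok(digits):
        raise ValueError("not a well-formed PAN")
    return digits


def is_valid_pan(pan: str) -> bool:
    try:
        normalize_pan(pan)
        return True
    except ValueError:
        return False


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Requirement 3.3 masking: display at most the first six and the last four digits."""
    if lead > 6 or trail > 4:
        raise ValueError("Requirement 3.3 permits at most the first six and last four digits")
    digits = normalize_pan(pan)
    return digits[:lead] + "*" * (len(digits) - lead - trail) + digits[-trail:]


def hash_pan(pan: str, key: bytes) -> str:
    """Requirement 3.4 one-way hash of the ENTIRE PAN.

    This example uses a keyed hash (HMAC-SHA-256) so that a stored digest cannot be
    correlated with a masked PAN by brute-forcing the hidden digits. Hashing the PAN
    with an unkeyed SHA-2 is what the flashcard names; see recover_from_masked().
    """
    if len(key) < 16:
        raise ValueError("key too short for this example")
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_hash_pan(pan: str) -> str:
    """Plain SHA-256 over the entire PAN (no key): the weak variant used to show the risk."""
    return hashlib.sha256(normalize_pan(pan).encode("ascii")).hexdigest()


def recover_from_masked(masked: str, digest: str) -> Optional[str]:
    """Why the Requirement 3.4 note matters: given a masked PAN and an UNKEYED hash of the
    same PAN, the hidden digits are brute-forced (10**3 candidates for a 13-digit PAN,
    10**6 for a 16-digit PAN). Against a keyed hash the search finds nothing."""
    hidden = masked.count("*")
    lead = masked[: masked.index("*")]
    trail = masked[masked.rindex("*") + 1 :]
    for mid in itertools.product("0123456789", repeat=hidden):
        candidate = lead + "".join(mid) + trail
        if luhn_ok(candidate) and hashlib.sha256(candidate.encode("ascii")).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = b"example-key-0123456789abcdef"  # constructed for the demo; a real key lives in an HSM/KMS
    pan = "4111 1111 1111 1111"           # well-known test PAN, constructed input
    print(mask_pan(pan))                   # 411111******1111
    print(hash_pan(pan, key))
    short = "4222222222222"                # 13-digit test PAN: only three hidden digits
    print(recover_from_masked(mask_pan(short), unkeyed_hash_pan(short)))  # recovered
    print(recover_from_masked(mask_pan(short), hash_pan(short, key)))     # None
```

The masking helper refuses to show more than the first six and last four digits, which is the ceiling Requirement 3.3 sets, and the hashing helper always hashes the whole normalized PAN. The brute-force helper is the practical reason to key the hash: with a masked PAN and an unkeyed SHA-256 digest stored side by side, only the hidden middle digits are unknown, and Luhn filtering plus a few thousand to a million hash computations recovers the full PAN on a laptop.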
Written for
- Institution: PCIISA
- Course: PCIISA
Document information
- Uploaded on: June 7, 2023
- Number of pages: 9
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers