PCI DSS 3.0 Exam Questions with Complete Solutions
What is PCI DSS? - Answer- Payment Card Industry Data Security Standard.
Provides a consistent set of data security measures globally.
12 requirements grouped into six goals (control objectives).
PCI DSS is a minimum set of controls, not a complete security program.
It does not supersede local laws and regulations.
It is enforced contractually (through the card brands and acquirers), not by statute.
PCI DSS only applies if PANs are stored, processed or transmitted.

1. Build and maintain a secure network and systems - Answer- Install and maintain a firewall configuration to protect cardholder data (Req 1). Do not use vendor-supplied defaults for system passwords and other security parameters (Req 2).

2. Protect cardholder data - Answer- Protect stored cardholder data (Req 3). Encrypt transmission of cardholder data across open, public networks (Req 4).

3. Maintain a vulnerability management program - Answer- Protect all systems against malware and regularly update anti-virus software or programs (Req 5). Develop and maintain secure systems and applications (Req 6).

4. Implement strong access control measures - Answer- Restrict access to cardholder data by business need to know (Req 7). Identify and authenticate access to system components; assign a unique ID to each person with computer access (Req 8). Restrict physical access to cardholder data (Req 9).

5. Regularly monitor and test networks - Answer- Track and monitor all access to network resources and cardholder data (Req 10). Regularly test security systems and processes (Req 11).

6. Maintain an information security policy - Answer- Maintain a policy that addresses information security for all personnel (Req 12).

Cardholder data - Answer- Primary Account Number (PAN), cardholder name, expiration date, service code. The full PAN is the defining element; name, expiration date and service code must be protected when they are stored, processed or transmitted together with the PAN.

Sensitive Authentication Data (SAD) - Answer- Full track data (magnetic stripe data or equivalent on a chip), CAV2/CVC2/CVV2/CID, PINs/PIN blocks. SAD must never be stored after authorization, even if encrypted (Req 3.2).

What is PA-DSS? - Answer- Payment Application Data Security Standard. PA-DSS applies to payment applications sold, distributed or licensed "off the shelf" to third parties. It does not apply to applications developed by merchants and service providers for in-house use; those are covered by the merchant's or service provider's own PCI DSS assessment.

PCI DSS applies to - Answer- All system components included in or connected to the cardholder data environment (CDE): VMs, switches, routers, hypervisors, firewalls, wireless access points, servers and applications (including Internet-based services), and network services such as NTP and DNS.

Scope - Answer- Scoping is a primary requirement; the assessed entity confirms the accuracy of its scope at least annually and before each assessment. Cardholder data flows (where CHD is entered, processed, stored and transmitted) help set the scope. Business practices and processes need careful consideration and may need re-engineering to reduce scope.

Network segmentation is - Answer- Recommended, not required. Segmentation isolates the CDE from the rest of the network and reduces scope, but it only reduces scope if it is verified to be effective: PCI DSS 3.0 requires penetration testing to confirm that segmentation controls isolate the CDE (Req 11.3.4).

Wireless - Answer- Use only for non-sensitive data where possible. Carefully consider the risk. MUST be tested: test for the presence of authorized and unauthorized wireless access points at least quarterly (Req 11.1). Wireless networks connected to the CDE also need a perimeter firewall between them and the CDE (Req 1.2.3) and strong encryption (Req 4.1.1).
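Scoping in practice means finding out where PANs and SAD actually turn up, which is rarely only where the data-flow diagram says. The following is an added example written for these notes (not code from the original study material or from the PCI SSC): a small cardholder-data discovery scan over constructed log lines. It finds PAN candidates (13-19 digits, Luhn-valid), flags sensitive authentication data (track 1/track 2 equivalent data and labelled CVV2/CVC2/CAV2/CID/PIN fields; the label list is a heuristic assumption, since a bare three-digit CVV cannot be fingerprinted), and redacts what it finds, masking PANs to the first six and last four digits. The test PAN 4111111111111111 is a public test number, not a real card.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines for this example (test PANs only, not real cards).
SAMPLE_LOGS = [
    '2023-09-28T10:01:02Z pos01 auth ok pan=4111111111111111 exp=1225 name="J DOE"',
    '2023-09-28T10:01:03Z pos01 debug track2=";4111111111111111=25121010000012345678?"',
    '2023-09-28T10:01:04Z pos02 auth declined pan=4111111111111112 cvv2=123',
    '2023-09-28T10:01:05Z pos02 order=1234567890123 total=19.99',
]

# PAN candidate: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 equivalent data: ;PAN=YYMM SSS discretionary?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}\d*\?")
# Track 1 equivalent data: %B PAN ^ NAME ^ YYMM SSS discretionary ?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Labelled SAD fields (heuristic assumption: the labels an app might log).
SAD_LABEL_RE = re.compile(r"\b(cvv2|cvc2|cav2|cid|pin|pin_?block)\s*[=:]\s*\S+", re.I)


@dataclass
class Finding:
    line_no: int
    pans: list = field(default_factory=list)
    sad: list = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; filters out order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line: str) -> list:
    """Return unique Luhn-valid PAN candidates in a line."""
    pans = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in pans:
            pans.append(digits)
    return pans


def find_sad(line: str) -> list:
    """Return labels of sensitive authentication data found in a line."""
    labels = []
    if TRACK1_RE.search(line):
        labels.append("track1")
    if TRACK2_RE.search(line):
        labels.append("track2")
    for m in SAD_LABEL_RE.finditer(line):
        labels.append(m.group(1).lower())
    return labels


def mask_pan(pan: str) -> str:
    """Mask to first six / last four, the most PCI DSS 3.0 Req 3.3 allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(line: str) -> str:
    """Remove SAD entirely, then mask any remaining Luhn-valid PAN."""
    line = TRACK1_RE.sub("[TRACK1 REMOVED]", line)
    line = TRACK2_RE.sub("[TRACK2 REMOVED]", line)
    line = SAD_LABEL_RE.sub(lambda m: m.group(1) + "=[REMOVED]", line)
    for pan in find_pans(line):
        line = line.replace(pan, mask_pan(pan))
    return line


def scan(lines) -> list:
    """Report every line that carries PAN or SAD; any hit puts the system in scope."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans, sad = find_pans(line), find_sad(line)
        if pans or sad:
            findings.append(Finding(n, pans, sad))
    return findings


def in_scope(findings) -> bool:
    """A system that stores, processes or transmits PAN or SAD is in PCI DSS scope."""
    return bool(findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: pans={[mask_pan(p) for p in f.pans]} sad={f.sad}")
    for line in SAMPLE_LOGS:
        print(redact(line))
```

Note the limits: line 3 carries a PAN-looking value that fails Luhn, so it is neither reported nor masked, while its cvv2 field is still flagged as SAD; the 13-digit order number on line 4 is correctly ignored. A real discovery run would also cover databases, backups and memory dumps, not just logs, because "cardholder data flows help set scope" only holds if the flows you mapped are the flows that exist.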
Document information
- Uploaded on
- September 28, 2023
- Number of pages
- 6
- Written in
- 2023/2024
- Type
- Exam (elaborations)
- Contains
- Questions & answers