PCI – DSS Exam with Complete Solutions

PCI – DSS Exam with Complete Solutions -Customer purchasing goods either as a "Card Present" or Card Not Present" transaction -Receives the payment card and bills from the issuer - Answer ️️ -Cardholder -Primary Account Number (PAN) -Cardholder Name -Expiration Date -Service Code - Answer ️️ -Cardholder Data Include: -Full track data (Magnetic-stripe data or equivalent on a chip) -CAV2/CVC2/CVV2/CID -PINs/PIN blocks - Answer ️️ -Sensitive Authentication Data includes: American Express Discover JCB International MasterCard Visa - Answer ️️ -Payment Brand -Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard & Visa) -Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB) - Answer ️️ - Issuer Organization accepting the payment card for payment during a purchase - Answer ️️ - Merchant *Bank or entity the merchant uses to process their payment card transactions *Receive authorization request from merchant and forward to Issuer for approval *Provide authorization, clearing, and settlement services to merchants *Acquirer is also called --Merchant Bank --ISO --Payment Brand -Amex, Discover, JCB --Never Visa or MasterCard - Answer ️️ -Acquirer *Acquirer is responsible for merchant compliance --Know payment brand compliance programs and how they apply to merchants --Ensure that their merchants understand PCI DSS compliance requirements and track compliance efforts --Manage Merchant communications *work with merchants until compliance has been validated --Merchants are not compliant until all applicable requirements have been met and validated --Acquirer is responsible for providing merchant compliance status to payment brands *Incur any liability that may result from non-compliance with payment brand compliance programs - Answer ️️ -Common Acquirer Responsibilities *A service provider is a business that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. -Sometimes a service provider is a merchant *Service Provider also includes companies that provide services (to merchants, service providers, or other entities), which control or could impact the security of cardholder data - Answer ️️ -Service Providers 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters - Answer ️️ -Standard 1: Build and Maintain a Secure Network and Systems 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks - Answer ️️ -Standard 2: Protect Cardholder Data 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications - Answer ️️ -Standard 3: Maintain a Vulnerability Management Program 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data - Answer ️️ -Standard 4: Implement Strong Access Control Measures 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes - Answer ️️ -Standard 5: Regularly Monitor and Test Networks 12. Maintain a policy that addresses information security for all personnel - Answer ️️ - Standard 6: Maintain an Information Security Policy Install and maintain a firewall configuration to protect cardholder data - Answer ️️ - Requirement 1 Do not use vendor-supplied defaults for system passwords and other security parameters - Answer ️️ -Requirement 2 Protect stored cardholder data - Answer ️️ -Requirement 3 Encrypt transmission of cardholder data across open, public networks - Answer ️️ - Requirement 4 Protect all systems against malware and regularly update anti-virus software or programs - Answer ️️ -Requirement 5 Develop and maintain secure systems and applications - Answer ️️ -Requirement 6 Restrict access to cardholder data by business need to know - Answer ️️ -Requirement 7 Identify and authenticate access to system components - Answer ️️ -Requirement 8 Restrict physical access to cardholder data - Answer ️️ -Requirement 9 Track and monitor all access to network resources and cardholder data - Answer ️️ - Requirement 10 Regularly test security systems and processes - Answer ️️ -Requirement 11 Maintain a policy that addresses information security for all personnel - Answer ️️ - Requirement 12 Establish and implement firewall and router configuration standards that include the following: - Answer ️️ -Requirement 1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations - Answer ️️ -Requirement 1.1.1 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks - Answer ️️ -Requirement 1.1.2 Current diagram that shows all cardholder data flows across systems and networks - Answer ️️ -Requirement 1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone - Answer ️️ -Requirement 1.1.4 Description of groups, roles, and responsibilities for management of network components - Answer ️️ -Requirement 1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2. - Answer ️️ -Requirement 1.1.6 Requirement to review firewall and router rule sets at least every six months - Answer ️️ - Requirement 1.1.7 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage. - Answer ️️ -Requirement 1.2 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. - Answer ️️ -Requirement 1.2.1 Secure and synchronize router configuration files. - Answer ️️ -Requirement 1.2.2 Install perimeter firewalls between all wireless networks and the ca