PCI - ISA Exam Flash Cards
What makes up SAD? - answer
- Track Data
- CAV2/CVC2/CVV2/CID
- PINs & PIN Blocks
Track 1 - answer Contains all fields of both Track 1 and Track 2, up to 79 characters long
11.2 Internal Scans - Frequency and performed by whom? - answer Quarterly and after significant changes in the network - Performed by a qualified internal or external resource
11.3 Penetration Tests (SERVICE PROVIDERS) - Frequency and performed by whom? - answer Every 6 months by a qualified internal or external resource
11.2 External Scans - Frequency and performed by whom? - answer Quarterly and after significant changes in the network - Performed by a PCI SSC Approved Scanning Vendor (ASV)
11.3 Penetration Tests - Frequency and performed by whom? - answer At least annually and after significant changes in the network - Performed by a qualified internal or external resource
11.2 Review scan reports and verify the scan process includes rescans until: - answer
- External scans: no vulnerabilities exist that are scored 4.0 or higher by the CVSS
- Internal scans: all high-risk vulnerabilities as defined in PCI DSS requirement 6.1 are resolved
Who decides if a ROC or SAQ is required? - answer Payment Brands / Acquirers
10.2 Implement audit trails for all system components to reconstruct the following events: - answer
- All individual accesses to CHD
- Actions taken by any individual with root or admin privileges
- Access to all audit trails
- Invalid logical access attempts
- Use of, and changes to, identification and authentication mechanisms
- Initialization, stopping, or pausing of the audit logs
- Creation and deletion of system-level objects
How long must QSAs retain work papers? - answer 3 years; the same is recommended for ISAs
Firewall and router rule sets must be reviewed every _____________________. - answer 6 months
Things to consider when assessing: - answer People, processes, technology
How often should an entity undergo a process to securely delete stored CHD that exceeds defined retention requirements? - answer At least quarterly
3.6 Key-management operations: Dual Control vs Split Knowledge - answer
Dual Control: At least two people are required to perform any key-management operation, and no one person has access to the authentication materials (e.g., passwords, keys) of another
Split Knowledge: Key components are under the control of at least two people who only have knowledge of their own key components
3.4 PAN is rendered unreadable in which ways? - answer Hash, truncation, encryption, index tokens and pads
6.2 Critical security patches should be installed __________________________________. - answer Within 1 month of release
6.2 Applicable vendor-supplied security patches (non-critical) should be installed: - answer Within an appropriate time frame (e.g., 3 months)
6.4.5 Change control procedures must include the following - answer
- Documentation of impact
- Documented change approval by authorized parties
- Functionality testing to verify the change does not adversely impact the security of the system
- Back-out procedures
6.5 Developers must be trained in up-to-date secure coding techniques at least ________. - answer Annually
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods - answer
- At least annually, and after any changes, review via manual or automated application vulnerability assessment tools/methods
- An automated technical solution that detects and prevents web-based attacks, running continuously
1.3.2 Examine firewall and router configurations to verify inbound traffic is: - answer Limited to IP addresses within the DMZ
7.1.4 Select a sample of user IDs and compare with documented approvals to verify: - answer 1) Documented approval exists for the assigned privileges