PCI DSS ISA Study Guide questions and answers 2022
Q: Requirement 4
A: Encrypt transmission of cardholder data across open, public networks.

Q: Strong cryptography and security protocols are to include the following:
A: Only trusted keys and certificates are accepted, the protocol in use only supports secure versions or configurations, and the encryption strength is appropriate for the encryption methodology in use.

Q: Examples of security protocols
A: TLS, IPSEC, SSH

Q: Testing procedures for verifying secure transmission of sensitive cardholder data
A:
- Observe a sample of inbound and outbound transmissions as they occur.
- Examine keys and certificates to ensure that only trusted keys and certificates are accepted.
- Examine system configurations to verify that the protocols in use do not support insecure versions or configurations.
- Examine system configurations to verify that proper encryption strength is implemented for the encryption methodology in use.

Q: What is the testing procedure for TLS implementations?
A: Examine system configurations to verify that TLS is enabled.

Q: Wireless networks transmitting cardholder data or connected to the cardholder data environment must use what?
A: Industry best practices (IEEE 802.11i) to implement strong encryption for authentication and transmission.

Q: Examples of weak encryption
A: WEP, SSL

Q: Unprotected PANs can be sent via end-user messaging technologies.
A: False

Q: Examples of end-user messaging technologies
A: e-mail, instant messaging, SMS, chat

Q: If end-user messaging technologies are used to send cardholder data, what must be observed?
A: A sample of outbound transmissions as they occur, to verify that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.

Q: What must be reviewed regarding unprotected PANs related to end-user messaging technologies?
A: That a written policy exists stating that unprotected PANs are not to be sent via end-user messaging technologies.

Q: What is considered in scope?
A: System components that:
- store, process, or transmit cardholder data
- interact with cardholder data
- have a connection to the CDE
- provide security services, facilitate segmentation

Q: Besides technologies, what else is considered in scope?
A: People and processes

Q: Examples of systems providing security services
A:
- Authentication servers (LDAP)
- Time management servers (NTP)
- Patch deployment servers
- Audit log servers and correlation servers
- Anti-virus management servers
- Routers and firewalls filtering network traffic
- Systems performing cryptographic and/or key management functions
- Systems controlling and/or monitoring physical access

Q: Examples of types of technologies
A:
- Servers, applications, networks, devices
- Physical security systems
- Logical security systems
- Payment terminals and point of sale systems
- Electronic communications
- Backups and disaster recovery "hot" sites
- Telecommunications (POTS vs. VOIP)
- Management systems
- Remote access systems

Q: Sampling
A: An option for assessors to facilitate the assessment process. It is NOT used to implement PCI DSS requirements or to select requirements to be assessed.

Q: Principles of sampling
A:
- Must be representative of the entire population
- Business facilities and system components must be considered
- System components must include all combinations
- Must be large enough to provide assurance that controls are implemented as expected
- Sampling methodology must be documented in the ROC

Q: Pre-assessment planning includes:
A:
- List of interviewees, system components, documentation, facilities.
- Familiarity with technologies included in the assessment.
- If sampling, verify that sample selection and size are representative of the entire population.
- Identification of the roles and the individuals within each role to be interviewed as part of the assessment.

Q: What are the six goals of the PCI Data Security Standard?
A:
1. Build and Maintain a Secure Network and Systems.
2. Protect Cardholder Data.
3. Maintain a Vulnerability Management Program.
4. Implement Strong Access Control Measures.
5. Regularly Monitor and Test Networks.
6. Maintain an Information Security Policy.
Written for
- Institution: PCI DSS ISA
- Course: PCI DSS ISA

Document information
- Uploaded on: October 13, 2022
- Number of pages: 6
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers