PCI - ISA Exam
1. What makes up SAD?
   - Track data
   - CAV2/CVC2/CVV2/CID
   - PINs & PIN blocks

2. Track 1
   Contains all fields of both Track 1 and Track 2, up to 79 characters long

3. 11.2 Internal scans - frequency and performed by whom?
   Quarterly and after significant changes in the network. Performed by a qualified internal or external resource.

4. 11.3 Penetration tests (SERVICE PROVIDERS) - frequency and performed by whom?
   Every 6 months by a qualified internal or external resource.

5. 11.2 External scans - frequency and performed by whom?
   Quarterly and after significant changes in the network. Performed by a PCI SSC Approved Scanning Vendor (ASV).

6. 11.3 Penetration tests - frequency and performed by whom?
   At least annually and after significant changes in the network. Performed by a qualified internal or external resource.

7. 11.2 Review scan reports and verify that the scan process includes rescans until:
   - External scans: no vulnerabilities exist that are scored 4.0 or higher by the CVSS
   - Internal scans: all high-risk vulnerabilities as defined in PCI DSS requirement 6.1 are resolved

8. Who decides if a ROC or SAQ is required?
   Payment brands / acquirers

9. 10.2 Implement audit trails for all system components to reconstruct the following events:
   - All individual accesses to CHD
   - Actions taken by any individual with root or admin privileges
   - Access to all audit trails
   - Invalid logical access attempts
   - Use of, and changes to, identification and authentication mechanisms
   - Initialization, stopping, or pausing of the audit logs
   - Creation and deletion of system-level objects

10. How long must QSAs retain work papers?
    3 years; the same is recommended for ISAs

11. Firewall and router rule sets must be reviewed every _____________________.
    6 months

12. Things to consider when assessing:
    People, processes, technology

13. How often should an entity undergo a process to securely delete stored CHD that exceeds defined retention requirements?
    At least quarterly

14. 3.6 Key-management operations: dual control vs. split knowledge
    Dual control: at least two people are required to perform any key-management operation, and no one person has access to the authentication materials (e.g., passwords, keys) of another.
    Split knowledge: key components are under the control of at least two people who only have knowledge of their own key components.

15. 3.4 PAN is rendered unreadable in which ways?
    Hash, truncation, encryption, index tokens and pads

16. 6.2 Critical security patches should be installed __________________________________.
    Within 1 month of release

17. 6.2 Installation of applicable vendor-supplied security patches (non-critical) should be done:
    Within an appropriate time frame (e.g., 3 months)

18. 6.4.5 Change control procedures must include the following:
    - Documentation of impact
    - Documented change approval by authorized parties
    - Functionality testing to verify the change does not adversely impact the security of the system
    - Back-out procedures

19. 6.5 Developers must be trained in up-to-date secure coding techniques at least ________.
    Annually

20. 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected
    - At least annually, and after any changes, review via manual or automated application vulner-