PCI ISA Flashcards 3.2.1 Exam Q’s and A’s
-Non-console administrator access to any web-based management interfaces must be
encrypted with technology such as ______ - -HTTPS
-Requirements 2.2.2 and 2.2.3 cover the use of secure services, protocols and daemons.
Which of the following is considered to be secure? - -SSH
-Which of the following is considered "Sensitive Authentication Data"? - -Card Verification
Value (CAV2/CVC2/CVV2/CID), Full Track Data, PIN/PIN Block
-True or False: It is acceptable for merchants to store Sensitive Authentication Data after
authorization as long as it is strongly encrypted? - -False
-When a PAN is displayed to an employee who does NOT need to see the full PAN, the
minimum digits to be masked are: - -All digits between the first six and last four
-Which of the following is true regarding protection of PAN? - -PAN must be rendered
unreadable during transmission over open, public networks (including public wireless networks)
-Which of the following may be used to render PAN unreadable in order to meet
requirement 3.4? - -Hashing the entire PAN using strong cryptography
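The masking rule in the 3.3 card and the 3.4 hashing option, worked through as an added example (not from the flashcard set or from any PCI SSC material). It uses the well-known test PAN 4111111111111111 as constructed input and assumes SHA-256 / HMAC-SHA-256 as the strong hash; the function names are my own. The last function demonstrates the failure mode behind the note in Requirement 3.4: if a truncated or masked PAN and an unkeyed hash of the whole PAN are both available, only the hidden middle digits are unknown, and the Luhn check digit prunes most candidates, so the PAN can be brute-forced in seconds. That is why hashed and truncated versions of the same PAN must not be correlatable, and why a keyed hash (HMAC, with the key managed under Requirements 3.5 and 3.6) is the safer way to render PANs unreadable.

```python
import hashlib
import hmac
import itertools
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check used by all major card brands; prunes 90% of guesses below."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3 display masking: at most the first six and last four digits visible."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str) -> str:
    """PCI DSS 3.4 option: one-way hash of the ENTIRE PAN with strong cryptography."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 over the whole PAN; the key lives under 3.5/3.6 key management
    (HSM or KEK-wrapped, fewest custodians), so a leaked digest alone is useless."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_pan(masked: str, digest: str) -> Optional[str]:
    """Why the 3.4 note matters: given a masked/truncated PAN and an UNKEYED hash of
    the same PAN, enumerate the hidden middle digits (10^6 for a 16-digit PAN), keep only
    Luhn-valid candidates and compare hashes. Returns the PAN, or None if the digest was
    produced with a key the attacker does not have."""
    first6, last4 = masked[:6], masked[-4:]
    n_hidden = len(masked) - 10
    for mid in itertools.product("0123456789", repeat=n_hidden):
        cand = first6 + "".join(mid) + last4
        if luhn_valid(cand) and hash_pan(cand) == digest:
            return cand
    return None


if __name__ == "__main__":
    pan = "4111111111111111"     # constructed test PAN, not a real card
    masked = mask_pan(pan)
    print(masked, recover_pan(masked, hash_pan(pan)))            # recovered
    print(recover_pan(masked, keyed_hash_pan(pan, b"secret")))  # None
```

Truncation for storage (3.4) and masking for display (3.3) both leave the first six and last four, so the same recovery applies to either; the keyed variant is what stops it.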
-True or False Where keys are stored on production systems, split knowledge and dual
control is required? - -True
-When assessing requirement 6.5, testing to verify secure coding techniques are in place to
address common coding vulnerabilities includes: - -Reviewing software development
policies and procedures
-One of the principles to be used when granting user access to systems in CDE is: - -Least
privilege
-An example of a "one-way" cryptographic function used to render data unreadable is: - -
SHA-2
-A set of cryptographic hash functions designed by the National Security Agency (NSA). - -
SHA-2 (Secure Hash Algorithm 2)
-True or False: Procedures must be developed to easily distinguish the difference between
onsite personnel and visitors. - -True
-When should access for terminated employees be revoked? - -Immediately
-True or False: A visitor with a badge may enter a sensitive area unescorted. - -False,
visitors must be escorted at all times.
-Protection of keys used for encryption of cardholder data against disclosure must include
at least: (4 items) - -*Access to keys is restricted to the fewest number of custodians
necessary
*Key-encrypting keys are at least as strong as the data-encrypting keys they protect
*Key encrypting keys are stored separately from data-encrypting keys
*Keys are stored securely in the fewest possible locations
-Description of cryptographic architecture includes: - -*Details of all algorithms, protocols,
and keys used for the protection of cardholder data, including key strength and expiry date
*Description of the key usage for each key
*Inventory of any HSMs and other SCDs used for key management
-Which two practices are prohibited when disk-level encryption (rather than file- or
column-level database encryption) is used to meet requirement 3.4? - -*Cannot use the same
user account authenticator as the operating system (logical access must be managed
independently of native OS authentication)
*Cannot use a decryption key that is associated with or derived from the system's local user
account database or general network login credentials.
-DESV: User accounts and access privileges are reviewed at least every ______ - -6 months
-Track 1 (Length up to 79 characters) - -Contains every field found on Track 2 plus the
cardholder name (alphanumeric)
-Track 2 (Length up to 40 characters) - -Numeric only; provides shorter processing time for
older dial-up transmissions.
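The two track layouts above, parsed in an added example (not from the flashcard set; the layouts follow ISO/IEC 7813 and the sample track strings are constructed around the test PAN 4111111111111111, not captured from a real card). It shows why Track 1 is a superset of Track 2, enforces the 79- and 40-character limits, and ties the data back to the "Sensitive Authentication Data" card: full track data must not be kept after authorization, so the last function keeps only the elements PCI DSS permits to be stored and drops the discretionary data that carries card verification and PIN verification values. Function names are my own.

```python
import re
from typing import Dict

# Constructed sample track data using a well-known test PAN (not a real card).
TRACK1_SAMPLE = "%B4111111111111111^DOE/JOHN^2512101123456789012345?"
TRACK2_SAMPLE = ";4111111111111111=2512101123456789012?"

# ISO/IEC 7813: '%' / ';' start sentinels, '?' end sentinel, '^' / '=' field separators.
TRACK1_RE = re.compile(
    r"^%(?P<format_code>[A-Z])(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<expiry>\d{4})(?P<service_code>\d{3})(?P<discretionary>[^?]*)\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<expiry>\d{4})(?P<service_code>\d{3})(?P<discretionary>[^?]*)\?$"
)


def parse_track1(track: str) -> Dict[str, str]:
    """Track 1: alphanumeric, at most 79 characters including sentinels.
    Fields: format code, PAN, cardholder name, expiry (YYMM), service code, discretionary."""
    if len(track) > 79:
        raise ValueError("Track 1 exceeds 79 characters")
    m = TRACK1_RE.match(track)
    if not m:
        raise ValueError("not a valid Track 1 layout")
    return m.groupdict()


def parse_track2(track: str) -> Dict[str, str]:
    """Track 2: numeric only, at most 40 characters including sentinels.
    Same fields as Track 1 minus format code and name, hence faster on old dial-up links."""
    if len(track) > 40:
        raise ValueError("Track 2 exceeds 40 characters")
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a valid Track 2 layout")
    return m.groupdict()


# Elements PCI DSS allows to be retained after authorization (PAN still needs 3.4 protection).
STORABLE_AFTER_AUTH = {"pan", "name", "expiry", "service_code"}


def post_authorization_record(fields: Dict[str, str]) -> Dict[str, str]:
    """Full track data is Sensitive Authentication Data and may not be stored after
    authorization even when encrypted. Drop discretionary data (CVV/PVV live there) and
    anything else not on the permitted list before the record is written anywhere."""
    return {k: v for k, v in fields.items() if k in STORABLE_AFTER_AUTH}


if __name__ == "__main__":
    t1 = parse_track1(TRACK1_SAMPLE)
    t2 = parse_track2(TRACK2_SAMPLE)
    print("Track 2 fields are a subset of Track 1:", set(t2) < set(t1))
    print("Storable after auth:", post_authorization_record(t1))
```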
-DESV - -Designated Entities Supplemental Validation
-DESV Requirements: - -*Implementing a PCI DSS Compliance program
*Document and validate PCI DSS Scope
*Validate PCI DSS is incorporated into business-as-usual (BAU) activities
*Control and manage logical access to cardholder data environment
*Identify and respond to suspicious events
-Who could DESV requirements apply to? - -Those that have suffered significant or
repeated breaches of cardholder data.
-PCI DSS requirements apply to_____ - -people, processes, and technologies
-When planning for an assessment, which activities should be included during planning? -
-*List the people to be interviewed, system components in scope, documentation (training,
payment logs) and facilities (physical security) to be reviewed
*Ensure the assessor is familiar with the technologies in the assessment
*If sampling, verify the sample selection and size are representative of the entire population