Exam

PCI DSS Fundamentals Exam Questions and Answers 2022/2023

Pages
6
Grade
A+
Published on
15-12-2022
Written in
2022/2023

A Sustainable Compliance Program must: - ANSWER-Be implemented into Business-as-usual (BAU) activities as part of the organization's overall security strategy.
True or False: The driving objective behind all PCI DSS compliance activities is to attain a compliant report. - ANSWER-False, ongoing security of cardholder data is the driving objective, which will lead to a compliant report.
An effective metrics program can provide useful data for: - ANSWER-Allocation of resources to minimize risk occurrence and measure the business consequences of security events.
Security Goals should include: - ANSWER-Continuous monitoring, testing, documenting implementation, effectiveness, efficiency, impact, and status of controls and activities.
Control-failure response processes should include: - ANSWER-Minimizing the impact of the incident, restoring controls, performing root-cause analysis and remediation, implementing hardening standards and enhancing monitoring.
True or False: 3rd party providers are monitored by issuers - ANSWER-False, organizations should develop and implement processes to monitor the compliance status of their service providers to determine whether a change in status requires a change in the relationship.
True or False: Organizations should evolve their controls with the threat landscape, changes in organization structure, new business initiatives, and changes in business processes and technologies - ANSWER-True, evolving security reduces the negative impact on an organization's security posture.
How can organizations prevent "fall-off" between assessments - ANSWER-Develop a well-designed program of security controls and monitoring practices.
True or False: Network segmentation is one method that can help reduce the number of system components in scope for PCI DSS - ANSWER-True, outsourcing to a 3rd party service provider and using P2PE are other methods of reducing scope.
Who is ultimately responsible for making its own PCI DSS scoping decisions, designing effective segmentation and ensuring its own PCI DSS compliance and related validation requirements are met - ANSWER-Each entity is responsible for itself.
What does segmentation involve - ANSWER-Additional controls to separate systems with different security needs.
Segmentation can consist of: - ANSWER-Logical controls, physical controls or a combination of both.
Name some commonly used segmentation methods - ANSWER-Firewalls and router configurations (preventing traffic in & out), network configurations (preventing communication) and physical controls.
E-commerce Payment Gateway/Payment Processor - ANSWER-May facilitate payment authorization by forwarding transactions to the processors/acquirers that perform the actual payment authorization.
E-Commerce infrastructure may include: - ANSWER-Consumer's browser, application servers, database servers and any other underlying servers or devices such as network devices.
Merchant's infrastructure may include: - ANSWER-Networking and operating system, firewalls, switches, routers and any virtual infrastructure such as hypervisors.
E-commerce infrastructure typically follows what 3-tier computing model - ANSWER-1) Presentation layer (web) 2) Processing layer (application) 3) Data-storage layer.
Requirements for firewall configuration standards are: - ANSWER-A firewall at each internet connection and between any demilitarized zone (DMZ) and the internal network zone.
Examine firewall and router configurations to verify that a DMZ is implemented to limit - ANSWER-Inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Examine firewall and router configurations to verify that inbound internet traffic is limited to - ANSWER-IP addresses within the DMZ.
How often should information security policies and risk assessments be completed - ANSWER-Annually and with any changes.
Which items are included in a risk assessment - ANSWER-Identify critical assets, threats, vulnerabilities, formal documented analysis.
National Institute of Standards and Technology (NIST) proposes what 3 security metrics - ANSWER-1) Implementation measures 2) Efficiency and effectiveness measures 3) Impact measures.
Access to queries and actions on databases is through - ANSWER-Programmatic methods only.
Direct access to databases is restricted to - ANSWER-Database administrators.
True or False: In a flat network, all systems are in scope if any single system stores, processes, or transmits account data - ANSWER-True, this is why network segmentation is important.
Network segmentation (isolating the cardholder data environment from the remainder of the entity's network) may reduce - ANSWER-Scope, cost, difficulty of implementing and maintaining PCI DSS controls, risk to the organization.
Which 3 servers are in scope for PCI DSS - ANSWER-1) Web servers 2) Application servers 3) Database servers.
True or False: There are no solutions or technologies that eliminate all PCI DSS requirements. - ANSWER-True, encryption or tokenization may help reduce risk.
Critical vendor-supplied security patches must be installed within - ANSWER-1 month.
Up-to-date training in secure coding techniques is required at least - ANSWER-Annually.
All segmentation controls must be penetration tested at least - ANSWER-Annually.
An indication that strong cryptography and security protocols like TLS, IPSEC, SSH are in place is - ANSWER-HTTPS.
E-Commerce supporting infrastructure includes all computers and networking technologies such as - ANSWER-Web servers, application servers, database servers, routers, firewalls and intrusion-detection systems/intrusion-prevention systems (IDS/IPS).
True or False: If a system component does NOT process or transmit CHD/SAD, is NOT in the same network segment or subnet and cannot connect to any CDE, it is out of scope for PCI - ANSWER-True. If CHD never touches any system components anywhere, it is out of scope.
When should data storage amount and retention be limited to that which is required for legal, regulatory and/or business requirements? - ANSWER-Secure deletion takes place when no longer needed for legal, regulatory and/or business reasons.
Factors that can impact the scope of the CDE: - ANSWER-Changes to network infrastructure affecting segmentation controls, changes to operational processes, implementation of new business, in-sourcing, outsourcing, mergers and acquisitions.
How often do compensating controls need to be assessed - ANSWER-Annually, validating the risk the compensating control was designed to address.
Name the 3 distinct corporate network zones - ANSWER-Corporate LAN, Shared Services, CDE.
Firewall and router rules ensure that: - ANSWER-Connections permitted into and out of the CDE are to Shared Services, via specifically designated ports and systems, and only where there is a documented business need.
Can the Corporate LAN connect with the CDE - ANSWER-No, this is actively blocked; no traffic that originated in the Corporate LAN is allowed into the CDE.
Common Shared Services may include: - ANSWER-Directory & authentication (e.g. Active Directory, LDAP/AAA), NTP (Network Time Protocol), DNS (Domain Name Service), SMTP (Simple Mail Transfer Protocol), monitoring and scanning tools, backup tools, anti-virus & patch deployment servers.
True or False: Being Compliant is equivalent to being compliant - ANSWER-False, compliance must be documented and procedures that demonstrate compliance must be in place.
Shared Hosting Providers must examine documented results of scope reviews at least - ANSWER-Quarterly; Merchant/Entity ensures scoping is correct.
Quarterly scoping examines: - ANSWER-All in-scope networks and system components and all out-of-scope system components.
Penetration testing of Service Providers' segmentation is completed at least - ANSWER-Every 6 months.
Review of hardware and software technologies is to be completed annually; however, the results should be reviewed: - ANSWER-Every 6 months to ensure no changes have been made.
When a suspicious event has occurred, how often and what should be reviewed - ANSWER-Every 6 months, review of privileges, identify attack patterns and undesirable behavior.
Shared Hosting processes run using: - ANSWER-The unique ID of the entity.
Security Providers review security P&P at least - ANSWER-Quarterly.
The incident response plan is tested at least - ANSWER-Annually.
In regards to shared hosting, verify that the user ID of any application process is - ANSWER-NOT a privileged user (root/admin).
Executive management and board of directors meeting minutes regarding compliance should occur - ANSWER-At least every 6 months.
Examine software-development P&P & interview responsible personnel to verify that cross-site scripting (XSS) is addressed by coding techniques that include - ANSWER-Validating all parameters before inclusion & utilizing context-sensitive escaping.
A cross-site scripting (XSS) attack happens when - ANSWER-A perpetrator discovers a website vulnerability and enables a script injection.
An Admin workstation should be protected by: - ANSWER-Firewall software, multi-factor authentication.
Corporate LAN is a - ANSWER-Untrusted Network.
The Shared Services network zone acts like a DMZ by: - ANSWER-Providing services both to untrusted and trusted users with access to the CDE.
Manufacturers: PCI PTS is - ANSWER-PIN Entry Devices, Card Readers etc.
Software Developers: PCI PA-DSS - ANSWER-Payment Applications.
Merchants & Service Providers: PCI DSS - ANSWER-Secure Environments.
PTS - ANSWER-PIN Transaction Security.
Who sets the standards of PTS - ANSWER-PCI SSC.
What does PCI SSC stand for - ANSWER-Payment Card Industry Security Standard
