PCI ISA Questions and Answers with Certified Solutions (All)
QSAs must retain work papers for a minimum of _______ years. It is a recommendation for ISAs to do the same. ✔✔ 3

According to PCI DSS Requirement 1, firewall and router rule sets need to be reviewed every _____ months. ✔✔ 6

At least ______________ and prior to the annual assessment the assessed entity: identifies all locations and flows of cardholder data to verify they are included in the CDE; confirms the accuracy of their PCI DSS scope; retains their scoping documentation for assessor reference. ✔✔ annually

Scope includes ✔✔ people, processes, technology

Evidence retention: it is recommended that the ISA secure and maintain digital and/or hard copies of case logs, audit results and work papers, notes, and any technical information that was created and/or obtained during the PCI Data Security Assessment for a minimum of ________ or as applicable to company data retention policies. ✔✔ three (3) years

A ______ process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements. ✔✔ quarterly

Do not store SAD after ____________ (even if encrypted). SAD is full track data, the card verification code (CAV2/CVC2/CVV2/CID) and the PIN/PIN block. ✔✔ authorization

Manual clear-text key-management procedures specify processes for the use of the following: ✔✔ split knowledge and dual control

Dual control ✔✔ at least two people are required to perform any key-management operation, and no one person has access to the authentication materials (for example, passwords or keys) of another

Split knowledge ✔✔ key components are under the control of at least two people who only have knowledge of their own key components

PAN is rendered unreadable anywhere it is stored in which ways? ✔✔ one-way hash of the entire PAN; truncation; index tokens and pads; strong cryptography with associated key-management processes. (Masking to first six/last four is a display control, not a storage control, and a hashed and a truncated version of the same PAN must not be stored together where they could be correlated to reconstruct it.)

Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within _____ of release. ✔✔ one month

Installation of all applicable vendor-supplied security patches within an ___________________ ✔✔ appropriate time frame (for example, within three months)

Change control procedures must include these 4 things ✔✔ documentation of impact; documented approval by authorized parties; functionality testing to verify the change does not adversely affect security (including that PCI DSS requirements are still met); back-out procedures

Train developers at least ________ in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. ✔✔ annually

Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods at least ___________________; or an automated technical solution that detects and prevents web-based attacks (for example, a web application firewall) active _________ ✔✔ annually and after any changes; at all times

Observe user accounts to verify that any inactive accounts over __________ are either removed or disabled. ✔✔ 90 days old

For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than ___________ invalid logon attempts. ✔✔ 6

Once a user account is locked out, it remains locked for a minimum of _____________ or ____________ ✔✔ 30 minutes, or until a system administrator resets the account

Idle time-out features have been set to ________ ✔✔ 15 minutes or less

For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords at least once every ______. ✔✔ 90 days

New passwords/passphrases cannot be the same as the ____________ previously used passwords/passphrases ✔✔ 4 (the last four)

Verify that data from video cameras and/or access control mechanisms is reviewed, and that data is stored for ______________ ✔✔ at least three months

Visitor log ✔✔ retained for at least three months; records the visitor's name, the firm represented, and the onsite personnel who authorized physical access

Verify that the storage location security is reviewed at least _________ to confirm that backup media storage is secure. ✔✔ annually

Review media inventory logs to verify that logs are maintained and media inventories are performed at least _____________ ✔✔ annually

Reviewing the following at least __________, either manually or via log tools: all security events; logs of all system components that store, process, or transmit CHD and/or SAD; logs of all critical system components; logs of all servers and system components that perform security functions ✔✔ daily

Reviewing logs of all other system components _______, either manually or via log tools, based on the organization's policies and risk management strategy. ✔✔ periodically

Retaining audit logs for at least _________, with a minimum of ________________ immediately available online ✔✔ one year; three months

Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a _______________ basis ✔✔ quarterly

Run internal and external network vulnerability scans at least _____ and __________________ in the network ✔✔ quarterly; after any significant change

Verify that __________ internal and external (ASV) scans occurred in the most recent _________ ✔✔ four passing quarterly scans; 12-month period

Penetration testing when? How often must service providers test segmentation controls? ✔✔ at least annually and after any significant infrastructure or application upgrade or modification; segmentation controls are tested at least annually, and service providers must test them at least every six months and after any changes to segmentation controls

IDS/IPS where? ✔✔ at the perimeter of the CDE and at critical points inside the CDE

Perform critical file comparisons at least ___________ ✔✔ weekly

Information security policy reviewed when? ✔✔ at least annually, and updated when the environment changes

Entities monitor their service providers' PCI DSS compliance status at least ________ ✔✔ annually

Incident response plan tested when? ✔✔ at least annually

Service providers only: perform reviews at least _____ to confirm personnel are following security policies and operational procedures. ✔✔ quarterly

Where POS POI terminals (and the SSL/TLS termination points to which they connect) use SSL and/or early TLS, the entity must either: ✔✔ confirm the devices are not susceptible to any known exploits for those protocols, or have a formal Risk Mitigation and Migration Plan in place

DESV: user accounts and access privileges are reviewed at least every _________ ✔✔ six months

PCI DSS requirements are applicable wherever _______________ is stored, processed, or transmitted ✔✔ account data, that is PAN (cardholder data) or SAD

Which track contains all fields of both Track 1 and Track 2? ✔✔ Track 1 (length up to 79 characters)

Track 2 contains? ✔✔ a shorter record that gives faster processing time for older dial-up transmissions; length up to 40 characters

If you find a potential card number, you can use a ________ check to see if it is a valid card number ✔✔ mod 10 (Luhn)

DESV: examine documented results of scope reviews and interview personnel to verify that the reviews are performed: ✔✔ at least quarterly and after significant changes to the in-scope environment

Processes are defined and implemented to review hardware and software technologies when? ✔✔ annually
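The mod 10 (Luhn) check in the item above is the first filter an ISA applies when a data-discovery scan turns up a possible PAN. The Python below is an added worked example, not part of the original study set: it finds 13 to 19 digit runs in text (optionally separated by spaces or hyphens), keeps only those that pass Luhn, and reports each hit already reduced to first six/last four so the scanner itself never writes a full PAN into its own output. The regex, the function names and the sample log lines are all constructed for this illustration; the card numbers in it are the widely published Visa and Amex test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits (constructed pattern).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. Line 1 is a Luhn-valid Visa test number,
# line 2 the same number with a corrupted check digit, line 3 a Luhn-valid
# Amex test number next to a phone number, line 4 a 13-digit batch id.
SAMPLE_LOG = """\
2023-04-03 10:15:02 order=10042 card=4111 1111 1111 1111 amount=19.99
2023-04-03 10:15:09 order=10043 card=4111-1111-1111-1112 amount=5.00
2023-04-03 10:16:44 support ticket ref 378282246310005 callback 555-123-4567
2023-04-03 10:17:00 batch_id=1680480902123 retry=0
"""


def luhn_valid(digits: str) -> bool:
    """Mod 10 (Luhn) checksum.

    Walking from the rightmost digit, double every second digit, subtract 9
    from any doubled value above 9, add everything up; the string is valid
    when the total is a multiple of 10. Non-digit input is rejected.
    """
    if not digits or not digits.isdigit():
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most PCI DSS 3.3 allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid candidate in text.

    Each hit carries the offset, the digit count and the masked form only;
    the full PAN is deliberately not returned so scan results can be logged
    and shared without themselves becoming stored cardholder data.
    """
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(
                {"start": match.start(), "length": len(digits), "masked": mask_pan(digits)}
            )
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print(f"offset={hit['start']} digits={hit['length']} pan={hit['masked']}")
```

Luhn is only a checksum: about one random digit string in ten passes it, so a hit is a candidate to confirm against BIN ranges and context, not proof of a PAN (the 13-digit batch id in the sample is dropped only because its check digit happens to fail). The first-six/last-four output is the display format permitted by Requirement 3.3; it is not a substitute for the Requirement 3.4 controls (hashing, truncation, tokens, strong cryptography) on the PAN where it is actually stored.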
By Nutmegs 2 years ago
Uploaded on: Apr 03, 2023
Number of pages: 10