PCI ISA LATEST 2023 RATED A+
SAQ-A ✔✔e-commerce or telephone order merchants; processing fully outsourced to validated
3rd party. No processing, transmitting, storing done by merchant
SAQ-B ✔✔merchants with imprint ma
...
PCI ISA LATEST 2023 RATED A+
SAQ-A ✔✔e-commerce or telephone order merchants; processing fully outsourced to validated
3rd party. No processing, transmitting, storing done by merchant
SAQ-B ✔✔merchants with imprint machines and/or merchant with only standalone dial-out
terminals
SAQ-B-IP ✔✔Same as SAQ-B but the terminals not dial-out, the terminals have an IP
connection
SAQ-C ✔✔Merchants with payment apps connected to the Internet but have no CHD storage.
Not available if doing ecommerce
SAQ-C-VT ✔✔Merchants who only use virtual terminals from a validated 3rd party. Do
transactions one at a time. Not available if doing ecommerce
SAQ-A-EP ✔✔Same as SAQ-A but web site could affect the security of outsourced 3rd party
solution.
SAQ-D ✔✔Used by merchants not eligible for any other SAQ. Service providers must always
use SAQ-D
Where are firewalls required ✔✔Between Internet and CHD, between DMZ and internal
network, between wireless networks and CHD
How often must firewall rules be reviewed ✔✔6 months and after significant environment
change
Non-Console admin access must be ______ ✔✔encrypted
CHD data can only be stored for how long? ✔✔based on merchant documented policy based on
biz, regulatory, legal requirements
CHD that has exceeded its defined retention period must be deleted based on a ________ process
✔✔quarterly
When is it OK to store sensitive authentication date (SAD)? ✔✔temporarily prior to
authorization. Issuers can store SAD based on business need
Sensitive Authentication Data ✔✔Full Track, Track 1, Track 2, CVV, PIN. Any equivalent from
chip
When masking a card number what can be shown ✔✔first 6 and last 4
Acceptable methods for making PAN unreadable ✔✔Hash, Truncation, Tokenized, strong key
cryptography
Secret/Private keys must be protected by what method(s) ✔✔1) key-encrypting key, stored
separately. 2) Hardware Security Module (HSM) 3) two full length key components (aka split
knowledge)
Spit Knowledge ✔✔two or more people separately have key components; knowing only their
half
List 3 or more open public networks ✔✔Internet, wireless networks (802.11 and Bluetooth),
Cellular networks, Satellite networks
WEP ✔✔Wired Equivalent Privacy - 802.11 encryption. Very weak. Retired in 2004. Use
WPA2+AES instead
Anitvirus must be installed on what systems ✔✔Those commonly affected by malware
Systems considered not commonly affected by malware must be reviewed
____________________ ✔✔Periodically
CVSS ✔✔Common Vulnerability Scoring System; Open protocol for scoring new
vulnerabilities.
Critical security patches must be installed how soon after their release ✔✔within one month
When can live PAN data be used for development and testing ✔✔NEVER
Change Management process must include the following ✔✔1) Impact 2)Approval 3)Testing
4)Backout
Developers must be trained at least _____________ on secure coding practices ✔✔annually
Access for terminated employees must be removed within ___________ ✔✔immediately
Accounts inactive for ___________ must be removed/disabled ✔✔90 days
Allowed # of invalid login attempts before lockout ✔✔6
Account Lockout Duration ✔✔30 minutes
Lock or terminate sessions after this period of innactivity ✔✔15 minutes
Password minimum length ✔✔7 characters
Password complexity requirements ✔✔numeric and alpha characters. That's it
Change password every _________ ✔✔90 days
Password can't match the last _______ passwords used ✔✔4
Maintain data center visitor logs for at least ____________ ✔✔3 months
Security logs must be reviewed how often? ✔✔Daily
Audit trail logs must be retained for what period of time? ✔✔1 year
Audit logs must be immediately accessible if they are newer/younger than? ✔✔the last 3 months
Check for unauthorized WAP at least _______ ✔✔quarterly
Vulnerability scans both internal and external must be done _______ ✔✔quarterly and after
significant change
ASV ✔✔Authorized Scan Vendor - must use one of these for quarterly external scans
Pen Test ✔✔Required annually. Different and more intense that vulnerability scan. Required
every 6 months for service providers
File Integrity Monitoring (FIM) must be reviewed ___________ ✔✔Weekly
PCI SSC's founding payment brands ✔✔AMEX, Visa, MasterCard, Discover, JCB
PA-DSS ✔✔Payment Application - Digital Security Standard
P2PE ✔✔Point-to-Point Encryption Standard
PTS ✔✔Pin Transaction Security Standard
POI ✔✔Point of Interaction Standard
HSM ✔✔Hardware Security Module Standard
PCI-DSS, PA-DSS, PTS, POI, HSM ✔✔Security standards published by the PCI SSC
QIR ✔✔Qualified Integrator Reseller
Who might install a payment application for a merchant ✔✔QIR-Qualified Integrator Reseller
Authorization ✔✔Merchant request to Acquirer
Clearing ✔✔Acquirer and Issuer exchange purchase and reconciliation info
Settlement ✔✔Issuer pays Acquirer; Acquirer pays Merchant; Issuer bills cardholder
Issuer ✔✔Entity that issues cards to cardholders. Usually a bank but AMEX, JBC, Discover
issue directly to cardholders
[Show More]