
PCI ISA Latest 2023 with Complete Answers


SAQ-A ✔✔ E-commerce or mail/telephone-order merchants whose card processing is fully outsourced to a validated third party. No processing, transmitting or storing of CHD is done by the merchant.
SAQ-B ✔✔ Merchants with imprint machines and/or standalone dial-out terminals only.
SAQ-B-IP ✔✔ Same as SAQ-B, but the standalone terminals connect over IP rather than dial-out.
SAQ-C ✔✔ Merchants with payment application systems connected to the Internet but no electronic CHD storage. Not available to e-commerce channels.
SAQ-C-VT ✔✔ Merchants who only use a web-based virtual terminal from a validated third party, keying in one transaction at a time. Not available to e-commerce channels.
SAQ-A-EP ✔✔ Same as SAQ-A, but the merchant's website could affect the security of the outsourced third-party payment solution.
SAQ-D ✔✔ Used by merchants not eligible for any other SAQ. Service providers must always use SAQ-D.
Where are firewalls required ✔✔ Between the Internet and the CDE (cardholder data environment), between the DMZ and the internal network, and between wireless networks and the CDE.
How often must firewall rules be reviewed ✔✔ At least every 6 months and after any significant change to the environment.
Non-console admin access must be ______ ✔✔ Encrypted with strong cryptography.
CHD can only be stored for how long? ✔✔ Per the merchant's documented data retention policy, which is based on business, regulatory and legal requirements.
CHD that has exceeded its defined retention period must be deleted based on a ________ process ✔✔ Quarterly.
When is it OK to store sensitive authentication data (SAD)? ✔✔ Only temporarily, prior to authorization. Issuers may store SAD where there is a documented business need.
Sensitive Authentication Data ✔✔ Full track data (Track 1, Track 2, or the equivalent data from a chip), the card verification code (CVV/CVC/CID), and the PIN or PIN block.
When masking a card number what can be shown ✔✔ At most the first 6 and last 4 digits.
Acceptable methods for making PAN unreadable ✔✔ One-way hash of the entire PAN, truncation, index tokens (tokenization), and strong cryptography with proper key management.
Secret/private keys must be protected by what method(s) ✔✔ 1) Encrypted with a key-encrypting key (KEK) at least as strong as the data-encrypting key and stored separately from it; 2) held within a Hardware Security Module (HSM) or other secure cryptographic device; 3) split into at least two full-length key components or key shares (split knowledge).
Split Knowledge ✔✔ Two or more people separately hold key components; each knows only their own component and never the whole key.
List 3 or more open public networks ✔✔ Internet, wireless networks (802.11 and Bluetooth), cellular networks, satellite networks.
WEP ✔✔ Wired Equivalent Privacy, the original 802.11 encryption. Very weak; deprecated by IEEE in 2004. Use WPA2 with AES instead.
Antivirus must be installed on what systems ✔✔ Those commonly affected by malware.
Systems considered not commonly affected by malware must be reviewed ____________________ ✔✔ Periodically, to confirm they still do not require anti-virus software.
CVSS ✔✔ Common Vulnerability Scoring System: an open framework for scoring the severity of vulnerabilities.
Critical security patches must be installed how soon after their release ✔✔ Within one month.
When can live PAN data be used for development and testing ✔✔ Never.
Change management process must include the following ✔✔ 1) Documentation of impact, 2) approval by authorized parties, 3) functionality testing, 4) back-out procedures.
Developers must be trained at least _____________ on secure coding practices ✔✔ Annually.
Access for terminated employees must be removed within ___________ ✔✔ Immediately.
Accounts inactive for ___________ must be removed/disabled ✔✔ 90 days.
Allowed # of invalid login attempts before lockout ✔✔ 6.
Account lockout duration ✔✔ At least 30 minutes, or until an administrator re-enables the user ID.
Lock or terminate sessions after this period of inactivity ✔✔ 15 minutes.
Password minimum length ✔✔ 7 characters.
Password complexity requirements ✔✔ Both numeric and alphabetic characters. That's it.
Change password every _________ ✔✔ 90 days.
Password can't match the last _______ passwords used ✔✔ 4.
Maintain data center visitor logs for at least ____________ ✔✔ 3 months.
Security logs must be reviewed how often? ✔✔ Daily.
Audit trail logs must be retained for what period of time? ✔✔ At least 1 year.
Audit logs must be immediately accessible if they are newer/younger than? ✔✔ 3 months; the most recent three months must be immediately available for analysis.
Check for unauthorized WAP at least _______ ✔✔ Quarterly.
Vulnerability scans both internal and external must be done _______ ✔✔ Quarterly and after any significant change.
ASV ✔✔ Approved Scanning Vendor; one must be used for the quarterly external scans.
Pen Test ✔✔ Required at least annually. Different from, and more intensive than, a vulnerability scan. Service providers must additionally test their segmentation controls at least every 6 months.
File Integrity Monitoring (FIM) must be reviewed ___________ ✔✔ Weekly (critical file comparisons at least weekly).
PCI SSC's founding payment brands ✔✔ American Express, Visa, MasterCard, Discover, JCB.
PA-DSS ✔✔ Payment Application Data Security Standard.
P2PE ✔✔ Point-to-Point Encryption standard.
PTS ✔✔ PIN Transaction Security standard.
POI ✔✔ Point of Interaction (the PTS device requirements for payment terminals).
HSM ✔✔ Hardware Security Module (the PTS device requirements for HSMs).
PCI DSS, PA-DSS, PTS, POI, HSM ✔✔ Security standards published by the PCI SSC.
QIR ✔✔ Qualified Integrator and Reseller.
Who might install a payment application for a merchant ✔✔ A QIR (Qualified Integrator and Reseller).
Authorization ✔✔ The merchant's request, sent via the acquirer, for the issuer to approve the transaction.
Clearing ✔✔ Acquirer and issuer exchange purchase and reconciliation information.
Settlement ✔✔ Issuer pays the acquirer; the acquirer pays the merchant; the issuer bills the cardholder.
Issuer ✔✔ Entity that issues cards to cardholders. Usually a bank, but American Express, JCB and Discover issue cards directly to cardholders.
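The masking, truncation and hashing cards above describe controls that are easy to get subtly wrong in code, so here is an added worked example in Python that is not part of the original flashcards or of any PCI SSC document. It masks and truncates a PAN to the first-6/last-4 form, computes a keyed one-way hash of the full PAN, and scans a few constructed sample log lines for unmasked PANs using a digit-run regex plus a Luhn check so that order numbers and timestamps are not flagged. All function names, the regex, and the sample log lines are my own assumptions; the card numbers used are well-known test PANs, not real cards.

```python
"""Added example (not from the flashcards): PCI-style PAN masking, truncation,
keyed hashing, and detection of unmasked PANs in application logs.
Sample log lines are constructed for the demo."""
import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (a 20-digit ID is not sliced into a PAN).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most non-PAN digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits(pan: str) -> str:
    """Strip separators and enforce the 13-19 digit PAN length range."""
    d = re.sub(r"\D", "", pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return d


def mask_pan(pan: str) -> str:
    """Display masking (PCI DSS 3.3): at most the first 6 and last 4 digits visible."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation (PCI DSS 3.4): the middle digits are discarded, not hidden."""
    d = _digits(pan)
    return d[:6] + d[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the entire PAN (PCI DSS 3.4). A plain SHA-256 is not
    enough: if the BIN (first 6) and last 4 are known from a truncated copy, only
    about a million middle values remain and the hash is brute-forced in seconds.
    The key must be managed like any other PCI key (HSM or KEK, split knowledge)."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def find_unmasked_pans(lines):
    """Scan log lines; return (line_no, masked_pan) for every Luhn-valid PAN found.
    The hit is reported masked so the scanner's own output does not leak CHD."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_RE.finditer(line):
            d = re.sub(r"\D", "", m.group())
            if luhn_ok(d):
                hits.append((n, mask_pan(d)))
    return hits


# Constructed sample log lines (test PANs 4111... and 5555...; not real cards).
SAMPLE_LOG = [
    "2023-04-07 12:00:01 order=4111111111111111 status=approved",   # full PAN leaked
    "2023-04-07 12:00:02 card=411111******1111 status=approved",     # properly masked
    "2023-04-07 12:00:03 txn_id=1234567890123456 status=declined",   # 16 digits, fails Luhn
    "2023-04-07 12:00:04 card=5555 5555 5555 4444 status=approved",  # spaced PAN leaked
]

if __name__ == "__main__":
    for line_no, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {line_no}: unmasked PAN {masked}")
```

Two practical points the cards do not spell out: the scanner reports its findings already masked, because a log-scanning tool that writes full PANs into its own report just creates another CHD store; and a truncated copy and a hashed copy of the same PAN should not sit side by side unless the hash is keyed (or otherwise protected), since the truncation hands an attacker everything but the middle digits.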

Uploaded On: Apr 07, 2023
Seller: Nutmegs
Number of pages: 8