48 Cards in this Set
4 levels a Compensating Control must meet |
- Meet the intent and rigor of the original requirement - Offset the risk the original PCI requirement was meant to mitigate - Be above and beyond - Be commensurate with the additional risk imposed by not adhering to the original requirement |
|
Which one of two conditions must be met to allow for the consideration of a Compensating Control |
- Legitimate Technical Constraint - Documented Business Constraint |
|
SAQ |
Self-Assessment Questionnaire |
|
SAQ-A |
- Card-not-present Merchants |
|
SAQ-B |
- Imprint only / No Electronic Storage |
|
SAQ-C-VT |
Merchants using Web-based virtual payment terminals - no Electronic Storage |
|
SAQ-C |
Merchants with segmented Payment Application Systems connected to the internet |
|
SAQ-D |
All other merchants that do not meet any of the other requirements |
|
6 Milestones to PCI Prioritized Approach |
1) Remove Sensitive Authentication Data and limit data retention 2) Protect Networks 3) Secure Payment Applications 4) Monitor and control access to your systems 5) Protect Cardholder Data 6) Finalize remaining compliance efforts |
|
Principles that apply to Virtualization and PCI |
- PCI DSS requirements apply to virtualization technologies. - Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments. - Implementations of virtual technologies can vary greatly. - No one-size-fits-all solution |
|
PED |
PIN Entry Device |
|
SCR |
Secure Card Reader |
|
Service Providers must meet PCI compliance through which 2 methods |
1) Undergo their own PCI assessment and provide documentation to their customers 2) Have their services reviewed during the course of each of their customers' PCI DSS assessments |
|
Steps for Card Processing |
Authorization, Clearing, Settlement |
|
Disciplinary Actions for PCI-P |
Written Warning, Suspension, Revocation |
|
What is the limit for an inactive ID to remain enabled |
90 Days |
|
How many logon attempts can be made before the user ID is locked out |
6 |
|
Password lockout duration |
30 minutes or Admin reset |
|
Inactivity Timer |
15 minutes |
|
Minimum Password History |
4 |
|
3.4 states you can protect the PAN in the following 4 ways |
1) Encryption 2) Hashing 3) Tokenization 4) Truncation (3.4) |
|
6 Required Steps of Compensating Controls |
(Appendix B) 1) Constraints 2) Objectives 3) Identified Risk 4) Define CC 5) Validate CC 6) Maintenance |
|
How long is the PCI DSS Standards lifecycle |
36 Months |
|
Minimum Password Length |
7 characters - must contain alphabetic and numeric characters (8.2.3) |
|
Passwords must be changed how often |
90 days |
|
CDE |
Cardholder Data Environment |
|
How often should wireless networks be scanned for, according to 11.1 |
Quarterly |
|
Which PCI vendors are considered Open Loop |
Visa, MasterCard - They neither issue cards nor provide authorization |
|
Which PCI Members are considered Closed Loop |
Amex, JCB, Discover - They issue cards and provide authorization |
|
How often should router and firewall configurations be reviewed |
6 months |
|
How often should you look for data that exceeds the defined retention time period |
Quarterly (3.1) |
|
What is the maximum amount of the PAN that can be displayed to someone without a business need |
First 6 and last 4 digits (3.3) |
|
Split Knowledge |
The method of creating key owners that have components of an encryption key, whereas the piece they have is not actually part of the key itself (i.e. it is not split knowledge if you take an AES 128-bit key and break it up into two 64-bit parts) (3.6.6) |
|
Critical Patches should be installed how long after release |
1 month (6.2) |
|
ASV |
Application Vulnerability Assessment |
|
3 Types of Authentication Metrics |
1) Something you know 2) Something you have 3) Something you are (8.2) |
|
How long do you need to retain data from a video camera or a sign in log for sensitive areas |
Three Months (9.1) |
|
How often do inventory logs for media need to be reviewed |
Annually (9.7.1) |
|
How long does an audit log need to be stored |
1 Year (10.7) |
|
How much of the audit log needs to be immediately available for analysis |
3 months (10.7) |
|
How often should wireless access points be scanned for |
Quarterly (11.1) |
|
How often should external and internal ASV scans be performed |
Quarterly (11.2) |
|
How often should a pen test be done |
Annually or after any significant infrastructure or application changes have been done |
|
How often should security policy be reviewed and updated |
Reviewed annually and updated when the environment changes (12.1.1) |
|
How often should an Organization do a Risk Assessment |
Annually or when there are significant environment changes |
|
How often must security awareness training take place |
Annually and when first hired |
|
How often should a Service Provider's PCI DSS compliance be reviewed |
Annually (12.8.4) |
|
How often should an IRP be tested |
Annually (12.10.3) |
|