






An overview of the PCI DSS (Payment Card Industry Data Security Standard) and the various Self-Assessment Questionnaires (SAQs) that merchants and service providers can use to evaluate their compliance with the standard. It covers the basic payment processing workflow, common errors in scoping PCI DSS assessments, and the key requirements of the standard, such as installing and maintaining a firewall configuration, protecting stored cardholder data, encrypting transmission of cardholder data, and developing and maintaining secure systems and applications. The document also discusses segmentation of the cardholder data environment, the use of compensating controls, and the responsibilities of service providers and payment brands in the PCI DSS ecosystem. Overall, this document offers a comprehensive understanding of the PCI DSS and its application in the payment processing industry.
Typology: Study Guides, Projects, Research
is an independent industry standards body providing oversight of the development and management of Payment Card Industry Data Security Standards on a global basis.
What are the founding payment brands? American Express, Discover, JCB, MasterCard, and Visa
What defines the merchant levels? Defined by the payment brands, based on transaction volume (transaction volume is determined by the acquirer).
What defines the service provider levels? Defined by the payment brands according to transaction volume and/or type of service provider. Determined by the payment brands or acquirer, or sometimes the service provider.
SAQ-A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
SAQ-B: Merchants using only:
merchant only accepts payments via the telephone and they enter the cardholder data directly into a webpage provided by their acquirer.
PCI DSS covers security of the environments that store, process, or transmit account data. The scope of PCI DSS covers environments receiving account data from payment applications and other sources (acquirers, for example).
PCI PA-DSS covers secure payment applications to support PCI DSS compliance. The scope of PA-DSS addresses when a payment application receives account data from cardholder-interface devices such as point-of-sale terminals or other devices and begins the payment transaction.
PCI P2PE (Point-to-Point Encryption) covers secure encryption, decryption, and key management for point-to-point encryption solutions. Requirements for a P2PE solution will vary depending on the deployment environment and the technologies used for a specific implementation.
PCI PTS (PIN Transaction Security) POI covers device tamper detection, cryptographic processes, and other mechanisms used to protect the PIN and other sensitive data, such as cryptographic keys. The PTS set of requirements addresses how cardholder PINs are protected at cardholder-interface devices such as point-of-sale terminals, as well as hardware security modules that are used for payment processing and cardholder authentication applications and processes.
PCI PIN Security covers secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing.
PCI PTS HSM standard covers the design of hardware security modules and the secure protection of those devices until they are deployed.
Card Production standards establish minimum security levels for card vendors involved in payment card manufacturing, card personalization, pre-personalization, chip embedding, data preparation, and fulfillment.
Discover Compliance Program is called ______________.
Information Security Compliance
JCB Compliance Program is called ______________. Data Security Program
MasterCard Compliance Program is called ______________. Site Data Protection
Visa Inc. Compliance Program is called ______________. Information Security Program
Visa Europe Compliance Program is called ______________. Account Information Security Program
The key thing to understand for payment brand compliance programs is _________. That they handle PCI DSS compliance tracking, enforcement, and any penalties or fees that might be assigned. In addition, payment brands are responsible for forensic response and investigation of account data compromises.
What are the Payment Brand Roles? Develop and enforce compliance programs / Endorse QSA, PA-QSA and ASV company qualification criteria / Accept validation documentation from QSAs, PA-QSAs, and ASVs.
Bank or entity the merchant uses to process their payment card transactions. AKA merchant bank, ISO (sometimes), payment brand (Amex, Discover, and JCB). Never Visa or MasterCard.
Service Provider is a business that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data on behalf of another entity.
SAQ-D: SAQ-D for Merchants: all merchants not included in the description for other SAQ types. SAQ-D for service providers: all service providers identified by a payment brand as eligible to complete a self-assessment questionnaire.
SAQ-P2PE: Merchants who have implemented a validated point-to-point encryption solution that is listed on the PCI SSC website, with no electronic cardholder data storage. Not applicable to e-commerce channels.
Account data consists of ____________ and _______________? Cardholder data and sensitive authentication data
When scoping an environment for PCI DSS, it is important to identify _______
Not using vendor-supplied default passwords. Utilizing system configuration standards for all components. Maintaining an inventory of system components. Ensuring all non-console access to network devices, servers, and other components is encrypted.
Requirements 2.2.2 and 2.2.3 cover the use of secure services, protocols, and daemons as required for the functions of a system. Which of the following is considered secure? SSH
What is requirement 3? Protect stored cardholder data; specifically primary account numbers (PANs) and sensitive authentication data (SAD). Minimize risk associated with the storage of cardholder data.
Requirement 3. Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures, and processes.
Requirement 3. Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
Requirement 3.2.2. Do not store the card verification code or value after authorization.
Requirement 3.2. Do not store the personal identification number (PIN) or the encrypted PIN block after authorization.
Requirement 3. Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.
Requirement 3.2. Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization.
Requirement 3. Render PAN unreadable anywhere it is stored by using any of the following: one-way hashes, truncation, index tokens and pads, or strong cryptography with associated key-management processes and procedures.
Split knowledge is a method in which two or more people separately have key components, where each person knows only their own key component, and the individual key components convey no knowledge of the original cryptographic key.
Dual control requires two or more people to perform a function, and no single person can access or use the authentication materials of another.
Sensitive authentication data exists in the magnetic stripe or chip, and is also printed on the payment card. (T/F?) True
Sensitive authentication data is required for recurring transactions. (T/F?) False
Encrypting sensitive authentication data removes it from PCI DSS scope. (T/F?) False
Sensitive authentication data includes PAN and service code. (T/F?)
Restrict physical access to cardholder data
Onsite personnel refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity's premises.
A visitor refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day.
Media refers to all paper and electronic media containing cardholder data.
What is requirement 10? Track and monitor all access to network resources and cardholder data
Requirement 10. Use time-synchronization technology to synchronize all critical system clocks and times.
Requirement 10. Secure audit trails so they cannot be altered.
What kind of logs need to be reviewed at least daily? All security events. Logs of all system components that store, process, or transmit CHD and/or SAD. Logs of all critical system components. Logs of all servers and system components that perform security functions.
Requirement 10.7 (Log retention). Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
Requirement 10. For service providers, implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: firewalls, IDS/IPS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms, and segmentation controls.
What is requirement 11? Regularly test security systems and processes.
Requirement 11. Implement processes to test for the presence of wireless access points (802.11) and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
What is requirement 12? Maintain a policy that addresses information security for all personnel.
Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
Appendix A: Additional PCI DSS Requirements for Entities using SSL/early TLS
Appendix A: Designated Entities Supplemental Validation (DESV). An entity is required to undergo an assessment according to this appendix only if instructed to do so by an acquirer or a payment brand.
Information Supplements provided by the PCI SSC may "supersede" or replace PCI DSS requirements. (T/F?) False
In order to be considered a compensating control, which of the following must exist? A legitimate technical constraint or a documented business constraint
Non-console access refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component.
Which scenario describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope? A network configuration that prevents all network traffic between the CDE and out-of-scope networks.
Typical locations where card verification values/codes may be found include which of the following? Databases and log files from e-commerce systems
Which of the following is true regarding compensating controls? A compensating control is not necessary if all other PCI DSS requirements are in place
Which statement is true regarding storage of cardholder data? Stored cardholder data that exceeds retention requirements needs to be removed on a quarterly basis
Which of the following statements about service providers is true? Transaction payment gateways are not considered service providers
What activity occurs during the "settlement" step of the payment process? The merchant receives payment for the transaction
Which statement is true regarding the use of PA-DSS validated applications? PA-DSS validated applications are in scope for the merchant's PCI DSS assessment
Which entity determines a merchant's transaction volume? The acquirer
Who defines merchant and service provider levels? Payment brands
Which scenario meets the intent of PCI DSS requirements for assigning user access to cardholder data? Access is assigned to all users based on the access needs of the least-privileged user
As defined in requirement 8, what is the minimum complexity of user passwords? 7 characters, both alphabetic and numeric characters
As defined in PCI DSS requirement 1.2, firewall and router configurations must restrict connections between which of the following?
Corporate networks and the cardholder data environment
Contains all fields of Track 2 plus the cardholder's name and additional fields for proprietary use by the card issuer. It is the longer track, up to 79 characters. Track 1
Authorization of a transaction usually takes place when? At the time of purchase
Systems that commonly store track data: POS systems
The Mod 10 formula doubles the values of alternate digits of the primary account number beginning with which digit? Second from the right
Which of the following is true regarding track data? Track 1 contains all Track 2 data and additional fields for use by the card issuer
Which three processes provide for a secure PIN?
Only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use.
What triggers a log event? All individual access to CHD. All administrative actions. All access to audit trails. All invalid logical access attempts. Use of identification and authentication mechanisms. Initialization and stopping/pausing of audit logs. Creation and deletion of system-level objects.
What information must be included in the logs? User identification. Type of event. Date/timestamp. Success/failure. Origination. Identity of affected data, system or resource.
Compensating controls must: meet the intent and rigor of the original control. Provide similar defense as the original requirement. Go "above and beyond" other PCI DSS requirements. May be suitable for use year after year as long as each control is evaluated on its own merit for each assessment.
A merchant only accepts payments via the telephone and they enter the cardholder data directly into a webpage provided by their acquirer. Which SAQ is most likely to be the one the merchant should use? SAQ-C
Which PCI standard helps secure physical devices used to read cardholder data such as magnetic stripe and EMV chip readers? PCI PTS HSM
When can you use cardholder data in test environments? Never
How many hours of CPE must a PCIP accumulate each year? 20 hours
Which PCI standard would apply to a merchant that had purchased and was using a validated PCI P2PE solution? PCI P2PE
Fill in the blank: Are stateful firewalls .......................... for connections into the CDE? Required
What sanction does the PCI SSC not have against a PCIP who is in contravention of the PCI SSC Code of Professional Responsibility?
Revoke the PCIP qualification
The payment card brands are responsible for: penalty or fee assignment for non-compliance
If a suspected card account number passes the Mod 10 test it means: it may be a valid PAN
Systems that commonly store track data: POS systems
Non-console administrator access to any web-based management interface must be encrypted with technology such as HTTPS
Acceptable truncation formats for a 16-digit PAN with an 8-digit BIN for MasterCard are: at least 6 digits removed. "First 6, any other 4"
Entities who handle point-of-sale devices must: verify the identity of any third-party persons claiming to be repair or maintenance personnel.
Partially outsourced e-commerce merchants using a third-party website for payment processing may be eligible to fill out: SAQ A-EP
Which is a responsibility of the PCI Security Standards Council? Establish validation requirements for PA-DSS applications.
Who shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program? Executive Management