Module 5 - Payment Card Industry (PCI) Data Security Standards (DSS)

Question 1

what is PCIDSS

Answer 1

Payment Card Industry Data Security Standards

Question 2

why was PCIDSS developed

Answer 2

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally.

Question 3

what are 2 items that PCIDSS provide

Answer 3

• PCI DSS provides a baseline of technical and operational requirements designed to protect account data
• Consists of the 12 PCI DSS principal requirements

Question 4

what else can PCIDSS be used for

Answer 4

to protect against threats and secure other elements in
the payment ecosystem.

Question 5

who is PCIDSS intended for

Answer 5

• PCI DSS is intended for all entities that store, process, or
  transmit CHD and/or SAD or could impact the security of
  the CDE.
• includes all entities involved in payment card account processing

Question 6

what is considered CHD with regards to PCIDSS

Answer 6

• Primary Account Number (PAN)
• Cardholder Name
• Expiration Date
• Service Code

Question 7

what does CHD stand for when referencing PCIDSS

Answer 7

Cardholder data

Question 8

what does SAD stand for when talking abut PCIDSS

Answer 8

Sensitive authentication Data

Question 9

what is considered SAD when talking about PCIDSS

Answer 9

• Full track data (magnetic-stripe data or equivalent on a chip)
• Card verification code
• PINs/PIN blocks

Question 10

what does PAN mean with PCIDSS

Answer 10

Primary Account Number

Question 11

IF PAN is stored with other elements of CHD, what is required
1. all information is rendered unreadable
2. only the CHD is rendered unreadable
3. only the PAN is rendered unreadable
4. this does not fit a requirement

Answer 11

only the PAN is required to be rendeared unreadable

Question 12

thoughts about wireless networks being part of the PCIDSS network

Answer 12

1. PCI DSS requirements and testing procedures for securing wireless environments apply and must be performed.
2. Rogue wireless detection must be performed per PCI DSS Requirement 11.2.1 even when wireless is not used within the CDE and the entity has a policy that prohibits the use of wireless technology within its environment.
3. This is because of the ease with which a wireless access point can be attached to a network, the difficulty in detecting its presence, and the increased risk presented
4. Before wireless technology is implemented, an entity should carefully evaluate the need for the technology against the risk
5. Consider deploying wireless technology only for non-sensitive data transmission

Question 13

what are the 3 steps to testing PCIDSS

Answer 13

1. Examine
2. Observe
3. Interview

Question 14

what is in the examine testing phase of PCIDSS testing

Answer 14

The assessor critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.

Question 15

what is in the observe phase of PCIDSS testing

Answer 15

The assessor watches an action or views something in the environment. - Examples: include personnel performing a task or process, system components performing a function

Question 16

what is in the interview phase of PCIDSS testing

Answer 16

The assessor converses with individual personnel. Interviews might include confirmation of whether an activity is performed, descriptions of how an activity is performed, do personnel have the knowledge and understanding