PCI-DSS v3.2.1 Standard Flashcards

1
Q

Requirement 1

A

Install and maintain a firewall configuration to protect cardholder data.

2
Q

Requirement 1.1

A

Inspect the firewall and router configuration standards and other documentation specified below and verify that standards are complete and implemented as follows.

3
Q

Requirement 1.1.1

A

A formal process for approving and testing all network connections and changes to the firewall and router configurations.

4
Q

Requirement 1.1.1.a

A

Examine documented procedures to verify there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.

5
Q

Requirement 1.1.1.b

A

For a sample of network connections, interview responsible personnel and examine records to verify that network connections were approved and tested.

6
Q

Requirement 1.1.1.c

A

Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested.

7
Q

Requirement 1.1.2

A

Current diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.

8
Q

Requirement 1.1.2.a

A

Examine the diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to the cardholder data environment, including any wireless networks.

9
Q

Requirement 1.1.2.b

A

Interview responsible personnel to verify that the diagram is kept current.

10
Q

Requirement 1.1.3

A

Current diagram that shows all cardholder data flows across systems and networks.

11
Q

Requirement 1.1.3.a

A

Examine data flow diagrams and interview personnel to verify the diagram shows all cardholder data flows across systems and networks and is kept current and updated as needed upon changes to the environment.

12
Q

Requirement 1.1.4

A

Requirements for a firewall at each internet connection and between any demilitarized zone (DMZ) and the internal network.

13
Q

Requirement 1.1.4.a

A

Examine the firewall configuration standards and verify that they include requirements for a firewall at each internet connection and between any DMZ and the internal network zone.

14
Q

Requirement 1.1.4.b

A

Verify that the current network diagram is consistent with the firewall configuration standards.

15
Q

Requirement 1.1.4.c

A

Observe network configurations to verify that a firewall is in place at each internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network zone.

16
Q

Requirement 1.1.5

A

Description of groups, roles, and responsibilities for management of network components.

17
Q

Requirement 1.1.5.a

A

Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components.

18
Q

Requirement 1.1.5.b

A

Interview personnel responsible for management of network components to confirm that roles and responsibilities are assigned as documented.

19
Q

Requirement 1.1.6

A

Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure (examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2)

20
Q

Requirement 1.1.6.a

A

Verify that firewall and router configuration standards include a documented list of all services, protocols, and ports, including business justification for each - for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.

21
Q

Requirement 1.1.6.b

A

Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service.

22
Q

Requirement 1.1.6.c

A

Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port.

23
Q

Requirement 1.1.7

A

Requirement to review firewall and router rule sets at least every six months.

24
Q

Requirement 1.1.7.a

A

Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.

25
Q

Requirement 1.1.7.b

A

Examine documentation relating to rule set reviews and interview responsible personnel to verify that rule sets are reviewed at least every six months.

26
Q

Requirement 1.2

A

Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. // Note: an untrusted network is any network that is external to the networks belonging to the entity under review and/or which is out of the entity’s ability to control or manage. // Examine firewall and router configurations and perform the following to verify that connections are restricted between untrusted networks and system components in the cardholder data environment.

27
Q

Requirement 1.2.1

A

Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

28
Q

Requirement 1.2.1.a

A

Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment.

29
Q

Requirement 1.2.1.b

A

Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment.

30
Q

Requirement 1.2.1.c

A

Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.

31
Q

Requirement 1.2.2

A

Secure and synchronise router configuration files

32
Q

Requirement 1.2.2.a

A

Examine router configuration files to verify they are secured from unauthorised access.

33
Q

Requirement 1.2.2.b

A

Examine router configurations to verify they are synchronized - for example, the running (or active) configuration matches the start-up configuration (used when machines are booted)

34
Q

Requirement 1.2.3

A

Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorised traffic between the wireless environment and the cardholder data environment.

35
Q

Requirement 1.2.3.a

A

Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the cardholder data environment.

36
Q

Requirement 1.2.3.b

A

Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorised traffic between the wireless environment and the cardholder data environment.

37
Q

Requirement 1.3

A

Prohibit direct public access between the internet and any system component in the cardholder data environment // Examine firewall and router configurations - including but not limited to the choke router at the internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment - and perform the following to determine that there is no direct access between the internet and system components in the internal cardholder network segment.

38
Q

Requirement 1.3.1

A

Implement a DMZ to limit inbound traffic on only system components that provide authorised publicly accessible services, protocols, and ports // Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorised publicly accessible services, protocols, and ports.

39
Q

Requirement 1.3.2

A

Limit inbound internet traffic to IP addresses within the DMZ // Examine firewall and router configurations to verify that inbound internet traffic is limited to IP addresses within the DMZ.

40
Q

Requirement 1.3.3

A

Do not allow any direct connections inbound or outbound for traffic between the internet and the cardholder data environment // Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the internet and the cardholder data environment.

41
Q

Requirement 1.3.4

A

Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network (for example, block traffic originating from the internet with an internal source address) // Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the internet into the DMZ.

42
Q

Requirement 1.3.5

A

Do not allow unauthorised outbound traffic from the cardholder data environment to the internet // Examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the internet is explicitly authorised.

43
Q

Requirement 1.3.6

A

Implement stateful inspection, also known as dynamic packet filtering (that is, only “established” connections are allowed into the network.) // Examine firewall and router configurations to verify that the firewall performs stateful inspection (dynamic packet filtering). Only established connections should be allowed in, and only if they are associated with a previously established session.

44
Q

Requirement 1.3.7

A

Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks // Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks.

45
Q

Requirement 1.3.8

A

Do not disclose private IP addresses and routing information to unauthorised parties (methods to obscure IP addressing may include, but are not limited to: network address translation (NAT), placing servers containing cardholder data behind proxy servers / firewalls, removal or filtering of route advertisements for private networks that employ registered addressing, internal use of RFC1918 address space instead of registered addresses).

46
Q

Requirement 1.3.8.a

A

Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the internet.

47
Q

Requirement 1.3.8.b

A

Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorised.

48
Q

Requirement 1.4

A

Install personal firewall software on any mobile and/or employee-owned devices that connect to the internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include: specific configuration settings are defined for firewall software, personal firewall software is actively running, and personal firewall software is not alterable by users of mobile and/or employee-owned devices.

49
Q

Requirement 1.4.a

A

Examine policies and configuration standards to verify personal firewall software is required for all mobile and/or employee owned devices that connect to the internet (for example laptops used by employees) when outside the network, and which are also used to access the network; specific configuration settings are defined for personal firewall software; personal firewall software is configured to actively run; and personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices.

50
Q

Requirement 1.4.b

A

Inspect a sample of mobile and/or employee owned devices to verify that personal firewall software is installed and configured per the organisation’s specific configuration settings; personal firewall software is actively running; and personal firewall software is not alterable by users of mobile and/or employee owned devices.

51
Q

Requirement 1.5

A

Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.

52
Q

Requirement 2

A

Do not use vendor-supplied defaults for system passwords and other security parameters.

53
Q

Requirement 2.1

A

Always change vendor supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords including, but not limited to those used by operating systems, software that provides security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.

54
Q

Requirement 2.1.a

A

Choose a sample of system components and attempt to log on (with system administrator help) to the devices and applications using default vendor supplied accounts and passwords to verify that ALL default passwords have been changed. (Use vendor manuals and sources on the internet to find vendor supplied accounts / passwords.)

55
Q

Requirement 2.1.b

A

For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications systems, POS terminals, SNMP, etc.) are removed or disabled.

56
Q

Requirement 2.1.c

A

Interview personnel and examine supporting documentation to verify that all vendor defaults are changed before a system is installed on the network and that unnecessary default accounts are removed or disabled before a system is installed on the network.

57
Q

Requirement 2.1.1

A

For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

58
Q

Requirement 2.1.1.a

A

Interview responsible personnel and examine supporting documentation to verify that encryption keys were changed from default at installation and are changed any time anyone with knowledge of the keys leaves the company or changes position.

59
Q

Requirement 2.1.1.b

A

Interview personnel and examine policies and procedures to verify default SNMP community strings are required to be changed upon installation and default passwords/passphrases on access points are required to be changed upon installation.

60
Q

Requirement 2.1.1.c

A

Examine vendor documentation and log in to wireless devices, with system administrator help, to verify default SNMP community strings are not used and default passwords/passphrases on access points are not used.

61
Q

Requirement 2.1.1.d

A

Examine vendor documentation and observe wireless configuration settings to verify firmware on wireless devices is updated to support strong encryption for authentication over wireless networks and transmission over wireless networks.

62
Q

Requirement 2.1.1.e

A

Examine vendor documentation and observe wireless configuration settings to verify other security-related wireless vendor defaults were changed if applicable.

63
Q

Requirement 2.2

A

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry accepted system hardening standards may include but are not limited to the Center for Internet Security (CIS), International Organisation for Standardisation (ISO), SysAdmin Audit Network Security (SANS) Institute, and National Institute of Standards and Technology (NIST)

64
Q

Requirement 2.2.a

A

Examine the organisation’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry accepted hardening standards.

65
Q

Requirement 2.2.b

A

Examine policies and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.1.

66
Q

Requirement 2.2.c

A

Examine policies and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network.

67
Q

Requirement 2.2.d

A

Verify that system configuration standards include the following procedures for all types of system components: changing of all vendor supplied defaults and elimination of all unnecessary default accounts; implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server; enabling only necessary services, protocols, daemons, etc., as required for the function of the system; implementing additional security features for any required services, protocols, or daemons that are considered to be insecure; configuring system security parameters to prevent misuse; and removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

68
Q

Requirement 2.2.1

A

Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server (for example, web servers, database servers, and DNS should be implemented on separate servers). Note: where virtualisation technologies are in use, implement only one primary function per virtual system component.

69
Q

Requirement 2.2.1.a

A

Select a sample of system components and inspect the system configurations to verify that only one primary function is implemented per server.

70
Q

Requirement 2.2.1.b

A

If virtualisation technologies are used, inspect the system configurations to verify that only one primary function is implemented per virtual system component or device.

71
Q

Requirement 2.2.2

A

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

72
Q

Requirement 2.2.2.a

A

Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are enabled.

73
Q

Requirement 2.2.2.b

A

Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuration standards.

74
Q

Requirement 2.2.3

A

Implement additional security features for any required services, protocols, or daemons that are considered to be insecure - for example, use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc. // Inspect configuration settings to verify that security features are documented and implemented for all insecure services, daemons, or protocols.

75
Q

Requirement 2.2.4

A

Configure system security parameters to prevent misuse.

76
Q

Requirement 2.2.4.a

A

Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.

77
Q

Requirement 2.2.4.b

A

Examine the system configuration standards to verify that common security parameter settings are included.

78
Q

Requirement 2.2.4.c

A

Select a sample of system components and inspect the common security parameters to verify that they are set appropriately and in accordance with the configuration standards.

79
Q

Requirement 2.2.5

A

Remove all unnecessary functionality such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

80
Q

Requirement 2.2.5.a

A

Select a sample of system components and inspect the configurations to verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed.

81
Q

Requirement 2.2.5.b

A

Examine the documentation and security parameters to verify that only documented functionality is present on the sampled system components.

82
Q

Requirement 2.3

A

Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. // Select a sample of system components and verify that non-console administrative access is encrypted by performing the following.

83
Q

Requirement 2.3.a

A

Observe an administrator log on to each system and examine system configurations to verify that a strong encryption method is invoked before the administrator’s password is requested.

84
Q

Requirement 2.3.b

A

Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.

85
Q

Requirement 2.3.c

A

Observe an administrator log on to each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.

86
Q

Requirement 2.3.d

A

Examine vendor documentation and interview personnel to verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.

87
Q

Requirement 2.4

A

Maintain an inventory of system components that are in scope for PCI DSS.

88
Q

Requirement 2.4.a

A

Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of each function/use for each.

89
Q

Requirement 2.4.b

A

Interview personnel to verify the documented inventory is kept current.

90
Q

Requirement 2.5

A

Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.

91
Q

Requirement 2.6

A

Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

92
Q

Requirement 3

A

Protect stored cardholder data.

93
Q

Define an Issuing Bank.

A

An issuing bank, also known as an issuer, is a bank or financial institution that offers payment cards to consumers on behalf of card networks such as Visa, MasterCard, or American Express.

94
Q

What is MOTO credit card processing?

A

MOTO stands for Mail Order/Telephone Order.

MOTO credit card processing is best suited for businesses that primarily accept card-not-present transactions: examples include e-commerce and delivery-based businesses. In contrast, Retail pricing is appropriate when the majority of transactions occur in person.

95
Q

What is an EMV card?

A

EMV stands for Europay, MasterCard and Visa and refers to the increased security of payment card transactions through the use of a chip embedded in credit, debit, and prepaid cards.

96
Q

Define an Acquiring Bank (also known as an acquirer).

A

An acquiring bank (also known simply as an acquirer) is a bank or financial institution that processes credit or debit card payments on behalf of a merchant. The acquirer allows merchants to accept credit card payments from the card-issuing banks within an association.