QSAs must retain work papers for a minimum of _ years. It is a recommendation for ISAs to do the same.
3
According to PCI DSS requirement 1, Firewall and router rule sets need to be reviewed every _ months.
6
At least __ and prior to the annual assessment the assessed entity:
- Identifies all locations and flows of cardholder data to verify they are included in the CDE
- Confirms the accuracy of their PCI DSS scope
- Retains their scoping documentation for assessor reference
annually
scope includes
ppl process, tech
Evidence Retention
It is recommended that the ISA secure and maintain digital and/or hard copies of case logs, audit results and work papers, notes, and any technical information that was created and/or obtained during the PCI Data Security Assessment for a minimum of __ or as applicable to company data retention policies
of three (3) years
A (time) __ process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements.
quarterly
Do not store SAD after __ (even if encrypted). (track data / cvc / pin)
authorization
manual clear-text key-management procedures specify processes for the use of the following
Split knowledge.Dual control
Dual control
least two people are required to perform any key-management operations and no one person has access to the authentication materials (for example, passwords or keys) of another
Split knowledge
key components are under the control of at least two people who only have knowledge of their own key components
PAN is rendered unreadable in which ways
hash
mask
encrypt
pad
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within _ of release.
one month
Installation of all applicable vendor-supplied security patches within an _______
appropriate time frame (for example, within three months)
makes sure change control has these 4 things
impack
testing (PCI review)
backout
approval
Train developers at least __ in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
annually
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least _______
or
automated technical solution that detects and prevents web-based attacks active _
annually and after any changes
all the time
Observe user accounts to verify that any inactive accounts over __ are either removed or disabled.
90 days old
For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than _ invalid logon attempts.
6
once a user account is locked out, it remains locked for a minimum of _ or __
30 mins or until a system administrator resets the account
idle time out features have been set to __
15 mins or less
For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords at least once every __.
90 days
new passwords/passphrases cannot be the same as the __ previously used passwords/passphrases
4
Verify that data from video cameras and/or access control mechanisms is reviewed, and that data is stored for __
at least three months.
visitor log is
retains for 3 month
name,
firm,
escort
Verify that the storage location security is reviewed at least _ to confirm that backup media storage is secure.
annually
Review media inventory logs to verify that logs are maintained and media inventories are performed at least _
annually
reviewing the following at least __, either manually or via log tools:
All security events
Logs of all system components that store, process, or transmit CHD and/or SAD
Logs of all critical system components
Logs of all servers and system components that perform security functions
daily
reviewing logs of all other system components _—either manually or via log tools—based on the organization’s policies and risk management strategy.
periodically
retaining audit logs for at least , with a minimum of _______ immediately available online
one year
3 months
Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a ___ basis
quarterly
Run internal and external network vulnerability scans at least _ and __________ in the network
quarterly and after any significant change
verify that _ internal/(external ASV) scans occurred in the most recent
four quarterly
12-month period
penetration testing when?
how about service providers on seg controls??
quarterly and after sig changes
6 months and sig changes
IDS/IPS where?
at perimeter of CDE and at crit points in CDE
perform critical file comparisons at least _
weekly
information security policy reviewed when?
annually and sig changes
entities monitor its service providers’ PCI DSS compliance status at least __
annually
incident response plan tested when?
annually
service providers only: Perform reviews at least _ to confirm personnel are following security policies and operational procedures.
quarterly
Where POS POI terminals (and the SSL/TLS termination points to which they connect) use SSL and/or early TLS, the entity must either:
Confirm the devices are not susceptible to any known exploits for those protocols, or
Have a formal Risk Mitigation and Migration Plan in place
DESV User accounts and access privileges are reviewed at least every _
six months
PCI DSS requirements are applicable wherever ___ is stored, processed, or transmitted
PAN or SAD
Contains all fields of both Track 1 and Track 2
track 1 (Length up to 79 characters)
track 2 contains?
Provides shorter processing time for older dial-up transmissions
Length up to 40 characters
If you find a potential card number, you can use a __ check to see if it is a valid card number
mod 10 (luhn)
Examine documented results of scope reviews and interview personnel to verify that the reviews are performed:
At least quarterly
After significant changes to the in-scope environment
processes are defined and implemented to review hardware and software technologies when?
annually