Build & Maintain a Secure Network and Systems correct answers Req 1 - Install and maintain a
firewall configuration to protect cardholder data
Req 2 - Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data correct answers Req 3 - Protect stored cardholder data
Req 4 - Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program correct answers Req 5 - Protect all systems
against malware and regularly update AV software or programs
Req 6 - Develop & maintain secure systems & applications
Implement Strong Access Control Measures correct answers Req 7 - Restrict access to
cardholder data by business need-to-know
Req 8 - Identify & authenticate access to system components
Req 9 - Restrict physical access to cardholder data
Regularly Monitor and Test Networks correct answers Req 10 - Track & monitor all access to
network resources and cardholder data
Req 11 - Regularly test security systems & processes
Maintain an Information Security Policy correct answers Req 12 - Maintain a policy that
addresses information security for all personnel
Requirement 1.1 correct answers Establish firewall and router configuration standards that
formalize testing whenever configurations change; that identify all connections to cardholder
data (including wireless); that document the technical settings used for each implementation;
and stipulate a review of configuration rule sets at least every six months.
Requirement 1.2 correct answers Build firewall and router configurations that restrict all traffic
from "untrusted" networks and hosts, except for protocols necessary for the cardholder data
environment.
Requirement 1.3 correct answers Prohibit direct public access between the Internet and any
system component in the cardholder data environment
Requirement 1.4 correct answers Install personal firewall software on any mobile and/or
employee-owned computers with direct connectivity to the Internet that are used to access the
organization's network.
Requirement 2.1 correct answers Always change vendor-supplied defaults before installing a
system on the network. This includes wireless devices that are connected to the cardholder data
environment or are used to transmit cardholder data.
Requirement 2.2 correct answers Develop configuration standards for all system components that
address all known security vulnerabilities and are consistent with industry-accepted hardening
definitions. Update system configuration standards as new vulnerability issues are identified.
Requirement 2.3 correct answers Encrypt all non-console administrative access (such as
browser/web-based management tools) using strong cryptography.
Requirement 2.4 correct answers Shared hosting providers must protect each entity's hosted
environment and cardholder data (details are in PCI DSS Appendix A: "Additional PCI DSS
Requirements for Shared Hosting Providers.")
Requirement 3.1 correct answers Limit cardholder data storage and retention time to that
required for business, legal, and/or regulatory purposes, as documented in your data retention
policy. Purge unnecessary stored data at least quarterly.
Requirement 3.2 correct answers Do not store sensitive authentication data after authorization
(even if it is encrypted). Sensitive authentication data means full track data (magnetic stripe or
chip equivalent), the card verification code (CAV2/CVC2/CVV2/CID), and PINs or PIN blocks.
See guidelines in table below. Issuers and related entities may store sensitive authentication
data if there is a business justification, and the data is stored securely.
Requirement 3.3 correct answers Mask PAN when displayed; the first six and last four digits are
the maximum number of digits you may display. Not applicable for authorized people with a
legitimate business need to see the full PAN. Does not supersede stricter requirements in place
for displays of cardholder data such as on a point-of-sale receipt.
Requirement 3.4 correct answers Render PAN unreadable anywhere it is stored - including on
portable digital media, backup media, in logs, and data received from or stored by wireless
networks. Technology solutions for this requirement may include strong one-way hash functions
of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography.
(See PCI DSS Glossary for definition of strong cryptography.)
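The four techniques Requirement 3.4 lists (one-way hash, truncation, index tokens with securely stored pads, strong cryptography) and the 3.3 display mask are easy to get subtly wrong, so here is a worked example in Python. It is added for this study guide and is not code from the PCI Security Standards Council; the sample PAN is a well-known test number, and `DEMO_HASH_KEY` stands in for a key that would really live in an HSM or key-management service under Requirements 3.5 and 3.6. One caveat the card text does not spell out: an unkeyed hash of a PAN is brute-forceable (the six-digit BIN is usually known and the check digit is fixed, leaving on the order of a billion candidates), so the hash here is keyed with HMAC; and if both a truncated and a hashed form of the same PAN exist in the environment, the two must not be storable side by side, because together they make reconstruction trivial.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample PAN: a standard test card number, not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"

# Hypothetical key for the keyed hash. Only for this demo; a real key is
# generated and stored under Requirements 3.5/3.6, never embedded in code.
DEMO_HASH_KEY = secrets.token_bytes(32)


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes, then require 13-19 digits (the PAN length range)."""
    stripped = pan.replace(" ", "").replace("-", "")
    if not stripped.isdigit() or not 13 <= len(stripped) <= 19:
        raise ValueError("not a syntactically valid PAN")
    return stripped


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Requirement 3.3 display masking: show at most the first six and last four digits."""
    if first > 6 or last > 4 or first < 0 or last < 0:
        raise ValueError("3.3 allows at most the first six and last four digits")
    digits = normalize_pan(pan)
    head, tail = digits[:first], digits[len(digits) - last:]
    return head + "*" * (len(digits) - first - last) + tail


def truncate_pan(pan: str) -> str:
    """Requirement 3.4 truncation: permanently keep only a fragment (here the last four)."""
    return normalize_pan(pan)[-4:]


def hash_pan(pan: str, key: bytes = DEMO_HASH_KEY) -> str:
    """Requirement 3.4 one-way hash of the entire PAN, keyed with HMAC-SHA256.

    Keying is what makes this resist offline guessing: without the key an
    attacker cannot enumerate the ~10**9 plausible PANs for a known BIN.
    """
    digits = normalize_pan(pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Requirement 3.4 'index tokens with securely stored pads', in miniature.

    The token store holds the token and the PAN XORed with a random pad; the pad
    store is a separate component. Neither store alone reveals the PAN, and the
    token handed back to the application carries no PAN digits at all.
    """

    def __init__(self) -> None:
        self._ciphertexts: dict[str, bytes] = {}
        self._pads: dict[str, bytes] = {}

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan).encode("ascii")
        token = secrets.token_urlsafe(16)
        pad = secrets.token_bytes(len(digits))  # fresh one-time pad per PAN
        self._ciphertexts[token] = bytes(a ^ b for a, b in zip(digits, pad))
        self._pads[token] = pad
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; needs both stores, which is the whole point."""
        ct, pad = self._ciphertexts[token], self._pads[token]
        return bytes(a ^ b for a, b in zip(ct, pad)).decode("ascii")


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    print("display (3.3):   ", mask_pan(SAMPLE_PAN))
    print("truncated (3.4): ", truncate_pan(SAMPLE_PAN))
    print("keyed hash (3.4):", hash_pan(SAMPLE_PAN))
    print("token (3.4):     ", token, "->", vault.detokenize(token))
```

Note that `mask_pan` refuses to reveal more than first six/last four, so a caller cannot accidentally turn a display mask into a full PAN; the "legitimate business need" exception in 3.3 should be a separate, access-controlled path rather than a looser default.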
Requirement 3.5 correct answers Protect any keys used for encryption of cardholder data from
disclosure and misuse.
Requirement 3.6 correct answers Fully document and implement all appropriate key
management processes and procedures for cryptographic keys used for encryption of cardholder
data.
Requirement 4.1 correct answers Use strong cryptography and security protocols such as
SSL/TLS, SSH or IPsec to safeguard sensitive cardholder data during transmission over open,
public networks (e.g. Internet, wireless technologies, Global System for Mobile communications
[GSM], General Packet Radio Service [GPRS]). Ensure wireless networks transmitting
cardholder data or connected to the cardholder data environment use industry best practices (e.g.,
IEEE 802.11i) to implement strong encryption for authentication and transmission. The use of
WEP as a security control is prohibited. (Note: this is the original wording; since PCI DSS v3.1,
SSL and early TLS are no longer accepted as strong cryptography, so in practice this means TLS 1.2 or later.)
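Requirements 2.3 and 4.1 both come down to the same client-side configuration decision: refuse SSL and early TLS, and insist on a validated server certificate. The following Python example, added here for the study guide and not code from the PCI Security Standards Council, puts a permissive context next to a hardened one and includes a small checker that reports which of the 4.1 conditions a context fails. It uses only the standard `ssl` module; the function and finding names are this example's own.

```python
from __future__ import annotations

import ssl
from typing import Optional


def legacy_client_context() -> ssl.SSLContext:
    """A context of the kind the original 4.1 wording tolerated: whatever
    protocol floor the library allows, and no certificate or hostname checks.
    Shown only for contrast; do not use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """What 2.3/4.1 require today: TLS 1.2 or later, a validated server
    certificate, and hostname verification. `cafile` is optional; None means
    the platform trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rejects SSLv3, TLS 1.0, TLS 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the list of 4.1 findings for a context; an empty list means it passes."""
    findings: list[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts SSL/early TLS (minimum_version below TLS 1.2)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid server certificate")
    if not ctx.check_hostname:
        findings.append("does not verify the server hostname")
    return findings


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "OK")
```

To use the hardened context for a real connection, wrap the socket with `ctx.wrap_socket(sock, server_hostname=host)`; the same three properties checked by `audit_context` are what an assessor looks for when reviewing non-console administrative access under 2.3.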