Exam (elaborations)

PCIP questions with verified solution 2023

Pages: 16
Grade: A
Uploaded on: 30-09-2023
Written in: 2023/2024

Content preview

PCIP questions with verified solution 2023
PCI DSS Area 1
Build and Maintain a Secure Network and Systems
PCI DSS Requirement One
Install and maintain a firewall configuration to protect cardholder data
PCI DSS Requirement 1.1
Establish and implement firewall and router configuration standards that include the following:
1-A Formal Process for Change Management
2-A Current Network Diagram, process to keep current
3-A Current Cardholder Data Flow Diagram
4-Firewall at all access points to the network (DMZ or Internet Connections)
5-Groups, Roles, and Responsibilities for managing network components
6-Documentation of business justification for all open ports
7-Review Firewall rules every 6 months
PCI DSS Requirement 1.2
Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
1-Deny any inbound or outbound traffic that is not required for CDE
2-Router configuration should be secured, and the startup configuration should be synchronized with the running configuration.
3-Install firewall between all wireless networks and the CDE
PCI DSS Requirement 1.3
Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1-Implement a DMZ
2-Limit inbound traffic to only those systems in the DMZ
3-Implement anti-spoofing techniques
4-Outbound traffic from the CDE to the Internet should be explicitly authorized
5-Only allow established connections
6-Store systems holding cardholder data separate from the DMZ and other untrusted networks
7-Do not disclose network configuration (e.g. private IPs and routing information)
PCI DSS Requirement 1.4
Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.
PCI DSS Requirement 1.5
Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
PCI DSS Requirement Two
Do not use vendor-supplied defaults for system passwords and other security parameters
PCI DSS Requirement 2.1
Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
1-Change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
PCI DSS Requirement 2.2
Develop configuration standards for all system components and apply appropriate hardening
1-Implement one primary function per server to prevent co-existence of services that require different security levels
2-Enable only necessary services
3-Implement additional security features for required services that are considered insecure (e.g. SSL/Early TLS)
4-Systems should be configured
5-Remove all unnecessary functionality
PCI DSS Requirement 2.3
Encrypt all non-console administrative access using strong cryptography.
PCI DSS Requirement 2.4
Maintain an inventory of system components that are in scope for PCI DSS.
PCI DSS Requirement 2.5
Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
PCI DSS Requirement 2.6
Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.
PCI DSS Area 2
Protect Cardholder Data
PCI DSS Requirement Three
Protect Stored Cardholder Data
PCI DSS Requirement 3.1
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
-Limit retention to what is required for legal, regulatory and business requirements
-Specific retention requirements for CHD
-Secure deletion when no longer needed
-Quarterly process to review actual retention against the retention limit
PCI DSS Requirement 3.2
Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
1-Do not store the full contents of any track. Can store PAN, Expiry, Name, Service Code
2-Do not store CVC after authorization
3-Do not store PIN or Encrypted PIN Block
PCI DSS Requirement 3.3
Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)
PCI DSS Requirement 3.4
Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
-One-way hashes based on strong cryptography (hash must be of the entire PAN)
-Truncation (hashing cannot be used to replace the truncated segment of PAN)
-Index tokens and pads (pads must be securely stored)
-Strong cryptography with associated key-management processes and procedures
1-If disk encryption is used, logical access must be managed separately and independently of the native operating system. Decryption keys must not be associated with user accounts
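Requirements 3.2 through 3.4 above say what may be kept after authorization and how a stored or displayed PAN must be rendered. The Python below is an added illustration, not part of the study notes: it strips sensitive authentication data from a constructed authorization record, masks a PAN for display to first six / last four, and renders it for storage by truncation or by a keyed hash of the entire PAN, keeping only one rendering per record; the record, the test PAN and the hash key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample values: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"
SAMPLE_AUTH_RECORD = {
    "pan": SAMPLE_PAN, "expiry": "1227", "name": "TEST CARDHOLDER",
    "service_code": "201", "cvc": "123", "pin_block": "ABCD1234",
    "track2": "4111111111111111=12272011234567890",
}
# Hypothetical placeholder key: a real hash key lives in an HSM/KMS (Req. 3.5/3.6), never in code.
HYPOTHETICAL_HASH_KEY = b"placeholder-key-only"
# Elements the notes list as storable after authorization (Req. 3.2).
STORABLE_FIELDS = {"pan", "expiry", "name", "service_code"}


def digits_of(pan: str) -> str:
    return "".join(ch for ch in pan if ch.isdigit())

def strip_sensitive_auth_data(record: dict) -> dict:
    """Req. 3.2: drop CVC, PIN block and full track data before anything is stored."""
    return {k: v for k, v in record.items() if k in STORABLE_FIELDS}

def mask_pan(pan: str) -> str:
    """Req. 3.3 display masking: at most the first six and last four digits are visible."""
    d = digits_of(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]

def truncate_pan(pan: str) -> str:
    """Req. 3.4 truncation: the middle digits are not stored at all."""
    d = digits_of(pan)
    return d[:6] + d[-4:]

def hash_pan(pan: str, key: bytes) -> str:
    """Req. 3.4 one-way hash of the ENTIRE PAN with strong keyed cryptography (HMAC-SHA-256)."""
    return hmac.new(key, digits_of(pan).encode(), hashlib.sha256).hexdigest()

def storage_record(record: dict, key: bytes, method: str = "truncate") -> dict:
    """Build the record to persist: SAD removed and the PAN rendered unreadable.
    Only one rendering is kept: a truncated and a hashed copy of the same PAN
    must not sit side by side, because the hash could then stand in for the
    truncated segment (the caveat under Req. 3.4 above)."""
    if method not in ("truncate", "hash"):
        raise ValueError("method must be 'truncate' or 'hash'")
    kept = strip_sensitive_auth_data(record)
    pan = kept.pop("pan")
    kept["pan_rendered"] = truncate_pan(pan) if method == "truncate" else hash_pan(pan, key)
    return kept
```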
PCI DSS Requirement 3.5
Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse:
1-Service providers must document the cryptographic architecture (best practice until Jan 1, 2018)
2-Restrict access to keys to the fewest number of custodians possible
3-Store keys securely: encrypt with a key that is stored separately, or within a cryptographic device, or as full-length key shares or components
4-Store keys in the fewest possible locations
PCI DSS Requirement 3.6
Fully document and implement all key management processes and procedures
1-Generate strong keys in accordance with Exhibit A
2-Secure key distribution, only to proper custodians and never in the clear
3-Securely store with a key-encrypting key
4-Change regularly according to best practice
5-Retire when necessary
6-For manual clear-text key management, use split knowledge and dual control
7-Prevent unauthorized substitution of keys
8-Require custodians to acknowledge that they understand the requirements
PCI DSS Requirement 3.7
Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
PCI DSS Requirement Four
Encrypt transmission of cardholder data across open, public networks
PCI DSS Requirement 4.1
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
-Use only trusted keys and certificates
-Use secure protocols
-Use appropriate encryption strength

Seller: magdamwikash23 (Western Governors University)