PCI DSS defines 6 objectives for securing credit card data, which are covered by 12 technical requirements shown below.
To achieve compliance, PCI DSS requires at least quarterly external and internal vulnerability scans and yearly external and internal penetration tests. Depending on the type of solution (e.g. no internal CDE infrastructure), some tests might not be applicable. Depending on the number of payment card transactions, it is also required to perform yearly on-site QSA audits (more than 1 million transactions per year) or to fill in self-assessment questionnaires (SAQ). Details are given below.
Scope
Systems that store, process or transmit cardholder data are part of the CDE, or cardholder data environment, and are therefore in scope. However, PCI DSS scope is not limited to just the CDE. Systems with a connection to the CDE must also be included in scope to ensure that appropriate security controls are in place to prevent an attacker using the connected system to gain access to the CDE, and thus to cardholder data.
Vulnerability scans (ASV)
Vulnerability scans identify known vulnerabilities and issues in security configuration at the system and service level. External vulnerability scans must be performed by an accredited ASV company (Approved Scanning Vendor).
During the reconnaissance phase, public services and likely operating systems are identified. As a general rule, all unnecessary services should be disabled, and only necessary public services should be allowed through a firewall or other filtering device and visible from the internet.
Penetration tests
A penetration test differs from a vulnerability scan, as a penetration test is an active process that includes exploiting identified vulnerabilities. The intent of a penetration test is to simulate a real-world attack situation with the goal of identifying how far an attacker would be able to penetrate into an environment. This is a highly manual process and requires significantly more time.
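The rule above, that only necessary public services should be visible from the internet, is easiest to enforce when the result of the reconnaissance scan is compared mechanically against the list of exposures the firewall is supposed to permit. The following script is an added example, not code from the original page or from any PCI DSS vendor: it parses constructed scan lines laid out like nmap's greppable (-oG) output, keeps the ports reported as open, and compares them with a constructed allowlist. Hosts, ports and the allowlist are all made up (TEST-NET-3 documentation addresses); the structure is what matters. Unexpected exposures are what would fail an ASV scan or widen the CDE scope, so they are reported first; approved entries that were not observed are reported as well, since they usually mean a stale allowlist or an outage.

```python
"""Compare externally visible services against an approved-exposure baseline.

Added example (not from the original page). The scan output and the
allowlist below are constructed samples; the addresses come from the
TEST-NET-3 documentation range and do not refer to real systems.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Exposure:
    host: str
    port: int
    proto: str    # "tcp" or "udp"
    service: str  # service name as reported by the scanner


# Constructed sample lines modelled on nmap greppable (-oG) output.
SCAN_OUTPUT = """\
# Nmap scan (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 3306/open/tcp//mysql///
Host: 203.0.113.12 ()\tPorts: 123/open/udp//ntp///
"""

# Constructed allowlist: (host, port, proto) the firewall is supposed to permit.
APPROVED_EXPOSURE = {
    ("203.0.113.10", 443, "tcp"),
    ("203.0.113.11", 443, "tcp"),
    ("203.0.113.12", 123, "udp"),
    ("203.0.113.13", 443, "tcp"),   # approved but not seen by the scan
}

# "Host: <ip> (<name>)\tPorts: <entries>" ; entries are "port/state/proto/owner/service/rpc/version/"
PORTS_RE = re.compile(r"^Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)")


def parse_open_ports(text):
    """Return the set of Exposure records for every port reported 'open'."""
    found = set()
    for line in text.splitlines():
        m = PORTS_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no ports
        host, ports = m.group(1), m.group(2)
        for entry in ports.split(", "):
            fields = entry.split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue  # filtered/closed ports are not exposures
            found.add(Exposure(host, int(fields[0]), fields[2], fields[4]))
    return found


def compare_exposure(observed, approved):
    """Return (unexpected, missing).

    unexpected: open services not in the approved set, i.e. a firewall rule
                or host configuration to fix before the ASV scan.
    missing:    approved entries not observed, i.e. a stale allowlist or an
                outage that should be explained.
    """
    observed_keys = {(e.host, e.port, e.proto): e for e in observed}
    unexpected = sorted(e for k, e in observed_keys.items() if k not in approved)
    missing = sorted(k for k in approved if k not in observed_keys)
    return unexpected, missing


def report(text=SCAN_OUTPUT, approved=APPROVED_EXPOSURE):
    """Human-readable findings, unexpected exposures first."""
    unexpected, missing = compare_exposure(parse_open_ports(text), approved)
    lines = [f"UNEXPECTED {e.host}:{e.port}/{e.proto} ({e.service})" for e in unexpected]
    lines += [f"MISSING    {h}:{p}/{pr}" for h, p, pr in missing]
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "exposure matches baseline")
```

Run against the constructed sample, the script flags SSH on 203.0.113.10 and MySQL on 203.0.113.11 as unexpected and the never-observed 203.0.113.13:443 as missing. Keeping the allowlist under version control alongside the firewall rules gives the quarterly review a concrete diff to sign off on.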
The following systems and services are part of the testing:
The assessment can use a sampling approach, provided that all representative network segments and equipment of the CDE infrastructure are included in the scope.
Gap analysis / QSA audit
Gap analysis is used to identify deviations from the PCI DSS requirements. The assessors help the organization identify all areas of non-compliance and offer recommendations to help meet the requirements. The outcome of the gap analysis also determines the scope of the infrastructure that is subject to the PCI DSS requirements.
Security policy and procedures to protect IT infrastructure:
Information system review and management:
Protection of IT infrastructure:
Develop and maintain secure systems and applications:
Identification and authentication:
Physical access control:
Which of the following merchant levels must scan the networks at least quarterly to be in compliance with PCI DSS?
All merchants, no matter the size, must scan at least quarterly.
Which of the following applies to an online merchant that experiences a security breach and that is found not to be in compliance with PCI DSS?
If a merchant experiences a security breach and is found to be non-compliant with PCI rules, they may be subject to fines. These fines are not assessed by the PCI DSS. The payment card brands penalize the merchant's bank. The bank then passes that cost along by assessing a fine on the non-compliant merchant.
Which of the following merchant level categories includes any merchant regardless of acceptance channel processing one million to six million Visa transactions per year?
A level 2 merchant is one, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year.
What is the first step when performing a web site security assessment?
1. Determine potential threat actors. The first step when conducting an application security assessment is to determine who is most likely to pose a threat to your application. This could be anonymous online users, customers, or even employees.