Which of the following merchant levels requires an annual onsite audit and quarterly network scans?

PCI DSS defines 6 objectives for securing credit card data, which are covered by the 12 technical requirements shown below.

Build and Maintain a Secure Network and Systems
  • 1. Install and maintain a firewall configuration to protect cardholder data.
  • 2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
  • 3. Protect stored cardholder data.
  • 4. Encrypt transmissions of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
  • 5. Protect all systems against malware and regularly update anti-virus software or programs.
  • 6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
  • 7. Restrict access to cardholder data by business need to know.
  • 8. Identify and authenticate access to system components.
  • 9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
  • 10. Track and monitor all access to network resources and cardholder data.
  • 11. Regularly test security systems and processes.

Maintain an Information Security Policy
  • 12. Maintain a policy that addresses information security for all personnel.

To achieve compliance, PCI DSS requires at least quarterly external and internal vulnerability scans and yearly external and internal penetration tests. Depending on the type of solution (e.g. one with no internal CDE infrastructure), some of these tests might not be applicable.

Depending on the number of payment card transactions, merchants are also required either to undergo yearly on-site QSA audits (more than 1 million transactions per year) or to complete self-assessment questionnaires (SAQ). Details are given below.

Level 1
  Criteria:
  • Any merchant having more than six million transactions annually
  • Any merchant that has suffered a hack or an attack that resulted in an Account Data Compromise
  Requirements:
  • Annual Onsite Assessment conducted by a QSA
  • Quarterly External Network Scan conducted by an ASV

Level 2
  Criteria:
  • Any merchant with more than one million but less than or equal to six million transactions annually
  Requirements:
  • Annual Self-Assessment (SAQ) conducted by an accredited ISA internal auditor, or an Annual Onsite Assessment conducted by a QSA
  • Quarterly External Network Scan conducted by an ASV

Level 3
  Criteria:
  • Any merchant with more than 20,000 but less than or equal to one million e-commerce transactions annually
  Requirements:
  • Annual Self-Assessment (SAQ)
  • Quarterly External Network Scan conducted by an ASV

Level 4
  Criteria:
  • All other merchants
  Requirements:
  • Annual Self-Assessment (SAQ)
  • Quarterly External Network Scan conducted by an ASV

Scope

Systems that store, process or transmit cardholder data are part of the CDE (cardholder data environment) and are therefore in scope. However, PCI DSS scope is not limited to the CDE. Systems with a connection to the CDE must also be included in scope, to ensure that appropriate security controls are in place to prevent an attacker from using the connected system to gain access to the CDE, and thus to cardholder data.
Other types of systems also need to be included in the scope, such as: systems providing security services to the CDE, systems that provide or facilitate segmentation between the CDE and any out-of-scope networks, and, generally, any other system that has the ability to directly impact the security of the CDE or of cardholder data.
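The scoping rules above can be applied mechanically to a system inventory. The following is an added example (not code from the original page or from any PCI DSS tooling) that tags each system in a constructed inventory with the reason it falls into scope: it handles cardholder data, it provides segmentation, it provides security services to the CDE, or it has a direct network connection to a CDE system. Connectivity is treated as bidirectional and only direct links count, which is a deliberate simplification; the system names and the boolean attributes are assumptions made for the example.

```python
"""Illustrative PCI DSS scoping helper (added example, not the page's own code)."""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    handles_chd: bool = False                # stores, processes or transmits cardholder data
    security_service_for_cde: bool = False   # e.g. AV, patching or log server used by the CDE
    segmentation_device: bool = False        # firewall/switch enforcing CDE isolation
    connects_to: set = field(default_factory=set)  # peers it can reach on the network


def determine_scope(systems: dict) -> dict:
    """Return {system name: reason} for every in-scope system.

    Order of precedence: CDE membership, then segmentation, then security
    services, then direct connectivity to a CDE system.  Only one-hop
    ("connected-to") links are considered; transitive paths are ignored,
    which is a simplification of real-world scoping.
    """
    cde = {n for n, s in systems.items() if s.handles_chd}
    scope = {n: "CDE: stores, processes or transmits cardholder data" for n in cde}

    # Build a symmetric adjacency map so a link declared on either side counts.
    adj = {n: set() for n in systems}
    for n, s in systems.items():
        for peer in s.connects_to:
            adj[n].add(peer)
            adj.setdefault(peer, set()).add(n)

    for n, s in systems.items():
        if n in scope:
            continue
        if s.segmentation_device:
            scope[n] = "provides segmentation between the CDE and out-of-scope networks"
        elif s.security_service_for_cde:
            scope[n] = "provides security services to the CDE"
        elif adj[n] & cde:
            scope[n] = "connected to CDE system(s): " + ", ".join(sorted(adj[n] & cde))
    return scope


def out_of_scope(systems: dict) -> list:
    """Names of systems that none of the rules above pulled into scope."""
    scope = determine_scope(systems)
    return sorted(n for n in systems if n not in scope)


# Constructed sample inventory (not a real environment).
INVENTORY = {
    "pos-terminal": System("pos-terminal", handles_chd=True,
                           connects_to={"payment-gw", "core-switch"}),
    "payment-gw": System("payment-gw", handles_chd=True, connects_to={"edge-fw"}),
    "edge-fw": System("edge-fw", segmentation_device=True),
    "av-server": System("av-server", security_service_for_cde=True,
                        connects_to={"pos-terminal"}),
    "core-switch": System("core-switch"),                       # in scope: connected to the CDE
    "hr-wiki": System("hr-wiki", connects_to={"core-switch"}),  # two hops away: out of scope here
}

if __name__ == "__main__":
    for name, reason in sorted(determine_scope(INVENTORY).items()):
        print(f"{name:14s} IN SCOPE  - {reason}")
    for name in out_of_scope(INVENTORY):
        print(f"{name:14s} out of scope")
```

Note that hr-wiki stays out of scope only because this example stops at one hop; in a real assessment the assessor would verify that core-switch actually enforces segmentation before accepting that result.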

Vulnerability scans (ASV)

Vulnerability scans identify known vulnerabilities and security misconfigurations at the system and service level. External vulnerability scans must be performed by an accredited ASV (Approved Scanning Vendor).
Scan results are presented according to the ASV Program Guide requirements. The following PCI severity levels are used to categorize the vulnerabilities and to determine compliance status:

CVSS Score 7.0 through 10.0
  • Severity Level: High
  • Scan Result: Fail
  • Guidance: To achieve a passing scan, these vulnerabilities must be corrected and the affected systems must be re-scanned after the corrections (with a report that shows a passing scan). Organizations should take a risk-based approach to correcting these types of vulnerabilities, starting with the most critical (rated 10.0), then those rated 9, followed by those rated 8, 7, etc., until all vulnerabilities rated 4.0 through 10.0 are corrected.

CVSS Score 4.0 through 6.9
  • Severity Level: Medium
  • Scan Result: Fail
  • Guidance: As for High; the guidance above applies to all vulnerabilities rated 4.0 through 10.0.

CVSS Score 0.0 through 3.9
  • Severity Level: Low
  • Scan Result: Pass
  • Guidance: While passing scan results can be achieved with vulnerabilities rated 0.0 through 3.9, organizations are encouraged, but not required, to correct these vulnerabilities.
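The severity mapping and the re-scan guidance above translate directly into a small evaluator. The following is an added example (not the page's code nor any ASV's reporting logic) that classifies constructed scan findings into the PCI severity levels, decides whether a scan passes, orders failing findings for remediation from highest CVSS down, and compares an initial scan with a re-scan to show what was fixed and what still blocks a passing result. The host names and finding titles are constructed placeholders.

```python
"""Illustrative ASV scan-result evaluator (added example, not the page's own code)."""
from dataclasses import dataclass

PCI_FAIL_THRESHOLD = 4.0  # findings at or above this CVSS score fail the scan


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float  # CVSS base score, 0.0 to 10.0


def pci_severity(cvss: float) -> str:
    """Map a CVSS base score to the PCI ASV severity level."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if cvss >= 7.0:
        return "High"
    if cvss >= PCI_FAIL_THRESHOLD:
        return "Medium"
    return "Low"


def scan_passes(findings) -> bool:
    """A scan passes only when no finding is rated 4.0 or higher."""
    return all(f.cvss < PCI_FAIL_THRESHOLD for f in findings)


def remediation_order(findings) -> list:
    """Failing findings in the order the guidance suggests: highest CVSS first."""
    failing = [f for f in findings if f.cvss >= PCI_FAIL_THRESHOLD]
    return sorted(failing, key=lambda f: (-f.cvss, f.host, f.title))


def rescan_report(initial, rescan) -> dict:
    """Compare an initial scan with the re-scan performed after corrections.

    'fixed' lists findings that disappeared; 'remaining' lists the findings
    that still keep the re-scan from passing.
    """
    fixed = sorted(set(initial) - set(rescan), key=lambda f: -f.cvss)
    return {
        "passes": scan_passes(rescan),
        "fixed": fixed,
        "remaining": remediation_order(rescan),
    }


# Constructed sample scan output (not real scan data).
INITIAL_SCAN = [
    Finding("shop.example.test", "TLS 1.0 enabled", 5.3),
    Finding("shop.example.test", "Outdated web framework (remote code execution)", 9.8),
    Finding("api.example.test", "Missing security headers", 2.6),
    Finding("api.example.test", "Weak cipher suites offered", 4.3),
]
RESCAN = [
    Finding("api.example.test", "Missing security headers", 2.6),
    Finding("api.example.test", "Weak cipher suites offered", 4.3),
]

if __name__ == "__main__":
    print("Initial scan passes:", scan_passes(INITIAL_SCAN))
    for f in remediation_order(INITIAL_SCAN):
        print(f"  fix {pci_severity(f.cvss):6s} {f.cvss:4.1f} {f.host}: {f.title}")
    report = rescan_report(INITIAL_SCAN, RESCAN)
    print("Re-scan passes:", report["passes"])
    print("Still failing:", [f.title for f in report["remaining"]])
```

The re-scan in the sample still fails because a Medium (4.3) finding remains, which is the point the guidance makes: Medium findings are not optional, only Low ones are.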

During the reconnaissance phase, public services and likely operating systems are identified. As a general rule, all unnecessary services should be disabled, and only necessary public services should be allowed through a firewall or other filtering device and visible from the internet.
Vulnerability details give a detailed explanation of each vulnerability found and the proposed measures for mitigating its risk. Where applicable, evidence of the vulnerability is provided as well.

Penetration tests

A penetration test differs from a vulnerability scan, as a penetration test is an active process that includes exploiting identified vulnerabilities. The intent of a penetration test is to simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment. This is a highly manual process and requires significantly more time.
According to PCI DSS requirements, the following activities are performed:

  • Testing external and internal network infrastructure
  • Testing the adequacy of segmentation and other mechanisms used to reduce the scope
  • Testing active network equipment and operating systems
  • Paying special attention to known attacks and exploits from the last 12 months

The following systems and services are part of the testing:

  • Host Discovery
  • Service Discovery
  • OS and Service Fingerprinting
  • Firewalls and Routers
  • Operating Systems
  • Remote Access
  • Database Servers
  • Web Servers
  • Application Server
  • Common Web Scripts
  • Built-in Accounts
  • DNS Servers
  • Mail Servers
  • Web Applications
  • Other Applications
  • Common Services
  • Wireless Access Points
  • Backdoors
  • SSL/TLS
  • Point-of-sale (POS) Software

The assessment can use sampling, provided that all representative network segments and equipment of the CDE infrastructure are included in the scope.

Gap analysis / QSA audit

Gap analysis is used to identify deviations from the PCI DSS requirements. The assessors help the organization identify all areas of non-compliance and offer recommendations to help it meet the requirements. The gap analysis also determines the scope of the infrastructure that is subject to the PCI DSS requirements.
The audit is carried out by accredited QSA professionals (Qualified Security Assessors). An assessor determines whether the organization has met the 12 PCI DSS requirements, either directly or through a compensating control that provides a level of security similar to the requirement. It includes a thorough review of the infrastructure that is subject to the PCI DSS requirements and concludes with a Report on Compliance (ROC). An example of an audit plan is given below.

Security policy and procedures to protect IT infrastructure:

  • information security policy, risk analysis, incidents – Requirement 11, 12

Information system review and management:

  • Inventory of information systems and components – Requirement 8
  • default passwords and other vendor defaults – Requirement 2
  • secure configuration best practices
  • protect cardholder data (PAN, SAD) – Requirement 3

Information system review and management:

  • protect cardholder data during the transfer on public networks – Requirement 4
  • strong encryption protocols and algorithms – Requirement 4
  • secure implementation of wireless networks – Requirement 4
  • secure remote administration – Requirement 4

Information system review and management:

  • firewall (traffic between internal and public segment and other zones of CDE environment) – Requirement 1
  • access control and restrictions – Requirement 7

Protection of IT infrastructure:

  • antivirus protection, intrusion detection, and prevention (IPS, IDS) – Requirement 5
  • regularly update protection systems (vulnerability management) – Requirement 5
  • audit logs – Requirement 10

Develop and maintain secure systems and applications:

  • secure development (managing bugs in source code) – Requirement 6
  • Restrict access to cardholder data – Requirement 7

Identification and authentication:

  • giving access to information resources – Requirement 8

Physical access control:

  • access to premises and information infrastructure – Requirement 9
  • security screening of personnel – Requirement 12

Which of the following merchant levels must scan the networks at least quarterly to be in compliance with PCI DSS?

All merchants, no matter the size, must scan at least quarterly.

Which of the following applies to an online merchant that experiences a security breach and that is found not to be in compliance with PCI DSS?

If a merchant experiences a security breach and is found to be non-compliant with PCI rules, they may be subject to fines. These fines are not assessed by the PCI DSS. The payment card brands penalize the merchant's bank. The bank then passes that cost along by assessing a fine on the non-compliant merchant.

Which of the following merchant level categories includes any merchant, regardless of acceptance channel, processing one million to six million Visa transactions per year?

A level 2 merchant is one, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year.

What is the first step when performing a web site security assessment?

1. Determine potential threat actors. The first step when conducting an application security assessment is to determine who is most likely to pose a threat to your application. This could be anonymous online users, customers, or even employees.