qsa

Question 1

developers attend secure coding class 6.5

Answer 1

1 year - anually

Question 2

characters for a password

Answer 2

7 characters

Question 3

lock out attempts 8.1

Answer 3

6 attempts then locked out for 30 min or administrator unlocks it.

Question 4

idle timeout 8.1

Answer 4

15 minutes

Question 5

Log Reviews, Security Events, Critical System Security Patches 10.1

Answer 5

Check Every Day

Question 6

Service Provider

Answer 6

Processing, Storage, or transmission of cardholder data on behalf on another entity. I managed firewall company or something along those line can be one too

Question 7

scoping

Answer 7

trust buy verify

Question 8

3 types of evidence when scoping

Answer 8

Documentation - Policy Procedures, Interviews, Observations

Question 9

pci dss 6 things

Answer 9

1. build and maintain secure network
2. protect cardholder data
3. maintain a vulnerability management program
4. implement strong access control measures.
5. regularly monitor and test network
6. maintain an infosec policy

Question 10

review firewall rules 1.1

Answer 10

every 6 months

Question 11

data retention policy

Answer 11

limit data storage to minimums which is required for legal, regulatory or biz requirements.

Question 12

install critical security patches 6.2

Answer 12

critical patches within 1 month other patches within an appropriate time frame

Question 13

custom code changes 6.3.2

Answer 13

reviewed by individuals other than the author according to secure coding guidelines

Question 14

vulnerability assesments of public facing websites 6.6

Answer 14

every year or if there is a change

Question 15

users terminated in the past 6 months 8.1

Answer 15

verify id’s have been deactivated or removed & physical auth methods removed.

Question 16

inactive accounts 8.1

Answer 16

disable within 90 days

Question 17

audit trail 10.7

Answer 17

3 months online and 1 year retention

Question 18

Vulnerability Scans 11.2

Answer 18

quarterly or if significant change

Question 19

penetration scans 11.3

Answer 19

annually or if there is significant change

Question 20

risk assessment 12.2

Answer 20

at least annually or significant change

Question 21

information security policy 12.2

Answer 21

reviewed annually or significant change

Question 22

camera data 9.11

Answer 22

3 months

Question 23

media inventories 9.7.1

Answer 23

anually

Question 24

SAQ A

Answer 24

intended for merchants that accept only card-not-present transactions (that is, e-commerce, mail order or telephone order), and that outsource all their cardholder data functions to PCI DSS compliant service providers. For e-commerce merchants, this means that all elements of the payment page (or payment pages) that are delivered to the consumer’s browser must originate only and directly from a PCI DSS validated third-party service provider. SAQ A is not applicable to face-to-face payment channels.

Question 25

SAQ A-EP

Answer 25

developed for e-commerce merchants with a website that does not itself receive cardholder data, but that directly affects the security of the payment transaction. To be eligible for this SAQ, each element of every payment page delivered to the consumer’s browser must originate from either the merchant’s website or from a PCI DSS validated service provider.

Question 26

SAQ B

Answer 26

merchants who process cardholder data using only imprint machines or using only dial-out terminals.

Question 27

SAQ B-IP

Answer 27

developed for merchants who process cardholder data only via standalone, PTS-approved point-of-interaction devices that have an IP connection to the payment processor. To be eligible for this SAQ, the payment terminal must be listed on the PCI SSC website as an approved device. Merchants using the Secure Card Reader (SCR) category of devices are not eligible for SAQ B-IP.

Question 28

SAQ C

Answer 28

merchants with dedicated payment application systems segmented from all other systems, and connected to the Internet for the purposes of transaction processing. SAQ C is not applicable to e-commerce payment channels

Question 29

SAQ C-VT

Answer 29

for merchants using only web-based virtual payment terminals, where cardholder data is manually entered into a secure website from a single system.

Question 30

SAQ-D

Answer 30

all other SAQ-eligible merchants that do not fall into any of the other SAQ categories, and for any service providers defined by a payment brand as eligible to complete the SAQ. Service providers only use this one if they do a SAQ

Question 31

SAQ-P2PE

Answer 31

merchants using a validated P2PE solution that is listed on the PCI SSC website.

Question 32

minimum password age

Answer 32

1 day

Question 33

change password

Answer 33

90 days

Question 34

track data

Answer 34

79 character limit track 1 - format code seperator PAN suffix sirname service code cvv cvc reserved for card issuers 40 track 2 PAN

Question 35

Typical Location of Track Data

Answer 35

Database files, Flat Files, Log files, debug files

Question 36

Systems that commonly store track data

Answer 36

POS systems. POS servers. Authorization Servers

Question 37

Typical location of card verification value or code

Answer 37

Paper, Databases, Log Files, Flat files, Debug files.

Question 38

Systems that commonly store card verification value or code data

Answer 38

Authorization servers. Web Servers. Kiosk

Question 39

maximum masked characters in PAN

Answer 39

first 6 last 4

Question 40

MOD-10 (The Luhn Formula)

Answer 40

Step 1: Double the value of alternate digits of the primary account number beginning with the second digit from the right. For any Resulting value >=10, subtract 9. Step 2: Add calculated values as well as the values skipped in Step 1 together. Step 3: The total obtained in Step 2 must be divisible by 10.