PA-DSS Quiz January 2013

1. Secure coding includes securiing communications, cryptographic storage and checking for injection and buffer overflow flaws

True

False

The given statement is true because secure coding practices involve various measures to protect the integrity and confidentiality of communications. This includes using encryption and secure protocols to ensure that data is transmitted securely. Additionally, cryptographic storage techniques are employed to safeguard sensitive information such as passwords or credit card details. Furthermore, secure coding involves implementing input validation and sanitization techniques to prevent injection attacks and buffer overflow vulnerabilities, which can be exploited by malicious actors to gain unauthorized access or execute arbitrary code. Therefore, the statement accurately describes the key aspects of secure coding.

Explanation

The given statement is true because secure coding practices involve various measures to protect the integrity and confidentiality of communications. This includes using encryption and secure protocols to ensure that data is transmitted securely. Additionally, cryptographic storage techniques are employed to safeguard sensitive information such as passwords or credit card details. Furthermore, secure coding involves implementing input validation and sanitization techniques to prevent injection attacks and buffer overflow vulnerabilities, which can be exploited by malicious actors to gain unauthorized access or execute arbitrary code. Therefore, the statement accurately describes the key aspects of secure coding.

2. Payment applications logs can contain date, time, store location, register, amount and the full 16 digit PAN.

True

False

To reduce the risk of PAN's being recovered by fraudsters, the PAN in logs is truncated, typicallyt the first 6 and last 4 digits (i.e. ******7890123****)

Explanation

To reduce the risk of PAN's being recovered by fraudsters, the PAN in logs is truncated, typicallyt the first 6 and last 4 digits (i.e. ******7890123****)

3. When storing card holder data on disk, sensitive authorization data (SAD) can be stored on disk after authorization as long as it is encrypted.

True

False

Sensitive authentication data must not be stored after authorization (even if encrypted).

Explanation

Sensitive authentication data must not be stored after authorization (even if encrypted).

4. Secure delete refers to process rendering card data unrecoverable after it's been deleted. Typically, unlinking the file from the file system alone is considered unrecoverable

True

False

Secure Delete consists of multiple steps: 1. Overwriting contents with random numbers 2. Rewriting with zeros 3. Unlinking from file system

Explanation

Secure Delete consists of multiple steps: 1. Overwriting contents with random numbers 2. Rewriting with zeros 3. Unlinking from file system

5. The purpose of regular payment application encryption key rotation is to mitigate the risk of the key being guessed by a fraudster using a brute force attack. In the context of PCI, if a manual key change is performed, 2 or more key custodians are required to change a key. However if a key change is automated (i.e. through software), multiple key custodians are not required.

True

False

Regular payment application encryption key rotation is necessary to reduce the likelihood of a fraudster guessing the key through a brute force attack. In the context of PCI, manual key changes require the involvement of 2 or more key custodians to ensure security. However, if the key change process is automated through software, the involvement of multiple key custodians is not necessary. Therefore, the statement that regular payment application encryption key rotation helps mitigate the risk of key guessing and that multiple key custodians are not required for automated key changes is true.

Explanation

Regular payment application encryption key rotation is necessary to reduce the likelihood of a fraudster guessing the key through a brute force attack. In the context of PCI, manual key changes require the involvement of 2 or more key custodians to ensure security. However, if the key change process is automated through software, the involvement of multiple key custodians is not necessary. Therefore, the statement that regular payment application encryption key rotation helps mitigate the risk of key guessing and that multiple key custodians are not required for automated key changes is true.

Pa-dss Quiz January 2013