PCI SSC Certification Assessor_New_V4 Updated Exam

According to the PCI DSS v3.2.1 Quick Reference Guide1, visitors are escorted at all times within areas where cardholder data is processed or maintained, visitor badges are identical to badges used by onsite personnel, visitor log includes visitor name, address, and contact phone number, visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit. These are some examples of procedures that must be included in an organization’s procedures for managing visitors who access in-scope systems where cardholder data is processed or maintained.

PCI DSS Requirement 12.10.1 requires entities to implement an incident response plan that includes roles, responsibilities, and communication and contact strategies for a data security incident, including notification of relevant payment brands1. This is important because each payment card brand has its own policies and procedures for dealing with a security breach, and failing to follow them or meet reporting deadlines could result in fines or loss of authority to process payment card transactions2. Therefore, an incident response plan must include procedures for notifying PCI SSC of the security incident, as well as any other entities that may require notification, whether by contract or law1. References:

• Guidance for PCI DSS Scoping and Network Segmentation
• Responding to a Cardholder Data Breach

According to the PCI DSS v3.2.1 Quick Reference Guide1, active network connections are tracked so that invalid response traffic can be identified. This is one of the requirements for preventing replay attacks and ensuring secure communication.