For POS POI terminals using SSL/early TLS and asserted not susceptible to known exploits, what documentation must exist?


Multiple Choice

For POS POI terminals using SSL/early TLS and asserted not susceptible to known exploits, what documentation must exist?

Explanation:
The key idea is that when a POS POI terminal (or the SSL/TLS termination point it connects to) is used with SSL or early TLS, any claim that the device is not vulnerable to known exploits must be supported by concrete documentation. If you assert that these devices aren't susceptible, you need credible evidence that backs that up: vendor security advisories or product documentation stating there are no known exploits for the specific firmware and hardware version, system or network configuration details showing which protocols and cipher suites the device actually negotiates, results from independent security testing or vulnerability scans, or a formal risk assessment showing that no applicable CVEs apply to the device. This is the documentation PCI DSS (Appendix A2 of v3.2 and v3.2.1) expects an assessor to examine in order to validate the claim and justify continued use of SSL/early TLS on those terminals. The exemption is narrow: it applies only to POS POI terminals verified against the known SSL/early TLS exploits, and if a new exploit later becomes applicable to the device, the exemption no longer holds.

Note that a Risk Mitigation and Migration Plan for phasing out SSL/early TLS is a separate requirement. It was originally tied to the 30 June 2016 deadline in PCI DSS 3.1, which PCI SSC later extended to 30 June 2018 for everything except POS POI terminals verified as not susceptible. The plan documents how and when you will retire the older protocols; it does not itself prove that a given terminal is not susceptible. A risk assessment can be part of the overall evidence, but explicit documentation showing that no known exploits apply to the device is the core support for the assertion, and that is what the question asks for.
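The "vulnerability scan" evidence mentioned above is, at its core, a record of which protocol versions the terminal or its termination point will actually negotiate. The probe below is an added example written for this page, not code from the exam site or from PCI SSC. It builds raw ClientHello records instead of using Python's ssl module because modern OpenSSL builds refuse to offer SSLv3 or TLS 1.0 at all, which would make a library-based probe silently inconclusive. The host and port, the cipher-suite list, and the two sample server records it classifies offline are constructed assumptions.

```python
"""Probe which SSL/TLS versions an endpoint will negotiate, at the record level.

Added example for the PCI DSS SSL/early TLS discussion; not PCI SSC or exam
site code. Sample records below are constructed, not captured from a device.
"""
import socket
import struct
import sys

# Protocol versions as they appear on the wire (major, minor).
VERSIONS = {
    "SSLv3": (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}
# PCI DSS Appendix A2 treats SSL and TLS 1.0 as "SSL/early TLS"; PCI SSC
# guidance recommends TLS 1.2 or higher, so TLS 1.1 is reported but not flagged.
LEGACY = {"SSLv3", "TLSv1.0"}

RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02


def build_client_hello(version, cipher_suites=(0x002F, 0x0035, 0x000A)):
    """Minimal ClientHello record that offers exactly one protocol version.

    No extensions are included, so the same layout is valid for SSLv3, which
    predates them. The suites are RSA/AES/3DES ones legacy terminals commonly
    support (assumption: adjust for the device under test).
    """
    major, minor = version
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        bytes([major, minor])
        + b"\x00" * 32                       # client random (fixed; probe only)
        + b"\x00"                            # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                        # compression methods: null only
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE, major, minor])
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_response(data):
    """Classify the first record a server returns for our ClientHello.

    Returns ("accepted", (major, minor)) for a ServerHello carrying the
    negotiated version, ("rejected", alert_description) for an Alert record
    (70 = protocol_version, 40 = handshake_failure), else ("unknown", None).
    """
    if len(data) < 5:
        return ("unknown", None)
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == RECORD_ALERT and len(payload) >= 2:
        return ("rejected", payload[1])
    if (content_type == RECORD_HANDSHAKE and len(payload) >= 6
            and payload[0] == HS_SERVER_HELLO):
        return ("accepted", (payload[4], payload[5]))
    return ("unknown", None)


def probe(host, port, version, timeout=5.0):
    """Send one ClientHello and classify the reply; a closed socket counts as rejected."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello(version))
            data = s.recv(4096)
    except OSError:
        return ("unknown", None)
    return ("rejected", None) if not data else parse_server_response(data)


def classify(results):
    """Map {name: parse_result} to the SSL/early TLS versions the endpoint accepted.

    An empty list is the evidence that belongs next to the vendor statement;
    a non-empty one means the device still negotiates legacy protocols.
    """
    return [name for name, (status, _) in results.items()
            if status == "accepted" and name in LEGACY]


# Constructed sample records for the offline run (not captured from a real device).
SAMPLE_TLS10_SERVER_HELLO = (
    b"\x16\x03\x01\x00\x2a"                  # record: handshake, TLS 1.0, len 42
    + b"\x02\x00\x00\x26"                    # ServerHello, body length 38
    + b"\x03\x01" + b"\x11" * 32             # version 3.1 + server random
    + b"\x00" + b"\x00\x2f" + b"\x00"        # no session id, AES128-SHA, null compression
)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x03\x00\x02\x02\x46"  # fatal, code 70


def offline_demo():
    """Simulated terminal that refuses SSLv3 but still accepts TLS 1.0."""
    results = {
        "SSLv3": parse_server_response(SAMPLE_PROTOCOL_VERSION_ALERT),
        "TLSv1.0": parse_server_response(SAMPLE_TLS10_SERVER_HELLO),
    }
    return classify(results)


if __name__ == "__main__":
    if len(sys.argv) == 3:                   # python probe.py <host> <port>
        host, port = sys.argv[1], int(sys.argv[2])
        live = {n: probe(host, port, v) for n, v in VERSIONS.items()}
        for name, result in live.items():
            print(f"{name:8s} {result}")
        print("legacy protocols accepted:", classify(live))
    else:
        print("offline demo, legacy protocols accepted:", offline_demo())
```

Run it as `python probe.py <host> <port>` against the terminal's termination point from a network position that can reach it, and keep the output with the rest of the evidence. Two caveats matter for the assessment: an "unknown" result is inconclusive (timeout, filtered port, odd response) and must not be recorded as proof that a protocol is disabled; and a clean result shows only which protocols are offered, not that the device is free of known exploits for those it does offer, so it supplements the vendor documentation rather than replacing it.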
