When a service is considered insecure but required, what should be done?


Multiple Choice

When a service is considered insecure but required, what should be done?

Explanation:

When a required service can’t meet security needs in its current form, you don’t leave it unprotected. The right approach is to apply compensating controls that reduce risk to an acceptable level. In this scenario, that means bolstering the insecure service with strong security measures for data in transit, such as adding encryption and secure channels. Using TLS to encrypt traffic, SSH for secure remote access, or IPSec to protect network communication helps ensure confidentiality, integrity, and authentication even though the service itself is inherently insecure. It’s important that these compensating controls are well-documented, tested, and maintained according to PCI DSS requirements.

Leaving the service unprotected or enabling it as-is would expose cardholder data, which PCI DSS prohibits. Replacing it with a protocol that has no security features also fails to meet the standard, since data would remain unprotected in transit.
