According to the PCI DSS v3.2.1 Quick Reference Guide 1 , any in-scope system except for those identified as not at risk from malware must have anti-malware solutions installed and configured according to best practices. This is one of the requirements for preventing malware infections that could compromise cardholder data.

when disk encryption is used to protect account data, access to the disk encryption must be managed independently of the operating system access control mechanisms, which means it should not be affected by changes in the operating system settings or permissions. This is one of the requirements for ensuring that disk encryption is secure and effective.

classifying media that contains cardholder data is intended to ensure that media is property protected according to the sensitivity of the data it contains, which means it should be marked with labels or tags that indicate its level of confidentiality or integrity. This is one of the requirements for ensuring that media containing cardholder data is properly labeled.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , a user password and a PIN-activated smart card is an example of multi-factor authentication. This is one of the requirements for preventing unauthorized access to cardholder data using digital certificates.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , private or secret keys must be encrypted, stored within an SCD or stored as key components. This is one of the requirements for ensuring secure encryption and authentication.

The key-encrypting key (KEK) is used to protect the data-encrypting key (DEK) from unauthorized access or disclosure. The KEK should have a strength that is equal to or greater than the DEK, to prevent a weaker link in the encryption chain. According to the PCI Card Production Logical Security Requirements, section 4.1.1, “The key-encrypting key (KEK) must be at least as strong as the data-encrypting key (DEK) it protects.” Furthermore, section 4.1.2 states, “The KEK must be generated using a secure random number generator (RNG) that meets the requirements of NIST SP 800-90A or equivalent.” AES 128 is a symmetric encryption algorithm that uses a 128-bit key and meets the NIST standards. Therefore, it would be an appropriate strength for the KEK used to protect an AES 128-bit DEK. The other options are either weaker or asymmetric encryption algorithms, which are not suitable for the KEK.  References :  PCI Card Production Logical Security Requirements , [NIST SP 800-90A]

  One of the best practices for hardening a firewall is to disable any firewall functions that are not needed in production, such as unused services, ports, protocols, or features. This reduces the attack surface and minimizes the potential for exploitation. According to the PCI Card Production Logical Security Requirements, section 3.2.1, “The firewall must be configured to deny all traffic by default and allow only traffic that is explicitly required for the card production environment.” Furthermore, section 3.2.2 states, “The firewall must be configured to block all unnecessary services, ports, protocols, and IP addresses.”  References :  PCI Card Production Logical Security Requirements ,  Card Production Security Assessor - Logical - Credly