PCI STUDY MASTER SET QUESTIONS AND ANSWERS
PCI DSS - CORRECT ANSWER✅✅Payment Card Industry Data Security Standard
For consistent data security measures globally
12 requirements in six groups
PCI DSS is a minimum set of controls
It is a contractual agreement, not a standard
PCI-DSS only applies if PANs are stored, processed or transmitted
PCI Goal 1 - CORRECT ANSWER✅✅Build and Maintain a secure network
PCI Goal 2 - CORRECT ANSWER✅✅Protect Card Holder Data
PCI Goal 3 - CORRECT ANSWER✅✅Maintain a vulnerability program
PCI Goal 4 - CORRECT ANSWER✅✅Implement strong Access control measures
PCI Goal 5 - CORRECT ANSWER✅✅Regularly Monitor and Test networks
PCI Goal 6 - CORRECT ANSWER✅✅Maintain an Information Security Policy
Cardholder data - CORRECT ANSWER✅✅Primary Account Number (PAN)
Cardholder name
Expiration date
Service Code
Sensitive Authentication Data - CORRECT ANSWER✅✅Magnetic stripe data or equivalent on a chip
CAV2/CVC2/CVV2/CID
PINs / PIN Blocks
PA-DSS - CORRECT ANSWER✅✅Payment Application Data Security Standard
PA-DSS applies to software sold "off the shelf" by 3rd parties
PA-DSS does not apply to applications developed by merchants and service providers for use in-house.
(this is covered by PCI-DSS)
Scope - CORRECT ANSWER✅✅Is a primary requirement
Cardholder data flows help set scope
Business practices and processes need careful consideration and may need re-engineering.
Network Segmentation is - CORRECT ANSWER✅✅Recommended to reduce scope and risk
When can Wireless be used? - CORRECT ANSWER✅✅Use only for non-sensitive data
Carefully consider the Risk
MUST be tested
Service Providers - CORRECT ANSWER✅✅Need their own PCI-DSS compliance or will have their services
reviewed as part of their customers' audits.
The Report on Compliance (ROC) documents the role of each service provider.
Sampling - CORRECT ANSWER✅✅Sampling of Business Facilities / System components is allowed,
however all applicable PCI DSS requirements must be considered.
Compensating Controls - CORRECT ANSWER✅✅A Compensating Controls Worksheet must be
completed for each compensating control and documented in the ROC.
Compliance Completion Steps - CORRECT ANSWER✅✅1. Complete the ROC
2. Provide evidence of passing scans from ASV
3. Complete the "Attestation of Compliance"
4. Submit all to the Acquirer, or Payment Brand
PCI SSC - CORRECT ANSWER✅✅Payment Card Industry Security Standards Council
ASV - CORRECT ANSWER✅✅Approved Scanning Vendors
QSA - CORRECT ANSWER✅✅Qualified Security Assessor
PCI PA-DSS - CORRECT ANSWER✅✅Payment Card Industry Payment Application Data Security Standard
PCI PED - CORRECT ANSWER✅✅Payment Card Industry PIN Entry Devices
Merchant levels - CORRECT ANSWER✅✅Defined by payment brands.
Levels 1 to 4
Level 1 is the largest merchants, or merchants who have been compromised (6 million+ transactions/year).
Non-compliance consequences - CORRECT ANSWER✅✅Fines according to Level and elapsed time
determined by payment brands
Breach Consequences - CORRECT ANSWER✅✅Fine per cardholder data compromised / Loss of
reputation / customer trust / suspension of service by credit card account provider
Firewall and router rule sets must be reviewed at least every - CORRECT ANSWER✅✅6 Months
It is required to install all critical new security patches within - CORRECT ANSWER✅✅1 Month
Public facing web applications are to be reviewed - CORRECT ANSWER✅✅at least annually