Verified Questions with Complete Solutions
Methods identified as being used to gain access to environments and remove stolen data from them: - ANSWER-- Use of stolen credentials to access the POS environment
- Outdated patches or poor system patching processes
- The use of default or static vendor credentials / brute force
- POS skimming malware being installed on POS controllers
- POI physical skimming devices
95% of breaches feature - ANSWER-The use of stolen credentials leveraging vendor remote access to hack into customers' POS environments.
Skimming - ANSWER-Copying payment card numbers either by tampering with:
- POS devices
- ATMs
- Kiosks
or by copying the card's magnetic stripe manually using handheld skimmers.
Phishing - ANSWER-Reconnaissance
- Information gathering from various online sources and social networking sites
- Business applications and software
Social Engineering
- Phishing emails or messages appearing to come from a target's social network
- Phone call from an entity the target assumes is known
Break-In
- Delivery through email
- Software vulnerabilities
Common methods for monetizing stolen card data: - ANSWER-- Skimmed full track data and transaction information used to replicate a physical payment card, which can then be used for fraudulent transactions in face-to-face environments, or ATM transactions
- Captured cardholder data is used where card-not-present transactions are accepted, such as e-commerce or mail-order / telephone-order (MO/TO) transactions
- Stolen cardholder data and sensitive authentication data are sold in bulk to other criminals who perform their own fraud using the stolen data
Commonly targeted industries - ANSWER-- Retail - 45% of breaches
- Food and Beverage - 24% of breaches
- Hospitality - 9% of breaches
- Financial Services - 7% of breaches
- Nonprofit - 3% of breaches
PCI SSC founding payment brands include: - ANSWER-- American Express
- Discover Financial Services
- JCB International
- MasterCard
- Visa, Inc.
PCI DSS: - ANSWER-Covers security of the environments that store, process, or transmit account data
- Environments receive account data from payment applications and other sources (e.g., acquirers)
PCI PA-DSS - ANSWER-Covers secure payment applications to support PCI DSS compliance
- Payment application receives account data from PIN-entry devices (PEDs) or other devices and begins the payment transaction
PCI P2PE - ANSWER-Covers encryption, decryption, and key management requirements for point-to-point encryption solutions
PCI PTS - POI - ANSWER-Covers the protection of sensitive data at point-of-interaction devices and their secure components, including cardholder PINs and account data, and the cryptographic keys used in connection with the protection of that cardholder data
PCI PTS - PIN Security - ANSWER-Covers secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing
PCI PTS - HSM - ANSWER-Covers physical, logical and device security requirements for securing Hardware Security Modules (HSMs)
PCI Card Production - ANSWER-Covers physical and logical security requirements for the systems and business processes involved in producing payment cards
PA-DSS applies to third-party payment applications if? - ANSWER-The application performs authorization and/or settlement (POS, shopping carts, etc.)
PA-DSS ensures a payment application can function in a PCI DSS compliant manner - ANSWER-- To support the PCI DSS compliance of those that use the application
- Use of a PA-DSS application alone does not guarantee PCI DSS compliance
Are PA-DSS applications in scope for PCI DSS? - ANSWER-Yes
A PA-DSS assessor must validate that the payment application is installed: - ANSWER-- Per the instructions in the PA-DSS Implementation Guide provided by the payment application vendor
- In a PCI DSS compliant manner
A PCI P2PE solution must include all of the following: - ANSWER-- Secure encryption of payment card data at the point of interaction (POI)
- Validated application(s) at the point of interaction
- Secure management of encryption and decryption devices
- Management of the decryption environment and all decrypted account data
- Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage
Merchants may be able to reduce their PCI DSS scope when using Council-listed P2PE solutions - ANSWER-- Merchant has no access to account data within the encryption device (POI) or the decryption environment (at the Solution Provider)
- Merchant has no involvement in encryption or decryption operations, or cryptographic key management
- All cryptographic operations are managed by the third-party Solution Provider
PTS requirements apply to: - ANSWER-Point of Interaction (POI) devices; Encrypting PIN Pads (EPPs); Point of Sale (POS) devices; Hardware (or host) Security Modules (HSMs); Unattended Payment Terminals (UPTs); and non-PIN-entry modules
The PTS program ensures - ANSWER-Terminals cannot be manipulated or attacked to allow the capture of sensitive authentication data, nor allow access to clear-text PINs or keys
The Secure Reading and Exchange of Data (SRED) module - ANSWER-Allows terminals to be approved for the secure encryption of cardholder data as part of the Point-to-Point Encryption program
PTS has been extended to allow - ANSWER-Non-PIN-entry modules to be evaluated against the SRED module, allowing secure encryption at the point of interaction for cards that are not chip-and-PIN
PCI PIN Security Requirements - ANSWER-These requirements provide for secure PIN:
- management
- processing
- transmission
Protection of personal identification number (PIN) data during online and offline payment card transaction processing at:
- ATMs
- attended point-of-sale (POS) terminals
- unattended point-of-sale (POS) terminals
The requirements also provide guidance on key management and key handling associated with the PIN
PCI PTS - POI and PCI DSS - ANSWER-- PCI DSS requires that account data be protected both when stored and when transmitted across open, public networks
- PCI PTS POI validates how POIs protect PIN and account data and manage cryptographic keys
- PCI PTS POI-approved devices may form part of a PCI DSS-compliant environment
PCI PTS - PIN Security Standard and PCI DSS - ANSWER-- PCI DSS prohibits storage of PIN blocks after authorization, even when they are encrypted
- No overlap between the two standards
PCI Card Production and PCI DSS - ANSWER-- No overlap
- Procedures for assessing card production facilities are defined and managed by the payment brands, not by PCI SSC
PCI PTS - HSM and PCI DSS - ANSWER-- PCI DSS requires that stored cardholder data be protected and cryptographic keys be managed in a secure manner
- Use of a Hardware Security Module is not required by PCI DSS, but may help with handling and managing the keys used to protect stored cardholder data
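The storage rules above (stored account data must be rendered unreadable; sensitive authentication data such as full track data and PIN blocks must not be retained after authorization) are usually checked in practice by scanning logs, databases and file shares for card data. The following scanner is an added example written for this page, not material from PCI SSC or from any product; it runs over a constructed set of POS log lines, flags full Track 1 / Track 2 data and clear-text PANs, and uses the Luhn check so that order numbers and other digit runs are not reported. The log format, field names and the track, PIN-block and KSN values are all invented for the example; the PANs are the well-known test numbers 4111111111111111 and 5555555555554444.

```python
import re
from dataclasses import dataclass

# Constructed sample of POS application log lines. The PANs are well-known
# test numbers (4111111111111111, 5555555555554444), not real cardholder data,
# and the track, PIN-block and KSN values are made up for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z auth ok pan=411111******1111 amt=12.50
2024-05-01T10:00:05Z debug raw=;4111111111111111=25121010000012345678? swipe=ok
2024-05-01T10:00:07Z debug track1=%B4111111111111111^DOE/JOHN^25121011234567890?
2024-05-01T10:00:09Z order id=1234567812345678 status=shipped
2024-05-01T10:00:11Z refund pan=5555555555554444 amt=5.00
2024-05-01T10:00:13Z pinblock=1A2B3C4D5E6F7081 ksn=FFFF9876543210E00001
"""

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})(\d*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Bare PAN candidate: 13 to 19 digits not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the traditional PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str
    note: str


TRACK_RULES = (
    ("track1", TRACK1, "full track 1 stored: sensitive authentication data, "
                       "must never be retained after authorization"),
    ("track2", TRACK2, "full track 2 stored: sensitive authentication data, "
                       "must never be retained after authorization"),
)


def scan(text: str) -> list[Finding]:
    """Report track data and clear-text PANs found in text, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        rest = line
        for kind, rx, note in TRACK_RULES:
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append(Finding(line_no, kind, mask_pan(m.group(1)), note))
            # Blank out the track span so its PAN and discretionary data are
            # not reported a second time as bare PAN candidates.
            rest = rx.sub(lambda m: " " * len(m.group(0)), rest)
        for m in PAN_CANDIDATE.finditer(rest):
            if luhn_ok(m.group(1)):   # drops order numbers and other digit runs
                findings.append(Finding(line_no, "pan", mask_pan(m.group(1)),
                                        "PAN in clear: must be rendered unreadable "
                                        "wherever it is stored"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind:6} {f.masked_pan}  {f.note}")
```

On the sample it reports the Track 2 data on line 2, the Track 1 data on line 3 and the clear PAN on line 5, while the masked PAN on line 1 and the Luhn-invalid order number on line 4 are ignored. Line 6 shows a limitation to keep in mind: an encrypted PIN block and its key serial number look like arbitrary hex, so the prohibition on storing PIN blocks cannot be verified by pattern matching alone and has to be checked through application design review and interviews. The scanner itself only ever prints masked PANs, so its output does not become a new store of cardholder data.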
Payment Industry Terminology - ANSWER-Cardholder
- Customer purchasing goods either as a "Card Present" or "Card Not Present" transaction
- Receives the payment card and bills from the issuer
Issuer
- Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard & Visa)