1. Which organisation developed and maintains the PCI DSS standard?
A. VISA International
B. Payment Card Industry Security Standards Council (PCI SSC)
C. International Organization for Standardization (ISO)
D. National Institute of Standards and Technology (NIST)
✓ Correct Answer: B
2. What is the primary goal of PCI DSS?
A. To protect cardholder data and reduce credit card fraud
B. To increase transaction processing speed
C. To standardize payment terminal hardware
D. To regulate bank interest rates
✓ Correct Answer: A
3. PCI DSS version 4.0 was released in which year?
A. 2020
B. 2021
C. 2022
D. 2023
✓ Correct Answer: C
4. How many main requirements does PCI DSS v4.0 contain?
A. 10
B. 12
C. 15
D. 6
✓ Correct Answer: B
5. Which of the following entities are required to comply with PCI DSS?
A. Only banks and financial institutions
B. Any entity that stores, processes, or transmits cardholder data
C. Only merchants with over 1 million transactions per year
D. Only e-commerce businesses
✓ Correct Answer: B
6. What does 'CDE' stand for in PCI DSS?
A. Card Data Environment
B. Cardholder Data Environment
C. Credit Data Encryption
D. Centralized Data Exchange
✓ Correct Answer: B
7. Which of the following is NOT a payment card brand that mandates PCI DSS compliance?
A. Visa
B. Mastercard
C. PayPal
D. American Express
✓ Correct Answer: C
8. What is a 'merchant level' in PCI DSS compliance?
A. The security clearance level of a merchant's IT staff
B. A classification based on annual transaction volume
C. The physical security tier of payment terminals
D. The encryption strength used by a merchant
✓ Correct Answer: B
9. A Level 1 merchant under Visa's compliance program processes how many transactions annually?
A. More than 1 million
B. More than 6 million
C. More than 500,000
D. More than 10 million
✓ Correct Answer: B
10. What document must Level 1 merchants submit annually to demonstrate PCI DSS compliance?
A. Self-Assessment Questionnaire (SAQ)
B. Report on Compliance (ROC)
C. Attestation of Compliance (AOC)
D. Vulnerability Assessment Report (VAR)
✓ Correct Answer: B
Section 2: Cardholder Data
11. Which of the following is considered 'cardholder data' under PCI DSS?
A. Primary Account Number (PAN)
B. Cardholder name only
C. Expiration date only
D. All of the above
✓ Correct Answer: D
12. What does 'SAD' stand for in PCI DSS terminology?
A. Sensitive Authentication Data
B. Secure Account Details
C. Standard Authorization Data
D. System Access Denial
✓ Correct Answer: A
13. Which of the following is an example of Sensitive Authentication Data (SAD)?
A. Cardholder name
B. Expiration date
C. Full magnetic stripe data
D. Primary Account Number
✓ Correct Answer: C
14. After transaction authorization, which SAD element is PROHIBITED from being stored?
A. Cardholder name
B. PAN
C. CVV/CVC security codes
D. Expiration date
✓ Correct Answer: C
15. What is the maximum number of digits that may be displayed for a PAN in PCI DSS v4.0?
A. First 4 and last 4
B. First 6 and last 4
C. First 8 and last 4
D. Last 4 only
✓ Correct Answer: B
16. Which of the following best describes 'truncation' of cardholder data?
A. Encrypting the PAN with AES
B. Removing segments of data so it cannot be reconstructed
C. Hashing the PAN with SHA-256
D. Tokenizing the PAN in a vault
✓ Correct Answer: B
17. Tokenization in PCI DSS replaces a PAN with what?
A. An encrypted version of the PAN
B. A surrogate value with no exploitable meaning
C. A hashed version of the PAN
D. A randomly generated expiry date
✓ Correct Answer: B
18. Which of the following IS allowed to be stored after authorization under PCI DSS?
A. Full track data
B. CVV2 codes
C. PINs
D. Cardholder name
✓ Correct Answer: D
19. What is the purpose of data minimization in PCI DSS v4.0?
A. To reduce the cost of compliance audits
B. To limit the amount of cardholder data stored to only what is necessary
C. To minimize the number of payment terminals used
D. To reduce encryption key sizes
✓ Correct Answer: B
20. Which PCI DSS requirement specifically addresses the protection of stored cardholder data?
A. Requirement 1
B. Requirement 3