PCIP Study Questions with Complete and Certified Solutions
Q: How is skimming used to target PCI data?
A: Copying payment card numbers by tampering with POS devices, ATMs or kiosks, or copying the magnetic stripe using handheld skimmers.

Q: How is phishing used to target PCI data?
A: By doing reconnaissance work through social engineering and/or breaking in using software vulnerabilities or e-mails.

Q: How can payment data be monetized?
A: By skimming the card to get the full track data and then making another, like card. Using the card information in card-not-present transactions such as e-commerce or mail order/telephone order. Card data is also sold in bulk to other criminals who perform their own fraud using the stolen data.

Q: Who all are targeted?
A: Retail, food and beverage, hospitality, financial services, non-profit. EVERYONE!

Q: What is the PCI SSC?
A: The Payment Card Industry Security Service Council is an independent industry standards body providing oversight of the development and management of Payment Card Industry Data Security Standards on a global basis.

Q: What are some of the PCI SSC founding payment brands?
A: American Express, Discover Financial, JCB International, MasterCard, Visa Inc.

Q: What are the resources provided by the PCI SSC?
A: PCI DSS, PA-DSS, P2PE, PTS (POI, HSM and PIN), Card Production, and supporting documents. Rosters of QSAs, PA-QSAs, PCIPs, ASVs, validated payment applications, PTS devices, and P2PE solutions. PCI Security Standards Council FAQs. Education and outreach programs. Participating Organization membership, Community Meetings, feedback.

Q: What is the overview of PCI DSS?
A: Covers security of the environments that store, process or transmit account data. Environments receive account data from payment applications and other sources (e.g., acquirers).

Q: What is the overview of PCI PA-DSS?
A: Covers secure payment applications to support PCI DSS compliance. The payment application receives account data from PIN-entry devices (PEDs) or other devices and begins the payment transaction.

Q: What is the overview of PCI P2PE?
A: Covers encryption, decryption, and key management requirements for point-to-point encryption solutions.

Q: What is the overview of PCI PTS-POI?
A: Covers the protection of sensitive data at point of interaction devices and their secure components, including cardholder PINs and account data, and the cryptographic keys used in connection with the protection of that cardholder data.

Q: What is the overview of PCI PTS-PIN Security?
A: Covers secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing.

Q: What is the overview of PCI PTS-HSM?
A: Covers physical, logical and device security requirements for securing hardware security modules.

Q: What is the overview of PCI Card Production?
A: Covers physical and logical security requirements for systems and business processes.

Q: What PCI DSS compliance program does American Express develop and maintain?
A: Data Security Operating Policy (DSOP)

Q: What PCI DSS compliance program does Discover develop and maintain?
A: Discover Information Security Compliance (DISC)

Q: What PCI DSS compliance program does JCB develop and maintain?
A: Data Security Program

Q: What PCI DSS compliance program does MasterCard develop and maintain?
A: Site Data Protection

Q: What PCI DSS compliance program does Visa Inc. develop and maintain?
A: Cardholder Information Security Program (CISP) and Account Information Security (AIS) program

Q: What is all included in the payment brand compliance programs?
A: Tracking and enforcement. Penalties, fees, compliance deadlines. Validation process and who needs to validate. Approval and posting of compliant entities. Definition of merchant and service provider levels.

Q: What are payment brands responsible for?
A: Defining rules for forensic investigations and responding to account data compromises. Monitoring and facilitating investigations of account data compromise to completion.

Q: What is PA-DSS?
A: Payment Application Data Security Standard.

Q: What does PA-DSS apply to?
A: Third-party payment applications such as POS, shopping carts, etc.

Q: What does PA-DSS do?
A: Ensures a payment application can function in a PCI DSS compliant manner.

Q: If a merchant uses a PA-DSS application, does it mean they are PCI DSS compliant?
A: No.

Q: Are PA-DSS applications in scope for PCI DSS?
A: Yes.

Q: What is PCI P2PE?
A: Point-to-Point Encryption.

Q: What all must be included in a P2PE solution?
A: Secure encryption of payment card data at the point of interaction. P2PE-validated applications at the point of interaction. Secure management of encryption and decryption devices. Management of the decryption environment and all decrypted account data. Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage.

Q: What is the relationship between PA-DSS and PCI DSS?
A: PA-DSS must facilitate and not prevent PCI DSS compliance.

Q: What is the relationship between P2PE and PCI DSS?
A: Incorporates requirements from PTS, PCI DSS, PA-DSS and PCI PIN to protect account data from the point of capture until it reaches the payment processor.

Q: What does PTS stand for?
A: PIN Transaction Security.

Q: What is PTS?
A: PTS is a set of modular evaluation requirements, managed by the PCI SSC, for PIN acceptance POI terminals.

Q: What is the PTS program about?
A: The program ensures terminals cannot be manipulated or attacked to allow the capture of sensitive authentication data, nor allow access to clear-text PINs or keys.

Q: What does SRED stand for?
A: Secure Read and Exchange Module

Q: What does SRED allow?
A: It allows terminals to be approved for the secure encryption of cardholder data as part of the Point-to-Point Encryption program.

Q: What does PIN mean?
A: Personal Identification Number.

Q: What are required in the PCI PIN Security Requirements?
A: Management, processing and transmission.

Q: What is a cardholder?
A: Customer, individual making a purchase of goods or services. The process could involve a card-present or card-not-present transaction.

Q: Who is the issuer?
A: Bank or organization issuing a payment card on behalf of a payment brand (e.g. Visa, MasterCard).

Q: Which payment brands issue credit cards directly?
A: American Express, Discover, JCB.

Q: Who is the merchant?
A: Organization accepting the payment card for payment during a purchase.

Q: What is an acquirer?
A: This is the bank or entity the merchant uses to process their payment card transactions.

Q: What does the acquirer do?
A: It receives the authorization request from the merchant and forwards it to the issuer for approval. Provides authorization, clearing and settlement services to merchants.

Q: What is the acquirer also known as?
A: Merchant bank, ISO, payment brand (Amex, Discover, JCB).

Q: How does the card processing process work?
A:
1. Cardholder presents their card.
2. Acquirer asks payment brand to determine issuer.
3. Payment brand network determines issuer and requests approval.
4. Issuer approves purchase.
5. Payment brand network sends approval to acquirer.
6. Acquirer sends approval to merchant.
7. Cardholder completes purchase and receives receipt.

Q: What is a service provider?
A: Service providers are businesses that are involved in processing, storing or transmitting cardholder information on behalf of another entity.

Q: What does QIR stand for?
A: Qualified Integrator Reseller

Q: What is the role of a QIR?
A: Integrators and resellers are those entities that sell, install, and/or service payment applications on behalf of software vendors or others.

Q: What are some of the responsibilities of a QIR?
A:
1. Implementing the application into the merchant environment.
2. Integrating the application into other software and systems, where applicable.
3. Configuring the payment application (where configuration options are provided).
4. Servicing the payment application (for example, troubleshooting, delivering remote updates, and providing remote support).

Q: Why are QIRs so important to data security?
A:
1. QIRs have an important role to play in securing account data.
2. Software vendors are responsible for developing applications.
3. Applications usually have configuration or installation options which could impact security.

Q: How does a qualified installation impact the PCI DSS assessment?
A:
1. The documentation from a QIR provides useful information about how the application was installed.
2. Application configuration may have changed since the installation.
3.
Document information
- Written for: PCIP (institution and course)
- Uploaded on: September 22, 2023
- Number of pages: 12
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers