PCI Knowledge Check
Methods for stealing payment card data - answer Methods for stealing payment card
data include physical skimming, malware and weak passwords.
The PCI DSS applies to: - answer The PCI DSS applies to any entity that stores,
processes, or transmits payment card account data.
The P2PE standard covers: - answer The P2PE Standard covers encryption,
decryption, key management requirements for point-to-point encryption solutions.
The standard for validating off-the-self payment applications used in authorization and
settlement - answer-DSS (Payment Application Data Security Standard) PA-DSS is the
standard used by PA-QSAs to validate payment applications.
Merchants using PA-DSS validated payment applications are automatically PCI DSS
compliant - answer False - Using PA-DSS validated applications is not the only
requirement for a merchant to become PCI DSS Compliant.
Which of the below functions is associated with acquirers? - answerAcquirers are
involved in authentication, clearing and statement for their merchant.
Which of the following entities will ultimately approve a purchase? - answerThe issuer
ultimately approves the purchase
In which step does the payment brand network provide complete recognition to the
merchant's bank. - answerDuring clearing, the processor provides complete
reconciliation to the merchant's bank.
A company that (blank) is considered to be a service to be a service provider. - answerA
company that controls impact the security of cardholder data is considered to be a
service provider.
Which of the following are parts of the examples of service providers? - answerData
Center Hosting Provides, Payment Gateways. and Independent Sales Organizations
(ISOs) or External Sales Agents (ESAs) are examples of Service Providers.
Which of the following are parts of the Payment Brand role? - answerThe role played by
the Payment Brands include developing and enforcing compliance programs, accepting
validation documentation from approved QSA, PA-QSA, and ASV companies and their
employees, and endorsing QSA, PA-QSA, and ASV company qualification criteria.
, Merchant obligation may include submitting their compliance status to multiple entities. -
answerTrue - Merchants may have to submit to multiple entities.
Level 1 and Level 2 merchants must include (blank) as part of their PCI DSS
compliance validation reporting process? - answerLevel 1 and Level 2 merchants need
quarterly external vulnerability scans to be performed by an ASV. Level 2 merchants
may use SAQ validate compliance.
SAQ D - answerService provider using only web based virtual terminal
SAQ A - answerMO/TO merchant with all payment functions outsourced to a compliant
service provider
SAQ C - answerMerchant with standalone payment application connected to the
internet
SAQ B - answerMerchant with only card-present dial-out terminals.
SAQ P2PE - answerMerchant who is using a validated P2PE solution listed on the PCI
SSC Website
SAQ A-EP - answerAn online merchant with a payment page that accepts cardholder
data, but transmits the data to a PCI DSS-compliant service provider
SAQ A - answerAn online merchant that displays a PCI DSS compliant service
providers payment page IFRAME, All page content is from the PSP.
SAQ B-IP - answerMerchants using an end-to-end encryption solution (E2EE) that
utilizes PCI PTS-Approved POI devices with communicate with acquirer over an IP
Network.
Which of the following could PA-DSS apply to? - answerThird party - off-the-self
payment application - PA-DSS only applies to applications that store, process, or
transmits cardholder data for authorization or settlement, and are sold, licensed or
distributed off-the-self to third parties.
Use of Qualified Integrator/Reseller(QIR) : - answerUse of Qualified
Integrator/Reseller(QIR) is a good step toward PCI DSS compliance.
The presumption of P2PE is that: - answerThe presumption of P2PE is that data cannot
be decrypted between the source and the destination point
Which entity is responsible for developing and enforcing compliance programs? -
answerPayment Brands are responsible for enforcing compliance.
Methods for stealing payment card data - answer Methods for stealing payment card
data include physical skimming, malware and weak passwords.
The PCI DSS applies to: - answer The PCI DSS applies to any entity that stores,
processes, or transmits payment card account data.
The P2PE standard covers: - answer The P2PE Standard covers encryption,
decryption, key management requirements for point-to-point encryption solutions.
The standard for validating off-the-self payment applications used in authorization and
settlement - answer-DSS (Payment Application Data Security Standard) PA-DSS is the
standard used by PA-QSAs to validate payment applications.
Merchants using PA-DSS validated payment applications are automatically PCI DSS
compliant - answer False - Using PA-DSS validated applications is not the only
requirement for a merchant to become PCI DSS Compliant.
Which of the below functions is associated with acquirers? - answerAcquirers are
involved in authentication, clearing and statement for their merchant.
Which of the following entities will ultimately approve a purchase? - answerThe issuer
ultimately approves the purchase
In which step does the payment brand network provide complete recognition to the
merchant's bank. - answerDuring clearing, the processor provides complete
reconciliation to the merchant's bank.
A company that (blank) is considered to be a service to be a service provider. - answerA
company that controls impact the security of cardholder data is considered to be a
service provider.
Which of the following are parts of the examples of service providers? - answerData
Center Hosting Provides, Payment Gateways. and Independent Sales Organizations
(ISOs) or External Sales Agents (ESAs) are examples of Service Providers.
Which of the following are parts of the Payment Brand role? - answerThe role played by
the Payment Brands include developing and enforcing compliance programs, accepting
validation documentation from approved QSA, PA-QSA, and ASV companies and their
employees, and endorsing QSA, PA-QSA, and ASV company qualification criteria.
, Merchant obligation may include submitting their compliance status to multiple entities. -
answerTrue - Merchants may have to submit to multiple entities.
Level 1 and Level 2 merchants must include (blank) as part of their PCI DSS
compliance validation reporting process? - answerLevel 1 and Level 2 merchants need
quarterly external vulnerability scans to be performed by an ASV. Level 2 merchants
may use SAQ validate compliance.
SAQ D - answerService provider using only web based virtual terminal
SAQ A - answerMO/TO merchant with all payment functions outsourced to a compliant
service provider
SAQ C - answerMerchant with standalone payment application connected to the
internet
SAQ B - answerMerchant with only card-present dial-out terminals.
SAQ P2PE - answerMerchant who is using a validated P2PE solution listed on the PCI
SSC Website
SAQ A-EP - answerAn online merchant with a payment page that accepts cardholder
data, but transmits the data to a PCI DSS-compliant service provider
SAQ A - answerAn online merchant that displays a PCI DSS compliant service
providers payment page IFRAME, All page content is from the PSP.
SAQ B-IP - answerMerchants using an end-to-end encryption solution (E2EE) that
utilizes PCI PTS-Approved POI devices with communicate with acquirer over an IP
Network.
Which of the following could PA-DSS apply to? - answerThird party - off-the-self
payment application - PA-DSS only applies to applications that store, process, or
transmits cardholder data for authorization or settlement, and are sold, licensed or
distributed off-the-self to third parties.
Use of Qualified Integrator/Reseller(QIR) : - answerUse of Qualified
Integrator/Reseller(QIR) is a good step toward PCI DSS compliance.
The presumption of P2PE is that: - answerThe presumption of P2PE is that data cannot
be decrypted between the source and the destination point
Which entity is responsible for developing and enforcing compliance programs? -
answerPayment Brands are responsible for enforcing compliance.
