Exam (elaborations)

PCI DSS QSA Questions and Answers

Pages: 6
Grade: A+
Uploaded on: 01-11-2024
Written in: 2024/2025

Who is an Acquirer? - answer Also referred to as "merchant bank," "acquiring bank," or "acquiring financial institution". Entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance.

AOC - answer Acronym for "Attestation of Compliance". The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.

ASV - answer Acronym for "Approved Scanning Vendor". Company approved by the PCI SSC to conduct external vulnerability scanning services.

What is Authorization? - answer Cardholder swipes card at merchant, acquirer asks payment brand network to determine issuer, issuer approves purchase, payment network sends the approval to acquirer, acquirer sends approval to merchant, merchant displays "approved" and completes purchase.

What is Settlement? - answer Issuer determines acquirer via payment network, issuer sends payment to acquirer, acquirer pays merchant for cardholder's purchases, issuer bills the cardholder.

Who is a Service Provider? - answer A business that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data on behalf of another entity.

SAQ A - answer Card-not-present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced to compliant service providers.

SAQ A-EP - answer Applies to e-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have website(s) that don't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing or transmission of any cardholder data on the merchant's systems and premises.

SAQ B - answer Applies to imprint-only merchants with no electronic cardholder data storage, or standalone dial-out terminal merchants with no electronic cardholder data storage.

SAQ B-IP - answer Used for merchants who process payments via standalone PTS-approved point-of-interaction (POI) devices with an IP connection to the payment processor, with no electronic cardholder data storage.

SAQ C-VT - answer Merchants using only web-based virtual payment terminals, with no electronic cardholder data storage.

SAQ C - answer Applies to merchants with segmented payment application systems connected to the internet, with no electronic cardholder data storage.

SAQ P2PE - answer Merchants who have implemented a validated P2PE solution that is listed on the website, with no electronic cardholder data storage.

SAQ D - answer Applies to any merchants who do not meet the criteria for other SAQs, as well as all service providers.

Truncation - answer Method of rendering the full PAN unreadable by permanently removing a segment of PAN data.

QIR - answer Qualified Integrator or Reseller.

Network Segmentation - answer Isolates system components that store, process, or transmit cardholder data from systems that do not.

Merchant - answer Defined as any entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC as payment for goods or services.

Masking - answer A method of concealing a segment of data when displayed or printed.

Issuer - answer Entity that issues payment cards or performs, facilitates, or supports issuing services, including but not limited to issuing banks and issuing processors.

Card Skimmer - answer A physical device, often attached to a legitimate card-reading device, designed to illegitimately capture and/or store the information from a payment card.

How many characters are on Track 2? - answer Up to 40

How many characters are on Track 1? - answer Up to 79

Requirement 1 - answer Install and maintain a firewall configuration to protect cardholder data

Requirement 2 - answer Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 3 - answer Protect stored cardholder data

Requirement 4 - answer Encrypt transmission of cardholder data across open, public networks

Requirement 5 - answer Protect all systems against malware and regularly update anti-virus software or programs

Requirement 6 - answer Develop and maintain secure systems and applications

Requirement 7 - answer Restrict access to cardholder data by business need to know

Requirement 8 - answer Identify and authenticate access to system components

Requirement 9 - answer Restrict physical access to cardholder data

Requirement 10 - answer Track and monitor all access to network resources and cardholder data

Requirement 11 - answer Regularly test security systems and processes

Requirement 12 - answer Maintain a policy that addresses information security for all personnel

Goal 1 - answer Build and Maintain a Secure Network and Systems

Goal 2 - answer Protect Cardholder Data

Goal 3 - answer Maintain a Vulnerability Management Program

Goal 4 - answer Implement Strong Access Control Measures

Goal 5 - answer Regularly Monitor and Test Networks

Goal 6 - answer Maintain an Information Security Program

Password length is required to be - answer 7 characters

Penetration testing should be performed at least - answer Annually

Tools are to be configured to perform critical file comparisons at least - answer Weekly