Payment Brands are responsible for:
- Defining rules for forensic investigations and responding to account data
compromises
- Monitoring and facilitating investigations of account data compromises
Payment Brands' role includes:
- Accept validation documentation from QSAs, PA-QSAs, and ASVs
- Develop and enforce compliance programs
- Endorse QSA, PA-QSA, and ASV company qualification criteria
Merchant levels are defined by _ and based on _. Transaction volume is
determined by the _
- Defined by payment brands, based on transaction volume
- Acquirer
Service Provider levels:
Are defined by _________________________________________________.
Determined by the ______________________________________________________.
- Payment brands according to transaction volume and/or type of service provider
- Payment brands or acquirer and sometimes the service provider
SAQ A
Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions
outsourced to PCI DSS compliant service providers.
Not applicable to face-to-face channels.
SAQ A-EP
E-commerce merchants who outsource all payment processing to PCI DSS validated
third parties, and who have a website(s) that doesn't directly receive cardholder
data but that can impact the security of the payment transaction. No electronic
storage, processing, or transmission of any cardholder data on the merchant's
systems or premises.
Applicable only to e-commerce channels.
SAQ B
Imprint-only merchants with no electronic cardholder data storage, or stand-alone,
dial-out terminals with no electronic cardholder data storage. Not applicable to
e-commerce channels.
SAQ B-IP
Merchants using only stand-alone, PTS-approved payment terminals with an IP
connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ C
Merchants with segmented payment application systems connected to the internet,
with no electronic CHD storage.
SAQ C-VT
Merchants using only web-based virtual payment terminals, with no electronic
cardholder data storage.
Not applicable to e-commerce channels.
SAQ D
Merchants & Service Providers with all other payment solutions
SAQ P2PE
Merchants who have implemented a valid Point-to-Point Encryption solution that is
listed on the PCI SSC website, with no electronic cardholder data storage. Not
applicable to e-commerce channels.
QIR Program (Qualified Integrators and Resellers) Responsibilities
Those entities that sell, install, and/or service payment applications on behalf of
software vendors or others.
Authorized by the software vendor.