Exam (elaborations)

PCI STUDY MASTER SET QUESTIONS AND ANSWERS

Pages: 20
Grade: A+
Uploaded on: 09-11-2025
Written in: 2025/2026

PCI DSS - CORRECT ANSWER✅✅Payment Card Industry Data Security Standard

For consistent data security measures globally

12 requirements in six groups

PCI DSS is a minimum set of controls



It is a contractual agreement, not a standard

PCI-DSS only applies if PANs are stored, processed or transmitted



PCI Goal 1 - CORRECT ANSWER✅✅Build and Maintain a secure network



PCI Goal 2 - CORRECT ANSWER✅✅Protect Card Holder Data



PCI Goal 3 - CORRECT ANSWER✅✅Maintain a vulnerability program



PCI Goal 4 - CORRECT ANSWER✅✅Implement strong Access control measures



PCI Goal 5 - CORRECT ANSWER✅✅Regularly Monitor and Test networks



PCI Goal 6 - CORRECT ANSWER✅✅Maintain an Information Security Policy



Cardholder data - CORRECT ANSWER✅✅Primary Account Number (PAN)

Cardholder name

Expiration date

Service Code



Sensitive Authentication Data - CORRECT ANSWER✅✅Magnetic stripe data or equivalent on a chip

CAV2/CVC2/CVV2/CID

PINs / PIN Blocks



PA-DSS - CORRECT ANSWER✅✅Payment Application Data Security Standard

PA-DSS applies to software sold "off the shelf" by 3rd parties

PA-DSS does not apply to applications developed by merchants and service providers for use in-house (this is covered by PCI-DSS).



Scope - CORRECT ANSWER✅✅Is a primary requirement

cardholder data flows help set scope

business practices and processes need careful consideration and may need re-engineering.



Network Segmentation is - CORRECT ANSWER✅✅Recommended to reduce scope and risk



When can Wireless be used? - CORRECT ANSWER✅✅Use only for non-sensitive data

Carefully consider the Risk

MUST be tested



Service Providers - CORRECT ANSWER✅✅Need their own PCI-DSS compliance or will have their services reviewed as part of their customers' audits.



The Report on Compliance (ROC) documents the role of each service provider.



Sampling - CORRECT ANSWER✅✅Sampling of Business Facilities / System components is allowed; however, all applicable PCI DSS requirements must be considered.



Compensating Controls - CORRECT ANSWER✅✅A Compensating Controls Worksheet must be completed for each compensating control and documented in the ROC.



Compliance Completion Steps - CORRECT ANSWER✅✅1. Complete the ROC

2. Provide evidence of passing scans from ASV

3. Complete the "Attestation of compliance"

4. Submit all to the Acquirer, or Payment Brand



PCI SSC - CORRECT ANSWER✅✅Payment Card Industry Security Standards Council



ASV - CORRECT ANSWER✅✅Approved Scanning Vendors



QSA - CORRECT ANSWER✅✅Qualified Security Assessor



PCI PA-DSS - CORRECT ANSWER✅✅Payment Card Industry Payment Application Data Security Standard



PCI PED - CORRECT ANSWER✅✅Payment Card Industry Pin Entry Devices



Merchant levels - CORRECT ANSWER✅✅Defined by payment brands.

Levels 1 to 4

1 is the largest merchants or merchants who have been compromised. 6 Million transactions/year +



Non-compliance consequences - CORRECT ANSWER✅✅Fines according to Level and elapsed time determined by payment brands



Breach Consequences - CORRECT ANSWER✅✅Fine per cardholder data compromised / Loss of reputation / customer trust / suspension of service by credit card account provider



Firewall and Router rule sets are to be reviewed at least every - CORRECT ANSWER✅✅6 Months



It is required to install all critical new security patches within - CORRECT ANSWER✅✅1 Month



Public facing web applications are to be reviewed - CORRECT ANSWER✅✅at least annually

Get to know the seller
STANGRADES Stanford University