PCIP Exam Study Pack | 2025/2026 Updated Edition |
Verified Questions & Correct Expert Answers |
Complete Certification Prep
1. PCI Data Security Standard (PCI DSS): The PCI DSS applies to all entities
that store, process, and/or transmit cardholder data. It covers technical
and operational system components included in or connected to cardholder data.
If you accept or process payment cards, PCI DSS applies to you.
2. Sensitive Authentication Data: Merchants, service providers, and other
entities involved with payment card processing must never store sensitive authen-
tication data after
authorization. This includes the 3- or 4- digit security code printed on the front or
back of a card (CVD), the data stored on a card's magnetic stripe or chip (also
called "Full Track Data") - and personal identification numbers (PIN) entered by
the cardholder.
3. Card Verification Data Codes (CVD): 3 or 4 digit code that further authenti-
cates a not-present cardholder
Visa-CVV2
MC- CVC2
Discover- CVD
JCB-CAV2
AmEx- CID
,4. Requirement 1: Install and maintain a firewall configuration to protect cardhold-
er data
5. Network devices in scope for Requirement 1: Firewalls and Routers- Routers
connect traffic between networks, Firewalls control the traffic between networks
and within internal network
6. QIR Qualified Integrators & Resellers: Qualified Integrators & Resellers- au-
thorized by the SSC to implement, configure and/or support PA-DSS payment
applications. Visa requires all level 4 merchants use QIRs for POS application and
terminal installation and servicing
7. Compensating Controls: An alternative control, put in place to satisfy the
requirement for a security measure that is deemed too difficult or impractical to
implement at the present time.
8. Permitted reasons for using Compensating Controls: Organizations need-
ing an alternative to security requirements that could not be met due to legitimate
technological OR documented business constraints, but has sufficiently mitigated
the risk associated with the requirement through implementation of other compen-
sating controls
,9. Examples of Compensating Controls: (i) Segregation of Duties (SOD) and (ii)
Encryption
10. Compensating Controls must:: 1) Meet the intent and rigor of the original
stated requirement;
2) Provide a similar level of defense as the original stated requirement;
3) Be "above and beyond" other PCI DSS requirements (not simply in compliance
with other PCI DSS requirements); and
4) Be commensurate with the additional risk imposed by not adhering to the original
stated requirement.
11. Compensating Controls Worksheet: 1) Constraint; 2) Objective; 3) Identified
Risk; 4) Define Compensating Control; 5)Validate Controls; 6) Maintenance (COID-
VM)
12. Card Data that cannot be stored by Merchants, Service providers after
authorization: Sensitive Authentication Data. i) 3- or 4- digit security code printed
on the front or back of a card, ii) data stored on a card's magnetic stripe or chip
(also called "Full Track Data"), and iii) personal identification
numbers (PIN) entered by the cardholder
13. Card Data that MAY be stored: i) cardholder name, ii) service code (identifies
industry iii) Personal Account Number (PAN)
iv) expiration date may be stored.
14. Network Segmentation: The process of isolating the cardholder data environ-
, ment from the remainder of an entity's network
Not a requirement but strongly recommended.
15. Report on Compliance (ROC): Prepared at the time of the assessment of PCI
compliance and comprehensively provides details about the assessment approach
and compliance standing against each PCI DSS requirement
16. What is included in the Report on Compliance (ROC)?: ROC includes (1)
Executive summary, (2) description of scope of work and approach taken, (3)
details about reviewed environment, (4) contact information and report date, (5)
quarterly scan results and (6) findings and observations.
17. Steps to take for a PCI Assessment (hint: SARA's Remediation): 1. Scope
- determine which system components and networks are in scope for PCI DSS
2. Assess - examine the compliance of system components in scope following the
Verified Questions & Correct Expert Answers |
Complete Certification Prep
1. PCI Data Security Standard (PCI DSS): The PCI DSS applies to all entities
that store, process, and/or transmit cardholder data. It covers technical
and operational system components included in or connected to cardholder data.
If you accept or process payment cards, PCI DSS applies to you.
2. Sensitive Authentication Data: Merchants, service providers, and other
entities involved with payment card processing must never store sensitive authen-
tication data after
authorization. This includes the 3- or 4- digit security code printed on the front or
back of a card (CVD), the data stored on a card's magnetic stripe or chip (also
called "Full Track Data") - and personal identification numbers (PIN) entered by
the cardholder.
3. Card Verification Data Codes (CVD): 3 or 4 digit code that further authenti-
cates a not-present cardholder
Visa-CVV2
MC- CVC2
Discover- CVD
JCB-CAV2
AmEx- CID
,4. Requirement 1: Install and maintain a firewall configuration to protect cardhold-
er data
5. Network devices in scope for Requirement 1: Firewalls and Routers- Routers
connect traffic between networks, Firewalls control the traffic between networks
and within internal network
6. QIR Qualified Integrators & Resellers: Qualified Integrators & Resellers- au-
thorized by the SSC to implement, configure and/or support PA-DSS payment
applications. Visa requires all level 4 merchants use QIRs for POS application and
terminal installation and servicing
7. Compensating Controls: An alternative control, put in place to satisfy the
requirement for a security measure that is deemed too difficult or impractical to
implement at the present time.
8. Permitted reasons for using Compensating Controls: Organizations need-
ing an alternative to security requirements that could not be met due to legitimate
technological OR documented business constraints, but has sufficiently mitigated
the risk associated with the requirement through implementation of other compen-
sating controls
,9. Examples of Compensating Controls: (i) Segregation of Duties (SOD) and (ii)
Encryption
10. Compensating Controls must:: 1) Meet the intent and rigor of the original
stated requirement;
2) Provide a similar level of defense as the original stated requirement;
3) Be "above and beyond" other PCI DSS requirements (not simply in compliance
with other PCI DSS requirements); and
4) Be commensurate with the additional risk imposed by not adhering to the original
stated requirement.
11. Compensating Controls Worksheet: 1) Constraint; 2) Objective; 3) Identified
Risk; 4) Define Compensating Control; 5)Validate Controls; 6) Maintenance (COID-
VM)
12. Card Data that cannot be stored by Merchants, Service providers after
authorization: Sensitive Authentication Data. i) 3- or 4- digit security code printed
on the front or back of a card, ii) data stored on a card's magnetic stripe or chip
(also called "Full Track Data"), and iii) personal identification
numbers (PIN) entered by the cardholder
13. Card Data that MAY be stored: i) cardholder name, ii) service code (identifies
industry iii) Personal Account Number (PAN)
iv) expiration date may be stored.
14. Network Segmentation: The process of isolating the cardholder data environ-
, ment from the remainder of an entity's network
Not a requirement but strongly recommended.
15. Report on Compliance (ROC): Prepared at the time of the assessment of PCI
compliance and comprehensively provides details about the assessment approach
and compliance standing against each PCI DSS requirement
16. What is included in the Report on Compliance (ROC)?: ROC includes (1)
Executive summary, (2) description of scope of work and approach taken, (3)
details about reviewed environment, (4) contact information and report date, (5)
quarterly scan results and (6) findings and observations.
17. Steps to take for a PCI Assessment (hint: SARA's Remediation): 1. Scope
- determine which system components and networks are in scope for PCI DSS
2. Assess - examine the compliance of system components in scope following the
