PCIP exam questions and answers
acquirer - ANSWER>>party is responsible for merchant compliance validation and
merchant communications
Which statement is correct regarding the internal vulnerability scans and/or
rescans? - ANSWER>>They must be performed after an upgrade to a server that
impacts the cardholder data environment
When confirming PCI DSS requirements have been met, assessors must always
use which of the following? - ANSWER>>independent judgment
Typical locations where track data may be found include which of the following? -
ANSWER>>databases and log files from point-of-sales terminals
Which of the following statements about "flat networks" is true? - ANSWER>>All
systems on flat network are in scope for the PCI DSS assessments
If network segmentation is being used to reduce the scope of the PCI DSS
assessment, what must the assessor verify? - ANSWER>>All controls used for
segmentation are configured properly
PCI DSS requirement 10.2 defines the types of events to be logged. -
ANSWER>>Audit trails, user identification, type of event, date and time, success
and failure indications, source IP address (origination of event), data and systems
touched, time synchronization technology in use.
The payment card brands are responsible for which of the following? -
ANSWER>>Penalties or fee assignment for non-compliance
,Which of the following is related to the use of EMV chip technology? -
ANSWER>>PCI DSS applies to environments using EMV chip technology
In order for PCI DSS scope to be reduced, what must adequate network
segmentation do? - ANSWER>>Isolate systems that store, process, or transmit
cardholder data from those that do not
The Mod 10 formula doubles the value of every other digit of the primary account
number beginning with which digit? - ANSWER>>Second from the right
What is the Mod 10 or Luhn formula? - ANSWER>>The algorithm used to validate
PAN (primary account numbers)
What is required regarding the entity sharing cardholder data with a service
provider? - ANSWER>>The entity must have an established process of engaging
service provider, including proper due diligence prior to engagement
Who is responsible for setting compliance deadlines and fines? -
ANSWER>>Payment brands
In accordance with the requirement 12.3.8, usage policies must be defined to
automatically disconnect remote-access sessions. When should the remote-
access sessions be disconnected? - ANSWER>>After a specific period if inactivity
the following statements is correct regarding a PA-DSS application? -
ANSWER>>PA-DSS compliant payment applications are in scope for the
merchant's PCI DSS assessment
What does it mean if a suspected card number passes Mod 10? - ANSWER>>It is
definitely a valid PAN
, Which of the following is correct related to the tracks of the data on the magnetic
stripe of a payment card? - ANSWER>>Track 1 contains all the field of both Track
1 and Track 2
Which of the following is a responsibility of the PCI SSC? - ANSWER>>Define
validation requirements of ASVs (Approved scanning vendors
When should penetration testing be performed? - ANSWER>>At least annually,
and after any significant changes to infrastructure or applications
How often are risk assessments required? - ANSWER>>At least annually
This statement about the transaction process is true - ANSWER>>The card holder
receives the type of payment, the card, and the bills from the issuers
Which of the following statements accurately describes the service providers? -
ANSWER>>A service provider processes, stores, or transmits card holder's data on
the behalf of another entity
A service provider with no electric cardholder data storage may be eligible to
complete the SAQ? - ANSWER>>SAQ B
SAQ A - ANSWER>>If your organization only accepts card-not-present transactions
(e-commerce or phone/mail order)
If the processing of cardholder data is entirely outsourced to third-party service
providers approved by PCI DSS
Your organization does not electronically store, process, or transmit any
cardholder data across your networks or facilities, but only rely on a third party to
perform all these functions.
If your organization indicates that any third party that performs the storage,
processing or transmission of cardholder data is PCI DSS compliant
If the cardholder information kept by the organization is on paper and the
documents are not received electronically
acquirer - ANSWER>>party is responsible for merchant compliance validation and
merchant communications
Which statement is correct regarding the internal vulnerability scans and/or
rescans? - ANSWER>>They must be performed after an upgrade to a server that
impacts the cardholder data environment
When confirming PCI DSS requirements have been met, assessors must always
use which of the following? - ANSWER>>independent judgment
Typical locations where track data may be found include which of the following? -
ANSWER>>databases and log files from point-of-sales terminals
Which of the following statements about "flat networks" is true? - ANSWER>>All
systems on flat network are in scope for the PCI DSS assessments
If network segmentation is being used to reduce the scope of the PCI DSS
assessment, what must the assessor verify? - ANSWER>>All controls used for
segmentation are configured properly
PCI DSS requirement 10.2 defines the types of events to be logged. -
ANSWER>>Audit trails, user identification, type of event, date and time, success
and failure indications, source IP address (origination of event), data and systems
touched, time synchronization technology in use.
The payment card brands are responsible for which of the following? -
ANSWER>>Penalties or fee assignment for non-compliance
,Which of the following is related to the use of EMV chip technology? -
ANSWER>>PCI DSS applies to environments using EMV chip technology
In order for PCI DSS scope to be reduced, what must adequate network
segmentation do? - ANSWER>>Isolate systems that store, process, or transmit
cardholder data from those that do not
The Mod 10 formula doubles the value of every other digit of the primary account
number beginning with which digit? - ANSWER>>Second from the right
What is the Mod 10 or Luhn formula? - ANSWER>>The algorithm used to validate
PAN (primary account numbers)
What is required regarding the entity sharing cardholder data with a service
provider? - ANSWER>>The entity must have an established process of engaging
service provider, including proper due diligence prior to engagement
Who is responsible for setting compliance deadlines and fines? -
ANSWER>>Payment brands
In accordance with the requirement 12.3.8, usage policies must be defined to
automatically disconnect remote-access sessions. When should the remote-
access sessions be disconnected? - ANSWER>>After a specific period if inactivity
the following statements is correct regarding a PA-DSS application? -
ANSWER>>PA-DSS compliant payment applications are in scope for the
merchant's PCI DSS assessment
What does it mean if a suspected card number passes Mod 10? - ANSWER>>It is
definitely a valid PAN
, Which of the following is correct related to the tracks of the data on the magnetic
stripe of a payment card? - ANSWER>>Track 1 contains all the field of both Track
1 and Track 2
Which of the following is a responsibility of the PCI SSC? - ANSWER>>Define
validation requirements of ASVs (Approved scanning vendors
When should penetration testing be performed? - ANSWER>>At least annually,
and after any significant changes to infrastructure or applications
How often are risk assessments required? - ANSWER>>At least annually
This statement about the transaction process is true - ANSWER>>The card holder
receives the type of payment, the card, and the bills from the issuers
Which of the following statements accurately describes the service providers? -
ANSWER>>A service provider processes, stores, or transmits card holder's data on
the behalf of another entity
A service provider with no electric cardholder data storage may be eligible to
complete the SAQ? - ANSWER>>SAQ B
SAQ A - ANSWER>>If your organization only accepts card-not-present transactions
(e-commerce or phone/mail order)
If the processing of cardholder data is entirely outsourced to third-party service
providers approved by PCI DSS
Your organization does not electronically store, process, or transmit any
cardholder data across your networks or facilities, but only rely on a third party to
perform all these functions.
If your organization indicates that any third party that performs the storage,
processing or transmission of cardholder data is PCI DSS compliant
If the cardholder information kept by the organization is on paper and the
documents are not received electronically
