PCI Fundamentals: Compliance and Security Requirements, Exams of Computer Security

This document provides a comprehensive overview of the Payment Card Industry (PCI) compliance and security requirements. It covers key entities responsible for developing and enforcing compliance programs, various standards and validation processes, merchant levels, self-assessment questionnaires, and the roles of qualified security assessors, approved scanning vendors, and qualified integrator resellers. It also examines the payment processing flow and the responsibilities of entities like issuers, acquirers, and service providers, as well as key PCI DSS requirements.

Typology: Exams

2024/2025

Available from 10/18/2024

Holygrams
ASV ✔✔Approved Scanning Vendor
PCI ✔✔Payment Card Industry
PTS ✔✔PIN Transaction Security (device)
QSA ✔✔Qualified Security Assessor
ROC ✔✔Report on Compliance
ROV ✔✔Report on Validation
QIR ✔✔Qualified Integrator Reseller
Which entity is responsible for developing and enforcing compliance programs? ✔✔Payment Brands
PCI fundamentals with verified questions & answers, latest update (2024/2025), Graded A+


Which entity is responsible for forensic investigations of account data compromise? ✔✔Payment Brands
Which entity is responsible for accepting validation documentation from QSAs, PA-QSAs and ASVs? ✔✔Payment Brands
Which entity is responsible for endorsing QSA, PA-QSA and ASV company qualification criteria? ✔✔Payment Brands
Merchant obligations may include submitting their compliance status to multiple entities. True or false? ✔✔True
The decision about a merchant's level is made by the ✔✔Merchant's acquirer
What must Level 1 and 2 merchants include as part of their PCI DSS compliance validation reporting process? ✔✔Quarterly external vulnerability scans performed by an ASV. Level 2 merchants may use SAQs to validate compliance.

Type of SAQ? Merchants using only stand-alone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. ✔✔B-IP
Type of SAQ? Merchants with segmented payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels. ✔✔C
Type of SAQ? Merchants using only web-based virtual payment terminals, with no electronic cardholder data storage. Not applicable to e-commerce channels. ✔✔C-VT
Type of SAQ? All merchants not included in the descriptions for the other SAQ types. ✔✔D for Merchants

Type of SAQ? All service providers identified by a payment brand as eligible to complete a SAQ. ✔✔D for Service Providers
Type of SAQ? Merchants who have implemented a validated Point-to-Point Encryption solution that is listed on the PCI SSC website, with no electronic cardholder data storage. Not applicable to e-commerce channels. ✔✔P2PE
Does PA-DSS apply to custom payment applications endorsed by the PCI SSC? ✔✔False
Does PA-DSS apply to a custom payment application used by one company? ✔✔No
Does PA-DSS apply to a third-party payment application designed for one company? ✔✔No
Does PA-DSS apply to a third-party, "off-the-shelf" payment application? ✔✔True
Use of a Qualified Integrator/Reseller (QIR) is required by PCI DSS. ✔✔False

Which standard covers environments that receive account data from payment applications and other sources (e.g., acquirers)? ✔✔PCI DSS
Which standard covers secure payment applications to support PCI DSS compliance, i.e. a payment application that receives account data from PIN-entry devices (PEDs) or other devices and begins the payment transaction? ✔✔PA-DSS
Which standard covers the protection of sensitive data at point-of-interaction devices and their secure components, including cardholder PINs and account data, and the cryptographic keys used in connection with the protection of that cardholder data? ✔✔PCI PTS - POI
Which standard covers secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing? ✔✔PCI PTS - PIN Security
Which standard covers physical, logical and device security requirements for securing Hardware Security Modules (HSMs)? ✔✔PCI PTS - HSM

Which standard covers physical and logical security requirements for systems and business processes? ✔✔PCI Card Production
EPP ✔✔Encrypting PIN Pad
UPT ✔✔Unattended Payment Terminal
Which program ensures terminals cannot be manipulated or attacked to allow the capture of sensitive authentication data, nor allow access to clear-text PINs or keys? ✔✔PTS
Which module allows terminals to be approved for the secure encryption of cardholder data as part of the Point-to-Point Encryption program? ✔✔Secure Reading and Exchange of Data (SRED)
These requirements provide for secure PIN: ✔✔management, processing and transmission

Which entity receives the authorization request from the merchant and forwards it to the issuer for approval, and provides authorization, clearing and settlement services to merchants? ✔✔Acquirer (the merchant bank; sometimes an ISO; a payment brand such as Amex, Discover or JCB, but never Visa or MasterCard)
The acquirer and issuer exchange purchase information. ✔✔Clearing
The acquirer pays the merchant for the cardholder's purchase, and the issuer bills the cardholder. ✔✔Settlement
Which of the following entities will ultimately approve a purchase? ✔✔Issuer
In which step does the payment brand network provide complete reconciliation to the merchant's bank? ✔✔Clearing

A ___ is a business that is not a payment brand and is directly involved in the processing, storage or transmission of cardholder data on behalf of another entity. Sometimes a service provider is also a merchant. The term includes companies that provide services (to merchants, service providers or other entities) which control or could impact the security of cardholder data. ✔✔Service provider
Knowledge check: a company that ___ is considered to be a service provider. ✔✔Controls or could impact the security of cardholder data
Is a data center hosting provider a service provider? ✔✔Yes
Are ISOs service providers? ✔✔Yes

Which of these devices can be used to provide network segmentation controls? ✔✔Switches, firewalls, routers
If virtualization technologies are used in a cardholder data environment: ✔✔The virtualization technologies are included in scope for PCI DSS
Entities involved in payment card processing via mobile devices (like a phone or tablet) can reduce the risks to the security of cardholder data by: ✔✔Encrypting account data at the point of capture using an approved point-of-interaction device
Requirement 1 ✔✔Install and maintain a firewall configuration to protect cardholder data
Requirement 2 ✔✔Do not use vendor-supplied defaults for system passwords and other security parameters
___ exists in the magnetic stripe or chip, and is also printed on the payment card. ✔✔Sensitive authentication data

Storing track data "long-term" or "persistently" is permitted when: ✔✔The storage is performed by an issuer
PCI DSS Requirement 3.4 states that PAN must be rendered unreadable when stored. Which of the following may be used to meet this requirement? ✔✔a) Hashing the entire PAN using strong cryptography (a one-way hash)
Requirement 3 ✔✔Protect stored cardholder data
Requirement 4 ✔✔Encrypt transmission of cardholder data across open, public networks
Requirement 5 ✔✔Protect all systems against malware and regularly update anti-virus software or programs
PCI DSS Requirement 5 states that anti-virus software must be ✔✔installed on all systems commonly affected by malware
Requirement 6 ✔✔Develop and maintain secure systems and applications
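Requirement 3.4 allows a one-way hash of the entire PAN and truncation (first six, last four) as methods of rendering PAN unreadable, with the caveat that when both the truncated and the hashed form of the same PAN exist in an environment, additional controls are needed because the two can be correlated to rebuild the original. The following added example (not part of the study guide) shows why: with the first six and last four known, an unkeyed hash leaves at most one million candidate PANs to test, and a Luhn filter removes nine tenths of those before any hashing. It also shows the keyed variant (HMAC with a secret key), which does not suffer from this. The sample PAN is a constructed, well-known test number, not a real account; the key handling is simplified for illustration.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Optional

# Constructed sample PAN (a standard test number, not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation; every genuine PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation as permitted by 3.4: keep first six and last four digits only."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan_unkeyed(pan: str) -> str:
    """One-way SHA-256 hash of the ENTIRE PAN. No secret is involved, so anyone
    who knows the algorithm can recompute it for a guessed PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hash_pan_keyed(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). Without the key an attacker cannot test guesses;
    the key must be managed like an encryption key and never stored with the hashes."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def reconstruct_pan(truncated: str, stored_hash: str) -> Optional[str]:
    """Attacker view: given a truncated PAN and an UNKEYED hash of the same PAN,
    the only unknown is the masked middle. Enumerate all candidates (10^6 for a
    16-digit PAN), skip those that fail Luhn, hash the rest and compare.
    Returns the recovered PAN, or None if the hash was keyed (or not this PAN)."""
    masked = truncated.count("X")
    prefix, suffix = truncated[:6], truncated[-4:]
    for middle in itertools.product("0123456789", repeat=masked):
        candidate = prefix + "".join(middle) + suffix
        if not luhn_valid(candidate):
            continue  # about 9 in 10 candidates are rejected without hashing
        if hashlib.sha256(candidate.encode()).hexdigest() == stored_hash:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # illustration only; use a managed key in practice
    trunc = truncate_pan(SAMPLE_PAN)
    print("truncated PAN:           ", trunc)
    print("recovered (unkeyed hash):", reconstruct_pan(trunc, hash_pan_unkeyed(SAMPLE_PAN)))
    print("recovered (keyed hash):  ", reconstruct_pan(trunc, hash_pan_keyed(SAMPLE_PAN, key)))
```

The unkeyed case recovers the full PAN after at most a million cheap iterations, which is the correlation risk the 3.4 note describes; the keyed case returns None because the attacker cannot compute candidate digests without the key. Either way, the truncated and hashed forms of the same PAN should not be stored where an attacker can obtain both.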

Information Supplements provided by the PCI SSC may "supersede" or replace PCI DSS requirements. ✔✔False
In order to be considered a compensating control, which of the following must exist? ✔✔c) A legitimate technical constraint or a documented business constraint