Download PCI Data Security Standard (PCI DSS) Exam Questions and Answers and more Exams Database Management Systems (DBMS) in PDF only on Docsity!
2025 - 2026 PCIP EXAM /ACTUAL184 Qs&As|LATEST
UPDATE|100% GENUINE EXAM|A+GRADE
PCI Data Security Standard (PCI DSS) – ANSWER ✅The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It coverstechnical and operational system components included in or connected to cardholderdata. If you accept or process payment cards, PCI DSS applies to you. Sensitive Authentication Data – ANSWER✅Merchants, service providers, and other entities involved with payment card processing must never store sensitiveauthentication data after authorization. This includes the 3- or 4- digit security code printed on the front or back of a card (CVD), the data stored on a card's magnetic stripe orchip (also called "Full Track Data") - and personal identification numbers (PIN) entered by the cardholder. Card Verification Data Codes (CVD) – ANSWER ✅ 3 or 4 digit code thatfurther authenticates a not-present cardholder Visa- CVV2MC- CVC Discover- CVD
JCB-CAV
AmEx- CID Requirement 1 – ANSWER ✅Install and maintain a firewall configuration toprotect cardholder data Network devices in scope for Requirement 1
- ANSWER ✅Firewalls and Routers- Routers connect traffic between networks, Firewalls control the traffic between networks and within internal network QIR Qualified Integrators & Resellers
- ANSWER ✅Qualified Integrators & Resellers- authorized by the SSC to implement, configure and/or support PA- DSS payment applications. Visa requires all level 4 merchants use QIRs for POS application and terminal installation and servicing Compensating Controls - ANSWER ✅An alternative control, put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.
Compensating Controls Worksheet - ANSWER ✅1) Constraint; 2) Objective;
- Identified Risk; 4) Define Compensating Control; 5)Validate Controls; 6) Maintenance (COIDVM) Card Data that cannot be stored by Merchants, Service providers after authorization - ANSWER ✅Sensitive Authentication Data. i) 3- or 4- digit security code printed on the front or back of a card, ii) data stored on a card's magnetic stripe or chip (also called "Full Track Data"), and iii) personal identification numbers (PIN) entered by the cardholder Card Data that MAY be stored - ANSWER ✅i) cardholder name, ii) servicecode (identifies industry iii) Personal Account Number (PAN) iv) expiration date may be stored. Network Segmentation - ANSWER ✅The process of isolating the cardholder data environment from the remainder of an entity's network Not a requirement but strongly recommended. Report on Compliance (ROC) - ANSWER ✅Prepared at the time of the assessment of PCI compliance and comprehensively provides details about the assessment approach and compliance standing against each PCI DSS requirement What is included in the Report on Compliance (ROC)? - ANSWER ✅ROC includes (1) Executive summary, (2) description of scope of work and approach taken, (3) details about reviewed environment, (4) contact information and report date, (5) quarterly scan results and (6) findings and observations.
Steps to take for a PCI Assessment (hint: SARA's Remediation) - SOLUTION ✅1. Scope - determine which system components and networks are in scopefor PCI DSS
2. Assess - examine the compliance of system components in scope following the
testing procedures for each PCI DSS requirement
3. Report - assessor and/or entity completes required documentation (e.g.Self-
Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls
4. Attest - complete the appropriate Attestation of Compliance (AOC)
5. Submit - submit the SAQ, ROC, AOC and other requested supporting
documentation such as ASV scan reports to the acquirer (for merchants) or to the payment brand/requestor (for service providers)
6. Remediate - if required, perform remediation to address requirementsthat
are not in place, and Who can complete a Self Assessment Questionnaire (SAQ)? - ANSWER ✅i)the organization themselves, or ii) by a third party (e.g. IBM) Who MUST complete a Report on Compliance? - ANSWER ✅It MUST be completed by an approved Qualified Security Assessor (QSA) through the PCI
- Tokenization:Stores card numbers and other sensitive data such as social security numbers in an off-site highly secure data vault. The payment card numbers are replaced with tokens in all other databases and applications. Not storing cardholder data anywhere greatly simplifies the scope of PCI Requirement. Who makes up the PCI Security Standards Council? - ANSWER ✅1) Five payment brands (Am Ex, JCB, Visa, MC, Discover), and 2) Payment Organizations (merchants, banks, processors, hardware and software developers, point of sale vendors). Card Processing Authorization- who does the merchant request and receive authorization from to complete the purchase? What is provided to the merchant? - ANSWER ✅The Issuer provides an Authorization Code to the merchant Card Processing Clearing- who shares what? - ANSWER ✅Acquirer andIssuer exchange payment information- usually 24 hr period in U.S. Card Processing Settlement- who does acquirer pay? What does Issuer do? - ANSWER ✅1) Acquirer pays merchant and 2) Issuer bills cardholder (i.e. cardholder is charged)
- Reconciliation takes place, issuer records, posts the transaction which appears on the cardholder's monthly statement What are the 3 steps in Payment Card Processing? - ANSWER ✅1)Authorization
- Clearing 3) Settlement Functions associated with Acquirers - ANSWER ✅Authorize, Clear andSettle to merchant
Who ultimately approves the purchase? - ANSWER ✅Issuer Which step does the Payment Brand Network provide complete reconciliation to the merchant bank? - ANSWER ✅Clearing How long is PCIP qualification valid? - ANSWER ✅ 3 years Which takes precedence...local laws or PCI Standards? - ANSWER ✅Local Laws Payment Brand Network - ANSWER ✅The cc brands (e.g. Am Ex, Discover). Discover and Amex are BOTH the card network and issuing bank- havingtheir own financial institutions issue the cc's to consumers Visa and MasterCard are card networks only and do NOT issue cc's- theyhave third party issuing banks do it for them. What do Acquirer's do for their merchants? - ANSWER ✅Authorize--Clear-- Settle for their merchant Who ultimately approves the purchase? - ANSWER ✅Issuer In which step does the Payment Brand Network provide completereconciliation to the merchant bank? - ANSWER ✅Clearing (PA-DSS) Payment Application Data Security Standard - ANSWER ✅Third party payment applications that authorize and settle
(PA-DSS) Payment Application DSS - ANSWER ✅Most payment application (PA-DSS) requirements are equivalent of PCI-DSS
- Geared toward the Application providers P2PE - ANSWER ✅P2PE- Incorporates requirements from PTS, PCI-DSS, PA- DSS, and PCI-PIN Protects cc data from point of capture to processing (PCI-PTS) PIN- Transaction Security Devices - ANSWER ✅PCI-PTS applies to pin entry devices/ point of interaction devices (POI), Encrypting Pin Pads (EPP), Point of Sale devices (POS), Hardware (or host) security modules (HSMs), Unattended Payment Terminals (UPT)s, and non-PIN entry module
- Geared toward Device Manufacturers PCI-PTS - what does the program ensure against? - ANSWER ✅ 1 - Terminals cannot be manipulated or hacked, or access to pins/keys 2 - Secure Read and Exchange Module (SREM)- allows terminals to be approved for the secure encryption of cardholder data as part of the P2PE program
3 - PTS extended to allow non-PIN entry modules to be evaluated against the SRED module, allowing secure encryption at POI for non-chip and PIN cards PCI Pin Requirements provides for secure ........? - ANSWER ✅1) PIN management 2) processing and 3) transmission PCI PIN requirements protects PINs entered when and where? - SOLUTION ✅Online and offline payment card transactions at ATMs and attended and unattended POS Qualified Integrators and Resellers (QIR) - ANSWER ✅entities that sell,install or service payment applications on behalf of software vendors
- software vendors develop the app but QIRs need to make sure app is implemented properly to comply with PCI-DSS
- QIR cannot submit certification for PA-DSS validation, only software vendorcan file Where does cardholder data flow? - ANSWER ✅Between and through apps, systems and network infrastructure devices
What is an untrusted network? - ANSWER ✅An untrusted network is any network that is external to the networks of the entity being reviewed and/or which is out of the entity's ability to control or manage. Req. 1.2 Restrict Traffic - ANSWER ✅Restrict all traffic inbound and outbound from untrusted networks (including wireless) and hosts
- Deny all other traffic except protocols necessary for the CDE Req. 1.2.3 Where do firewalls have to be installed? - ANSWER ✅Between all wireless networks and the CDE Requirement 2 - ANSWER ✅Do NOT use vendor-supplied default passwords and other security parameters (ALL default passwords)
- inventory system components
- Ensure non-console access to network devices, servers and othercomponents is encrypted
- Sources of industry accepted system hardening (configuration) standards(Req. 2) - ANSWER ✅1) Center for Internet Security (CIS)
2) International Organization for Standardization (ISO)
3) SysAdmin Audit Network Security (SANS) Institute
4) National Institute of Standards Technology (NIST)
Req. 2.1 When should all vendor defaults be removed or disabled? - ANSWER ✅BEFORE installing a system on the network (includes wirelessdevices
connected to the CHD environment or used to transmit CHD data. (SSH) Secure Shell (Req. 2.2.2-2.2.3) - ANSWER ✅Considered secure Segmentation consists of what? - ANSWER ✅1)Logical Controls, or 2) physical controls or 3) a combo of both e.g. Firewalls/routers between CHD and corporate network Card holder data (CHD) environment is comprised of what? - SOLUTION ✅People, Processes and Technolo gies that store, transmit or process CHD or SAD Are untrusted networks (e.g. internet) in scope for PCI-DSS - SOLUTION ✅No, they are not in scope, but to protect in-scope systems and data fromuntrusted networks, PCI-DSS requirements must be implemented What is a flat network? - ANSWER ✅A network without adequatesegmentation
- results in the entire network being in scope for PCI DSS assessment How frequently does an entity have to confirm PCI DSS scope? - SOLUTION ✅Annually
- must identify locations and flows of CHD
- identify all systems connected to, or if compromised could impact the CDE
- Exception for Issuers- may store SAD if business need and secure Req. 3.2.2 Track Data - ANSWER ✅Track data located in magnetic stripeback of card
- Track equivalent data found on the Chip - but has a unique code Req. 3.4 If stored, PAN must be Unreadable - ANSWER ✅PAN must be unreadable if stored Tech. Solutions to make unreadable:
- One way hash functions of the entire PAN
- truncation
- index tokens w/ secure pads
- strong cryptography Req. 3.2.3 - ANSWER ✅Don't store PIN after authorization Req. 3.6.6 - ANSWER ✅Manual clear text cryptographic key management ifused, must be managed by: 1) Split Knowledge and 2) Dual Control
- One person alone cannot access the authentication materials of another Req. 4 - ANSWER ✅Protect card holder data transmitted across openpublic network (internet) using encryption
- use strong cryptography
- verify certificates
- use industry best practices (e.g. IEEE 802.11i) Req. 5 - ANSWER ✅Protect all systems against malware and regularlyupdate antivirus software
- deploy antivirus software on systems COMMONLY susceptible to malicious software (Malware)- not required on systems not commonly affected by malware Zero Day - ANSWER ✅Term for attacks on previously UNKNOWN vulnerabilities Req. 6.3 - ANSWER ✅Develop internal and external software securely
- include web based administrative access
Req. 6.4 Change control procedures and processes - ANSWER ✅Followchange control procedures and processes for ALL changes to system components
- separate development/test environments from production environmentsand enforce separation with access controls
- separate development/test duties from production duties (e.g. developeruses administrator level account to develop environment, and separate account with user level access to production environment) Req. 6.3.4 and 6.4.4 Live PANs-Testing/Development - ANSWER ✅Live PANs CANNOT be used for testing or development
- Remove even test data and test accounts before system component goes active (in production) Req. 6.5.1 through 6.5.10 Minimum Controls- Coding Vulnerabilities- Software Development - ANSWER ✅Minimum controls include:
1) Train developers (at least) annually- up to date coding techniques
2) Develop apps based on secure coding guidelines
3) Address common coding vulnerabilities (injection flaws, buffer overflows,
insecure cryptographic storage, insecure communications, improper error handling, and all high-risk vulnerabilities identified in Req. 6.1) Req. 6.6 Public Facing Web-Apps - ANSWER ✅1) Review public facing web-apps with manual or automated tools or methods at least annually and after any changes (different from vulnerability scan in Req. 11.2) OR
- Install an automated technical ANSWERto detect and prevent web basedattacks (e.g. web app firewall)- continuously checking all traffic Req. 7 Restrict access to cardholder data to whom? - ANSWER ✅Businessneed to know basis Req. 7.2 Use Access Control Systems to Restrict Access - ANSWER ✅Change "allow-all" setting to "deny all"
