The payment card brands are responsible for: - ✔✔penalty or fee assignment for non-compliance
Authorization of a transaction usually takes place: - ✔✔within seconds, in real time (clearing and settlement follow later, typically within a day)
If a suspected card account number passes the Mod 10 test it means: - ✔✔it may be a valid PAN. Mod 10 is only a checksum; passing it does not prove the number is an issued account number
Which of the following is true regarding network segmentation? - ✔✔Network segmentation is not a PCI DSS requirement (it is recommended as a way to reduce scope)
Which of the following is true related to the tracks of data on the magnetic stripe of a payment card? - ✔✔Track 1 contains all the fields of Track 2 plus additional fields (such as the cardholder name)
How often should the firewall and router rule sets be reviewed? - ✔✔At least every six months
Which of the following statements is true concerning transaction volumes for merchants? - ✔✔Transaction volume (and therefore merchant level) is determined by each acquirer
Storing full track data after authorization is permitted under the following circumstances: - ✔✔NEVER
In order to reduce PCI DSS scope, adequate network segmentation should: - ✔✔isolate systems that store, process, or transmit cardholder data from those that do not
Systems that commonly store track data: - ✔✔POS systems
Which of the following is true regarding an entity sharing cardholder data with a service provider? - ✔✔The entity must have an established process for engaging service providers, including proper due diligence prior to engagement.
When must critical new security patches be installed? - ✔✔Within one month of release
Which of the following statements is true? - ✔✔PA-DSS compliant payment applications are in scope for a merchant's PCI DSS assessment
In accordance with PCI DSS Requirement 1, firewalls are required: - ✔✔between the cardholder data environment and other internal networks
Which party is responsible for merchant compliance validation and merchant communications? - ✔✔Acquirer
The Mod 10 formula doubles the value of alternate digits of the primary account number beginning with which digit? - ✔✔Second from the right (the rightmost digit is the check digit and is not doubled)
Strong access control lists include the following: - ✔✔Do not allow "risky" protocols such as FTP or Telnet.
Which of the following is true? - ✔✔A PA-DSS application installed by a QIR must still be reviewed during the PCI DSS assessment.
PCI SSC Community Meetings: - ✔✔provide an opportunity for PCI stakeholders to suggest changes and improvements.
Which of the following is true regarding track data? - ✔✔Track 1 contains all Track 2 data and additional fields for use by the card issuer
Which of the following statements is true? - ✔✔All systems on a "flat network" are in scope for the PCI DSS assessment.
Assessors must always use ___ when determining whether PCI DSS requirements have been met. - ✔✔independent judgment
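The Mod 10 check and the Track 1 / Track 2 layout from the questions above, worked in code. This is an added example and is not part of the original study notes: the regular expressions follow the ISO/IEC 7813 track layouts, and every card number and track string below is a constructed test value (4111111111111111 is a well-known test PAN, not an issued account number). The sample log line is constructed to show the caveat from the notes: a 16-digit order number can pass Mod 10 just as a PAN does.

```python
"""Mod 10 (Luhn) check, candidate-PAN scanning and track-data parsing.

Added example for these study notes; not code from the original page or
from PCI SSC. Track layouts follow ISO/IEC 7813 (Track 1 format code B,
Track 2). All card numbers and track strings are constructed test values.
"""
import re

# A run of 13-19 digits not embedded in a longer digit string.
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_passes(number: str) -> bool:
    """Mod 10 check as applied to PANs.

    The rightmost digit is the check digit. Working leftwards, every
    second digit (starting with the second from the right) is doubled and
    doubled values above 9 have 9 subtracted. The number passes when the
    sum of all digits is divisible by 10.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if not digits:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # second, fourth, ... digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_candidates(text: str) -> list:
    """Return the 13-19 digit runs in `text` that pass Mod 10.

    A hit is only a candidate: Mod 10 is a checksum, not proof that the
    digits are an issued account number, so a discovery tool treats the
    result as something to confirm (BIN range, surrounding context), not
    as a verdict.
    """
    return [run for run in PAN_RUN.findall(text) if luhn_passes(run)]


def parse_track(track: str) -> dict:
    """Parse a full Track 1 or Track 2 string into its fields.

    Track 1 carries every field Track 2 has (PAN, expiry, service code,
    discretionary data) plus the cardholder name, which is why the notes
    say Track 1 contains all of Track 2 and more.
    """
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        m = rx.fullmatch(track)
        if m:
            return {"track": kind, **m.groupdict()}
    raise ValueError("not a recognised Track 1 / Track 2 layout")


def contains_full_track(text: str) -> bool:
    """True if `text` holds full track data, i.e. sensitive authentication
    data that must never be retained after authorization."""
    return any(rx.search(text) for rx in (TRACK1_RE, TRACK2_RE))


if __name__ == "__main__":
    # Constructed log line: an order number that happens to pass Mod 10,
    # a properly masked PAN, and an unmasked test PAN.
    line = "order=1234567812345670 card=411111******1111 auth=4111111111111111"
    print(pan_candidates(line))        # both 16-digit runs pass the checksum
    track1 = "%B4111111111111111^DOE/JOHN^25121011234567890123?"
    print(parse_track(track1))
    print(contains_full_track("swipe=" + track1))
```

`pan_candidates` deliberately returns the order number as well as the test PAN: that is the point of the exam question, and why a cardholder-data discovery scan needs a second signal (issuer BIN ranges, field names, surrounding context) before a hit is treated as a PAN. `contains_full_track` is the check you would run over logs and databases after authorization, where any match is a finding regardless of how the PAN is otherwise protected.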
A compensating control is used when: - ✔✔An entity cannot meet a requirement explicitly as stated
Documentation for your PCI DSS self-assessment does not include: - ✔✔NIST 800-53 guidelines
This is a firewall capability that provides enhanced security by keeping track of the state of network connections: - ✔✔Stateful inspection
The role of the Internal Security Assessor (ISA) does not include: - ✔✔Producing the final Report on Compliance (ROC). An ISA produces the SAQ; a QSA produces the ROC.
Who should receive the completed SAQ? - ✔✔The acquiring bank or payment brand(s)
With respect to Requirement 11.2, when working with an Approved Scanning Vendor (ASV), an ISA must: - ✔✔Provide all IP ranges and domains of the externally scanned environment
The role of a Qualified Integrator and Reseller (QIR) does not include: - ✔✔Being qualified to assess payment applications against the PA-DSS standard
A "merchant bank" is commonly referred to as: - ✔✔An acquirer
A hosting provider: - ✔✔Offers various services to merchants and other service providers
One process that must be in place when changing the cardholder data environment is: - ✔✔Policies and procedures must define a separation of duties between personnel assigned to the development/test environments and those assigned to the production environment
Which aspect of PCI DSS is not required of an ISA? - ✔✔Development and enforcement of compliance programs
To meet PCI DSS Requirement 1.2.1, an entity may install a network firewall between the CDE and the corporate network to ensure only designated systems in the corporate network can communicate, via approved ports, with systems in the CDE. This is an example of: - ✔✔Segmentation
GPRS refers to: - ✔✔Acronym for "General Packet Radio Service." Mobile data service available to users of GSM mobile phones.
Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks: - ✔✔TRUE
This SAQ should be used for card-not-present merchants where all cardholder data functions are fully outsourced: - ✔✔SAQ A
Select the correct order for a compliance validation assessment: - ✔✔Kickoff meeting, scope definition, assessment planning, onsite interviews, reporting (SAQ) writing
Authentication refers to: - ✔✔A process of verifying the identity of an individual, device or process
ECC is an acronym for: - ✔✔Elliptic Curve Cryptography. An approach to public-key cryptography based on elliptic curves over finite fields.
A risk analysis / risk assessment is: - ✔✔A process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure
For all requirements that were met with the assistance of a compensating control, respond to the SAQ question by checking the "YES with CCW" column: - ✔✔TRUE
PCI DSS is not applicable to: - ✔✔Acquiring banks and brands
Account data includes: - ✔✔Primary Account Number (PAN), cardholder name, expiration date, service code (these are the cardholder data elements; account data also covers sensitive authentication data)
Sensitive Authentication Data (includes the full track contents of the magnetic stripe or equivalent data on a chip, card verification codes and values, PINs, and PIN blocks) should never: - ✔✔Be stored after authorization
A Card Verification Code or Value: - ✔✔Is a data element on a card's magnetic stripe that uses secure cryptographic processes to protect data integrity.
Default accounts are: - ✔✔A login account predefined in a system, application or device by the vendor or the installation process.
Which is not one of the six primary security goals of PCI DSS? - ✔✔Maintain an information security training program
Which scoping concept does not apply? - ✔✔Public, or untrusted, networks (for example, the Internet) are in scope of PCI DSS
Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls: - ✔✔TRUE
CD-ROM, DVD-ROM, USB flash drives and external/portable hard drives are examples of: - ✔✔Removable electronic media
This is hardware and/or software used to process payment card transactions at merchant locations: - ✔✔POS/POI
This can be the magnetic-stripe image on a chip or the data on the track 1 and/or track 2 portion of the magnetic stripe: - ✔✔Track data
This SAQ should be used for all other SAQ-eligible merchants: - ✔✔SAQ D for Merchants
A partially outsourced e-commerce merchant using a third-party website for payment processing should use which SAQ? - ✔✔SAQ A-EP
This SAQ should be used for merchants with only imprint machines or only standalone, dial-out terminals, and no electronic cardholder data storage: - ✔✔SAQ B
The purposes of the payment brands' compliance programs are: - ✔✔Tracking and enforcement, levying penalties and fees, setting compliance deadlines, establishing a validation process, and defining merchant and service provider levels
FTP, Telnet, POP3, IMAP, and SNMP v1 and v2 are considered: - ✔✔A protocol, service, or port that introduces security concerns due to the lack of controls over confidentiality and/or integrity
PA-DSS is applicable to: - ✔✔Payment applications that are sold "off-the-shelf" by software vendors
A poor scoping decision: - ✔✔Excluding part of the network from PCI DSS scope due to inadequate network segmentation that was not verified to be effective
This SAQ should be used for service providers: - ✔✔SAQ D for eligible service providers
Merchant levels are determined by: - ✔✔The merchant's acquiring bank
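The Requirement 1 questions above (a firewall between the CDE and other internal networks limited to designated systems and approved ports, no "risky" protocols in the ACLs, and a rule-set review at least every six months) come together in a rule-set review. The following is an added example, not code from the original notes or from any firewall vendor: the per-rule dictionary shape, the zone names "corp", "internet" and "cde", and the 183-day review interval are assumptions for illustration, and the rule set is constructed. A real review would load the vendor's rule export and map it into this shape.

```python
"""Six-monthly firewall rule-set review for a CDE boundary.

Added example for these study notes; not code from the original page or
from any firewall vendor. Rule shape, zone names and the review interval
are assumptions; the sample rules are constructed.
"""
from datetime import date, timedelta

# Services the notes list as lacking confidentiality/integrity controls.
# A port identifies SNMP but not its version, so 161/162 are flagged for a
# manual check that only SNMPv3 is in use.
INSECURE_SERVICES = {
    ("tcp", 21): "FTP",
    ("tcp", 23): "Telnet",
    ("tcp", 110): "POP3",
    ("tcp", 143): "IMAP",
    ("udp", 161): "SNMP (verify v3, not v1/v2)",
    ("udp", 162): "SNMP trap (verify v3, not v1/v2)",
}
REVIEW_INTERVAL = timedelta(days=183)  # "at least every six months" (assumed cut-off)

# Constructed sample rule set in the assumed shape (not a vendor export).
SAMPLE_RULES = [
    {"id": 10, "action": "allow", "src_zone": "corp", "src": "10.1.5.20",
     "dst_zone": "cde", "dst": "10.9.0.10", "proto": "tcp", "port": 443},
    {"id": 20, "action": "allow", "src_zone": "corp", "src": "any",
     "dst_zone": "cde", "dst": "any", "proto": "tcp", "port": "any"},
    {"id": 30, "action": "allow", "src_zone": "corp", "src": "10.1.5.30",
     "dst_zone": "cde", "dst": "10.9.0.20", "proto": "tcp", "port": 23},
    {"id": 40, "action": "allow", "src_zone": "internet", "src": "any",
     "dst_zone": "cde", "dst": "10.9.0.10", "proto": "tcp", "port": 443},
    {"id": 50, "action": "allow", "src_zone": "corp", "src": "10.1.5.40",
     "dst_zone": "corp", "dst": "any", "proto": "tcp", "port": 21},
    {"id": 999, "action": "deny", "src_zone": "any", "src": "any",
     "dst_zone": "cde", "dst": "any", "proto": "any", "port": "any"},
]


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def review_rules(rules, last_review, today=None):
    """Return (rule_id, finding) pairs; rule_id is None for rule-set-level findings."""
    last_review = _as_date(last_review)
    today = _as_date(today) if today else date.today()
    findings = []
    if today - last_review > REVIEW_INTERVAL:
        findings.append((None, f"rule set last reviewed {last_review.isoformat()}, "
                               "more than six months ago"))
    for r in rules:
        # Only permissive rules whose destination is the CDE matter here.
        if r["action"] != "allow" or r["dst_zone"] != "cde":
            continue
        rid = r["id"]
        if r["src_zone"] == "internet":
            findings.append((rid, "allows direct access from the Internet into the CDE"))
        if r["src"] == "any" or r["port"] == "any":
            findings.append((rid, "not limited to designated source systems and "
                                  "approved ports (Requirement 1.2.1)"))
        service = INSECURE_SERVICES.get((r["proto"], r["port"]))
        if service:
            findings.append((rid, f"permits {service} into the CDE; replace with an "
                                  "encrypted equivalent or document a compensating control"))
    return findings


def flagged_rule_ids(findings):
    """Distinct rule ids that produced at least one finding, sorted."""
    return sorted({rid for rid, _ in findings if rid is not None})


if __name__ == "__main__":
    for rid, text in review_rules(SAMPLE_RULES, "2023-01-10", today="2023-09-01"):
        label = f"rule {rid}" if rid is not None else "rule set"
        print(f"{label}: {text}")
```

Rule 10 is the pattern the segmentation question describes (one designated corporate host, one approved port, into the CDE) and produces no finding; rule 20 is the "flat network" case that makes every corporate host in scope; rule 30 is the Telnet ACL entry the notes call risky; rule 40 breaks the rule that the Internet never reaches the CDE directly; and rule 50, FTP but not into the CDE, is out of scope for this check. The rule-set-level finding is what turns "every six months" from a policy statement into something the review script can fail on.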