QUESTIONS AND CORRECT ANSWERS
-Customer purchasing goods either as a "Card Present" or "Card Not Present" transaction
-Receives the payment card and bills from the issuer - CORRECT ANSWER Cardholder
-Primary Account Number (PAN)
-Cardholder Name
-Expiration Date
-Service Code - CORRECT ANSWER Cardholder Data Includes:
-Full track data (Magnetic-stripe data or equivalent on a chip)
-CAV2/CVC2/CVV2/CID
-PINs/PIN blocks - CORRECT ANSWER Sensitive Authentication Data includes:
American Express
Discover
JCB International
MasterCard
Visa - CORRECT ANSWER Payment Brand
-Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard & Visa)
-Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB) - CORRECT ANSWER Issuer
-Organization accepting the payment card for payment during a purchase - CORRECT ANSWER Merchant
*Bank or entity the merchant uses to process their payment card transactions
*Receive authorization request from merchant and forward to Issuer for approval
*Provide authorization, clearing, and settlement services to merchants
*Acquirer is also called
--Merchant Bank
--ISO
--Payment Brand -Amex, Discover, JCB
--Never Visa or MasterCard - CORRECT ANSWER Acquirer
*Acquirer is responsible for merchant compliance
--Know payment brand compliance programs and how they apply to merchants
--Ensure that their merchants understand PCI DSS compliance requirements and track compliance efforts
--Manage Merchant communications
*work with merchants until compliance has been validated
--Merchants are not compliant until all applicable requirements have been met and validated
--Acquirer is responsible for providing merchant compliance status to payment brands
*Incur any liability that may result from non-compliance with payment brand compliance programs - CORRECT ANSWER Common Acquirer Responsibilities
*A service provider is a business that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.
-Sometimes a service provider is a merchant
*Service Provider also includes companies that provide services (to merchants, service providers, or other entities), which control or could impact the security of cardholder data - CORRECT ANSWER Service Providers
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters - CORRECT ANSWER Standard 1: Build and Maintain a Secure Network and Systems
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks - CORRECT ANSWER Standard 2: Protect Cardholder Data
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications - CORRECT ANSWER Standard 3: Maintain a Vulnerability Management Program
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data - CORRECT ANSWER Standard 4: Implement Strong Access Control Measures
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes - CORRECT ANSWER Standard 5: Regularly Monitor and Test Networks
12. Maintain a policy that addresses information security for all personnel - CORRECT ANSWER Standard 6: Maintain an Information Security Policy
Install and maintain a firewall configuration to protect cardholder data - CORRECT ANSWER Requirement 1
Do not use vendor-supplied defaults for system passwords and other security parameters - CORRECT ANSWER Requirement 2
Protect stored cardholder data - CORRECT ANSWER Requirement 3
Encrypt transmission of cardholder data across open, public networks - CORRECT ANSWER Requirement 4
Protect all systems against malware and regularly update anti-virus software or programs - CORRECT ANSWER Requirement 5
Develop and maintain secure systems and applications - CORRECT ANSWER Requirement 6
Restrict access to cardholder data by business need to know - CORRECT ANSWER Requirement 7
Identify and authenticate access to system components - CORRECT ANSWER Requirement 8
Restrict physical access to cardholder data - CORRECT ANSWER Requirement 9
Track and monitor all access to network resources and cardholder data - CORRECT ANSWER Requirement 10