PCIP Already Graded A+
PCI DSS Requirement 1 Ans- Install and maintain a firewall configuration to protect cardholder data
PCI DSS Requirement 2 Ans- Do not use vendor supplied defaults for system passwords and other
security parameters
PCI DSS Requirement 3 Ans- Protect stored cardholder data by enacting a formal data retention policy
and implement secure deletion methods
PCI DSS Requirement 4 Ans- Protected Cardholder Data during transmission over the internet, wireless
networks or other open access networks or systems (GSM, GPRS, etc.)
PCI DSS Requirement 5 Ans- Use and regularly update anti-virus software or programs
PCI DSS Requirement 6 Ans- Develop and maintain secure systems and applications
PCI DSS Requirement 7 Ans- Restrict access to cardholder data by business need to know
PCI DSS Requirement 8 Ans- Assign a unique ID to each person with computer access
PCI DSS Requirement 9 Ans- Restrict physical access to cardholder data
PCI DSS Requirement 10 Ans- Track and monitor all access to network resources and cardholder data
PCI DSS Requirement 11 Ans- Regularly test secuirty systems and processes with wireless scans,
vulnerability scnas, log audits, ASV (Approved Scanning Vendor)
PCI DSS Requirement 12 Ans- Maintain a policy that addresses information security for all personnel
,ASV (Approved Scanning Vendor) Ans- Company approved by the PCI SSC to conduct external
vulnerability scanning services.
PCI Data Security Standards (PCI DSS) Ans- Covers the security of the environments that store, process
or transmit account data.
Environments receive account data from payment applications and other sources (e.g. acquirers)
PCI Payment Application Data Security Standards
(PCI PA-DSS) Ans- Covers secure payment applications to support PCI DSS compliance.
Applies to Third Party payment applications if the application performs authorization and/or settlement
(POS, shopping carts, etc.)
Ensures a payment application can function in a PCI DSS compliant manner
PA-DSS applications are in scope for PCI DSS
Payment application receives account data from PIN Entry Devices (PED) or other devices and begins
payment transaction
PCI PIN Transaction Security (PCI PTS) Ans- Covers device tamper detection, cryptographic processes and
other mechanisms to protect the Personal Identification Number (PIN).
Encrypted PIN is passed to payment application or hardware terminal.
PCI-PTS - PIN Security Ans- Covers secure management, processing and transmission of personal
identification number data during online and offline payment card transaction processing
PCI-PTS - HSM (Hardware Security Module or Host Security Module) Ans- A physically and logically
protected hardware device that provides a secure set of cryptographic services, used for cryptographic
key-management functions and/or the decryption of account data. Not required by DSS, but may help
with the management of keys.
, PCI Point to Point Encryption (PCI P2PE) Ans- Covers encryption, decryption and key management within
secure cryptographic devices (SCD). Not a requirement but may result in reduction of scope.
Secure Cryptographic Device (SCD) Ans- A set of hardware, software and firmware that implements
cryptographic processes (including cryptographic algorithms and key generation) and is contained within
a defined cryptographic boundary. Examples of secure cryptographic devices include host/hardware
security modules (HSMs) and point-of-interaction devices (POIs) that have been validated to PCI PTS.
POI - Point of Interaction Ans- The initial point where data is read from a card. An electronic transaction-
acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to
enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI
transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment
transactions.
PCI Card Production Ans- Covers physical and logical security requirements for systems and business
processes associated with card personalization, PIN generation, PIN mailers, and card carriers and
distribution.
CDE - Cardholder Data Environment Ans- The people, processes and technology that store, process, or
transmit cardholder data or sensitive authentication data.
Relationship between PTS and PCI DSS Ans- DSS prevents the storage of encrypted PIN blocks. PTS
supports the PIN encryption so there's no overlap.
Relationship between PCI DSS and PA-DSS Ans- Payment applications must support and not hinder PCI
DSS compliance
PCI DSS requirements mirrored in many payment application requirements in PA-DSS
Relationship between PCI DSS and P2PE Ans- Incorporates requirements from Pin Transaction Security,
PCI DSS, PA-DSS and PCI PIN to protect CHD from the point of capture until it reaches the payment
processor.
PCI DSS Requirement 1 Ans- Install and maintain a firewall configuration to protect cardholder data
PCI DSS Requirement 2 Ans- Do not use vendor supplied defaults for system passwords and other
security parameters
PCI DSS Requirement 3 Ans- Protect stored cardholder data by enacting a formal data retention policy
and implement secure deletion methods
PCI DSS Requirement 4 Ans- Protected Cardholder Data during transmission over the internet, wireless
networks or other open access networks or systems (GSM, GPRS, etc.)
PCI DSS Requirement 5 Ans- Use and regularly update anti-virus software or programs
PCI DSS Requirement 6 Ans- Develop and maintain secure systems and applications
PCI DSS Requirement 7 Ans- Restrict access to cardholder data by business need to know
PCI DSS Requirement 8 Ans- Assign a unique ID to each person with computer access
PCI DSS Requirement 9 Ans- Restrict physical access to cardholder data
PCI DSS Requirement 10 Ans- Track and monitor all access to network resources and cardholder data
PCI DSS Requirement 11 Ans- Regularly test secuirty systems and processes with wireless scans,
vulnerability scnas, log audits, ASV (Approved Scanning Vendor)
PCI DSS Requirement 12 Ans- Maintain a policy that addresses information security for all personnel
,ASV (Approved Scanning Vendor) Ans- Company approved by the PCI SSC to conduct external
vulnerability scanning services.
PCI Data Security Standards (PCI DSS) Ans- Covers the security of the environments that store, process
or transmit account data.
Environments receive account data from payment applications and other sources (e.g. acquirers)
PCI Payment Application Data Security Standards
(PCI PA-DSS) Ans- Covers secure payment applications to support PCI DSS compliance.
Applies to Third Party payment applications if the application performs authorization and/or settlement
(POS, shopping carts, etc.)
Ensures a payment application can function in a PCI DSS compliant manner
PA-DSS applications are in scope for PCI DSS
Payment application receives account data from PIN Entry Devices (PED) or other devices and begins
payment transaction
PCI PIN Transaction Security (PCI PTS) Ans- Covers device tamper detection, cryptographic processes and
other mechanisms to protect the Personal Identification Number (PIN).
Encrypted PIN is passed to payment application or hardware terminal.
PCI-PTS - PIN Security Ans- Covers secure management, processing and transmission of personal
identification number data during online and offline payment card transaction processing
PCI-PTS - HSM (Hardware Security Module or Host Security Module) Ans- A physically and logically
protected hardware device that provides a secure set of cryptographic services, used for cryptographic
key-management functions and/or the decryption of account data. Not required by DSS, but may help
with the management of keys.
, PCI Point to Point Encryption (PCI P2PE) Ans- Covers encryption, decryption and key management within
secure cryptographic devices (SCD). Not a requirement but may result in reduction of scope.
Secure Cryptographic Device (SCD) Ans- A set of hardware, software and firmware that implements
cryptographic processes (including cryptographic algorithms and key generation) and is contained within
a defined cryptographic boundary. Examples of secure cryptographic devices include host/hardware
security modules (HSMs) and point-of-interaction devices (POIs) that have been validated to PCI PTS.
POI - Point of Interaction Ans- The initial point where data is read from a card. An electronic transaction-
acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to
enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI
transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment
transactions.
PCI Card Production Ans- Covers physical and logical security requirements for systems and business
processes associated with card personalization, PIN generation, PIN mailers, and card carriers and
distribution.
CDE - Cardholder Data Environment Ans- The people, processes and technology that store, process, or
transmit cardholder data or sensitive authentication data.
Relationship between PTS and PCI DSS Ans- DSS prevents the storage of encrypted PIN blocks. PTS
supports the PIN encryption so there's no overlap.
Relationship between PCI DSS and PA-DSS Ans- Payment applications must support and not hinder PCI
DSS compliance
PCI DSS requirements mirrored in many payment application requirements in PA-DSS
Relationship between PCI DSS and P2PE Ans- Incorporates requirements from Pin Transaction Security,
PCI DSS, PA-DSS and PCI PIN to protect CHD from the point of capture until it reaches the payment
processor.
