Requirement 1 Ans- Install and maintain a firewall configuration to protect cardholder data
Requirement 2 Ans- Do not use vendor supplied defaults for system passwords and other security parameters
Requirement 3 Ans- Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion methods
Requirement 4 Ans- Encrypt transmission of cardholder data across open, public networks
Requirement 5 Ans- Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6 Ans- Develop and maintain secure systems and applications
Requirement 7 Ans- Restrict access to cardholder data by business need to know
Requirement 8 Ans- Identify and authenticate access to system components
Requirement 9 Ans- Restrict physical access to cardholder data
Requirement 10 Ans- Track and monitor all access to network resources and cardholder data
Requirement 11 Ans- Regularly test security systems and processes
Requirement 12 Ans- Maintain a policy that addresses information security for all personnel
Appendix A1 Ans- Shared hosting providers must protect the cardholder data environment
Appendix A2 Ans- Additional PCI DSS Requirements for Entities using SSL/early TLS
Appendix A3 Ans- Designated Entities Supplemental Validation (DESV)
Compensating Controls Ans- 1- Meet the intent and rigor of the original PCI requirement
2- Sufficiently offset the risk that the original PCI DSS requirement was designed to defend against
3- Be "above and beyond" other PCI DSS requirements (i.e., not simply in compliance with other requirements)
4- Be commensurate with additional risk imposed by not adhering to original requirement
Compensating Controls - Ans- To consider Compensating Controls, one of the following must exist that precludes implementing the stated control:
1- Legitimate Technical Constraint
2- Documented Business Constraint
Compensating Controls: Ans- Existing PCI DSS requirements CANNOT be considered as compensating controls if they are already required for the
Compensating Controls ... Ans- Existing PCI DSS requirements may be combined with new controls to become a compensating control
SAQs Ans- Validation tools intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS
SAQ A Ans- Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced to PCI DSS compliant service providers. Not applicable to face-to-face channels.
SAQ A-EP Ans- E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the