Exam (elaborations)

PCIP questions and answers graded A+ 2023

Pages: 9
Grade: A
Uploaded on: 30-09-2023
Written in: 2023/2024


Content preview

PCIP questions and answers graded A+ 2023
Requirement 1
Install and maintain a firewall configuration to protect cardholder data
Requirement 2
Do not use vendor supplied defaults for system passwords and other security
parameters
Requirement 3
Protect stored cardholder data by enacting a formal data retention policy and implementing
secure deletion methods
Requirement 4
Encrypt transmission of cardholder data across open, public networks
Requirement 5
Protect all systems against malware and regularly update anti-virus software or
programs
Requirement 6
Develop and maintain secure systems and applications
Requirement 7
Restrict access to cardholder data by business need to know
Requirement 8
Identify and authenticate access to system components
Requirement 9
Restrict physical access to cardholder data
Requirement 10
Track and monitor all access to network resources and cardholder data
Requirement 11
Regularly test security systems and processes
Requirement 12
Maintain a policy that addresses information security for all personnel
Appendix A1
Shared hosting providers must protect the cardholder data environment
Appendix A2
Additional PCI DSS Requirements for Entities using SSL/early TLS
Appendix A3
Designated Entities Supplemental Validation (DESV)
Compensating Controls
1- Meet the intent and rigor of the original PCI requirement
2- Sufficiently offset the risk that the original PCI DSS requirement was designed to
defend against
3- Be "above and beyond" other PCI DSS requirements (i.e., not simply in compliance
with other requirements)
4- Be commensurate with additional risk imposed by not adhering to original
requirement
Compensating Controls -
To consider Compensating Controls, one of the following must exist that precludes
implementing the stated control:

1- Legitimate Technical Constraint
2- Documented Business Constraint
Compensating Controls :
Existing PCI DSS requirements CANNOT be considered as compensating controls if
they are already required for the
Compensating Controls ...
Existing PCI DSS requirements may be combined with new controls to become a
compensating control
SAQs
is a validation tool intended to assist merchants and service providers in self-evaluating
their compliance with the PCI DSS
SAQ A
Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions
outsourced to PCI DSS compliant service providers.
Not applicable to face-to-face channels.
SAQ A-EP
E-commerce merchants who outsource all payment processing to PCI DSS validated
third parties, and who have a website(s) that doesn't directly receive cardholder data but
that can impact the security of the payment transaction. No electronic storage,
processing, or transmission of any cardholder data on the merchant's systems or
premises.
Applicable only to e-commerce channels.
SAQ B
Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out
terminal merchants with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ B-IP
Merchants using only stand-alone, PTS-approved payment terminals with an IP
connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ C
Merchants with segmented payment application systems connected to the Internet, with
no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ C-VT
Merchants using only web-based virtual payment terminals, with no electronic
cardholder data storage.
Not applicable to e-commerce channels.
SAQ D
SAQ D for Merchants: All merchants not included in the descriptions for other SAQ
types.
SAQ D for Service Providers: All service providers identified by a payment brand as
eligible to complete a self-assessment questionnaire.
P2PE

Seller: magdamwikash23 (Western Governors University)