PA-DSS
Payment Application Data Security Standard (POS, shopping carts, etc.)
PTS (POI)
PIN Transaction Security Point of Interaction Standard (Attended and Unattended
Devices)
HSM (PIN)
Hardware Security Module PIN Standard (not required but may assist in becoming
compliant)
P2PE
Point to Point Encryption Standard (Most helpful standard to reduce scope)
SRED
Secure Read and Exchange Module allows terminals to be approved for secure
encryption of cardholder data.
POI Examples
Attended: Cash Registers
Unattended Encrypted PIN Pads: ATM
Unattended Payment Terminals: Gas Pump
PCI PIN Security Requirements
Management
Processing
Transmission
Payment Card Flow
Cardholder presents card -> Acquirer asks payment brand to determine issuer ->
Payment brand network determines issuer and requests approval -> Issuer approves
purchase -> Payment brand network sends approval to the acquirer -> Acquirer sends
approval to merchant -> Cardholder completes purchase and receives receipt.
Acquirer (Also Called?)
-Merchant Bank
-Independent Sales Organization (ISO)
-Payment Brand (Amex, Discover, JCB)
-Never Visa or Mastercard
Payment Card Flow (Clearing)
Acquirer sends purchase information to the payment brand network -> payment brand
network sends purchase information to the issuer -> issuer prepares data for cardholder
statement -> payment brand network provides complete reconciliation to acquirer.
Payment Card Flow (Settlement)
Issuer determines acquirer via the payment brand network -> Issuer sends payment to
acquirer -> Acquirer pays merchant for cardholder's purchase -> Issuer bills cardholder
Service Provider
A business that is not a payment brand and is directly involved in the processing, storage or
transmission of cardholder data on behalf of another entity. Sometimes a service
provider is also a merchant.
QIRs
Qualified Integrators and Resellers
-Assure quality and provide feedback
What do QIRs do?
-Implementing applications into a merchant environment
-Integrating applications into new software or systems.
-Configuring the payment application
-Servicing payment applications to provide troubleshooting/remote updates or support.
PA-DSS Implementation Guide
-What the QIR uses in order to implement a PCI DSS compliant payment application
into a CDE environment.
-After installation the QIR creates an implementation statement and gives it to the
customer for their signature.
CID
Card Identification Number (American Express)
CAV2/CID/CVC2/CVV2
Card-specific security code on the back of the card (Discover, JCB, Mastercard, Visa)
Cardholder Data
-PAN
-Cardholder Name
-Expiration Date
-Service Code
Sensitive Authentication Data
-Full magnetic stripe data or chip data
-CAV2/CVC2/CVV2/CID
-PINs/PIN blocks
-Cannot be stored after authorization
Track 1 Data
Contains all fields of both Track 1 and Track 2
-Length up to 79 characters
Track 2 Data
Provides shorter processing time for older dial-up transmissions.
-Length up to 40 characters
Inventorying Cardholder Environment
-System Name
-Cardholder data stored
-Reason for storage
-Retention period
-Protection mechanism
Is storing track data permitted after authorization?
No
PCI DSS Goals
-Build and maintain a secure network and systems
-Protect Cardholder Data
-Maintain a vulnerability management program
-Implement strong access control measures