PCIP Exam question n answers graded A+ 2023
PCI Data Security Standard (PCI DSS)
The PCI DSS applies to all entities that store, process, and/or transmit cardholder
data. It covers technical
and operational system components included in or connected to cardholder data. If you
accept or process payment cards, PCI DSS applies to you.
Sensitive Authentication Data
Merchants, service providers, and other
entities involved with payment card processing must never store sensitive
authentication data after
authorization. This includes the 3- or 4- digit security code printed on the front or back
of a card (CVD), the data stored on a card's magnetic stripe or chip (also called "Full
Track Data") - and personal identification numbers (PIN) entered by the cardholder.
Card Verification Data Codes (CVD)
3 or 4 digit code that further authenticates a not-present cardholder
Visa-CVV2
MC- CVC2
Discover- CVD
JCB-CAV2
AmEx- CID
Requirement 1
Install and maintain a firewall configuration to protect cardholder data
Network devices in scope for Requirement 1
Firewalls and Routers- Routers connect traffic between
networks, Firewalls control the traffic between networks and within internal network
QIR Qualified Integrators & Resellers
Qualified Integrators & Resellers- authorized by the SSC to implement, configure
and/or support PA-DSS payment applications. Visa requires all level 4 merchants use
QIRs for POS application and terminal installation and servicing
Compensating Controls
An alternative control, put in place to satisfy the requirement for a security measure
that is deemed too difficult or impractical to implement at the present time.
Permitted reasons for using Compensating Controls
Organizations needing an alternative to security requirements that could not be met due
to legitimate technological OR documented business constraints, but
has sufficiently mitigated the risk associated with the requirement through
implementation of other compensating controls
Examples of Compensating Controls
(i) Segregation of Duties (SOD) and (ii) Encryption
Compensating Controls must:
1) Meet the intent and rigor of the original stated requirement;
2) Provide a similar level of defense as the original stated requirement;
3) Be "above and beyond" other PCI DSS requirements (not simply in compliance with
,other PCI DSS requirements); and
4) Be commensurate with the additional risk imposed by not adhering to the original
stated requirement.
Compensating Controls Worksheet
1) Constraint; 2) Objective; 3) Identified Risk; 4) Define Compensating Control;
5)Validate Controls; 6) Maintenance (COIDVM)
Card Data that cannot be stored by Merchants, Service providers after
authorization
Sensitive Authentication Data. i) 3- or 4- digit security code printed on the front or back
of a card, ii) data stored on a card's magnetic stripe or chip (also called "Full Track
Data"), and iii) personal identification
numbers (PIN) entered by the cardholder
Card Data that MAY be stored
i) cardholder name, ii) service code (identifies industry iii) Personal Account Number
(PAN)
iv) expiration date may be stored.
Network Segmentation
The process of isolating the cardholder data environment from the remainder of an
entity's network
Not a requirement but strongly recommended.
Report on Compliance (ROC)
Prepared at the time of the assessment of PCI compliance and comprehensively
provides details about the assessment approach and compliance standing against each
PCI DSS requirement
What is included in the Report on Compliance (ROC)?
ROC includes (1) Executive summary, (2) description of scope of work and approach
taken, (3) details about reviewed environment, (4) contact information and report date,
(5) quarterly scan results and (6) findings and observations.
Steps to take for a PCI Assessment (hint: SARA's Remediation)
1. Scope - determine which system components and networks are in scope for PCI
DSS
2. Assess - examine the compliance of system components in scope following the
testing
procedures for each PCI DSS requirement
3. Report - assessor and/or entity completes required documentation (e.g. Self-
Assessment
Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all
compensating controls
4. Attest - complete the appropriate Attestation of Compliance (AOC)
5. Submit - submit the SAQ, ROC, AOC and other requested supporting documentation
such as
ASV scan reports to the acquirer (for merchants) or to the payment brand/requestor (for
service
providers)
, 6. Remediate - if required, perform remediation to address requirements that are not in
place, and
Who can complete a Self Assessment Questionnaire (SAQ)?
i) the organization themselves, or ii) by a third party (e.g. IBM)
Who MUST complete a Report on Compliance?
It MUST be completed by an approved Qualified Security Assessor (QSA) through the
PCI Security Standards Council
What is included in PCI Scope Review?
1) Document the cardholder data flow; 2)develop a network diagram that documents all
of the firewalls, routers, switches, access points, servers and other network devices and
how they are architected; 3) scan your entire network to confirm that cardholder data is
not stored anywhere outside of the CDE (Generally, you need to identify all locations
and flows and ensure that they are included in scope.)
Steps to reduce scope of Cardholder Data Environment ("CDE")
1. Consolidation: Identifying and eliminating redundant data sets and consolidating
applications and information storage can reduce scope.
2.Centralization:Encrypted data stored in a highly secure on-site central data vault.
The payment card numbers are replaced with tokens in other applications or databases.
Since cardholder data is only stored in one central location, PCI DSS Scope is
minimized
3.End-To-End Encryption (E2EE) or Point-To-Point Encryption (P2PE):Ensures that
card numbers are encrypted from first card swipe at the point-of-sale (POS),
and while in transit all the way to the payment processor eliminating most PCI
requirements.
4.Outsourcing: Outsourcing all or some of your payment card processing
capabilities to a PCI DSS compliant service provider can reduce PCI scope. This is
especially relevant to companies conducting eCommerce transactions only.
5.Tokenization:Stores card numbers and other sensitive data such as social security
numbers in an off-site highly secure data vault. The payment card numbers are
replaced with tokens in all other databases and applications. Not storing cardholder
data anywhere greatly simplifies the scope of PCI Requirement.
Who makes up the PCI Security Standards Council?
1) Five payment brands (Am Ex, JCB, Visa, MC, Discover), and 2) Payment
Organizations (merchants, banks, processors, hardware and software developers,
point of sale vendors).
Card Processing Authorization- who does the merchant request and receive
authorization from to complete the purchase? What is provided to the merchant?
The Issuer provides an Authorization Code to the merchant
Card Processing Clearing- who shares what?
Acquirer and Issuer exchange payment information- usually 24 hr period in U.S.
Card Processing Settlement- who does acquirer pay? What does Issuer do?
1) Acquirer pays merchant and 2) Issuer bills cardholder (i.e. cardholder is charged)
-Reconciliation takes place, issuer records, posts the transaction which appears on the
cardholder's monthly statement
What are the 3 steps in Payment Card Processing?
1) Authorization 2) Clearing 3) Settlement
PCI Data Security Standard (PCI DSS)
The PCI DSS applies to all entities that store, process, and/or transmit cardholder
data. It covers technical
and operational system components included in or connected to cardholder data. If you
accept or process payment cards, PCI DSS applies to you.
Sensitive Authentication Data
Merchants, service providers, and other
entities involved with payment card processing must never store sensitive
authentication data after
authorization. This includes the 3- or 4- digit security code printed on the front or back
of a card (CVD), the data stored on a card's magnetic stripe or chip (also called "Full
Track Data") - and personal identification numbers (PIN) entered by the cardholder.
Card Verification Data Codes (CVD)
3 or 4 digit code that further authenticates a not-present cardholder
Visa-CVV2
MC- CVC2
Discover- CVD
JCB-CAV2
AmEx- CID
Requirement 1
Install and maintain a firewall configuration to protect cardholder data
Network devices in scope for Requirement 1
Firewalls and Routers- Routers connect traffic between
networks, Firewalls control the traffic between networks and within internal network
QIR Qualified Integrators & Resellers
Qualified Integrators & Resellers- authorized by the SSC to implement, configure
and/or support PA-DSS payment applications. Visa requires all level 4 merchants use
QIRs for POS application and terminal installation and servicing
Compensating Controls
An alternative control, put in place to satisfy the requirement for a security measure
that is deemed too difficult or impractical to implement at the present time.
Permitted reasons for using Compensating Controls
Organizations needing an alternative to security requirements that could not be met due
to legitimate technological OR documented business constraints, but
has sufficiently mitigated the risk associated with the requirement through
implementation of other compensating controls
Examples of Compensating Controls
(i) Segregation of Duties (SOD) and (ii) Encryption
Compensating Controls must:
1) Meet the intent and rigor of the original stated requirement;
2) Provide a similar level of defense as the original stated requirement;
3) Be "above and beyond" other PCI DSS requirements (not simply in compliance with
,other PCI DSS requirements); and
4) Be commensurate with the additional risk imposed by not adhering to the original
stated requirement.
Compensating Controls Worksheet
1) Constraint; 2) Objective; 3) Identified Risk; 4) Define Compensating Control;
5)Validate Controls; 6) Maintenance (COIDVM)
Card Data that cannot be stored by Merchants, Service providers after
authorization
Sensitive Authentication Data. i) 3- or 4- digit security code printed on the front or back
of a card, ii) data stored on a card's magnetic stripe or chip (also called "Full Track
Data"), and iii) personal identification
numbers (PIN) entered by the cardholder
Card Data that MAY be stored
i) cardholder name, ii) service code (identifies industry iii) Personal Account Number
(PAN)
iv) expiration date may be stored.
Network Segmentation
The process of isolating the cardholder data environment from the remainder of an
entity's network
Not a requirement but strongly recommended.
Report on Compliance (ROC)
Prepared at the time of the assessment of PCI compliance and comprehensively
provides details about the assessment approach and compliance standing against each
PCI DSS requirement
What is included in the Report on Compliance (ROC)?
ROC includes (1) Executive summary, (2) description of scope of work and approach
taken, (3) details about reviewed environment, (4) contact information and report date,
(5) quarterly scan results and (6) findings and observations.
Steps to take for a PCI Assessment (hint: SARA's Remediation)
1. Scope - determine which system components and networks are in scope for PCI
DSS
2. Assess - examine the compliance of system components in scope following the
testing
procedures for each PCI DSS requirement
3. Report - assessor and/or entity completes required documentation (e.g. Self-
Assessment
Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all
compensating controls
4. Attest - complete the appropriate Attestation of Compliance (AOC)
5. Submit - submit the SAQ, ROC, AOC and other requested supporting documentation
such as
ASV scan reports to the acquirer (for merchants) or to the payment brand/requestor (for
service
providers)
, 6. Remediate - if required, perform remediation to address requirements that are not in
place, and
Who can complete a Self Assessment Questionnaire (SAQ)?
i) the organization themselves, or ii) by a third party (e.g. IBM)
Who MUST complete a Report on Compliance?
It MUST be completed by an approved Qualified Security Assessor (QSA) through the
PCI Security Standards Council
What is included in PCI Scope Review?
1) Document the cardholder data flow; 2)develop a network diagram that documents all
of the firewalls, routers, switches, access points, servers and other network devices and
how they are architected; 3) scan your entire network to confirm that cardholder data is
not stored anywhere outside of the CDE (Generally, you need to identify all locations
and flows and ensure that they are included in scope.)
Steps to reduce scope of Cardholder Data Environment ("CDE")
1. Consolidation: Identifying and eliminating redundant data sets and consolidating
applications and information storage can reduce scope.
2.Centralization:Encrypted data stored in a highly secure on-site central data vault.
The payment card numbers are replaced with tokens in other applications or databases.
Since cardholder data is only stored in one central location, PCI DSS Scope is
minimized
3.End-To-End Encryption (E2EE) or Point-To-Point Encryption (P2PE):Ensures that
card numbers are encrypted from first card swipe at the point-of-sale (POS),
and while in transit all the way to the payment processor eliminating most PCI
requirements.
4.Outsourcing: Outsourcing all or some of your payment card processing
capabilities to a PCI DSS compliant service provider can reduce PCI scope. This is
especially relevant to companies conducting eCommerce transactions only.
5.Tokenization:Stores card numbers and other sensitive data such as social security
numbers in an off-site highly secure data vault. The payment card numbers are
replaced with tokens in all other databases and applications. Not storing cardholder
data anywhere greatly simplifies the scope of PCI Requirement.
Who makes up the PCI Security Standards Council?
1) Five payment brands (Am Ex, JCB, Visa, MC, Discover), and 2) Payment
Organizations (merchants, banks, processors, hardware and software developers,
point of sale vendors).
Card Processing Authorization- who does the merchant request and receive
authorization from to complete the purchase? What is provided to the merchant?
The Issuer provides an Authorization Code to the merchant
Card Processing Clearing- who shares what?
Acquirer and Issuer exchange payment information- usually 24 hr period in U.S.
Card Processing Settlement- who does acquirer pay? What does Issuer do?
1) Acquirer pays merchant and 2) Issuer bills cardholder (i.e. cardholder is charged)
-Reconciliation takes place, issuer records, posts the transaction which appears on the
cardholder's monthly statement
What are the 3 steps in Payment Card Processing?
1) Authorization 2) Clearing 3) Settlement
