AQSA Certification Exam Solution Manual Latest Update Graded A+
PCI SSC - Answers is an independent industry standards body providing oversights of the development
and management of Payment Card Industry Data Security Standards on a global basis.
What are the founding payment brands? - Answers American express, Discover, JCB, Mastercard, and
VISA
What define the merchant levels? - Answers defined by the payment brands, based on transaction
volume. Transaction volume determined by the acquirer)
What define the service provider levels? - Answers Defined by the payment brands according to
transaction volume and/or type of service provider. Determined by the payment brans or acquirer, or
sometimes the service provider.
SAQ-A - Answers Card-not-present merchants (e-commerce or mail/telephone-order) that have fully
outsourced all cardholder data functions to PCI DSS validated third-part service providers, with no
electronic storage, processing, or transmission of any cardholder data on the merchant's systems or
premises.
SAQ A-EP - Answers E-commerce merchants who outsource all payment processing to PCI DSS validated
third parties, and who have a website(s) that doesn't directly receive cardholder data but that can
impact the security of the payment transaction. No electronic storage, processing, or transmission of
any cardholder data on the merchant's systems or premises.
SAQ-B - Answers Merchants using only:
- Imprint machines with no electronic cardholder data storage; and/or
- Standalone, dial-out terminals with no electronic cardholder data storage.
SAQ-B-IP - Answers Merchants using only stand-alone, PTS-approved payment terminals with an IP
connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ C-VT - Answers is for merchants using only web-based virtual payment terminals, where cardholder
data is manually entered into a secure website from a single system.
SAQ-C - Answers is for merchants with dedicated payment application systems segmented from all other
systems, and connected to the Internet for the purposes of transaction processing. SAQ C is not
applicable to e-commerce payment channels. A merchant only accepts payments via the telephone and
they enter the cardholder data directly into a webpage provided by their acquirer.
PCI DSS - Answers covers security of the environments that store, process, or transmit account data. The
scope of PCI DSS covers environments receiving account data from payment applications and other
sources—acquirers, for example.
, PCI PA-DSS - Answers covers secure payment applications to support PCI DSS compliance. The scope of
PA-DSS addresses when a payment application receives account data from cardholder-interface devices
such as point-of sale-terminals or other devices and begins the payment transaction.
PCI P2PE (Point-to-Point Encryption) - Answers covers secure encryption, decryption, and key
management for point-to-point encryption solutions. Requirements for a P2PE solution will vary
depending on the deployment environment and the technologies used for a specific implementation.
PCI PTS (PIN Transaction Security) POI - Answers covers device tamper detection, cryptographic
processes, and other mechanisms used to protect the PIN and other sensitive data, such as
cryptographic keys. The PTS set of requirements addresses how cardholder PINs are protected at
cardholder-interface devices such as point-of-sale terminals, as well as hardware security modules that
are used for payment processing and cardholder authentication applications and processes.
PCI PIN Security - Answers covers secure management, processing, and transmission of personal
identification number (PIN) data during online and offline payment card transaction processing.
PCI PTS HSM standard - Answers covers the design of hardware security modules and for securely
protecting those devices until they are deployed.
Card Production standards - Answers establish minimum security levels for card vendors involved in
payment card manufacturing, card personalization, pre-personalization, chip embedding, data
preparation , and fulfillment.
Discover Compliance Program is called ______________. - Answers Information Security Compliance
JCB Compliance Program is called ______________. - Answers Data Security Program
MasterCard Compliance Program is called ______________. - Answers Site Data Protection
Visa Inc. Compliance Program is called ______________. - Answers Information Security Program
Visa Europe Compliance Program is called ______________. - Answers Account Information Security
Program.
The key thing to understand for payment brand compliance programs is _________. - Answers that they
handle PCI DSS compliance tracking, enforcement, and any penalties or fees that might be assigned. In
addition, payment brands are responsible for forensic response and investigation of account data
compromises.
What are the Payment Brand Roles? - Answers Develop and enforce compliance programs/Endorse QSA,
PA-QSA and ASV company qualification criteria/ Accept validation documentation from QSAs, PA-QSAs,
and ASVs.
Merchant will generally report to their __________ where service providers will report to the
____________. - Answers acquirer/ payment brands.
PCI SSC - Answers is an independent industry standards body providing oversights of the development
and management of Payment Card Industry Data Security Standards on a global basis.
What are the founding payment brands? - Answers American express, Discover, JCB, Mastercard, and
VISA
What define the merchant levels? - Answers defined by the payment brands, based on transaction
volume. Transaction volume determined by the acquirer)
What define the service provider levels? - Answers Defined by the payment brands according to
transaction volume and/or type of service provider. Determined by the payment brans or acquirer, or
sometimes the service provider.
SAQ-A - Answers Card-not-present merchants (e-commerce or mail/telephone-order) that have fully
outsourced all cardholder data functions to PCI DSS validated third-part service providers, with no
electronic storage, processing, or transmission of any cardholder data on the merchant's systems or
premises.
SAQ A-EP - Answers E-commerce merchants who outsource all payment processing to PCI DSS validated
third parties, and who have a website(s) that doesn't directly receive cardholder data but that can
impact the security of the payment transaction. No electronic storage, processing, or transmission of
any cardholder data on the merchant's systems or premises.
SAQ-B - Answers Merchants using only:
- Imprint machines with no electronic cardholder data storage; and/or
- Standalone, dial-out terminals with no electronic cardholder data storage.
SAQ-B-IP - Answers Merchants using only stand-alone, PTS-approved payment terminals with an IP
connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ C-VT - Answers is for merchants using only web-based virtual payment terminals, where cardholder
data is manually entered into a secure website from a single system.
SAQ-C - Answers is for merchants with dedicated payment application systems segmented from all other
systems, and connected to the Internet for the purposes of transaction processing. SAQ C is not
applicable to e-commerce payment channels. A merchant only accepts payments via the telephone and
they enter the cardholder data directly into a webpage provided by their acquirer.
PCI DSS - Answers covers security of the environments that store, process, or transmit account data. The
scope of PCI DSS covers environments receiving account data from payment applications and other
sources—acquirers, for example.
, PCI PA-DSS - Answers covers secure payment applications to support PCI DSS compliance. The scope of
PA-DSS addresses when a payment application receives account data from cardholder-interface devices
such as point-of sale-terminals or other devices and begins the payment transaction.
PCI P2PE (Point-to-Point Encryption) - Answers covers secure encryption, decryption, and key
management for point-to-point encryption solutions. Requirements for a P2PE solution will vary
depending on the deployment environment and the technologies used for a specific implementation.
PCI PTS (PIN Transaction Security) POI - Answers covers device tamper detection, cryptographic
processes, and other mechanisms used to protect the PIN and other sensitive data, such as
cryptographic keys. The PTS set of requirements addresses how cardholder PINs are protected at
cardholder-interface devices such as point-of-sale terminals, as well as hardware security modules that
are used for payment processing and cardholder authentication applications and processes.
PCI PIN Security - Answers covers secure management, processing, and transmission of personal
identification number (PIN) data during online and offline payment card transaction processing.
PCI PTS HSM standard - Answers covers the design of hardware security modules and for securely
protecting those devices until they are deployed.
Card Production standards - Answers establish minimum security levels for card vendors involved in
payment card manufacturing, card personalization, pre-personalization, chip embedding, data
preparation , and fulfillment.
Discover Compliance Program is called ______________. - Answers Information Security Compliance
JCB Compliance Program is called ______________. - Answers Data Security Program
MasterCard Compliance Program is called ______________. - Answers Site Data Protection
Visa Inc. Compliance Program is called ______________. - Answers Information Security Program
Visa Europe Compliance Program is called ______________. - Answers Account Information Security
Program.
The key thing to understand for payment brand compliance programs is _________. - Answers that they
handle PCI DSS compliance tracking, enforcement, and any penalties or fees that might be assigned. In
addition, payment brands are responsible for forensic response and investigation of account data
compromises.
What are the Payment Brand Roles? - Answers Develop and enforce compliance programs/Endorse QSA,
PA-QSA and ASV company qualification criteria/ Accept validation documentation from QSAs, PA-QSAs,
and ASVs.
Merchant will generally report to their __________ where service providers will report to the
____________. - Answers acquirer/ payment brands.
