PCI fundamentals (2022/2023) Graded A

ASV ✔✔Approved Scanning Vendor
PCI ✔✔Payment Card Industry
PTS ✔✔PIN Transaction Security (device)
QSA ✔✔Qualified Security Assessor
...
ROC ✔✔Report on Compliance
ROV ✔✔Report on Validation
QIR ✔✔Qualified Integrator Reseller
Which entity is responsible for developing and enforcing compliance programs? ✔✔Payment Brands
Which entity is responsible for forensic investigations of account data compromise? ✔✔Payment Brands
Which entity is responsible for accepting validation documentation from QSAs, PA-QSAs and ASVs? ✔✔Payment Brands
Which entity is responsible for endorsing QSA, PA-QSA and ASV company qualification criteria? ✔✔Payment Brands
Merchant obligations may include submitting their compliance status to multiple entities. True or false? ✔✔True
The decision about a merchant's level is made by the ✔✔Merchant's acquirer
Level 1 and 2 merchants must include ___________ as part of their PCI DSS compliance validation reporting process? ✔✔Level 1 and 2 merchants need quarterly external vulnerability scans to be performed by an ASV. Level 2 merchants may use SAQs to validate compliance.
SAQ ✔✔Self-assessment Questionnaire
Type of SAQ? Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced to PCI DSS compliant service providers. Not applicable to face-to-face channels. ✔✔A
Type of SAQ? E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels. ✔✔A-EP
Type of SAQ? Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. Not applicable to e-commerce channels. ✔✔B
Type of SAQ? Merchants using only stand-alone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. ✔✔B-IP
Type of SAQ? Merchants with segmented payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels. ✔✔C
Type of SAQ? Merchants using only web-based virtual payment terminals, with no electronic cardholder data storage. Not applicable to e-commerce channels. ✔✔C-VT
Type of SAQ? All merchants not included in the descriptions for other SAQ types. ✔✔D for Merchants
Type of SAQ? All service providers identified by a payment brand as eligible to complete a SAQ. ✔✔D for providers
Type of SAQ? Merchants who have implemented a validated Point-to-Point Encryption Solution that is listed on the PCI SSC website, with no electronic cardholder data storage. Not applicable to e-commerce channels. ✔✔P2Pe
Does PA-DSS apply to custom payment applications endorsed by the PCI SSC? ✔✔False
Does PA-DSS apply to a custom payment application used by one company? ✔✔No
Does PA-DSS apply to a third-party payment application designed for one company? ✔✔No
Does PA-DSS apply to a third-party, "off-the-shelf" payment application? ✔✔True
Use of a Qualified Integrator/Reseller (QIR) is required by PCI DSS ✔✔False
Use of a Qualified Integrator/Reseller (QIR) ensures PCI DSS compliance ✔✔False
Use of a Qualified Integrator/Reseller (QIR) replaces the need for PCI DSS ✔✔False
Use of a Qualified Integrator/Reseller (QIR) is a good step towards PCI DSS compliance ✔✔True
Which entity is responsible for developing and enforcing compliance programs? ✔✔Payment card Brands
Which entity is responsible for forensic investigations of account data compromise? ✔✔Payment card Brands
Which entity is responsible for determining merchant levels and reporting process? ✔✔Acquirers
Covers security of the environments that store, process, or transmit account data. Environments receive account data from payment applications and other sources (e.g., acquirers). ✔✔PCI DSS
Covers secure payment applications to support PCI DSS compliance. Payment application receives account data from PIN-entry devices (PEDs) or other devices and begins payment transaction. ✔✔PA-DSS
Covers the protection of sensitive data at point-of-interaction devices and their secure components, including cardholder PINs and account data, and the cryptographic keys used in connection with the protection of that cardholder data. ✔✔PCI PTS - POI
Covers secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing. ✔✔PCI PTS - PIN Security
Covers physical, logical and device security requirements for securing Hardware Security Modules (HSM). ✔✔PCI PTS - HSM
Covers physical and logical security requirements for systems and business processes. ✔✔PCI Card Production
EPP ✔✔Encrypting PIN Pads
UPTS ✔✔Unattended Payment Terminals
The ___ program ensures terminals cannot be manipulated or attacked to allow the capture of Sensitive Authentication data, nor allow access to clear-text PINs or Keys ✔✔PTS
The ___ allows terminals to be approved for the secure encryption of cardholder data as part of the Point to Point Encryption program ✔✔Secure Read and Exchange Module (SRED)
These requirements provide for secure PIN: ✔✔management, processing, transmission
The PCI DSS applies to: ✔✔any entity that stores, processes, or transmits payment card account data.
The standard for validating off-the-shelf payment applications used in authorization and settlement is: ✔✔PA-DSS is the standard used by PA-QSAs to validate payment applications.
Authorization ✔✔Merchant requests and receives authorization ultimately from the issuer
Customer purchasing goods either as a "Card Present" or "Card Not Present" transaction. Receives the payment card and bills from the issuer. ✔✔Cardholder
Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard & Visa). Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB). ✔✔Issuer
Organization accepting the payment card for payment during a purchase ✔✔Merchant
Bank or entity the merchant uses to process their payment card transactions. Receive authorization request from merchant and forward to Issuer for approval. Provide authorization, clearing and settlement services to merchants. ✔✔Acquirer Merchant Bank ISO (sometimes) Payment Brand - Amex, Discover, JCB Never Visa or MasterCard
Uploaded on: Apr 07, 2023
Number of pages: 16