PCI Standard & Your Professional Role

Question 1

An independent industry standards body providing oversight of the development and management of Payment Card Industry Data Security Standards on a global basis.

Answer 1

PCI SSC

Question 2

PCI SSC founding payment brands include:

Answer 2

• American Express
• Discover Financial
• JCB International
• MasterCard
• Visa

Question 3

The resources provided by PCI SSC:

Answer 3

• PCI DSS, PA-DSS, P2PE, PTS(POI, HSM and PIN),Card Production, and supporting documents - PCI Security Standards Council FAQs
• Education and outreach programs
• Roster of QSAs, PA-QSAs, PCIPs, ASVs, validated payment applications, PTS Devices, and P2PE solutions
• Participating organization membership, community meetings, feedback

Question 4

Each payment brand develops and maintain its own ————— programs in accordance with its own security risk management policies

Answer 4

PCI DSS compliance

Question 5

Data Security Operating Policy (DSOP)

Answer 5

American Express

Question 6

Discover Information Security Compliance (DISC)

Answer 6

Discover

Question 7

Data Security Program

Answer 7

JCB

Question 8

Site Data Protection(SDP)

Answer 8

MasterCard

Question 9

Cardholder Information Security Program (CISP) Account Information Security (AIS) Program

Answer 9

VISA

Question 10

Payment brands’ compliance programs include:

Answer 10

• Tracking and enforcement - Penalties, feed, compliance deadlines
• Validation process and who needs to validate
• Definition of merchant and service provider levels

Question 11

Payment brands are also responsible for:

Answer 11

• Defining rules for forensic investigations and responding to account data compromises
• Monitoring and facilitating investigations of account data compromises to completion

Question 12

Covers Security of the environments that store, process, or transmit account data

Answer 12

PCI DSS

Question 13

Covers secure payment applications to support PCI DSS compliance

Answer 13

PCI PA-DSS

Question 14

Covers encryption, decryption, and key management requirements for point-to-point encryption solutions

Answer 14

PCI P2PE

Question 15

Covers the protection of sensitive data at point-of-interaction devices and their secure components

Answer 15

PCI PTS-POI

Question 16

Covers secure management,processing and transmission of personal identification number (PIN) data

Answer 16

PCI PTS-PIN Security

Question 17

Covers physical,logical,and device security requirements for securing Hardware Security Modules (HSM)

Answer 17

PCI PTS-HSM

Question 18

Covers physical and logical security requirements for entities involved in producing payment cards

Answer 18

PCI Card Production

Question 19

Covers physical and logical security requirements for Token Service Providers that generate and issue EMV Payment Tokens

Answer 19

PCI Token Service Provider Requirements (TSP)

Question 20

Covers the risk framework to protect the confidentiality and integrity of sensitive payment information captured and processed on a cardholder verification method (CVM) solution

Answer 20

PCI Software-Based PIN Entry on COTS Security Requirements (SPoC)

Question 21

Covers the secure design and development processes of payment software. (Transition Plan for PA-DSS)

Answer 21

PCI Software Security Standard (S3)

Question 22

Covers the security requirements for assessing 3-D Secure (3DS) entities that perform the following 3DS functions:

• Access Control Server(ACS)
• Directory Server (DS)
• 3DS Server (3DSS)

Answer 22

PCI 3DS Core Security Standard

Question 23

Covers the security requirements for “app based” 3-D Secure Software Development Kits(SDK) as defined in the 3-D Secure SDL Specification managed and maintained by EMVCo

Answer 23

PCI 3DS SDK Standard

Question 24

Functions of Payment Application Data Security Standard (PA-DSS)

Answer 24

• Provides a list of validated applications to choose from
• Validated applications are proven to facilitate PCI DSS compliance
  
  • Does it guarantee compliance?
• For applications that are sold/licensed to others
• Must have a PA-DSS Implementation Guide

Question 25

Roles of Qualified Integrator and Reseller (QIR)

Answer 25

• Are certified to perform Qualified Installations of Payment applications
• Focus on 3 problems: remote access, accounts and passwords, patching.
• Leave behind an Implementation statement saying what they did
• The Implementation statement is not an evaluation or certification of compliance
• Purely Informational
• Could list problems found

Note: Even though the software vendor may have developed an application which is capable of being secure, the integrator/Reseller must ensure it is implemented properly and in a secure manner to facilitate PCI DSS compliance

Question 26

Is the algorithm process of transforming plaintext into unreadable cipher text, and is the core technology for any point-to-point encryption solution

Answer 26

Encryption

Question 27

In _______________ encryption occurs at one designated and independently validated encryption device or location in a card transaction (the source or encryption point), and the data is sent as unreadable cipher text for decryption to another designated and independently validated decryption device (the destination or decryption point). The data remains encrypted between the source and the destination, with no decryption of the data feasible at any point between the two points

Answer 27

P2PE solutions

Question 28

The __________ is that encrypted cardholder data in transit is protected to the extent that an entity in possession of the cipher text alone cannot reverse the encryption process

Answer 28

Presumption of P2PE

Question 29

A PCI P2PE solution must include all of the following:

Answer 29

• Secure encryption of payment card data at the point-of-interaction (POI)
• P2PE-validated application(s) at the point-of-interaction
• Secure management of encryption and decryption devices
• Management of the decryption environment and all decrypted account data
• Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage

Question 30

Merchants may be able to reduce their PCI DSS scope when using Council-listed P2PE solutions:

Answer 30

• Merchant has no access to account data within encryption device (POI) or decryption environment (at Solution Provider) - Merchant has no involvement in encryption or decryption operations, or cryptographic key management - All cryptographic operations managed by third party Solution Provider

Question 31

PCI DSS applies to all entities involved in payment card processing, and any entity that _______,_______, or _______ account data

Answer 31

Stores, processes, or transmits

Question 32

___________ covers security for any system components included in or connected to a merchant’s or service provider’s cardholder data environment (CDE)

Answer 32

PCI DSS

Question 33

What are the relationships to PA-DSS and PCI DSS

Answer 33

• Payment applications must facilitate and not prevent PCI DSS compliance - Many payment application requirements in PA-DSS address equivalent PCI DSS requirements

Question 34

What are the relationships to P2PE and PCI DSS?

Answer 34

• Incorporates requirements from PTS, PCI DSS, PA-DSS, and PCI PIN to protect account data from the point of capture until it reaches the payment processor - When properly implemented and maintained, Council-listed P2PE solutions may help reduce work involved during a merchant’s PCI DSS assessment

Question 35

PTS requirements apply to….

Answer 35

• Point of Interaction (POI) Devices - Encrypting PIN Pads (EPP) - Point of Sale devices (POS) - Hardware (or host) Security Modules (HSMs) - Unattended Payment Terminals (UPTs) - Non-PIN Entry module

Question 36

The PTS Program ensures terminals cannot be 1️⃣________ or 2️⃣__________ to allow the capture of 3️⃣_____________, nor allow access to 4️⃣_________ PINs or keys

Answer 36

1️⃣ manipulated 2️⃣ attacked 3️⃣ Sensitive Authentication data 4️⃣ clear-text

Question 37

The 1️⃣________________, allows terminals to be approved for the secure encryption of cardholder data as part of the point to point encryption program

Answer 37

1️⃣ Secure Read and Exchange Module (SRED)

Question 38

1️⃣_____ has been extended to allow non-PIN entry modules to be evaluated against the SRED module to allow secure encryption at the point of interaction for non-chip and PIN cards

Answer 38

PTS

Question 39

These requirements provide for secure PIN:

Answer 39

✔️Management ✔️Processing ✔️Transmission

Question 40

Protection of personal identification number (PIN) data during online and offline payment card transaction processing at:

Answer 40

🔹ATMs 🔹Attended point-of-sale (POS) terminals 🔹Unattended point-of-sale (POS) terminals

Question 41

The ______________ also provide guidance on key management and key handling associated with the PIN

Answer 41

PCI PIN Security requirements

Question 42

PCI PTS-POI and PCI DSS

Answer 42

💬PCI DSS requires that account data be protected both when stored and when transmitted across open, public networks

💬PCI PTS POI validates how POIs protect PIN and account data and manage cryptographic keys

💬PCI PTS POI approved devices may form part of a PCI DSS compliant environment

Question 43

PCI PTS -PIN Security Standard and PCI DSS

Answer 43

💬PCI DSS prohibits storage of encrypted PIN blocks 💬No overlap

Question 44

PCI Card Production and PCI DSS

Answer 44

💬No overlap

💬Procedures for assessing Card production facilities are defined and managed by the payment brands, not by PCI SSC

Question 45

PCI PTS-HSM and PCI DSS

Answer 45

💬PCI DSS requires that stored cardholder data be protected and cryptographic keys be managed in a secure manner

💬Used of a Hardware Security Module is not required by PCI DSS, but may help with handling and managing keys used to protect stored cardholder data

Question 46

To ensure information security professionals adhere to the highest standards of ethical and professional conduct

Answer 46

Code of Professional Responsibility

Question 47

All PCI SSC Qualified individuals and all PCI SSC qualification candidates must agree to advocate, adhere to, and support the following Code of Professional Responsibility include:

Answer 47

🔸Professional Competence and Due Care 🔸Security and Confidentiality 🔸Integrity 🔸Compliance with Industry Laws and Standards

Question 48

A PCIP qualification is valid for _________

Answer 48

3 years

Question 49

Payment Card Industry Terminology

Answer 49

Question 50

Customer purchasing goods either as a “Card Present” or “Card Not Present” transaction Receives the payment card and bills from the issuer

Answer 50

Cardholder

Question 51

Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard & Visa) Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB)

Answer 51

Issuer

Question 52

Organization accepting the payment card for payment during a purchase

Answer 52

Merchant

Question 53

Bank or entity the merchant uses to process their payment card transactions Receive authorization request from merchant and forward to Issuer for approval Provide authorization, clearing and settlement services to merchants

Answer 53

Acquirer

Question 54

Acquirer is also called:

Answer 54

• Merchant Bank
• ISO(sometimes)
• Payment Brand-Amex, Discover, JCB
• Never Visa or MasterCard

Question 55

Draw the diagram of Card Processing-Authorization steps

Answer 55

Question 56

Draw the diagram of Card Processing-Clearing steps

Answer 56

Question 57

Draw the diagram of Card Processing-Settlement steps

Answer 57

Question 58

A business that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data on behalf of another entity.

Answer 58

Service Providers

Question 59

Sometimes a service provider is a _________

Answer 59

merchant

Question 60

There are two options for third-party service providers to validate compliance:

Answer 60

• Undergo a PCI DSS assessment on their own and provide evidence to their customers demonstrating their compliance

or

• Have their services reviewed during the course of each of their customers’ PCI DSS assessments

Question 61

It’s important to understand where the service provider’s scope begins and ends for PCI DSS, for example:

Answer 61

• The service(s) included in the service provider’s PCI DSS validation.
• The PCI DSS requirements covered by the service provider’s PCI DSS validation.
• Any PCI DSS requirements related to the service which are the responsibility of the service provider’s customers to maintain.
• The date of the service provider’s last PCI DSS validation.
• The type and frequency of evidence provided by the service provider to their customers will depend on the agreement between those parties.
• Entities must monitor the PCI DSS compliance of their third-party service providers per PCI DSS Requirement 12.8 (Maintain and implement policies and procedures to manage service providers with which cardholder data is shared, or that could affect the security of cardholder data)