PCIP Practice Questions

PCIP - Payment Card Industry Professional Certification
Number: 101
Passing Score: 800
Time Limit: 90 min
File Version: 1.0

The PCI SSC Payment Card Industry Professional (PCIP)™ Program provides a foundational credential for industry practitioners who demonstrate their professional knowledge and understanding of PCI SSC standards ("PCI Standards") and supporting materials. The PCI Security Standards Council, LLC ("PCI SSC") sponsors this qualification and serves as an impartial, third-party evaluator of each candidate's knowledge and understanding of PCI Standards. PCI SSC is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

Exam A

QUESTION 1
Which of the following items are included in the Compensating Controls worksheet?
A. Constraints, assumptions, identified risks and definition of compensating controls
B. Constraints, objectives, identified risks and definition of compensating controls
C. Constraints, assumptions, mitigated risks and definition of compensating controls
D. Constraints, objectives, mitigated risks and maintenance
E. None of the above items are included in the Compensating Controls worksheet.
Correct Answer: B
Explanation/Reference: Constraints, objectives, identified risks, definition of compensating controls, validation of compensating controls and maintenance are all requirements from Appendix C of the PCI Data Security Standard.

QUESTION 2
Which of the following items CANNOT be stored?
A. Cardholder name
B. Service code
C. PIN
D. Personal Account Number
E. All of the above items may be stored
F. None of the above items may be stored
Correct Answer: C
Explanation/Reference: PCI Data Security Standard page 8 tells us that cardholder name, service code, Personal Account Number and expiration date may be stored. Full magnetic stripe data, CAV2/CVC2/CVV2/CID and PIN/PIN block cannot be stored per Requirement 3.2.

QUESTION 3
The process of isolating the cardholder data environment from the remainder of an entity's network is called:
A. Network segmentation
B. Network virtualization
C. Data isolation
D. Access controls
E. None of the above is correct
Correct Answer: A
Explanation/Reference: PCI Data Security Standard page 10 states that network segmentation is not a requirement but is strongly recommended.

QUESTION 4
For those entities that outsource storage, processing or transmission of cardholder data to third-party service providers, which of the following must be completed?
A. Report on Compliance (ROC)
B. PCI Forensics Investigation
C. Compensating Controls worksheet
D. All of the above
E. Since the processes have been outsourced, there is no further compliance obligation
Correct Answer: A
Explanation/Reference: Per the PCI Data Security Standard page 11, a Report on Compliance must document the role of each service provider.

QUESTION 5
Which of the following are NOT a part of the Report on Compliance (ROC)?
A. Executive summary
B. Contact information and report date
C. Findings and observations
D. All of the above are required
E. None of the above are required
Correct Answer: D
Explanation/Reference: The Report on Compliance (ROC) includes (1) executive summary, (2) description of scope of work and approach taken, (3) details about the reviewed environment, (4) contact information and report date, (5) quarterly scan results and (6) findings and observations. This information is in the PCI Data Security Standard pages 14-17.

QUESTION 6
The first step of a PCI assessment is to:
A. Define a comprehensive list of stakeholders
B. Assess risk
C. Develop a timeline of the assessment
D. Determine the scope of the review
Correct Answer: D
Explanation/Reference: Identify all locations and flows and ensure that they are included in scope. This information is in the PCI Data Security Standard page 10.

QUESTION 7
Steps to reducing the scope of the cardholder data environment may include all items below EXCEPT:
A. Reducing the number of locations where cardholder data is present
B. Eliminate unnecessary data
C. Purge all data that is older than 1 week
D. Consolidation of necessary data
E. All the above items are correct
Correct Answer: C
Explanation/Reference: Reducing the number of locations where cardholder data is present, eliminating unnecessary data and consolidating necessary data are all steps in reducing scope or "network segmentation" per the PCI Data Security Standard page 11.

QUESTION 8
Before wireless technology is implemented:
A. Establish all WEP and WPA security keys and disseminate only on a "need to know" basis
B. An entity should carefully evaluate the need for the technology against the risk
C. Run penetration tests on the entity's network
D. Secure the locations of all Wireless Access Points
E. All the above items should be addressed and documented
Correct Answer: B
Explanation/Reference: The PCI Data Security Standard states on page 11 that an entity should carefully evaluate the need for the wireless technology against the risk. Also, consider deploying wireless technology only for non-sensitive data transmission.

QUESTION 9
The P2PE Standard covers:
A. Secure payment applications
B. Mechanisms used to protect the PIN
C. Encryption, decryption, and key management within secure cryptographic devices (SCD)
D. None of the above
Correct Answer: C

QUESTION 10
The PCI DSS applies to any entity that ______________, _______________ or ______________ cardholder data.
A. stores, processes, transmits
B. accepts, processes, transmits
C. accepts, transacts, processes
D. processes, transmits, transacts
Correct Answer: A

QUESTION 11
The PCI DSS standard follows a defined _____________ lifecycle.
A. 12 month
B. 2 year
C. 36 month
D. 48 month
Correct Answer: C

QUESTION 12
Which of the below functions is associated with Acquirers?
A. Provide settlement services to a merchant
B. Provide authorization services to a merchant
C. Provide clearing services to a merchant
D. All of the options
Correct Answer: D

QUESTION 13
Which of the following entities will actually approve a purchase?
A. Non-Issuing Merchant Bank
B. Issuing Bank
C. Payment Transaction Gateway
D. Acquiring Bank
Correct Answer: B

QUESTION 14
Which of the following lists the correct "order" for the flow of a payment card transaction?
A. Clearing, Settlement, Authorization
B. Clearing, Authorization, Settlement
C. Authorization, Clearing, Settlement
D. Authorization, Settlement, Clearing
Correct Answer: C

QUESTION 15
Service Providers include companies which _____________ or could ______________ the security of cardholder data.
A. are PCI compliant, prove effective controls for
B. control, impact
C. manage, test
D. control, subrogate
Correct Answer: B

QUESTION 16
Cardholder Data may be stored in "KNOWN" and "UNKNOWN" locations.
A. True
B. False
Correct Answer: A

QUESTION 17
Storing Track Data "long-term" or "persistently" may be permitted if _______________.
A. it is being stored by issuers
B. it is reported to the PCI SSC annually in a RoC
C. it is encrypted by the merchant storing it
D. it is hashed by the merchant storing it
Correct Answer: A

QUESTION 18
PCI DSS Requirement 3.4 states the PAN must be rendered unreadable when stored, using ___________.
A. Encryption, Truncation, or Obfuscating
B. Hashing, Scrambling, or Encrypting
C. Encryption, Hashing, or Truncation
D. Truncation, Scrambling, or Encrypting
Correct Answer: C

QUESTION 19
Requirement 2.2.2 states "Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system". Which of the following is considered secure?
A. SSH
B. RLogon
C. Telnet
D. FTP
Correct Answer: A

QUESTION 20
When scoping an environment for a PCI DSS assessment, it is important to identify _______________.
A. All flows of cardholder data
B. All of the options
C. Components that store cardholder data
D. Business facilities involved in processing transactions
Correct Answer: B

QUESTION 21
Merchants involved with only e-commerce transactions that are completely outsourced to a PCI DSS compliant service provider would use which SAQ?
A. SAQ C/VT
B. SAQ B
C. SAQ D
D. SAQ A
Correct Answer: D

QUESTION 22
Imprint-only merchants with no electronic storage of cardholder data would use which SAQ?
A. SAQ C/VT
B. SAQ B
C. SAQ A
D. SAQ D
Correct Answer: B

QUESTION 23
When a Service Provider has been defined by a payment brand as eligible to complete a SAQ, which SAQ is used?
A. SAQ D
B. SAQ B
C. SAQ A
D. SAQ C
Correct Answer: A

QUESTION 24
Information Supplements provided by the PCI SSC may "supersede" requirements.
A. True
B. False
Correct Answer: B

QUESTION 25
If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
A. False
B. True
Correct Answer: B

QUESTION 26
The presumption of P2PE is that cardholder data in transit is protected when it is encrypted to the extent that an entity in possession of the ciphertext alone can easily reverse the encryption process.
A. False
B. True
Correct Answer: A

QUESTION 27
Encrypting account data at the point of capture is one way an entity involved in payment card processing via mobile devices can actively help in controlling risks to the security of cardholder data.
A. True
B. False
Correct Answer: A

QUESTION 28
In order to be considered a compensating control, which of the following must exist?
A. A legitimate technical constraint and a documented business constraint.
B. A legitimate technical constraint.
C. A legitimate technical constraint or a documented business constraint.
D. A documented business constraint.
Correct Answer: C

QUESTION 29
PCI DSS Requirement 1
A. Install and maintain a firewall configuration to protect cardholder data
B. Do not use vendor-supplied defaults for system passwords and other security parameters
C. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion methods
D. Protect cardholder data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)
Correct Answer: A

QUESTION 30
PCI DSS Requirement 2
A. Install and maintain a firewall configuration to protect cardholder data
B. Do not use vendor-supplied defaults for system passwords and other security parameters
C. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion methods
D. Protect cardholder data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)
Correct Answer: B

QUESTION 31
PCI DSS Requirement 3
A. Install and maintain a firewall configuration to protect cardholder data
B. Do not use vendor-supplied defaults for system passwords and other security parameters
C. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion methods
D. Protect cardholder data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)
Correct Answer: C

QUESTION 32
PCI DSS Requirement 4
A. Install and maintain a firewall configuration to protect cardholder data
B. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion methods
C. Protect cardholder data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)
D. Use and regularly update anti-virus software or programs
Correct Answer: C

QUESTION 33
PCI DSS Requirement 5
A. Use and regularly update anti-virus software or programs
B. Protect cardholder data during transmission over the internet, wireless networks or other open access networks or systems (GSM, GPRS, etc.)
C. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion methods
D. Do not use vendor-supplied defaults for system passwords and other security parameters
Correct Answer: A

QUESTION 34
PCI DSS Requirement 6
A. Use and regularly update anti-virus software or programs
B. Develop and maintain secure systems and applications
C. Assign a unique ID to each person with computer access
D. Restrict access to cardholder data by business need to know
Correct Answer: B

QUESTION 35
PCI DSS Requirement 8
A. Assign a unique ID to each person with computer access
B. Restrict physical access to cardholder data
C. Develop and maintain secure systems and applications
D. Use and regularly update anti-virus software or programs
Correct Answer: A

QUESTION 36
PCI DSS Requirement 9
A. Use and regularly update anti-virus software or programs
B. Track and monitor all access to network resources and cardholder data
C. Restrict physical access to cardholder data
D. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion methods
Correct Answer: C

QUESTION 37
PCI DSS Requirement 10
A. Track and monitor all access to network resources and cardholder data
B. Regularly test security systems and processes with wireless scans, vulnerability scans, log audits, ASV (Approved Scanning Vendor)
C. Maintain a policy that addresses information security for all personnel
D. Develop and maintain secure systems and applications
Correct Answer: A

QUESTION 38
PCI DSS Requirement 11
A. Maintain a policy that addresses information security for all personnel
B. Regularly test security systems and processes with wireless scans, vulnerability scans, log audits, ASV (Approved Scanning Vendor)
C. Install and maintain a firewall configuration to protect cardholder data
D. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion methods
Correct Answer: B

QUESTION 39
PCI DSS Requirement 12
A. Regularly test security systems and processes with wireless scans, vulnerability scans, log audits, ASV (Approved Scanning Vendor)
B. Restrict physical access to cardholder data
C. Maintain a policy that addresses information security for all personnel
D. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion methods
Correct Answer: C

QUESTION 40
What does the PCI Data Security Standard (PCI DSS) cover?
A. Covers the security of the environments that store, process or transmit account data. Environments receive account data from payment applications and other sources (e.g. acquirers)
B. Covers secure payment applications to support PCI DSS compliance. Payment application receives account data from PIN Entry Devices (PED) or other devices and begins payment transaction
C. Covers device tamper detection, cryptographic processes and other mechanisms to protect the Personal Identification Number (PIN). Encrypted PIN is passed to payment application or hardware terminal.
D. Covers secure management, processing and transmission of personal identification number data during online and offline payment card transaction processing
Correct Answer: A

QUESTION 41
What is covered by the PCI Payment Application Data Security Standard (PCI PA-DSS)?
A. Covers the security of the environments that store, process or transmit account data. Environments receive account data from payment applications and other sources (e.g. acquirers)
B. Covers secure payment applications to support PCI DSS compliance. Payment application receives account data from PIN Entry Devices (PED) or other devices and begins payment transaction
C. Covers device tamper detection, cryptographic processes and other mechanisms to protect the Personal Identification Number (PIN). Encrypted PIN is passed to payment application or hardware terminal.
D. Covers encryption, decryption and key management within secure cryptographic devices (SCD).
Correct Answer: B

QUESTION 42
What is covered by PCI PIN Transaction Security (PCI PTS)?
A. Covers encryption, decryption and key management within secure cryptographic devices (SCD).
B. Covers the security of the environments that store, process or transmit account data. Environments receive account data from payment applications and other sources (e.g. acquirers)
C. Covers device tamper detection, cryptographic processes and other mechanisms to protect the Personal Identification Number (PIN). Encrypted PIN is passed to payment application or hardware terminal.
D. Covers secure management, processing and transmission of personal identification number data during online and offline payment card transaction processing
Correct Answer: C

QUESTION 43
What does the PCI PIN Security standard cover?
A. Covers encryption, decryption and key management within secure cryptographic devices (SCD).
B. Covers secure payment applications to support PCI DSS compliance. Payment application receives account data from PIN Entry Devices (PED) or other devices and begins payment transaction
C. Covers device tamper detection, cryptographic processes and other mechanisms to protect the Personal Identification Number (PIN). Encrypted PIN is passed to payment application or hardware terminal.
D. Covers secure management, processing and transmission of personal identification number data during online and offline payment card transaction processing
Correct Answer: D

QUESTION 44
What does PCI Point-to-Point Encryption (PCI P2PE) cover?
A. Covers encryption, decryption and key management within secure cryptographic devices (SCD).
B. Cardholder Data Environment
C. Covers secure payment applications to support PCI DSS compliance. Payment application receives account data from PIN Entry Devices (PED) or other devices and begins payment transaction
D. Covers the security of the environments that store, process or transmit account data. Environments receive account data from payment applications and other sources (e.g. acquirers)
Correct Answer: A

QUESTION 45 A commercial payment product has been PA-DSS 1.2.1 validated by a PA-QSA. It is also listed on the PCI Security Standards Council Website as a validated payment application. As a result, the product is guaranteed to be PCI-DSS compliant when deployed in the merchant’s environment. A. True B. False Correct Answer: B Section: (none) Explanation Explanation/Reference: Payment application vendors can only state in the engagement contracts that products are PA-DSS validated when installed correctly in the customers CDE. Vendor can not guarantee that merchants who use vendor payment products will be PCI-DSS validated since a ‘PASS’ PCI-DSS report of compliance (RoC) is at the discretion of the merchant QSA. QUESTION 46 Track Data can not be stored in a payment application after authorization. A. True B. False Correct Answer: A Section: (none) Explanation Explanation/Reference: Do not store sensitive authentication data after authorization (even if encrypted). Sensitive authentication data consists of magnetic stripe (or track) data6, card validation code or value7, and PIN data8. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions QUESTION 47 A customer is using an operating system (OS) that is no longer supported by the OS vendor. However, payment vendor can PA-DSS validate payment product on the unsupported OS using compensating controls which is allowed under the rules of PA-DSS A. True B. False Correct Answer: B Section: (none) Explanation Explanation/Reference: If an OS is no longer supported by an OS vendor, an application can not be PA-DSS validated against it. PADSS does not allow compensating controls. QUESTION 48 It is acceptable to store the PAN# in clear text as long as the PAN# is purged after authorization. A. True B. False Correct Answer: B

Section: (none) Explanation Explanation/Reference: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: • One-way hashes based on strong cryptography (hash must be of the entire PAN) • Truncation (hashing cannot be used to replace the truncated segment of PAN) • Index tokens and pads (pads must be securely stored) • Strong cryptography with associated key-management processes and procedures QUESTION 49 Strong passwords are used to mitigate brute force attacks. Typically strong passwords are at least 7 characters long, contain alpha, numeric, special and upper lower case A. True B. False Correct Answer: A Section: (none) Explanation Explanation/Reference: Require a minimum password length of at least seven characters QUESTION 50 Encryption key management is an optional PA-DSS requirement to be used only if the customer requests encryption requirements above and beyond PCI. A. True B. False Correct Answer: B Section: (none) Explanation Explanation/Reference: Payment application must implement key management processes and procedures for cryptographic keys used for encryption of cardholder data QUESTION 51 Starting January 1, 2012, merchants will have to validate their CDE to PCI-DSS 2.0. As a result, payment software validated against PA-DSS 1.2.1 will no longer be valid after December 31, 2011. A. True B. False Correct Answer: B Section: (none) Explanation Explanation/Reference: Payment software validated validated to PA-DSS 1.2.1 software can still be used as long as it has not yet expired and no modifcations have been made to the paymemt application covered in the RoV. For example, for software PA-DSS validated on December 1, 2009, the expiry will be December 1, 2012 if the validated software has not changed from a PCI requirements point of view.

QUESTION 52 If a payment product is deployed in such away at the customers CDE, that the payment product never stores,processes or handles credit card data, PA-DSS is not in scope. Examples of this include products that only process loyalty cards. A. True B. False Correct Answer: A Section: (none) Explanation Explanation/Reference: Only card holder data (i.e. PAN and track data) is in PCI scope. QUESTION 53 A PA-DSS policy exception should be used to document a security breach when card data is stolen. A. True B. False Correct Answer: B Section: (none) Explanation Explanation/Reference: A payment vendor PA-DSS policy exception should be used when a customer can not meet PA-DSS requirements due to business, operational or technical constraints. For example, disable PAN encryption at the PIN PAD to perform transaction troubleshooting. A policy exception is used to state to the customer, that a risk of a card breach is increased, not that a breach has already occured. QUESTION 54 A PCI pre-engagement check list form is used to determine if a payment vendor's PA-DSS validated application can meet the PCI-DSS requirements of a merchant customer. For example, determine if the customer is using an OS that the vendor's payment application was PA-DSS validated against. A. True B. False Correct Answer: A Section: (none) Explanation Explanation/Reference: The main purpose of PA-DSS validation from a customers point of view is liability shift. When installed correctly in the customers CDE as per the payment vendors installation guide, card fraud liability shifts from the merchants PCI-DSS to the payment vendors PA-DSS if a forensic audit proves that the vendors payment application was at fault. QUESTION 55 A payment application stores the full PAN 1234567890123456 on disk in clear text. When the application outputs the PAN to a screen or log file it masks the middle 6 digits as 123456******3456. Under the rules of PA-DSS Req 2. 
Protect Stored card holder data, the full clear text PAN can be stored on disk as long as it is masked during output. A. True B. False

Correct Answer: B Section: (none) Explanation Explanation/Reference: As per PCI-DSS req 3.4 The intent of truncation is that only a portion (not to exceed the first six and last four digits) of the PAN is stored. This is different from masking, where the whole PAN is stored but the PAN is masked when displayed (i.e., only part of the PAN is displayed on screens, reports, receipts, etc.). This requirement relates to protection of PAN when stored in files, databases, etc.,and is not to be confused with Requirement 3.3 for protection of PAN displayed on screens, paper receipts, etc. QUESTION 56 It is possible for a PA-DSS validated payment application to be annually revalidated without a full PA-QSA lead report of compliance audit as long as no changes have been made to application covered by the last report of validation. However changes related to security such as encryption methodology, will trigger a full RoC A. True B. False Correct Answer: A Section: (none) Explanation Explanation/Reference: QUESTION 57 Sensitive authentication data can be stored after authorization. However, prior to authorization, sensitive authentication data such as track 2 data can be stored as long it is encrypted. A. True B. False Correct Answer: B Section: (none) Explanation Explanation/Reference: PA-DSS 2.0 Req 1.1 Do not store sensitive authentication data after authorization (even if encrypted): PA-DSS 2.0 Req 1.1.1 After authorization, do not store the full contents of any track from the magnetic stripe (located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. QUESTION 58 Merchants using EMV (Chip & PIN) to secure their payment transactions are exempt from PCI-DSS compliance as demonstrated by VISA's TIPS program. In this program, if 75% of your card transactions are EMV, you are exempt from annual PCI-DSS report of compliance. A. True B. 
False Correct Answer: B Section: (none) Explanation

Explanation/Reference: While EMV helps to minimize the risk of card fraud, typical EMV equipment still passes card data in the clear to downstream payment apps. These payment apps still have to be PA-DSS validated. QUESTION 59 A commercial payment product has been PA-DSS 1.2.1 validated by a PA-QSA. It is also listed on the PCI Security Standards Council Website as a validated payment application. As a result, the product is guaranteed to be PCI-DSS compliant when deployed in the merchant’s environment. A. True B. False Correct Answer: B Section: (none) Explanation Explanation/Reference: Payment application vendors can only state in the engagement contracts that products are PA-DSS validated when installed correctly in the customers CDE. Vendor can not guarantee that merchants who use vendor payment products will be PCI-DSS validated since a ‘PASS’ PCI-DSS report of compliance (RoC) is at the discretion of the merchant QSA. QUESTION 60 Track Data can not be stored in a payment application after authorization A. True B. False Correct Answer: A Section: (none) Explanation Explanation/Reference: Do not store sensitive authentication data after authorization (even if encrypted). Sensitive authentication data consists of magnetic stripe (or track) data6, card validation code or value7, and PIN data8. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions QUESTION 61 According to the requirement 11.1 a wireless scanning must be performed at all locations connected to the cardholder data environment. What is the time span that the scan must occur? A. B. C. D.

Semiannually Annually Quartely Monthly

Correct Answer: C Section: (none) Explanation Explanation/Reference: Detection and identification of wireless access points must occur at least quarterly and this requirement is for ALL locations including those where no authorized wireless technologies are deployed. Quarterly wireless scanning must be performed at all locations connected to the cardholder data environment.

QUESTION 62
The use of WEP as a security control was prohibited as of June 30, 2010 - true or false?
A. True
B. False

Correct Answer: A
Explanation/Reference: Requirement 4.1.1 applies security for wireless networks, including the use of industry best practices (such as IEEE 802.11i) for any wireless networks transmitting cardholder data or connected to the cardholder data environment. As of June 30, 2010, WEP must never be used as a security control since it is not considered strong cryptography. If WEP is present in the environment, additional technologies must be implemented to provide the required level of security for both transmission and authentication.

QUESTION 63
If virtualization is used in a CDE, PCI DSS requirements do not apply.
A. True
B. False

Correct Answer: B
Explanation/Reference: If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.

QUESTION 64
Service providers can control or impact the security of cardholder data.
A. True
B. False

Correct Answer: A

QUESTION 65
What is the name of the organization accepting the payment card for payment during a purchase?
A. Merchant
B. Issuer
C. Acquirer
D. Payment Brand Network

Correct Answer: A
Explanation/Reference: Merchants are the organizations accepting payment.

QUESTION 66
Visa and MasterCard support a closed-loop network because they are responsible for issuing and providing authorization.
A. True
B. False

Correct Answer: B
Explanation/Reference: Visa and MasterCard support an open-loop network because they neither issue cards nor provide authorization.

QUESTION 67
Visa and MasterCard support an open-loop network because they neither issue cards nor provide authorization.
A. True
B. False

Correct Answer: A
Explanation/Reference: Visa and MasterCard support an open-loop network because they neither issue cards nor provide authorization.

QUESTION 68
What are the three disciplinary actions taken by PCI SSC in case of violation of the Code of Professional Responsibility?
A. Warning
B. Suspension
C. Fine
D. Revocation

Correct Answer: ABD

QUESTION 69
Amex, Discover, and JCB International are part of a closed-loop network because they acquire transactions, and issue cards directly.
A. True
B. False

Correct Answer: A
Explanation/Reference: Amex, Discover, and JCB International will also acquire those transactions, so by issuing and acquiring, they are part of a closed-loop network.

QUESTION 70
Cardholder data should never be stored; however, in certain situations the merchant is allowed to store sensitive cardholder data pre-authorization. In this case the PCI DSS controls should not be applied.
A. True
B. False

Correct Answer: B
Explanation/Reference: If the merchant is allowed to store sensitive cardholder data pre-authorization, remember that the controls in PCI DSS still apply, as well as any additional controls imposed by the acquirer and the card brands.

QUESTION 71
What is the name of the process in which the PAN is replaced by a surrogate value?
A. Compensating control
B. Tokenization
C. PCI DSS PTS
D. Virtualization

Correct Answer: B
Explanation/Reference: Tokenization is a process by which the primary account number (PAN) is replaced with a surrogate value called a "token". De-tokenization is the reverse process of redeeming a token for its associated PAN value. The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value.

QUESTION 72
Compensating controls can be used due to:
A. Budget constraints
B. Malicious attacks
C. Legitimate technical or business constraints
D. Legal requirements

Correct Answer: C
Explanation/Reference: Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of a compensating control.

QUESTION 73
Select three key points to be considered for a compensating control:
A. Must meet the intent and rigor of the original PCI DSS requirement
B. The control must not exceed other PCI DSS requirements
C. Must sufficiently offset the risk that the original PCI DSS requirement was designed to defend against
D. Commensurate with additional risk imposed by not adhering to original requirement

Correct Answer: ACD
Explanation/Reference: First, it must meet the intent and rigor of the original PCI DSS requirement. This is the most important test. Second, it must sufficiently offset the risk that the original PCI DSS requirement was designed to defend against. You should look at a compensating control worksheet as a risk assessment. You are doing a risk assessment to identify the risk of not implementing this control as written, how the control reduces the risk, and whether that is an acceptable level of risk reduction to you and your customer. Third, the control must be above and beyond other PCI DSS requirements, not simply in compliance with other requirements. Two examples of "above and beyond": First example, if an entity can't implement 7-character passwords on a mainframe, compensating controls can be: a 12-character password required for network authentication prior to mainframe authentication, changing the mainframe password every 30 days, and making the mainframe password more complex (for example, using special characters). Second example, if an entity can't encrypt cardholder data on a storage system, they might implement controls that enforce internal network segmentation for the system, IP address or MAC address filtering to that system, and two-factor authentication for access from within the internal network (beyond that which is already required for remote network access). And then fourth, the control must be commensurate with the additional risk imposed by not adhering to the original requirements.

QUESTION 74
A company is unable to render cardholder data unreadable through encryption as per requirement 3.4. A compensating control could consist of a device or a combination of devices, applications, and controls. Which three of the below options could be implemented as a compensating control to protect cardholder data?
A. Internal network segmentation
B. IP address or MAC address filtering
C. PKI - Public Key Infrastructure
D. Two-factor authentication from within the internal network

Correct Answer: ABD
Explanation/Reference: When evaluating "above and beyond" for compensating controls, consider the following: Existing PCI DSS requirements may be combined with new controls to become a compensating control. For example, if a company is unable to render cardholder data unreadable per requirement 3.4 (for example, by encryption), a compensating control could consist of a device or combination of devices, applications, and controls that address all of the following:
a) Internal network segmentation;
b) IP address or MAC address filtering;
c) Two-factor authentication from within the internal network.
The items at a) through c) are intended as examples only. All compensating controls must be reviewed and validated for sufficiency by the assessor who conducts the PCI DSS review. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the control. Companies should be aware that a particular compensating control will not be effective in all environments.

QUESTION 75
Which of the following applies to third-party payment applications that perform authorization and/or settlement? Example: Point of Sale, shopping carts, etc.
A. PCI PTS
B. PCI DSS
C. PA-DSS
D. PCI P2PE

Correct Answer: C
Explanation/Reference: PA-DSS applies to third-party payment applications that perform authorization and/or settlement. Example: Point of Sale, shopping carts, etc.

QUESTION 76
This standard applies to Point of Interaction (POI) devices and Encrypting PIN Pads (EPPs). It also ensures terminals cannot be manipulated or attacked to allow the capture of Sensitive Authentication Data.
A. PCI DSS
B. PA-DSS
C. PCI P2PE
D. PCI PTS

Correct Answer: D
Explanation/Reference: PTS applies to point of interaction (POI) devices including both attended and unattended POS terminals that accept cardholder PINs, and to hardware security modules used for the protection of sensitive data during activities such as payment processing or the production of payment cards. If a PTS device is integrated into a POS or other payment system's implementation, PTS applies only to the PTS features, and PA-DSS applies to payment application features.

QUESTION 77
The PCI PIN Security standard provides protection of the personal identification number (PIN) during online and offline payment transactions processed at:
A. ATMs
B. Attended point-of-sale (POS) terminals
C. Unattended point-of-sale (POS) terminals
D. Internet transactions

Correct Answer: ABC

QUESTION 78
Which of the following may reduce the scope of the cardholder data environment (CDE)?
A. PA-DSS application
B. P2PE hardware-hardware solution
C. PCI-PTS
D. PCI-PIN security

Correct Answer:
Explanation/Reference: Using a P2PE hardware-hardware solution may reduce the scope of the cardholder data environment (CDE). The P2PE scenario addresses merchants who do not store or decrypt encrypted data within their P2PE environment, and who use validated solutions consisting of hardware-based encryption and third-party hardware-based decryption.

QUESTION 79
A merchant can have their validation scope reduced when using validated P2PE solutions where the merchant has no access to account data within the encryption device.
A. True
B. False

Correct Answer: A
Explanation/Reference: P2PE may allow merchants to reduce their validation scope when using validated P2PE solutions where the merchant has no access to account data within the encryption device (POI) or decryption environment provided to them by the Solution Provider, where the merchant has no involvement in any encryption or decryption operations or cryptographic key management, and all cryptographic operations are managed by the P2PE Solution Provider.

QUESTION 80
What should a merchant do in order to be eligible for PCI DSS scope reduction via use of a validated P2PE solution?
A. Ensure that any other payment channels within the merchant environment are adequately segmented (isolated)
B. Ensure that VLANs are properly configured
C. Ensure that the firewall is correctly configured with unauthorized ports blocked
D. Implement encryption in the cardholder environment via AES-256

Correct Answer: A
Explanation/Reference: To be eligible for PCI DSS scope reduction via use of a validated P2PE solution, merchants must ensure that any other payment channels within the merchant environment are adequately segmented (isolated) from the P2PE environment.

QUESTION 81
In the context of PCI DSS, this is a method of concealing a segment of data when displayed or printed. This technique is used when there is no business requirement to view the entire PAN. It relates to protection of PAN when displayed or printed. See Truncation for protection of PAN when stored in files, databases, etc.
A. Masking
B. Hosting
C. Segmenting
D. Hashing

Correct Answer: A
Explanation/Reference: https://www.pcisecuritystandards.org/security_standards/glossary.php

QUESTION 82
Hardware and/or software technology that protects network resources from unauthorized access. This item permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.
A. Router
B. Firewall
C. Switch
D. Bridge

Correct Answer: B
Explanation/Reference: https://www.pcisecuritystandards.org/security_standards/glossary.php

QUESTION 83
This test attempts to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible.
A. Vulnerability analysis
B. Scanning
C. Penetration Test
D. Vulnerability research

Correct Answer: C
Explanation/Reference: https://www.pcisecuritystandards.org/security_standards/glossary.php

QUESTION 84
For the purposes of the PCI DSS, a ___________ is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
A. Payment Brand Network
B. Acquirer
C. Issuer
D. Merchant

Correct Answer: D
Explanation/Reference: https://www.pcisecuritystandards.org/security_standards/glossary.php

QUESTION 85
Process of rendering cardholder data unreadable by converting data into a fixed-length message digest via Strong Cryptography. This is a (mathematical) function in which a non-secret algorithm takes any arbitrary length message as input and produces a fixed length output.
A. Hashing
B. Encryption
C. Truncation
D. Tokenization

Correct Answer: A
Explanation/Reference: https://www.pcisecuritystandards.org/security_standards/glossary.php

QUESTION 86
Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.
A. Open ports
B. Vulnerability
C. Virus
D. Worm

Correct Answer: B
Explanation/Reference: https://www.pcisecuritystandards.org/security_standards/glossary.php

QUESTION 87
Which documents have been published by the Council on a variety of topics designed to provide additional direction for stakeholders on specific technologies?
A. Information Supplements
B. PCI DSS requirements
C. SAQ
D. EMV

Correct Answer: A
Explanation/Reference: The Council has published a number of information supplements on varying topics, which are designed to provide additional guidance for all stakeholders on specific technologies. These information supplements can help merchants, service providers, and assessors identify the considerations that certain technologies may have for PCI DSS. They are not intended to replace technical training, nor do they provide additional testing procedures, but they can help point you in the right direction. The assessor will still need to thoroughly understand the environment they are reviewing in order to ensure cardholder data is protected and PCI DSS control objectives are met.

QUESTION 88
By implementing a tokenization solution, a company may eliminate the need to maintain and validate PCI DSS compliance.
A. True
B. False

Correct Answer: B
Explanation/Reference: Tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant's validation efforts by reducing the number of system components for which PCI DSS requirements apply.

QUESTION 89
When merchants and service providers are not required to submit a Report on Compliance (RoC) as part of an on-site assessment, which validation tool can they use to self-evaluate their compliance with PCI DSS?
A. S-A-Q
B. RoC
C. Penetration test
D. Information Supplements

Correct Answer: A
Explanation/Reference: The self-assessment questionnaire, often referred to as the S-A-Q or sometimes called the "sack", is a validation tool for merchants and service providers self-evaluating their compliance with PCI DSS. It is a validation tool for those entities not required to submit a Report on Compliance as part of an on-site assessment.

QUESTION 90

According to Requirement 13.2, which of the following is true:
A. Covers information security policy requirements for all personnel
B. Concerns itself with regular testing of all system components comprising the cardholder data environment
C. Concerns itself with assigning a unique ID to each person
D. None of the above

Correct Answer: D
Explanation/Reference: There is no Requirement 13.2.

QUESTION 91
PCI DSS Requirement 7
A. Regularly test security systems and processes.
B. Do not use vendor-supplied defaults for system passwords and other security parameters.
C. Maintain a policy that addresses information security for all personnel.
D. Restrict access to cardholder data by business need to know.

Correct Answer: D

QUESTION 92
PCI DSS Requirement 3
A. Encrypt transmission of cardholder data across open, public networks (data in motion).
B. Protect stored cardholder data.
C. Restrict access to cardholder data by business need to know.
D. Restrict physical access to cardholder data.

Correct Answer: B

QUESTION 93
A company wants to replace the actual Primary Account Number (PAN) with a surrogate value. What process can be used?
A. Compensating control
B. Masking
C. Hashing
D. Tokenization

Correct Answer: D

QUESTION 94
According to requirement 5.1, anti-virus software should be deployed on all systems commonly affected by malicious software. Which of the below operating systems are not commonly affected by viruses? (Choose three)
A. Solaris
B. Mainframes
C. Windows
D. HP-Unix
E. Mac

Correct Answer: ABD
Explanation/Reference: Typically, the following operating systems are not commonly affected by malicious software: mainframes, and certain Unix servers (such as AIX, Solaris, and HP-Unix). However, industry trends for malicious software can change quickly, and each organization must comply with Requirement 6.2 to identify and address new security vulnerabilities and update their configuration standards and processes accordingly.