












AQSA CERTIFICATION.
PCI SSC - CORRECT ANSWER >>> is an independent industry standards body providing oversight of the development and management of Payment Card Industry Data Security Standards on a global basis.

What are the founding payment brands? - CORRECT ANSWER >>> American Express, Discover, JCB, Mastercard, and VISA

What defines the merchant levels? - CORRECT ANSWER >>> Defined by the payment brands, based on transaction volume. Transaction volume is determined by the acquirer.

What defines the service provider levels? - CORRECT ANSWER >>> Defined by the payment brands according to transaction volume and/or type of service provider. Determined by the payment brands or acquirer, or sometimes the service provider.

SAQ-A - CORRECT ANSWER >>> Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.

SAQ A-EP - CORRECT ANSWER >>> E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.

SAQ-B - CORRECT ANSWER >>> Merchants using only:
PCI DSS - CORRECT ANSWER >>> covers security of the environments that store, process, or transmit account data. The scope of PCI DSS covers environments receiving account data from payment applications and other sources—acquirers, for example.

PCI PA-DSS - CORRECT ANSWER >>> covers secure payment applications to support PCI DSS compliance. The scope of PA-DSS addresses when a payment application receives account data from cardholder-interface devices such as point-of-sale terminals or other devices and begins the payment transaction.

PCI P2PE (Point-to-Point Encryption) - CORRECT ANSWER >>> covers secure encryption, decryption, and key management for point-to-point encryption solutions. Requirements for a

Visa Inc. Compliance Program is called ______________. - CORRECT ANSWER >>> Information Security Program

Visa Europe Compliance Program is called ______________. - CORRECT ANSWER >>> Account Information Security Program.

The key thing to understand for payment brand compliance programs is _________. - CORRECT ANSWER >>> that they handle PCI DSS compliance tracking, enforcement, and any penalties or fees that might be assigned. In addition, payment brands are responsible for forensic response and investigation of account data compromises.

What are the Payment Brand Roles? - CORRECT ANSWER >>> Develop and enforce compliance programs / Endorse QSA, PA-QSA and ASV company qualification criteria / Accept validation documentation from QSAs, PA-QSAs, and ASVs.
Merchants will generally report to their __________, whereas service providers will report to the ____________. - CORRECT ANSWER >>> acquirer / payment brands.

Self-assessment questionnaire - CORRECT ANSWER >>> often referred to as the SAQ, which is a validation tool for merchants and service providers self-evaluating their compliance with PCI DSS. It is a validation tool for entities that are not required to submit a Report on Compliance as part of an onsite assessment.

SAQ D - CORRECT ANSWER >>> is for all other SAQ-eligible merchants that do not fall into any of the other SAQ categories, and for any service providers defined by a payment brand as eligible to complete the SAQ.

SAQ P2PE - CORRECT ANSWER >>> is for merchants using a validated P2PE solution that is listed on the PCI SSC website.

Describe the basic overview of the payment processing workflow - CORRECT ANSWER >>> 1. cardholders that make payment card purchases from merchants,
Which of these devices can be used to provide network segmentation controls? - CORRECT ANSWER >>> switches, routers, and firewalls

System components include _____________. - CORRECT ANSWER >>> network devices, servers, computing devices, and applications

Network segmentation can be achieved through a number of physical or logical means, such as what? - CORRECT ANSWER >>> properly configured internal network firewalls, routers with strong access control lists, or other technology that restricts access to a particular segment of a network.

The cardholder data environment comprises what? - CORRECT ANSWER >>> people, processes, and technologies that store, process or transmit cardholder data or sensitive authentication data.

What is the fastest way to reduce the scope of the PCI DSS Assessment? - CORRECT ANSWER >>> is to not store cardholder data.

If virtualization technologies are used in a cardholder data environment, the virtualization technologies are included in scope for PCI DSS. (T/F?) - CORRECT ANSWER >>> True

Entities involved in payment card processing via mobile devices (like a phone or tablet) can reduce the risks to the security of cardholder data by: - CORRECT ANSWER >>> Encrypting account data at the point of capture using an approved point of interaction device.

What is requirement 1? - CORRECT ANSWER >>> Install and maintain a firewall configuration to protect cardholder data.
How often must the firewall and router rule sets be reviewed? - CORRECT ANSWER >>> at least every six months.

What is requirement 2? - CORRECT ANSWER >>> Do not use vendor-supplied defaults for system passwords and other security parameters.

Some controls covered in requirement 2 include ________. - CORRECT ANSWER >>> Not using vendor-supplied default passwords. Utilizing system configuration standards for all components. Maintaining an inventory of system components. Ensuring all non-console access to network devices, servers, and other components is encrypted.

Requirements 2.2.2 and 2.2.3 cover the use of secure services, protocols, and daemons as required for the functions of a system. Which of the following is considered secure? - CORRECT ANSWER >>> SSH

What is requirement 3? - CORRECT ANSWER >>> Protect stored cardholder data; specifically primary account numbers (PANs) and sensitive authentication data (SAD). Minimize risk associated with the storage of cardholder data.

Requirement 3.1 - CORRECT ANSWER >>> Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures, and processes.

Requirement 3.2 - CORRECT ANSWER >>> Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

Requirement 3.2.2 - CORRECT ANSWER >>> Do not store the card verification code or value after authorization.

Sensitive authentication data includes PAN and service code. (T/F?) - CORRECT ANSWER >>> False

Storing track data "long term" or "persistently" is permitted when __________. - CORRECT ANSWER >>> it is being stored by issuers.

PCI DSS Requirement 3.4 states that PAN must be rendered unreadable when stored. Which of the following may be used to meet this requirement? - CORRECT ANSWER >>> Hashing the entire PAN using strong cryptography

What is requirement 4? - CORRECT ANSWER >>> Encrypt transmission of cardholder data across open, public networks. Protection of cardholder data during transmission over a network that may be easily accessed or breached by malicious individuals. Minimize risk associated with the transmission of cardholder data over open, public networks.
What is requirement 5? - CORRECT ANSWER >>> Protect all systems against malware and regularly update anti-virus software or programs.

Requirement 5.2 - CORRECT ANSWER >>> Ensure that all anti-virus mechanisms are maintained as follows: are kept current, perform periodic scans, and generate audit logs which are retained per PCI DSS requirement 10.

Requirement 5.3 - CORRECT ANSWER >>> Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

What is requirement 6? - CORRECT ANSWER >>> Develop and maintain secure systems and applications. Protection from exploitation of vulnerabilities. Develop secure applications and systems. Ensure security patches and secure system and application configuration are managed properly.

Requirement 6.1 - CORRECT ANSWER >>> Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities.

Requirement 6.2 - CORRECT ANSWER >>> Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

Requirement 6.3 - CORRECT ANSWER >>> Develop internal and external software applications securely.

What are some common coding vulnerabilities? - CORRECT ANSWER >>> Injection flaws, buffer overflow, insecure cryptographic storage, insecure communications, improper error handling.

What are some web application and application interface vulnerabilities? - CORRECT ANSWER >>> Cross-site scripting (XSS), improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions), cross-site request forgery (CSRF), and broken authentication and session management.

What is requirement 7? - CORRECT ANSWER >>> Restrict access to cardholder data by business need to know

What is requirement 8? - CORRECT ANSWER >>> Identify and authenticate access to system components. Assign a unique ID and authentication to each person with access. Ensure that individuals are uniquely accountable for their actions.

What is requirement 9? - CORRECT ANSWER >>> Restrict physical access to cardholder data
limited to failure of: firewalls, IDS/IPS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms, and segmentation controls

What is requirement 11? - CORRECT ANSWER >>> Regularly test security systems and processes.

Requirement 11.1 - CORRECT ANSWER >>> Implement processes to test for the presence of wireless access points (802.11) and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

What is requirement 12? - CORRECT ANSWER >>> Maintain a policy that addresses information security for all personnel.

Appendix A1 - CORRECT ANSWER >>> Additional PCI DSS Requirements for Shared Hosting Providers

Appendix A2 - CORRECT ANSWER >>> Additional PCI DSS Requirements for Entities using SSL/early TLS

Appendix A3 - CORRECT ANSWER >>> Designated Entities Supplemental Validation (DESV). An entity is required to undergo an assessment according to this appendix only if instructed to do so by an acquirer or a payment brand.

Information Supplements provided by the PCI SSC may "supersede" or replace PCI DSS requirements. (T/F?) - CORRECT ANSWER >>> False

In order to be considered a compensating control, which of the following must exist? - CORRECT ANSWER >>> a legitimate technical constraint or a documented business constraint
Non-console access - CORRECT ANSWER >>> refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component.

Which scenario describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope? - CORRECT ANSWER >>> A network configuration that prevents all network traffic between the CDE and out-of-scope networks.

Typical locations where card verification values/codes may be found include which of the following? - CORRECT ANSWER >>> databases and log files from e-commerce systems

Which of the following is true regarding compensating controls? - CORRECT ANSWER >>> A compensating control is not necessary if all other PCI DSS requirements are in place

Which statement is true regarding storage of cardholder data? - CORRECT ANSWER >>> Stored cardholder data that exceeds retention requirements needs to be removed on a quarterly basis

Which of the following statements about service providers is true? - CORRECT ANSWER >>> Transaction payment gateways are not considered service providers

What activity occurs during the "settlement" step of the payment process? - CORRECT ANSWER >>> The merchant receives payment for the transaction

Which statement is true regarding the use of PA-DSS validated applications? - CORRECT ANSWER >>> PA-DSS validated applications are in scope for a merchant's PCI DSS assessment

Which entity determines a merchant's transaction volume? - CORRECT ANSWER >>> the acquirer
The best way for a merchant to reduce scope would be - CORRECT ANSWER >>> use a council-listed P2PE solution

Which cardholder data element is allowed to be stored? - CORRECT ANSWER >>> PAN

Storage of secret and private keys that are used to encrypt a PAN must be - CORRECT ANSWER >>> encrypted with a KEK at least as strong as the DEK

Scoping documentation usually entails - CORRECT ANSWER >>> an asset inventory, high-level diagram, policies

Which organization is the final step in the authorization approval process? - CORRECT ANSWER >>> Issuing entity

Which is the card verification code for VISA? - CORRECT ANSWER >>> CVV

Where should firewalls be placed? - CORRECT ANSWER >>> between the cardholder data environment and the internet

Acceptable 16 digit PAN with 8 digit BIN Truncation Formats for MasterCard are - CORRECT ANSWER >>> At least 6 digits removed, "First 6, any other 4"

Goal 1 - CORRECT ANSWER >>> Build and maintain a secure network and systems

Goal 2 - CORRECT ANSWER >>> Protect cardholder data

Goal 3 - CORRECT ANSWER >>> Maintain a vulnerability management

Goal 4 - CORRECT ANSWER >>> Implement strong access control measures

Goal 5 - CORRECT ANSWER >>> Regularly monitor and test networks

Goal 6 - CORRECT ANSWER >>> Maintain an information security policy

What must the assessor verify when testing that cardholder data is protected whenever it is sent over the Internet? - CORRECT ANSWER >>> The encryption is appropriate for the technology in use.

Viewing audit trails should be limited to: - CORRECT ANSWER >>> individuals with a job-related need

Cardholder data includes what? - CORRECT ANSWER >>> Primary account number (PAN), Cardholder name, Expiration Date, and Service code

Sensitive Authentication Data includes what? - CORRECT ANSWER >>> Full track data (magnetic-stripe data or equivalent on a chip), CAV2/CVC2/CVV2/CID, and PINs/PIN Block

What are some ways to render PAN unreadable? - CORRECT ANSWER >>> One-way hashes, truncation, index token and pad, and strong cryptography

What are some ways to use strong cryptography and security protocols to safeguard cardholder data during transmission? - CORRECT ANSWER >>> only trusted keys and certificates are accepted. The protocol in use only supports secure versions or configurations. The encryption strength is appropriate for the encryption methodology in use.
Fill in the blank: Are stateful firewalls .......................... for connections into the CDE? - CORRECT ANSWER >>> Required

What sanction does the PCI SSC not have against a PCIP who is in contravention of the PCI SSC Code of Professional Responsibility? - CORRECT ANSWER >>> Revoke the PCIP qualification

The Payment Card Brands are responsible for: - CORRECT ANSWER >>> penalty or fee assignment for non-compliance

If a suspected card account number passes the Mod 10 test it means: - CORRECT ANSWER >>> it may be a valid PAN

Systems that commonly store track data: - CORRECT ANSWER >>> POS Systems

Non-console administrator access to any web-based management interface must be encrypted with technology such as - CORRECT ANSWER >>> HTTPS

Entities who handle point-of-sale devices must: - CORRECT ANSWER >>> verify the identity of any third-party persons claiming to be repair or maintenance personnel.

Partially outsourced E-commerce Merchants using a third-party website for payment processing may be eligible to fill out: - CORRECT ANSWER >>> SAQ-A EP

Which is a responsibility of the PCI DSS security council? - CORRECT ANSWER >>> Establish validation requirements for PA-DSS applications.

Who shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program? - CORRECT ANSWER >>> Executive Management