PCIP Exam Questions and Answers (Latest Update 2023)

PCI Data Security Standard (PCI DSS) - Correct Answer ✅ The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.

Sensitive Authentication Data - Correct Answer ✅ Merchants, service providers, and other entities involved with payment card processing must never store sensitive authentication data after authorization. This includes the 3- or 4-digit security code printed on the front or back of a card (CVD), the data stored on a card's magnetic stripe or chip (also called "Full Track Data"), and personal identification numbers (PINs) entered by the cardholder.

Card Verification Data Codes (CVD) - Correct Answer ✅ 3- or 4-digit code that further authenticates a not-present cardholder
Visa - CVV2
MC - CVC2
Discover - CVD
JCB - CAV2
AmEx - CID

Requirement 1 - Correct Answer ✅ Install and maintain a firewall configuration to protect cardholder data

Network devices in scope for Requirement 1 - Correct Answer ✅ Firewalls and routers. Routers connect traffic between networks; firewalls control the traffic between networks and within the internal network.

QIR (Qualified Integrators & Resellers) - Correct Answer ✅ Qualified Integrators & Resellers are authorized by the SSC to implement, configure and/or support PA-DSS payment applications. Visa requires all level 4 merchants to use QIRs for POS application and terminal installation and servicing.

Compensating Controls - Correct Answer ✅ An alternative control, put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.
Report on Compliance (ROC) - Correct Answer ✅ Prepared at the time of the assessment of PCI compliance; comprehensively provides details about the assessment approach and compliance standing against each PCI DSS requirement.

What is included in the Report on Compliance (ROC)? - Correct Answer ✅ The ROC includes (1) executive summary, (2) description of scope of work and approach taken, (3) details about the reviewed environment, (4) contact information and report date, (5) quarterly scan results, and (6) findings and observations.

Steps to take for a PCI Assessment (hint: SARA's Remediation) - Correct Answer ✅
1. Scope - determine which system components and networks are in scope for PCI DSS
2. Assess - examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement
3. Report - assessor and/or entity completes required documentation (e.g. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls
4. Attest - complete the appropriate Attestation of Compliance (AOC)
5. Submit - submit the SAQ, ROC, AOC and other requested supporting documentation such as ASV scan reports to the acquirer (for merchants) or to the payment brand/requestor (for service providers)
6. Remediate - if required, perform remediation to address requirements that are not in place, and

Who can complete a Self-Assessment Questionnaire (SAQ)? - Correct Answer ✅ i) the organization itself, or ii) a third party (e.g. IBM)

Who MUST complete a Report on Compliance? - Correct Answer ✅ It MUST be completed by an approved Qualified Security Assessor (QSA) through the PCI Security Standards Council

What is included in a PCI Scope Review? - Correct Answer ✅ 1) Document the cardholder data flow; 2) develop a network diagram that documents all of the firewalls, routers, switches, access points, servers and other network devices and how they are architected; 3) scan your entire network to confirm that cardholder data is not stored anywhere outside of the CDE. (Generally, you need to identify all locations and flows and ensure that they are included in scope.)

Steps to reduce scope of the Cardholder Data Environment ("CDE") - Correct Answer ✅
1. Consolidation: Identifying and eliminating redundant data sets and consolidating applications and information storage can reduce scope.
2. Centralization: Encrypted data is stored in a highly secure on-site central data vault. The payment card numbers are replaced with tokens in other applications or databases. Since cardholder data is only stored in one central location, PCI DSS scope is minimized.
3. End-To-End Encryption (E2EE) or Point-To-Point Encryption (P2PE): Ensures that card numbers are encrypted from the first card swipe at the point-of-sale (POS) and while in transit all the way to the payment processor, eliminating most PCI requirements.
4. Outsourcing: Outsourcing all or some of your payment card processing capabilities to a PCI DSS compliant service provider can reduce PCI scope. This is especially relevant to companies conducting eCommerce transactions only.
5. Tokenization: Stores card numbers and other sensitive data such as social security numbers in an off-site highly secure data vault. The payment card

Payment Brand Network - Correct Answer ✅ The credit card brands (e.g. AmEx, Discover). Discover and AmEx are BOTH the card network and the issuing bank, having their own financial institutions issue the cards to consumers. Visa and MasterCard are card networks only and do NOT issue cards; they have third-party issuing banks do it for them.

What do Acquirers do for their merchants? - Correct Answer ✅ Authorize, Clear, Settle for their merchant

Who ultimately approves the purchase? - Correct Answer ✅ Issuer

In which step does the Payment Brand Network provide complete reconciliation to the merchant bank? - Correct Answer ✅ Clearing

(PA-DSS) Payment Application Data Security Standard - Correct Answer ✅ Third-party payment applications that authorize and settle. Examples: POS, Shopping Cart

Role of Payment Brand Network - Correct Answer ✅ 1) Develop and enforce compliance programs, 2) Accept validation documentation from approved QSA, PA-QSA, and ASV companies, and 3) Endorse the QSA, PA-QSA and ASV company qualification criteria

Point to Point Encryption (P2PE) Requirements - Correct Answer ✅
1 - Secure encryption of payment card data at the Point of Interaction (POI)
2 - Validated apps at the POI
3 - Secure environment of encryption and decryption devices
4 - Manage the decryption environment and ALL decrypted account data
5 - Use source encryption technologies and cryptographic key elements, like key generation, distribution, loading and injection, administration and usage
- May reduce PCI-DSS scope for the merchant
- Geared toward the provider of the point-to-point solution (e.g. processor, acquirer, payment gateway (e.g. PayPal))

(PA-DSS) Payment Application DSS - Correct Answer ✅ Most payment application (PA-DSS) requirements are the equivalent of PCI-DSS
- Geared toward the application providers

P2PE - Correct Answer ✅ P2PE incorporates requirements from PTS, PCI-DSS, PA-DSS, and PCI-PIN. Protects card data from point of capture to processing.

(PCI-PTS) PIN Transaction Security Devices - Correct Answer ✅ PCI-PTS applies to PIN entry devices / point of interaction devices (POI), Encrypting PIN Pads (EPP), Point of Sale devices (POS), Hardware (or host) security modules (HSMs), Unattended Payment Terminals (UPTs), and non-PIN entry modules
- Geared toward device manufacturers

PCI-PTS - what does the program ensure against? - Correct Answer ✅
1 - Terminals cannot be manipulated or hacked, and PINs/keys cannot be accessed
2 - Secure Read and Exchange Module (SREM) allows terminals to be approved for the secure encryption of cardholder data as part of the P2PE program
3 - PTS extended to allow non-PIN entry modules to be evaluated against the SRED module, allowing secure encryption at the POI for non-chip-and-PIN cards

PCI PIN Requirements provide for secure...? - Correct Answer ✅ 1) PIN management, 2) processing, and 3) transmission

- Deny all other traffic except protocols necessary for the CDE

Req. 1.2.3 Where do firewalls have to be installed? - Correct Answer ✅ Between all wireless networks and the CDE

Requirement 2 - Correct Answer ✅ Do NOT use vendor-supplied default passwords and other security parameters (ALL default passwords)
- Inventory system components
- Ensure non-console access to network devices, servers and other components is encrypted

Sources of industry accepted system hardening (configuration) standards (Req. 2) - Correct Answer ✅ 1) Center for Internet Security (CIS) 2) International Organization for Standardization (ISO) 3) SysAdmin Audit Network Security (SANS) Institute 4) National Institute of Standards and Technology (NIST)

Req. 2.1 When should all vendor defaults be removed or disabled? - Correct Answer ✅ BEFORE installing a system on the network (includes wireless devices connected to the CHD environment or used to transmit CHD).

(SSH) Secure Shell (Req. 2.2.2-2.2.3) - Correct Answer ✅ Considered secure

Segmentation consists of what? - Correct Answer ✅ 1) Logical controls, or 2) physical controls, or 3) a combination of both, e.g. firewalls/routers between CHD and the corporate network

Cardholder data (CHD) environment is comprised of what? - Correct Answer ✅ People, processes and technologies that store, transmit or process CHD or SAD

Are untrusted networks (e.g. internet) in scope for PCI-DSS? - Correct Answer ✅ No, they are not in scope, but to protect in-scope systems and data from untrusted networks, PCI-DSS requirements must be implemented

What is a flat network? - Correct Answer ✅ A network without adequate segmentation; results in the entire network being in scope for the PCI DSS assessment

How frequently does an entity have to confirm PCI DSS scope? - Correct Answer ✅ Annually
- Must identify locations and flows of CHD
- Identify all systems connected to, or that if compromised could impact, the CDE

How frequently do segmentation controls have to be tested? - Correct Answer ✅ At least annually (Req. 11.3.4)

Maximum PAN digits that may be displayed - Correct Answer ✅ First 6 or last 4 digits
- Stricter POS receipt requirements take precedence

How to render PAN unreadable? - Correct Answer ✅ 1) One-way hash functions based on strong cryptography 2) Truncation 3) Index tokens and securely stored pads 4) Strong cryptography

Requirement 3 - Correct Answer ✅ Protect stored cardholder data

Req. 5 - Correct Answer ✅ Protect all systems against malware and regularly update antivirus software
- Deploy antivirus software on systems COMMONLY susceptible to malicious software (malware); not required on systems not commonly affected by malware

Zero Day - Correct Answer ✅ Term for attacks on previously UNKNOWN vulnerabilities

Req. 6.3 - Correct Answer ✅ Develop internal and external software securely
- Include web-based administrative access
- Include security when defining requirements for software development
- For apps, remove development and test accounts, test user IDs and passwords from the production code before it goes live; they could give away information about app functionality

Req. 6 - Correct Answer ✅ Maintain and develop secure systems and applications
- Identify security vulnerabilities (at a minimum identify all high-risk vulnerabilities)
- Rank the security vulnerabilities
- Criteria for ranking vulnerabilities: i) consideration of the CVSS base score, and/or ii) classification by the vendor, and/or iii) type of systems affected
- Install vendor-supplied security patches: critical patches within one month of release, lower risk within 2 to 3 months of release (Req. 6.2)

Req. 6.3.2 Code Reviews - Correct Answer ✅ Code reviews should 1) be done by someone (knowledgeable on code and security) other than the person that wrote the code; 2) ensure the code is written per secure coding guidelines; 3) have any corrections implemented before release; 4) have code review results reviewed by management before release.

Req. 6.4 Change control procedures and processes - Correct Answer ✅ Follow change control procedures and processes for ALL changes to system components
- Separate development/test environments from production environments and enforce separation with access controls
- Separate development/test duties from production duties (e.g. developer uses an administrator-level account in the development environment and a separate account with user-level access to the production environment)

Req. 6.3.4 and 6.4.4 Live PANs - Testing/Development - Correct Answer ✅ Live PANs CANNOT be used for testing or development
- Remove even test data and test accounts before a system component goes active (in production)

Req. 6.5.1 through 6.5.10 Minimum Controls - Coding Vulnerabilities - Software Development - Correct Answer ✅ Minimum controls include: 1) Train developers (at least) annually on up-to-date coding techniques 2) Develop apps based on secure coding guidelines 3) Address common coding vulnerabilities (injection flaws, buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, and all high-risk vulnerabilities identified in Req. 6.1)

Req. 6.6 Public-Facing Web Apps - Correct Answer ✅ 1) Review public-facing web apps with manual or automated tools or methods at least annually and after any changes (different from the vulnerability scan in Req. 11.2) OR

- Can be logical or physical controls, or a combination
- Restrict access to wireless access points

Req. 10.3 Which details should be included in the audit? - Correct Answer ✅ 1) User ID, 2) Type of event, 3) Date and time, 4) Indication of success or failure, 5) Origin of event, 6) Identity of affected data, system component, or resource

Req. 10.4 Time Synchronization - Correct Answer ✅ Use time synchronization technology for all CRITICAL system clocks
- Need consistent times; helps establish the sequence of events
- Protect time data for forensic investigation
- Time settings from industry accepted time sources

Req. 10.4 Review logs how often? - Correct Answer ✅ Review security events and logs of systems that store CHD or SAD DAILY
- Includes logs of ALL critical systems and ALL server and system components performing security functions
- Review all other system components periodically

Req. 10 Track and Monitor Access to what? - Correct Answer ✅ Track and monitor network resources and the CDE
- Audit trails: retain for 1 year

Req. 10.8 Applies to whom? - Correct Answer ✅ Applies to service providers only.
- Requires a formal process to detect and alert on critical security control failures

Req. 11 Regularly Test Security Systems and Processes - how, when? - Correct Answer ✅
- Identify and test all wireless access points quarterly
- Testing methods: wireless network scans, network access control (NAC), wireless IDS/IPS
- Physical/logical inspection of system components and infrastructure
- 11.2: 3 types of vulnerability scanning required by PCI-DSS: 1) run internal vulnerability scans quarterly (ASV not required), 2) external vulnerability scans quarterly (at least) (ASV required), and 3) internal and external scans after each significant change in the network

Req. 11.2 For initial PCI Compliance - are 4 quarterly scans necessary? - Correct Answer ✅ No, if the assessor verifies 1) the most recent scan result was passing, 2) the company has documented policies and procedures requiring quarterly scanning, 3) vulnerabilities in the scan were corrected and shown in the re-scan
- All subsequent years require scans each quarter

Sec. 11.3 Penetration Testing - Correct Answer ✅

Req. 10.7 Retention period for Audit Trail - Correct Answer ✅ Retain audit trail for 1 year
- Minimum of 3 months of audit trail available for analysis

Sec. 11.4 Penetration testing - Correct Answer ✅ Monitor all traffic at the perimeter of the CDE and critical points of the CDE

Req. 12 Maintain a strong information security policy - Correct Answer ✅ Review policy annually and update when the environment changes

GSM Global System for Mobile Communications - Correct Answer ✅ Popular standard for mobile phones and networks
- Allows roaming in different parts of the world

AAA Acronym for what? - Correct Answer ✅ Authentication, Authorization, Accounting
- Protocol for:
- Authenticate user by verifying identity
- Authorize user based on user rights
- Account for a user's consumption of network resources

Information Supplements - supersede, replace, extend? - Correct Answer ✅ None; supplements don't do any of these. Rather, Information Supplements:
- Provide guidance and recommendations on how to comply with PCI DSS requirements

P2PE Hardware Solution Requirements - Req. 3A - Correct Answer ✅ Physically secure POI (point of interaction) devices through the device lifecycle

Which merchant levels require a quarterly scan by an ASV? - Correct Answer ✅ Merchant levels 1, 2, 3 and 4 ALL require quarterly scans by an ASV

Merchant Level 1 - Criteria and Validation Requirements? - Correct Answer ✅ Level 1 Criteria: Processing more than 6MM Visa transactions per year (all channels)
Level 1 Validation Requirements: 1) Annual ROC signed by QSA or internal auditor and signed by an officer (on-site assessment) 2) Quarterly network scan by ASV 3) Attestation of Compliance form

Merchant Level 2 - Correct Answer ✅ Level 2 Criteria: 1MM-6MM Visa or MC transactions per year (all channels)
Level 2 Verification Requirements: 1) Annual SAQ 2) Quarterly network scan by ASV 3) Attestation of Compliance form

Merchant Level 3 - Correct Answer ✅ Level 3 Criteria: 20K-1MM Visa or MC e-commerce transactions per year
Level 3 Verification Requirements: Annual SAQ; Quarterly scan by ASV; Attestation of Compliance form

Merchant Level 4 - Correct Answer ✅ Level 4 Criteria: Less than 20K Visa or MC e-commerce transactions per year AND all other merchants processing up to 1MM Visa or MC transactions annually
Level 4 Validation Requirements: Annual SAQ; Quarterly network scan by ASV; Attestation of Compliance

When should an EMV chip deployment be used? - Correct Answer ✅ When there appears to be a spike in card-not-present transactions

SHRED - Correct Answer ✅ Secure Reading and Exchange of Data

SAQ-B - phone line
SAQ B-IP - internet

SAQ C - Correct Answer ✅ Payment app using the internet (e.g. Square) or computer with internet; MOTO (card-not-present) and POS (card-present)

SAQ C-VT - Correct Answer ✅ Sends payment via a virtual payment terminal solution accessed by an internet-connected web browser (e.g. Venmo, Zelle, Cash)
- Payment just goes between terminal and web browser
- Lower risk than e-commerce
- Computer is not connected to any other systems
- No hardware attached
- e.g. call centers

SAQ D - Correct Answer ✅ Applies to all e-commerce merchants that don't meet other SAQ requirements and ALL SERVICE PROVIDERS (unless more than 300K transactions per year, then ROC required) (e.g. hosting provider, managed firewalls)
- Cardholder data is STORED
- Cardholder data accepted on website (e-commerce) or MOTO
- Even if the merchant does not store data but no other SAQs apply, must use SAQ D; or if some requirements fall outside of another SAQ, have to use SAQ D
- Consumer enters card info on the checkout page of the merchant website

SAQ A - Correct Answer ✅ E-commerce and/or MOTO
- Entire payment process outsourced to a third party
- Only SAQ NOT requiring internal or external scan
- Redirected via URL or iFrame

SAQ A-EP - Correct Answer ✅
- E-commerce (website)
- Some of the payment process outsourced but some remains with the merchant
- No electronic storing of data

Three types of e-commerce SAQs - Correct Answer ✅ A, A-EP and D

SAQ P2PE - Correct Answer ✅
- Only deals with payment through a hardware payment terminal
- Entire payment process through a P2PE solution
- No access to any clear cardholder data on any computer system
- Brick and mortar (card-present only) and MOTO (card-not-present)
- No e-commerce
- All P2P encryption controls implemented from the PIM manual
- No vulnerability scan or penetration test
- Cardholder data stored on paper/receipts, never electronically

Which SAQs require ASV scanning? - Correct Answer ✅ A-EP, B-IP, C, D

Scope of a penetration test MUST include: - Correct Answer ✅ App layer and network layer assessment; exposed external perimeter of the CDE

Vulnerability that allows data to be written into adjacent memory space? - Correct Answer ✅ Buffer overflow

What is a dependency in the context of PA-DSS? - Correct Answer ✅ Hardware OR software

What are the first six digits on a payment card called? - Correct Answer ✅ BIN - Bank Identifier Number
- Identifies who the merchant is

In MFA (Multi-Factor Authentication), a password or passphrase is? - Correct Answer ✅ Something you are; validates identity
- Req. 8.3
- Need two forms of separate authentication

Which form does a PA-QSA attest to the results of a PA-DSS assessment on? - Correct Answer ✅ ROV - Report on Validation

Req. 10 - How long do you need to keep audit trail history? - Correct Answer ✅ 1 year

For external scans, no component may contain any vulnerability that has been assigned a CVSS base score equal to or higher than? - Correct Answer ✅ 4

CVSS - Correct Answer ✅ Common Vulnerability Scoring System
- Rates the severity of software vulnerabilities
- 0-10 scoring, 10 most severe

Payment Card Industry Security Standards for Manufacturers - Correct Answer ✅ PCI PTS - PIN Transaction Security
- Governs manufacturers of the devices

Who does PCI TSP apply to? - Correct Answer ✅ Token Service Providers

EMV Chip - Correct Answer ✅
- Prevents cards from being cloned
- Creates a unique transaction code with each purchase
- Is best for protecting card-present transactions

Ransomware - Correct Answer ✅
- Fastest growing malware threat
- Can be delivered by phishing email

PCI as a whole should be organized around what? - Correct Answer ✅ Business As Usual

If stored cardholder data cannot be encrypted or otherwise rendered unreadable, you should refer to which PCI DSS appendix? - Correct Answer ✅ Appendix B and C - Compensating Controls

Does using a PA-DSS app reduce the merchant's CDE scope? - Correct Answer ✅ No

Penetration testing falls under which PCI DSS requirement? - Correct Answer ✅ 3

Anti-virus refers to which PCI DSS requirement? - Correct Answer ✅ 5

How frequently monitor a service provider's compliance? - Correct Answer ✅ Annually

DESV (Designated Entity Supplemental Validation) requires a merchant to perform BAU reviews how frequently? - Correct Answer ✅ At least quarterly
- Applies only to entities designated by a payment brand

PCI SSC is a global open forum launched when? - Correct Answer ✅ 2006

DESV requires the entity to document and confirm the accuracy of PCI DSS scope (scoping validation) how frequently? - Correct Answer ✅ Quarterly

Can MFA and multi-step authentication be present in the same environment? - Correct Answer ✅ Yes

Administrative access to the CDE is only permitted from systems within the CDE or from where else? - Correct Answer ✅ From specific systems in the shared services network

What is a secure way to manage recurring transactions? - Correct Answer ✅ Tokenization

Who sells, installs and/or services PA-DSS payment apps? - Correct Answer ✅ QIR - Qualified Integrators and Resellers

What attacks a logged-on victim's browser to send a pre-authenticated request to a vulnerable web app? - Correct Answer ✅ Cross-Site Request Forgery (CSRF)

N/A on an ROC requires what? - Correct Answer ✅ Reporting must identify that the test was performed, which supports the N/A status

PCI SSC is responsible for doing what with the security standards? - Correct Answer ✅ Managing the security standards

Payment Brands are responsible for? - Correct Answer ✅ Enforcing the security standards

- Correct Answer ✅

All merchants not included in descriptions for various SAQ types are eligible to complete which SAQ? - Correct Answer ✅ SAQ-D

Authorization is the process of confirming whether the customer has? - Correct Answer ✅ 1) a credit card that is valid 2) sufficient funds/credit to make the purchase