PCIP Exam questions with correct answers 100, Exams of Nursing

Typology: Exams

2023/2024

Available from 11/20/2024


PCIP Exam questions with correct answers 100%

PCI Data Security Standard (PCI DSS)
The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.

Sensitive Authentication Data
Merchants, service providers, and other entities involved with payment card processing must never store sensitive authentication data after authorization. This includes the 3- or 4-digit security code printed on the front or back of a card (CVD), the data stored on a card's magnetic stripe or chip (also called "Full Track Data"), and personal identification numbers (PIN) entered by the cardholder.

Card Verification Data Codes (CVD)
3- or 4-digit code that further authenticates a not-present cardholder. Visa: CVV; MC: CVC; Discover: CVD; JCB: CAV; AmEx: CID

Requirement 1
Install and maintain a firewall configuration to protect cardholder data

Network devices in scope for Requirement 1
Firewalls and Routers. Routers connect traffic between networks; firewalls control the traffic between networks and within the internal network.

QIR (Qualified Integrators & Resellers)
Authorized by the SSC to implement, configure and/or support PA-DSS payment applications. Visa requires all level 4 merchants to use QIRs for POS application and terminal installation and servicing.

Compensating Controls
An alternative control, put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.

Permitted reasons for using Compensating Controls
Organizations needing an alternative to security requirements that could not be met due to legitimate technological OR documented business constraints, but that have sufficiently mitigated the risk associated with the requirement through implementation of other compensating controls.

Examples of Compensating Controls
(i) Segregation of Duties (SOD) and (ii) Encryption

Compensating Controls must:

  1. Meet the intent and rigor of the original stated requirement;
  2. Provide a similar level of defense as the original stated requirement;
  3. Be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
  4. Be commensurate with the additional risk imposed by not adhering to the original stated requirement.

Compensating Controls Worksheet (COIDVM)

  1. Constraint
  2. Objective
  3. Identified Risk
  4. Define Compensating Control
  5. Validate Controls
  6. Maintenance

Card Data that cannot be stored by Merchants and Service Providers after authorization
Sensitive Authentication Data: i) 3- or 4-digit security code printed on the front or back of a card, ii) data stored on a card's magnetic stripe or chip (also called "Full Track Data"), and iii) personal identification numbers (PIN) entered by the cardholder

Card Data that MAY be stored
i) cardholder name, ii) service code (identifies industry), iii) Personal Account Number (PAN), iv) expiration date may be stored.

Network Segmentation
The process of isolating the cardholder data environment from the remainder of an entity's network. Not a requirement but strongly recommended.

Report on Compliance (ROC)

and while in transit all the way to the payment processor eliminating most PCI requirements.

  1. Outsourcing: Outsourcing all or some of your payment card processing capabilities to a PCI DSS compliant service provider can reduce PCI scope. This is especially relevant to companies conducting eCommerce transactions only.
  2. Tokenization: Stores card numbers and other sensitive data such as social security numbers in an off-site, highly secure data vault. The payment card numbers are replaced with tokens in all other databases and applications. Not storing cardholder data anywhere greatly simplifies the scope of PCI requirements.

Who makes up the PCI Security Standards Council?

  1. Five payment brands (Am Ex, JCB, Visa, MC, Discover), and
  2. Payment Organizations (merchants, banks, processors, hardware and software developers, point of sale vendors).

Card Processing Authorization: who does the merchant request and receive authorization from to complete the purchase? What is provided to the merchant?
The Issuer provides an Authorization Code to the merchant.

Card Processing Clearing: who shares what?
Acquirer and Issuer exchange payment information, usually within a 24 hr period in the U.S.

Card Processing Settlement: who does the acquirer pay? What does the Issuer do?

  1. Acquirer pays merchant, and
  2. Issuer bills cardholder (i.e. cardholder is charged)
  • Reconciliation takes place; the issuer records and posts the transaction, which appears on the cardholder's monthly statement

What are the 3 steps in Payment Card Processing?

  1. Authorization
  2. Clearing
  3. Settlement

Functions associated with Acquirers
Authorize, Clear and Settle to merchant

Who ultimately approves the purchase?
Issuer

Which step does the Payment Brand Network provide complete reconciliation to the merchant bank?
Clearing

How long is PCIP qualification valid?
3 years

Which takes precedence, local laws or PCI Standards?
Local Laws

Payment Brand Network
The cc brands (e.g. Am Ex, Discover). Discover and Amex are BOTH the card network and issuing bank, having their own financial institutions issue the cc's to consumers. Visa and MasterCard are card networks only and do NOT issue cc's; they have third party issuing banks do it for them.

What do Acquirers do for their merchants?
Authorize, Clear, Settle for their merchant

(PA-DSS) Payment Application Data Security Standard
Third party payment applications that authorize and settle. Examples: POS, Shopping Cart

Role of Payment Brand Network

  1. Develop and Enforce Compliance Programs,
  2. Accept validation documentation from approved QSA, PA-QSA, and ASV companies, and
  3. Endorse the QSA, PA-QSA and ASV company qualification criteria

Point to Point Encryption (P2PE) Requirements

  1. Secure encryption of payment card data at Point of Interaction (POI)
  2. Validated apps at the POI
  3. Secure environment of encryption and decryption devices
  4. Manage decryption environment and ALL decrypted account data
  5. Use source encryption technologies and cryptographic key elements, like key generation, distribution, loading and injection, administration and usage

May reduce PCI-DSS scope for the Merchant. Geared toward the provider of the point to point solution (e.g. Processor, Acquirer, payment gateway (e.g. PayPal)).

Systems that typically store track data
POS Systems, POS servers, Authorization servers

How frequently review firewall and router rule sets? (Req. 1.1)
Every six (6) months (at least)

What is an untrusted network?
An untrusted network is any network that is external to the networks of the entity being reviewed and/or which is out of the entity's ability to control or manage.

Req. 1.2 Restrict Traffic
Restrict all traffic inbound and outbound from untrusted networks (including wireless) and hosts
  • Deny all other traffic except protocols necessary for the CDE

Req. 1.2.3 Where do firewalls have to be installed?
Between all wireless networks and the CDE

Requirement 2
Do NOT use vendor-supplied default passwords and other security parameters (ALL default passwords)
  • Inventory system components
  • Ensure non-console access to network devices, servers and other components is encrypted

Sources of industry accepted system hardening (configuration) standards (Req. 2)

  1. Center for Internet Security (CIS)
  2. International Organization for Standardization (ISO)
  3. SysAdmin Audit Network Security (SANS) Institute
  4. National Institute of Standards and Technology (NIST)

Req. 2.1 When should all vendor defaults be removed or disabled?
BEFORE installing a system on the network (includes wireless devices connected to the CHD environment or used to transmit CHD data).

(SSH) Secure Shell (Req. 2.2.2-2.2.3)
Considered secure

Segmentation consists of what?
1) Logical controls, or 2) physical controls, or 3) a combo of both, e.g. firewalls/routers between CHD and the corporate network

Cardholder data (CHD) environment is comprised of what?
People, Processes and Technologies that store, transmit or process CHD or SAD

Are untrusted networks (e.g. internet) in scope for PCI-DSS?
No, they are not in scope, but to protect in-scope systems and data from untrusted networks, PCI-DSS requirements must be implemented

What is a flat network?
A network without adequate segmentation; results in the entire network being in scope for PCI DSS assessment

How frequently does an entity have to confirm PCI DSS scope?

Annually. Must identify locations and flows of CHD, and identify all systems connected to the CDE or that, if compromised, could impact the CDE.

How frequently do segmentation controls have to be tested?
At least annually (Req. 11.3.4)

Maximum PAN digits that may be displayed
First 6 or last 4 digits. Stricter POS receipt requirements trump.

How to render PAN unreadable?

  1. One-way hash functions based on strong cryptography
  2. Truncation
  3. Index tokens and securely stored pads
  4. Strong cryptography

Requirement 3
Protect stored cardholder data (PAN and SAD). SAD cannot be stored after authorization (even if encrypted). Issuers exception for business need.

Requirement 3. Protect PAN on display (printed receipts, screens, printouts)
Different from Req. 3.4, which protects PAN stored in databases or soft files.

Req. 3.2 Do NOT Store SAD after authorization
Don't store SAD (sensitive authentication data) after authorization; render it unrecoverable.
  • Exception for Issuers: may store SAD if there is a business need and it is secure

Req. 3.2.2 Track Data
Track data is located in the magnetic stripe on the back of the card. Track-equivalent data is found on the chip, but has a unique code.

Req. 3.4 If stored, PAN must be Unreadable
PAN must be unreadable if stored. Technical solutions to make it unreadable: one-way hash functions of the entire PAN; truncation; index tokens w/ secure pads; strong cryptography.

Req. 3.2. Don't store PIN after authorization

Req. 3.6. Manual clear-text cryptographic key management, if used, must be managed by:

  1. Split Knowledge, and
  2. Dual Control
  • One person alone cannot access the authentication materials of another

Minimum controls include:

  1. Train developers (at least) annually in up-to-date coding techniques
  2. Develop apps based on secure coding guidelines
  3. Address common coding vulnerabilities (injection flaws, buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, and all high-risk vulnerabilities identified in Req. 6.1)

Req. 6.6 Public Facing Web-Apps

  1. Review public facing web-apps with manual or automated tools or methods at least annually and after any changes (different from the vulnerability scan in Req. 11.2), OR
  2. Install an automated technical solution to detect and prevent web-based attacks (e.g. web app firewall), continuously checking all traffic

Req. 7 Restrict access to cardholder data to whom?
Business need to know basis

Req. 7.2 Use Access Control Systems to Restrict Access
Change "allow-all" setting to "deny all"

Req. 8 Identify and Authenticate Access to System Components

  1. Assign all users a unique ID
  2. Revoke access for terminated users
  3. Remove/disable inactive user accounts w/in 90 days
  4. Disable 3rd party IDs when not in use, monitor in-use
  5. After 6 failed attempts to login, lock out user (min. 30 mins)
  6. If idle for more than 15 mins, require user to re-authenticate
  7. Passwords need to be 7 characters or more, combo of numbers and alphabet
  8. Change passwords at least every 90 days
  9. New password should not duplicate prior 4 passwords
  10. First-time use and reset passwords should be different for each user

Req. 8.3 Use Multi-Factor Authentication to Secure CDE
Requires a min. 2 of 3 authentication methods (Req. 8.2) before access is granted; cannot use one factor twice
  • applies only to those with admin and non-console access (access to the system over the network and not direct) to the CDE
  • does NOT apply to app or system accounts performing automated functions

Req. 9 Restrict Physical Access to CHD
Control physical access to all systems that store, process and transmit CHD. Applies to all personnel on-site.
  • visitor: anyone onsite less than 1 day

Req. 9.1 Restrict access to what? how?
Use controls in the facility to prevent access (badges) and to monitor systems (video cameras) in sensitive areas (e.g. data center, server room) that house the CDE. Excludes public facing areas (e.g. POS retail/cashier).
  • restrict access to publicly accessible network jacks (disable or escort guests); can be logical, or physical controls, or a combo
  • restrict access to wireless access points

Req. 10.3 Which details should be included in audit?

  1. User ID
  2. Type of Event
  3. Date and Time
  4. Indicate Success or Failure
  5. Origin of Event
  6. Identify affected data, system component, resource

Req. 10.4 Time Synchronization
Use time synchronization technology for all CRITICAL system clocks. Consistent times are needed to help establish the sequence of events.
  • protect time data for forensic investigation; time settings from industry accepted time sources

Req. 10.4 Review logs how often?
Review security events and logs of systems that store CHD or SAD DAILY. Includes logs of ALL critical systems and ALL server and system components performing security functions. Review all other system components periodically.

Req. 10 Track and Monitor Access to what?
Track and monitor network resources and the CDE
  • audit trails: retain for 1 year

Req. 10.8 Applies to who?
Applies to service providers only. Requires a formal process to detect and alert on critical security failures.

Req. 11 Regularly Test Security Systems and Processes: how, when?
  • identify and test all wireless access points quarterly; testing methods: wireless network scans, network access control (NAC), wireless IDS/IPS; physical/logical inspection of system components and infrastructure
  • 11.2: 3 types of vulnerability scanning required by PCI-DSS: 1) run internal vulnerability scans quarterly (ASV not required), 2) external vulnerability scans quarterly (at least) (ASV required), and 3) internal and external scans after each significant change in the network

Req. 11.2 For initial PCI Compliance, are 4 quarterly scans necessary?
No, if the assessor verifies:

  1. the most recent scan result was passing,
  2. the company has documented policies and procedures requiring quarterly scanning, and
  3. vulnerabilities in the scan were corrected and shown in the re-scan

All subsequent years require scans each quarter.

Sec. 11.3 Penetration Testing ...

Req. 10.7 Retention period for Audit Trail
Retain audit trail for 1 year; minimum of 3 months of audit trail available for analysis

Sec. 11.4 Penetration testing
Monitor all traffic at the perimeter of the CDE and critical points of the CDE

Req. 12 Maintain a strong information security policy
Review policy annually and update when the environment changes

Req. 12.2 Risk Assessment
Implement a risk assessment process. Perform annually and when significant environment changes occur (e.g. merger, acquisition). Identify critical assets, threats, and vulnerabilities. Formally document the risk after the assessment.

Merchant level 1, 2, 3 and 4 ALL require quarterly scans by an ASV

Merchant Level 1: Criteria and Validation Requirements?
Level 1 Criteria: Processing more than 6MM Visa transactions per year (all channels)
Level 1 Validation Requirements:

  1. Annual ROC signed by QSA or internal auditor and signed by officer (on-site assessment)
  2. Quarterly network scan by ASV
  3. Attestation of Compliance Form

Merchant Level 2
Level 2 Criteria: 1MM-6MM Visa or MC transactions per year (all channels)
Level 2 Verification Requirements:

  1. Annual SAQ
  2. Quarterly network scan by ASV
  3. Attestation of Compliance Form

Merchant Level 3
Level 3 Criteria: 20K-1MM Visa or MC E-commerce transactions per year
Level 3 Verification Requirements:

  • Annual SAQ
  • Quarterly scan by ASV
  • Attestation of Compliance Form

Merchant Level 4
Level 4 Criteria: Less than 20K Visa or MC E-Commerce transactions per year AND all other merchants processing up to 1MM Visa or MC transactions annually
Level 4 Validation Requirements:

  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance

When should an EMV chip deployment be used?
When there appears to be a spike in card-not-present transactions

SRED (Secure Reading and Exchange of Data)
A set of PCI PTS requirements intended to protect/encrypt card data in payment terminals

PCI DSS requirement that refers to restricting physical access to cardholder data?
Req. 9

QSA: is it a data security firm?
Yes, a QSA is a data security firm (not a certification b/c it does not leave w/ the individual). Applies to ASVs also. PCIP is the only stand-alone certification that follows an individual when they leave a firm.

External scans performed by an ASV: components may not contain any vulnerability that has been assigned a Common Vulnerability Scoring System (CVSS) score equal to or higher than what?
4.0 CVSS score

Of the 6 PCI DSS goals, the goal "Implement Strong Access Control Measures" refers to which PCI DSS Requirements?
Req.'s 7, 8 and 9
  • Req. 7 Restrict access to cardholder data by business need to know
  • Req. 8 Identify and authenticate access to system components
  • Req. 9 Restrict physical access to cardholder data

SAQ B
MOTO and NO Internet
  • Imprint: old school slide across paper
  • Dial-out stand-alone: connected to a phone line (land line); most risk comes from the physical terminal
  • Card present AND Card Not Present

SAQ B-IP
MOTO AND Internet
  • PTS (PIN Transaction Security): stand-alone device that uses IP (internet) connected POI devices
  • card present and card not present
  • not connected to any other system in your environment
  • paper copies of receipts (nothing stored electronically)

SAQ P2PE
  • only deal with payment through a hardware payment terminal
  • entire payment process through the P2PE solution; no access to any clear cardholder data on any computer system
  • Brick and Mortar (Card Present Only) and MOTO (Card Not Present)
  • No E-commerce
  • all P2P encryption controls implemented from the PIM manual
  • no vulnerability scan or penetration test
  • cardholder data stored on paper/receipts, never electronically

Which SAQs require ASV scanning?
A-EP, B-IP, C, D

Scope of a penetration test MUST include:
App Layer and Network Layer Assessment; exposed external perimeter of the CDE

Vulnerability that allows data to be written into adjacent memory space?
Buffer overflow

PEN (penetration) testing is what kind of process?
Active process
  • perform external and internal
  • annually and after significant changes; an internal resource may perform it
  • Manual testing and verification, different from an automated scan
  • 3 types: black box (no info provided), white box (complete info provided), grey box (some info provided)
  • purpose is to exploit vulnerability and defeat security (trying to "break in")

Which appendixes address Compensating Controls?
B and C

What is the primary defining factor for cardholder data?
PAN. The only cardholder data that must be encrypted when at rest (stored), excluding SAD that

can never be stored. Name and exp. date WITHOUT PAN is not cardholder data for PCI.

Changes to the PCI standards follow a defined lifecycle, which is how many months? Stages?
36 months, 8 stages

Appendix A1 applies to what?
Shared Hosting Providers (Req. 2.6)

Section 3: What are the sub-requirements? Protect Stored Cardholder Data (SSMUKKI)
  • S = Store: limit storage time (3.)
  • S = SAD: no storing SAD after authorization (3.)
  • M = Mask: mask the PAN, first 6, last 4 (3.)
  • U = Unreadable: render PAN unreadable, one-way hash function, truncate (3.4)
  • K = Keys (Protect): keys for encryption, protect them (3.)
  • K = Keys (Manage): manage keys for cryptography (3.)
  • I = IS Policy: IS policies in place and known by all (3.)

FIPS
Federal Information Processing Standards

What is a dependency in the context of PA DSS?
Hardware OR Software

What are the first six digits on a payment card called?
BIN (Bank Identifier Number); identifies who the merchant is

In MFA (Multi-Factor Authentication), a password or passphrase is?
Something you are; validates Identity (Req. 8). Need two forms of separate authentication.

Which form does a PA-QSA attest to the results of a PA-DSS?
ROV: Report on Validation

Req. 10: How long do you need to keep audit trail history?
1 year

For external scans, no component may contain any vulnerability that has been assigned a CVSS base score equal to or higher than?
4 CVSS

10- Track and monitor all access to network resources and cardholder data.

Test, Development and Production environments are separately maintained: req.?
Req. 6

How frequently firewall rule set reviews? Req.?
6 months, Req. 1

Change user passwords/passphrases every ___ days? Req.?
90 days, Req. 8

How frequently run internal and external vulnerability scans? Req.?
Quarterly and after significant network change; Req. 11

Which req. only allows one primary function per server?
Req. 2

DESV (Designated Entity Supplemental Validation) requires a merchant to perform BAU reviews how frequently?
At least quarterly; applies only to entities designated by a payment brand

PCI SSC is a global open forum launched when?
2006

DESV requires the entity to document and confirm the accuracy of PCI DSS scope (scoping validation) how frequently?
Quarterly

Can MFA and multi-step authentication be present in the same environment?
Yes

Administrative access to the CDE is only permitted from systems within the CDE or from where else?
From a specific system in the shared services network

What is a secure way to manage recurring transactions?
Tokenization

Who sells, installs and/or services PA DSS payment apps?
QIR (Qualified Integrators and Resellers)

What attacks a logged-on victim's browser to send a pre-authenticated request to a vulnerable web app?
Cross Site Request Forgery (CSRF)

N/A on an ROC requires what?
Reporting must identify that the test was performed, which supports the N/A status

PCI SSC is responsible for doing what with the security standards?
Managing the security standards

Payment Brands are responsible for?
Enforcing the Security Standards

... ...

All merchants not included in descriptions for various SAQ types are eligible to complete which SAQ?
SAQ-D

Authorization is the process of confirming whether the customer has?

  1. a credit card that is valid
  2. sufficient funds/credit to make the purchase