Methods for stealing payment card data include:
a) Weak Passwords
b) Malware
c) Physical skimming
d) All of the options are correct
d) All of the options are correct
The PCI DSS applies to:
a) Any entity that stores, processes, or transmits payment card account data
b) Service Providers only
c) Merchants only
d) Merchants and third-party processors (TPPs) only
a) Any entity that stores, processes, or transmits payment card account data
The P2PE standard covers:
a) Secure payment applications for processing transactions
b) Encryption, decryption, and key management requirements for point-to-point encryption solutions
c) Physical security requirements for manufacturing payment cards
d) Mechanisms used to protect the PIN and encrypted PIN Blocks
b) Encryption, decryption, and key management requirements for point-to-point encryption solutions
The standard for validating off-the-shelf payment applications used in authorizations and settlement is:
a) PCI P2PE
b) PA-DSS
c) PCI PTS
d) PCI DSS
b) PA-DSS
Merchants using PA-DSS validated payment applications are automatically PCI DSS compliant.
a) True
b) False
b) False
Which of the below functions is associated with acquirers?
a) Provide settlement services to a merchant
b) Provide clearing services to a merchant
c) Provide authorization services to a merchant
d) All of the options
d) All of the options
Which of the following entities will ultimately approve a purchase?
a) Issuer
b) Acquirer
c) Payment Transaction Gateway
d) Merchant
a) Issuer
In which step does the payment brand network provide complete reconciliation to the merchant's bank?
a) Settlement
b) Authorization
c) Approval
d) Clearing
d) Clearing
A company that _____________________ is considered to be a service provider.
a) Controls or could impact the security of another entity's cardholder data
b) Is a payment card brand
c) Is a founding member of PCI SSC
d) Is not also a merchant
a) Controls or could impact the security of another entity's cardholder data
Which of the following are examples of service providers?
(choose all that apply)
a) Data Center hosting providers
b) Telecom providers (communication link only)
c) Payment Gateways
d) ISOs
a) Data Center hosting providers
c) Payment Gateways
d) ISOs
Which of the following are parts of the Payment Brand role?
(Select all that apply)
a) Offer training for QSAs, PA-QSA and ASVs
b) Endorse QSA, PA-QSA and ASV company qualification criteria
c) Develop and enforce compliance programs
d) Accept validation documentation from QSAs, PA-QSA and ASVs
b) Endorse QSA, PA-QSA and ASV company qualification criteria
c) Develop and enforce compliance programs
d) Accept validation documentation from QSAs, PA-QSA and ASVs
Merchant obligations may include submitting their compliance status to multiple entities.
a) True
b) False
a) True
The decision about a merchant's level is made by the:
a) Merchant's acquirer
b) Merchant's QSA
c) Merchant
d) Payment Brands
a) Merchant's acquirer
Level 1 and 2 merchants must include ______________ as part of their PCI DSS compliance validation reporting process?
a) A report from their QSA
b) sensitive authentication data (SAD)
c) ASV scan results
d) A copy of their risk assessment
c) ASV scan results
Which SAQ best applies to the entities below? (Assume that none of the entities store any cardholder data electronically)
Service provider using only web-based virtual terminal
MO/TO merchant with all payment functions outsourced to a compliant service provider
Merchant with standalone payment application connected to the internet
Merchant with only card-present dial-out terminals
Service provider using only web-based virtual terminal
SAQ D
MO/TO merchant with all payment functions outsourced to a compliant service provider
SAQ A
Merchant with standalone payment application connected to the internet
SAQ C
Merchant with only card-present dial-out terminals
SAQ B
Which SAQ best applies to the entities below? (Assume that none of the entities store any cardholder data electronically)
Merchant who is using a validated P2PE solution listed on the PCI SSC website
An online merchant with a payment page that accepts cardholder data, but transmits the data to a PCI DSS-compliant service provider
An online merchant that displays a PCI DSS-compliant service provider's payment page in an iframe, with all page content served by the PSP
Merchant using an end-to-end encryption (E2EE) solution that utilizes PCI PTS-approved POI devices which communicate with the acquirer over an IP network
Merchant who is using a validated P2PE solution listed on the PCI SSC website
SAQ P2PE
An online merchant with a payment page that accepts cardholder data, but transmits the data to a PCI DSS-compliant service provider
SAQ-A-EP
An online merchant that displays a PCI DSS-compliant service provider's payment page in an iframe, with all page content served by the PSP
SAQ-A
Merchant using an end-to-end encryption (E2EE) solution that utilizes PCI PTS-approved POI devices which communicate with the acquirer over an IP network
SAQ B-IP
Which of the following could PA-DSS apply to?
a) Custom payment application endorsed by the PCI SSC
b) Third-party payment application designed for one company
c) Third-party, "off-the-shelf" payment application
d) Custom payment application used by one company
c) Third-party, "off-the-shelf" payment application
The presumption of P2PE is that:
a) The data cannot be decrypted between the source and the destination points
b) The data can never be decrypted
c) The data can be decrypted between the source and the destination points
d) Any entity in possession of the ciphertext can easily reverse the encryption process
a) The data cannot be decrypted between the source and the destination points
Merchants using P2PE solutions are still required to validate to PCI DSS.
a) True
b) False
a) True
Which entity is responsible for developing and enforcing compliance programs?
a) Issuers
b) Acquirers
c) PCI SSC
d) Payment card brands
d) Payment card brands
Which entity is responsible for forensic investigations of account data compromise?
a) Payment brands
b) QSA/ISA
c) PCI SSC
d) QIR
a) Payment brands
Account data consists of _______________ and _________________?
a) Cardholder Names, PANs
b) PANs, PINs
c) Cardholder Data, PANs
d) Cardholder Data, Sensitive Authentication Data
d) Cardholder Data, Sensitive Authentication Data