PCI-DSS Fundamentals questions & answer 2023
Methods for stealing payment card data include:
a) Weak passwords
b) Malware
c) Physical skimming
d) All of the options are correct
Answer: d) All of the options are correct

The PCI DSS applies to:
a) Any entity that stores, processes, or transmits payment card account data
b) Service providers only
c) Merchants only
d) Merchants and third-party processors (TPPs) only
Answer: a) Any entity that stores, processes, or transmits payment card account data

The P2PE standard covers:
a) Secure payment applications for processing transactions
b) Encryption, decryption, and key management requirements for point-to-point encryption solutions
c) Physical security requirements for manufacturing payment cards
d) Mechanisms used to protect the PIN and encrypted PIN blocks
Answer: b) Encryption, decryption, and key management requirements for point-to-point encryption solutions

The standard for validating off-the-shelf payment applications used in authorization and settlement is:
a) PCI P2PE
b) PA-DSS
c) PCI PTS
d) PCI DSS
Answer: b) PA-DSS

Merchants using PA-DSS validated payment applications are automatically PCI DSS compliant.
a) True
b) False
Answer: b) False

Which of the below functions is associated with acquirers?
a) Provide settlement services to a merchant
b) Provide clearing services to a merchant
c) Provide authorization services to a merchant
d) All of the options
Answer: d) All of the options

Which of the following entities ultimately approves a purchase?
a) Issuer
b) Acquirer
c) Payment transaction gateway
d) Merchant
Answer: a) Issuer

In which step does the payment brand network provide complete reconciliation to the merchant's bank?
a) Settlement
b) Authorization
c) Approval
d) Clearing
Answer: d) Clearing

A company that _____________________ is considered to be a service provider.
a) Controls or could impact the security of another entity's cardholder data
b) Is a payment card brand
c) Is a founding member of PCI SSC
d) Is not also a merchant
Answer: a) Controls or could impact the security of another entity's cardholder data

Which of the following are examples of service providers? (Choose all that apply.)
a) Data center hosting providers
b) Telecom providers (communication link only)
c) Payment gateways
d) ISOs
Answer: a) Data center hosting providers; c) Payment gateways; d) ISOs

Which of the following are parts of the payment brand role? (Select all that apply.)
a) Offer training for QSAs, PA-QSAs and ASVs
b) Endorse QSA, PA-QSA and ASV company qualification criteria
c) Develop and enforce compliance programs
d) Accept validation documentation from QSAs, PA-QSAs and ASVs
Answer: b) Endorse QSA, PA-QSA and ASV company qualification criteria; c) Develop and enforce compliance programs; d) Accept validation documentation from QSAs, PA-QSAs and ASVs

Merchant obligations may include submitting their compliance status to multiple entities.
a) True
b) False
Answer: a) True

The decision about a merchant's level is made by the:
a) Merchant's acquirer
b) Merchant's QSA
c) Merchant
d) Payment brands
Answer: a) Merchant's acquirer

Level 1 and 2 merchants must include ______________ as part of their PCI DSS compliance validation reporting process.
a) A report from their QSA
b) Sensitive authentication data (SAD)
c) ASV scan results
d) A copy of their risk assessment
Answer: c) ASV scan results

Which SAQ best applies to the entities below? (Assume that none of the entities store any cardholder data electronically.)
- Service provider using only a web-based virtual terminal: SAQ D
- MO/TO merchant with all payment functions outsourced to a compliant service provider: SAQ A
- Merchant with a standalone payment application connected to the Internet: SAQ C
- Merchant with only card-present dial-out terminals: SAQ B

Which SAQ best applies to the entities below? (Assume that none of the entities store any cardholder data electronically.)
- Merchant using a validated P2PE solution listed on the PCI SSC website: SAQ P2PE
- Online merchant with a payment page that accepts cardholder data but transmits the data to a PCI DSS-compliant service provider: SAQ A-EP
- Online merchant that displays a PCI DSS-compliant service provider's payment page in an iframe, with all page content served by the PSP: SAQ A
- Merchant using an end-to-end encryption (E2EE) solution with PCI PTS-approved POI devices that communicate with the acquirer over an IP network: SAQ B-IP

Which of the following could PA-DSS apply to?
a) Custom payment application endorsed by the PCI SSC
b) Third-party payment application designed for one company
c) Third-party, "off-the-shelf" payment application
d) Custom payment application used by one company
Answer: c) Third-party, "off-the-shelf" payment application

The presumption of P2PE is that:
a) The data cannot be decrypted between the source and the destination points
b) The data can never be decrypted
c) The data can be decrypted between the source and the destination points
d) Any entity in possession of the ciphertext can easily reverse the encryption process
Answer: a) The data cannot be decrypted between the source and the destination points

Merchants using P2PE solutions are still required to validate to PCI DSS.
a) True
b) False
Answer: a) True

Which entity is responsible for developing and enforcing compliance programs?
a) Issuers
b) Acquirers
c) PCI SSC
d) Payment card brands
Answer: d) Payment card brands

Which entity is responsible for forensic investigations of account data compromise?
a) Payment brands
b) QSA/ISA
c) PCI SSC
d) QIR
Answer: a) Payment brands

Account data consists of _______________ and _________________?
a) Cardholder names, PANs
b) PANs, PINs
c) Cardholder data, PANs
d) Cardholder data, sensitive authentication data
Answer: d) Cardholder data, sensitive authentication data
Document information
- Written for: PCI DSS course
- Uploaded on: December 29, 2022
- Number of pages: 7
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers