Exam (elaborations)

PCIP Questions and Answers 2023

Pages: 17
Grade: A+
Uploaded on: 21-07-2023
Written in: 2022/2023

  • PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  • PCI DSS Requirement 3: Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion methods.
  • PCI DSS Requirement 4: Protect cardholder data during transmission over the internet, wireless networks or other open-access networks or systems (GSM, GPRS, etc.).
  • PCI DSS Requirement 5: Use and regularly update anti-virus software or programs.
  • PCI DSS Requirement 6: Develop and maintain secure systems and applications.
  • PCI DSS Requirement 7: Restrict access to cardholder data by business need to know.
  • PCI DSS Requirement 8: Assign a unique ID to each person with computer access.
  • PCI DSS Requirement 9: Restrict physical access to cardholder data.
  • PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data.
  • PCI DSS Requirement 11: Regularly test security systems and processes with wireless scans, vulnerability scans, log audits and ASV (Approved Scanning Vendor) scans.
  • PCI DSS Requirement 12: Maintain a policy that addresses information security for all personnel.
  • ASV (Approved Scanning Vendor): Company approved by the PCI SSC to conduct external vulnerability scanning services.
  • PCI Data Security Standard (PCI DSS): Covers the security of the environments that store, process or transmit account data. Environments receive account data from payment applications and other sources (e.g. acquirers).
  • PCI Payment Application Data Security Standard (PCI PA-DSS): Covers secure payment applications to support PCI DSS compliance. Applies to third-party payment applications if the application performs authorization and/or settlement (POS, shopping carts, etc.). Ensures a payment application can function in a PCI DSS compliant manner. PA-DSS applications are in scope for PCI DSS. The payment application receives account data from PIN Entry Devices (PED) or other devices and begins the payment transaction.
  • PCI PIN Transaction Security (PCI PTS): Covers device tamper detection, cryptographic processes and other mechanisms to protect the Personal Identification Number (PIN). The encrypted PIN is passed to the payment application or hardware terminal.
  • PCI PTS - PIN Security: Covers secure management, processing and transmission of personal identification number data during online and offline payment card transaction processing.
  • PCI PTS - HSM (Hardware Security Module or Host Security Module): A physically and logically protected hardware device that provides a secure set of cryptographic services, used for cryptographic key-management functions and/or the decryption of account data. Not required by DSS, but may help with the management of keys.
  • PCI Point-to-Point Encryption (PCI P2PE): Covers encryption, decryption and key management within secure cryptographic devices (SCD). Not a requirement, but may result in a reduction of scope.
  • Secure Cryptographic Device (SCD): A set of hardware, software and firmware that implements cryptographic processes (including cryptographic algorithms and key generation) and is contained within a defined cryptographic boundary. Examples of secure cryptographic devices include host/hardware security modules (HSMs) and point-of-interaction devices (POIs) that have been validated to PCI PTS.
  • POI - Point of Interaction: The initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions.
  • PCI Card Production: Covers physical and logical security requirements for systems and business processes associated with card personalization, PIN generation, PIN mailers, and card carriers and distribution.
  • CDE - Cardholder Data Environment: The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
  • Relationship between PTS and PCI DSS: DSS prevents the storage of encrypted PIN blocks. PTS supports the PIN encryption, so there's no overlap.
  • Relationship between PCI DSS and PA-DSS: Payment applications must support and not hinder PCI DSS compliance. PCI DSS requirements are mirrored in many payment application requirements in PA-DSS.
  • Relationship between PCI DSS and P2PE: Incorporates requirements from PIN Transaction Security, PCI DSS, PA-DSS and PCI PIN to protect CHD from the point of capture until it reaches the payment processor. Properly implemented, validated P2PE solutions may help reduce the scope of a merchant's PCI DSS assessment.
  • Payment Processor: Entity engaged by a merchant or other entity to handle payment card transactions on their behalf. While they typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand.
  • CHD - Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
  • PA-DSS applies to: Third-party payment applications, if the application performs authorization and/or settlement (POS, shopping carts, etc.).
  • PA-DSS ensures a payment application functions: In a PCI DSS compliant manner, by supporting the compliance of those that use the application.
  • True or False: Use of a PA-DSS application alone does not guarantee PCI DSS compliance. Answer: True. The assessor must validate that the payment application is installed per the instructions in the PA-DSS Implementation Guide provided by the payment application vendor and in a PCI DSS compliant manner.
  • PTS: Acronym for "PIN Transaction Security". PTS is a set of modular evaluation requirements, managed by the PCI Security Standards Council, for PIN acceptance POI terminals.
  • PTS requirements apply to: Point of Interaction (POI) devices, Encrypting PIN Pads (EPP), Point of Sale devices (POS), Hardware/Host Security Modules (HSM), Unattended Payment Terminals (UPT) and non-PIN entry modules.
  • PTS ensures: Terminals cannot be manipulated or attacked to allow the capture of sensitive authentication data, nor allow access to clear-text PINs or keys.
  • SRED - Secure Read and Exchange Module: The SRED allows terminals to be approved for the secure encryption of cardholder data as part of the P2PE program. PTS has been extended to allow non-PIN entry modules to be evaluated against the SRED module, to allow secure encryption at the point of interaction for non-chip-and-PIN cards.
  • A PCI DSS assessor must validate that the payment application is installed: Per the PA-DSS Implementation Guide and in a PCI DSS compliant manner.
  • There are two types of devices addressed by PTS: Point of Interaction (POI) and Hardware Security Modules (HSM).
  • Points of Interaction are broken into 3 device types: 1. Attended POS devices such as cash registers. 2. Encrypting PIN pads for use in unattended environments such as ATMs. 3. Unattended payment terminals such as automated fuel dispensers and kiosks.
  • PIN (Personal Identification Number) security: Comprised of secure management, processing and transmission of PIN data during online and offline payment card transaction processing, such as at POS terminals (attended or unattended) and ATMs.
  • P2PE - Point-to-Point Encryption: Using a P2PE hardware-to-hardware solution may reduce the scope of the cardholder data environment.
  • P2PE addresses merchants who: Do not store or decrypt encrypted data within their environment and who use validated solutions consisting of hardware-based encryption and third-party hardware-based encryption.

Institution: PCIP
Course: PCIP

Contains: Questions & answers

Subjects

  • pci data securi
