100% satisfaction guarantee Immediately available after payment Both online and in PDF No strings attached
logo-home
PCI ISA Fundamentals Questions and Answers 100% Solved $12.99   Add to cart

Exam (elaborations)

PCI ISA Fundamentals Questions and Answers 100% Solved

 4 views  0 purchase
  • Course
  • Pci
  • Institution
  • Pci

PCI ISA Fundamentals

Preview 4 out of 89  pages

  • October 31, 2024
  • 89
  • 2024/2025
  • Exam (elaborations)
  • Questions & answers
  • Pci
  • Pci
avatar-seller
jw638729
PCI ISA Fundamentals

Methods identified as being used to remove stolen data from the environments: -
answer- Use of stolen credentials to access the POS environment
- Outdated patches or poor system patching processes
- The use of default or static vendor credentials / brute force
- POS skimming malware being installed on POS controllers
- POI physical skimming devices

95% of breaches feature - answer The use of stolen credentials leveraging vendor
remote access to hack into customers POS environments.

Skimming - answerCopying payment card numbers either by tampering with:

- POS Devices
- ATMs
- Kiosks

Or by copying the card's magnetic stripe manually using handheld skimmers.

Phishing - answerReconnaissance
- Information gathering from various online sources and social networking sites
- Business applications and software

Social Engineering
- Phishing emails or messages coming from a target's social network
- Phone call from an assumed known entity

Break-In
- Delivery through email
- Software vulnerabilities

Common methods for monetizing stolen card data: - answer- Skimmed full track data
and transaction information used to replicate a physical payment card, which can then
be used for fraudulent transactions in face-to-face environments, or ATM transactions

- Captured cardholder data is used where card-not-present transactions are accepted,
such as e-commerce or mail-order / telephone order (MO/TO) transactions

- Stolen cardholder data and sensitive authentication data are sold in bulk to other
criminals who perform their own fraud using the stolen data

Commonly targeted industries - answer- Retail - 45% of breaches

,- Food and Beverage - 24% of breaches
- Hospitality - 9% of breaches
- Financial Services - 7% of breaches
- Nonprofit - 3%

PCI SSC founding payment brands include: - answer- American Express
- Discover Financial
- JCB International
- MasterCard
- Visa, Inc.

PCI DSS: - answerCovers security of the environments that store, process, or transmit
account data

- Environments receive account data from payment applications and other sources
(e.g., acquirers)

PCI PA-DSS - answerCovers secure payment applications to support PCI DSS
compliance

Payment application receives account data from PIN-entry devices (PEDs) or other
devices and begins payment transaction

PCI P2PE - answerCovers encryption, decryption, and key management requirements
for point-to-point encryption solutions

PCI PTS - POI - answerCovers the protection of sensitive data at point-of-interaction
devices and their secure components, including cardholder PINs and account data, and
the cryptographic keys used in connection with the protection of that cardholder data

PCI PTS - PIN Security - answerCovers secure management, processing and
transmission of personal identificationnumber (PIN) data during online and offline
payment card transaction processing

PCI PTS - HSM - answerCovers physical, logical and device security requirements for
securing Hardware Security
Modules (HSM)

PCI Card Production - answerCovers physical and logical security requirements for
systems and business processes

PA-DSS applies to third party payment applications if? - answerAn application performs
authorization and/or settlement (POS, shopping carts, etc.)

PA-DSS ensures a payment application can function in a PCI DSS compliant manner -
answer- To support the PCI DSS compliance of those that use the application

,- Use of a PA-DSS application alone does not guarantee PCI DSS compliance

Are PA-DSS applications in scope for PCI DSS? - answerYes

PA DSS assessor must validate that payment application is installed: - answer- Per
instructions in the PA-DSS Implementation Guide provided by payment application
vendor
- In a PCI DSS compliant manner

A PCI P2PE solution must include all of the following: - answer- Secure encryption of
payment card data at the point-of-interaction (POI)
- Validated application(s) at the point-of-interaction
- Secure management of encryption and decryption devices
- Management of the decryption environment and all decrypted account data
- Use of secure encryption methodologies and cryptographic key operations, including
key generation, distribution, loading/injection, administration and usage

Merchants may be able to reduce their PCI DSS scope when using Council-listed P2PE
solutions - answer- Merchant has no access to account data within encryption device
(POI) or decryption environment (at Solution Provider)

- Merchant has no involvement in encryption or decryption operations, or cryptographic
key management

- All cryptographic operations managed by third party Solution Provider

PTS requirements apply to: - answerPoint of Interaction (POI) devices; Encrypting PIN
Pads (EPP); Point of Sale devices (POS); Hardware (or host) Security Modules (HSMs);
Unattended Payment Terminals, (UPTs) and non-PIN Entry module

The PTS program ensures - answerTerminals cannot be manipulated or attacked to
allow the capture of Sensitive Authentication data, nor allow access to clear-text PINs or
Keys

The Secure Read and Exchange Module, (SRED) - answerAllows terminals to be
approved for the secure encryption of cardholder data as part of the Point to Point
Encryption program

PTS has been extended to allow - answerNon-PIN entry modules to be evaluated
against the SRED module to allow secure encryption at the point of interaction for non-
chip and PIN cards

PCI PIN Security Requirements - answerThese requirements provide for secure PIN:
- management
- processing
- transmission

, Protection of personal identification number (PIN) data during online and offline
payment card transaction processing at:
- ATMs
- attended point-of-sale (POS) terminals
- unattended point-of-sale (POS) terminals

The requirements also provide guidance on key management and key handling
associated with the PIN

PCI PTS - POI and PCI DSS - answer- PCI DSS requires that account data be
protected both when stored and when transmitted across open, public networks
- PCI PTS POI validates how POIs protect PIN and account data and manage
cryptographic keys
- PCI PTS POI-approved devices may form part of a PCI DSS-compliant environment

PCI PTS - PIN Security Standard and PCI DSS - answer- PCI DSS prohibits storage of
encrypted PIN blocks
- No overlap

PCI Card Production and PCI DSS - answer- No overlap
- Procedures for assessing card production facilities are defined and managed by the
payment brands, not by PCI SSC

PCI PTS - HSM and PCI DSS - answer- PCI DSS requires that stored cardholder data
be protected and cryptographic keys be managed in a secure manner
- Use of a Hardware Security Module is not required by PCI DSS, but may help with
handling and managing keys used to protect stored cardholder data

Payment Industry Terminology - answerCardholder
- Customer purchasing goods either as a "Card Present" or "Card Not Present"
transaction
- Receives the payment card and bills from the issuer
Issuer
- Bank or other organization issuing a payment card on behalf of a Payment Brand (e.g.
MasterCard & Visa)
- Payment Brand issuing a payment card directly (e.g. Amex, Discover, JCB)
Merchant
- Organization accepting the payment card for payment during a purchase
Acquirer
- Bank or entity the merchant uses to process their payment card transactions
- Receive authorization request from merchant and forward to Issuer for approval
- Provide authorization, clearing and settlement services to merchants

Acquirer is also called:
- Merchant Bank

The benefits of buying summaries with Stuvia:

Guaranteed quality through customer reviews

Guaranteed quality through customer reviews

Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.

Quick and easy check-out

Quick and easy check-out

You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.

Focus on what matters

Focus on what matters

Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!

Frequently asked questions

What do I get when I buy this document?

You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.

Satisfaction guarantee: how does it work?

Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.

Who am I buying these notes from?

Stuvia is a marketplace, so you are not buying this document from us, but from seller jw638729. Stuvia facilitates payment to the seller.

Will I be stuck with a subscription?

No, you only buy these notes for $12.99. You're not tied to anything after your purchase.

Can Stuvia be trusted?

4.6 stars on Google & Trustpilot (+1000 reviews)

79373 documents were sold in the last 30 days

Founded in 2010, the go-to place to buy study notes for 14 years now

Start selling
$12.99
  • (0)
  Add to cart