PCI Compliance Test! Trivia Quiz
(106).jpg "PCI Compliance Test! Trivia Quiz - Quiz")
Below is a PCI compliance test! If you want to pay your bill using your credit or debit card, you want to know that your information will not be used for other reasons other than the transactions you have verified to do. Take this quiz and get to see some of the major PCI guidelines and how effective they actually are.
Questions and Answers
- 1.
A commercial payment product has been PA-DSS 1.2.1 validated by a PA-QSA. It is also listed on the PCI Security Standards Council Website as a validated payment application. As a result, the product is guaranteed to be PCI-DSS compliant when deployed in the merchant’s environment.
- A.
True
- B.
False
Correct Answer
B. FalseExplanation
Payment application vendors can only state in the engagement contracts that products are PA-DSS validated when installed correctly in the customers CDE. Vendor can not guarantee that merchants who use vendor payment products will be PCI-DSS validated since a ‘PASS’ PCI-DSS report of compliance (RoC) is at the discretion of the merchant QSA.Rate this question:
-
- 2.
Track Data can not be stored in a payment application after authorization.
- A.
True
- B.
False
Correct Answer
A. TrueExplanation
Do not store sensitive authentication data after authorization (even if encrypted). Sensitive authentication data consists of magnetic stripe (or track) data6, card validation code or value7, and PIN data8. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactionsRate this question:
-
- 3.
A customer is using an operating system (OS) that is no longer supported by the OS vendor. However, payment vendor can PA-DSS validate payment product on the unsupported OS using compensating controls which is allowed under the rules of PA-DSS
- A.
True
- B.
False
Correct Answer
B. FalseExplanation
If an OS is no longer supported by an OS vendor, an application can not be PA-DSS validated against it. PA-DSS does not allow compensating controls.Rate this question:
-
- 4.
It is acceptable to store the PAN# in clear text as long as the PAN# is purged after authorization.
- A.
True
- B.
False
Correct Answer
B. FalseExplanation
Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and proceduresRate this question:
-
- 5.
Strong passwords are used to mitigate brute force attacks. Typically strong passwords are at least 7 characters long, contain alpha, numeric, special and upper lower case
- A.
True
- B.
False
Correct Answer
A. TrueExplanation
Require a minimum password length of at least seven charactersRate this question:
-
- 6.
Encryption key management is an optional PA-DSS requirement to be used only if the customer requests encryption requirements above and beyond PCI.
- A.
True
- B.
False
Correct Answer
B. FalseExplanation
Payment application must implement key
management processes and procedures for
cryptographic keys used for encryption of
cardholder dataRate this question:
-
- 7.
Starting January 1, 2012, merchants will have to validate their CDE to PCI-DSS 2.0. As a result, payment software validated against PA-DSS 1.2.1 will no longer be valid after December 31, 2011.
- A.
True
- B.
False
Correct Answer
B. FalseExplanation
Payment software validated validated to PA-DSS 1.2.1 software can still be used as long as it has not yet expired and no modifcations have been made to the paymemt application covered in the RoV. For example, for software PA-DSS validated on December 1, 2009, the expiry will be December 1, 2012 if the validated software has not changed from a PCI requirements point of view.Rate this question:
-
- 8.
If a payment product is deployed in such away at the customers CDE, that the payment product never stores,processes or handles credit card data, PA-DSS is not in scope. Examples of this include products that only process loyalty cards.
- A.
True
- B.
False
Correct Answer
A. TrueExplanation
Only card holder data (i.e. PAN and track data) is in PCI scope.Rate this question:
-
- 9.
A PA-DSS policy exception should be used to document a security breach when card data is stolen.
- A.
True
- B.
False
Correct Answer
B. FalseExplanation
A payment vendor PA-DSS policy exception should be used when a customer can not meet PA-DSS requirements due to business, operational or technical constraints. For example, disable PAN encryption at the PIN PAD to perform transaction troubleshooting. A policy exception is used to state to the customer, that a risk of a card breach is increased, not that a breach has already occured.Rate this question:
-
- 10.
A PCI pre-engagement check list form is used to determine if a payment vendor's PA-DSS validated application can meet the PCI-DSS requirements of a merchant customer. For example, determine if the customer is using an OS that the vendor's payment application was PA-DSS validated against.
- A.
True
- B.
False
Correct Answer
A. TrueExplanation
The main purpose of PA-DSS validation from a customers point of view is liability shift. When installed correctly in the customers CDE as per the payment vendors installation guide, card fraud liability shifts from the merchants PCI-DSS to the payment vendors PA-DSS if a forensic audit proves that the vendors payment application was at fault.Rate this question:
-
Quiz Review Timeline +
Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.
-
Current Version
-
Mar 22, 2023Quiz Edited by
ProProfs Editorial Team -
Nov 01, 2011Quiz Created by
Ajbsoftware
Back to top