PCI-DSS (Payment Card Industry Data Security Standard) Implementation Quiz Questions and Answers

The use of WEP as a security control was prohibited as of June 30, 2010 - true or false?

Answer :
  • True

Explanation :

Requirement 4.1.1 requires security for wireless networks, including the use of industry best practices (such as IEEE 802.11i), for any wireless networks transmitting cardholder data or connected to the cardholder data environment. As of June 30, 2010

According to Requirement 11.1, wireless scanning must be performed at all locations connected to the cardholder data environment. How often must the scan occur?

Answer :
  • Quarterly

Explanation :

Detection and identification of wireless access points must occur at least quarterly, and this requirement applies to ALL locations, including those where no authorized wireless technologies are deployed. Quarterly wireless scanning must be performed at all locat
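As an added example (not part of the original quiz), the following Python script shows the kind of check that Requirements 4.1.1 and 11.1 above call for: it parses a wireless survey, compares each detected access point against an inventory of authorized BSSIDs, and flags WEP-protected access points as well as unknown ones, including an unknown AP that advertises an authorized SSID. The scan text is constructed in the style of `iw dev wlan0 scan` output (indentation simplified) and the inventory is hypothetical; neither is a real capture.

```python
import re

# Constructed sample in the style of `iw dev wlan0 scan` output (hypothetical
# BSSIDs/SSIDs, indentation simplified). Not a real capture.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    SSID: STORE-POS
    capability: ESS Privacy ShortSlotTime (0x0411)
    RSN: * Version: 1
     * Group cipher: CCMP
     * Pairwise ciphers: CCMP
     * Authentication suites: PSK
BSS 66:77:88:99:aa:bb(on wlan0)
    SSID: STORE-LEGACY
    capability: ESS Privacy ShortSlotTime (0x0411)
BSS cc:dd:ee:ff:00:11(on wlan0)
    SSID: FreeWiFi
    capability: ESS ShortSlotTime (0x0401)
BSS 22:33:44:55:66:77(on wlan0)
    SSID: STORE-POS
    capability: ESS Privacy ShortSlotTime (0x0411)
    WPA: * Version: 1
     * Group cipher: TKIP
"""

# Hypothetical inventory of authorized access points: BSSID -> SSID.
AUTHORIZED = {"00:11:22:33:44:55": "STORE-POS"}

BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


def parse_scan(text):
    """Split scan output into one dict per access point."""
    aps, cur = [], None
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "",
                   "privacy": False, "rsn": False, "wpa": False}
            aps.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("SSID:"):
            cur["ssid"] = line[len("SSID:"):].strip()
        elif line.startswith("capability:"):
            # The Privacy bit means encryption is in use; which kind is
            # determined by the RSN (WPA2/WPA3) or WPA information elements.
            cur["privacy"] = "Privacy" in line
        elif line.startswith("RSN:"):
            cur["rsn"] = True
        elif line.startswith("WPA:"):
            cur["wpa"] = True
    return aps


def classify_security(ap):
    if not ap["privacy"]:
        return "OPEN"
    if ap["rsn"]:
        return "WPA2/WPA3"
    if ap["wpa"]:
        return "WPA"
    # Privacy set but neither an RSN nor a WPA element present: legacy WEP.
    return "WEP"


def audit(text, authorized):
    """Return one result per AP with its security type and any issues found."""
    results = []
    authorized_ssids = set(authorized.values())
    for ap in parse_scan(text):
        sec = classify_security(ap)
        issues = []
        if ap["bssid"] not in authorized:
            issues.append("unauthorized AP")
            if ap["ssid"] in authorized_ssids:
                issues.append(f"spoofs authorized SSID {ap['ssid']}")
        if sec == "WEP":
            issues.append("WEP prohibited (Req 4.1.1)")
        results.append({"bssid": ap["bssid"], "ssid": ap["ssid"],
                        "security": sec, "issues": issues})
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_SCAN, AUTHORIZED):
        status = "OK" if not r["issues"] else "; ".join(r["issues"])
        print(f"{r['bssid']}  {r['ssid']:<14} {r['security']:<10} {status}")
```

Neighbouring businesses' access points will also show up as "unauthorized AP"; the comparison against the inventory is what turns a raw survey into a list that can be dispositioned and kept as quarterly evidence, and the WEP and SSID-spoofing flags are the findings that need action before the next scan.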

Track data cannot be stored in a payment application after authorization.

Answer :
  • True

Explanation :

Do not store sensitive authentication data after authorization (even if encrypted). Sensitive authentication data consists of magnetic stripe (or track) data, card validation code or value, and PIN data. Storage of sensitive authentication data after aut

Sensitive authentication data can be stored after authorization. However, prior to authorization, sensitive authentication data such as track 2 data can be stored as long as it is encrypted.

Answer :
  • FALSE

Explanation :

PA-DSS 2.0 Req 1.1.1: After authorization, do not store the full contents of any track from the magnetic stripe (located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, tra
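The two explanations above describe what must not be present in storage after authorization. As an added example (not from the original quiz or from any PCI SSC material), this Python scanner checks post-authorization records for full track 1 / track 2 data and labelled card verification values, which are prohibited outright, and separately reports clear-text PANs, which may be stored but must be rendered unreadable. The records are constructed sample log lines using published test card numbers; the field names and values are hypothetical.

```python
import re
from dataclasses import dataclass

# Magnetic-stripe track layouts (ISO/IEC 7813):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(?P<pan>\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=\d{4}[^?]*\?")
# A bare 13-19 digit run not adjacent to other digits; filtered by Luhn below.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Card verification values are only findable when labelled; 3-4 digits alone are not.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits):
    """Luhn check digit test, used to drop numeric fields that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """First six and last four digits, so the report itself does not expose PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    record_no: int
    kind: str          # "track1", "track2", "cvv" or "pan"
    masked_pan: str
    prohibited: bool   # sensitive authentication data: never storable post-auth


def scan_record(record_no, line):
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_valid(m.group("pan")):
                findings.append(Finding(record_no, kind, mask_pan(m.group("pan")), True))
    if CVV_RE.search(line):
        findings.append(Finding(record_no, "cvv", "", True))
    # Bare PANs may be stored if rendered unreadable (PCI DSS Req 3.4), so they
    # are reported for review rather than as violations. PANs already reported
    # inside a track are not repeated.
    seen = {f.masked_pan for f in findings if f.kind.startswith("track")}
    for m in PAN_RE.finditer(line):
        pan = m.group(1)
        if luhn_valid(pan) and mask_pan(pan) not in seen:
            findings.append(Finding(record_no, "pan", mask_pan(pan), False))
    return findings


def scan_records(records):
    findings = []
    for i, line in enumerate(records, start=1):
        findings.extend(scan_record(i, line))
    return findings


def summarize(records):
    f = scan_records(records)
    return {
        "prohibited_records": sorted({x.record_no for x in f if x.prohibited}),
        "pan_records": sorted({x.record_no for x in f if x.kind == "pan"}),
    }


# Constructed post-authorization records using published test PANs; the field
# names and values are hypothetical, not from any real payment application.
SAMPLE_RECORDS = [
    "auth_id=1001 result=APPROVED track2=;4111111111111111=25121010000012345678? amount=42.10",
    "DEBUG swipe raw=%B5555555555554444^DOE/JANE^2603101000000000000000? terminal=T7",
    "auth_id=1003 result=APPROVED pan=411111******1111 amount=9.99",
    "order=4111111111111112 status=shipped",
    "auth_id=1005 pan=4111111111111111 cvv2=123 exp=2512",
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        flag = "PROHIBITED" if f.prohibited else "review"
        print(f"record {f.record_no}: {f.kind:<6} {f.masked_pan:<18} {flag}")
```

Run against the constructed records, records 1, 2 and 5 are flagged as prohibited (track 2 in a settled transaction, track 1 in a debug log, and a labelled CVV2), record 5 is additionally listed for PAN protection review, and records 3 and 4 are clean because the truncated PAN and the Luhn-invalid order number are not matched. Encrypting the stored track would not change the result, which is the point of Req 1.1.1: the data may not be kept at all.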

Starting January 1, 2012, merchants will have to validate their CDE against PCI DSS 2.0. As a result, payment card software validated against PA-DSS 1.2.1 will no longer be valid after December 31, 2011.

Answer :
  • FALSE

Explanation :

Payment software validated to PA-DSS 1.2.1 can still be used as long as its validation has not yet expired and no modifications have been made to the payment application covered in the RoV. For example, for software PA-DSS validated on December 1, 2009, the expiry will

A customer is using an operating system (OS) that is no longer supported by the OS vendor. However, the payment vendor can PA-DSS validate the payment product on the unsupported OS using compensating controls, which is allowed under the rules of PA-DSS.

Answer :
  • FALSE

Explanation :

If an OS is no longer supported by the OS vendor, an application cannot be PA-DSS validated against it. Unlike PCI DSS, PA-DSS does not allow compensating controls.

Visa and MasterCard support a closed-loop network because they are responsible for issuing and providing authorization.

Answer :
  • FALSE

Explanation :

Visa and MasterCard operate open-loop networks: they neither issue cards nor authorize transactions; the issuing banks do both.

If a payment product operates in the customer's CDE in such a way that it never stores, processes or handles credit card data, PA-DSS is not in scope. Examples include products that only process loyalty cards.

Answer :
  • True

Explanation :

Only payment card account data (i.e. PAN and track data) is in scope.

What is the name of the organization accepting the payment card for payment during a purchase?

Answer :
  • Merchants

Explanation :

Merchants are the organizations accepting payment cards.

Can service providers control or impact the security of cardholder data?

Answer :
  • True