
PCIP - Payment Card Industry Professional Certification

Number: 101
Passing Score: 800
Time Limit: 90 min
File Version: 1.0

The PCI SSC Payment Card Industry Professional (PCIP) Program provides a foundational
credential for industry practitioners who demonstrate their professional knowledge and understanding
of PCI SSC standards (PCI Standards) and supporting materials. The PCI Security Standards
Council, LLC (PCI SSC) sponsors this qualification and serves as an impartial, third-party evaluator
of each candidate's knowledge and understanding of PCI Standards. PCI SSC is an open global
forum for the ongoing development, enhancement, storage, dissemination and implementation of
security standards for account data protection.

Exam A
QUESTION 1
Which of the following items are included in the Compensating Controls worksheet?
A. Constraints, assumptions, identified risks and definition of compensating controls
B. Constraints, objectives, identified risks and definition of compensating controls
C. Constraints, assumptions, mitigated risks and definition of compensating controls
D. Constraints, objectives, mitigated risks and maintenance
E. None of the above items are included in the Compensating Controls worksheet.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Constraints, objectives, identified risk, definition of compensating controls, validation of compensating
controls and maintenance are all requirements from Appendix C of the PCI Data Security Standard.
QUESTION 2
Which of the following items CANNOT be stored?
A. Cardholder name
B. Service code
C. PIN
D. Personal Account Number
E. All of the above items may be stored
F. None of the above items may be stored

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
PCI Data Security Standard page 8 tells us that cardholder name, service code, Personal Account Number
and expiration date may be stored.
Full magnetic stripe data, CAV2/CVC2/CVV2/CID and PIN/PIN block cannot be stored per Requirement 3.2.
QUESTION 3
The process of isolating the cardholder data environment from the remainder of an entity's network is called:
A. Network segmentation
B. Network virtualization
C. Data isolation
D. Access controls
E. None of the above is correct

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
PCI Data Security Standard page 10 states that network segmentation is not a requirement but is strongly
recommended.

QUESTION 4
For those entities that outsource storage, processing or transmission of cardholder data to third-party service
providers, which of the following must be completed?
A. Report on Compliance (ROC)
B. PCI Forensics Investigation
C. Compensating Controls worksheet
D. All of the above
E. Since the processes have been outsourced, there is no further compliance obligation

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Per the PCI Data Security Standard page 11, a Report on Compliance must document the role of each service
provider.
QUESTION 5
Which of the following is NOT a part of the Report on Compliance (ROC)?
A. Executive summary
B. Contact information and report date
C. Findings and observations
D. All of the above are required
E. None of the above are required

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The Report on Compliance (ROC) includes (1) executive summary, (2) description of scope of work and
approach taken, (3) details about the reviewed environment, (4) contact information and report date, (5) quarterly
scan results and (6) findings and observations. This information is in the PCI Data Security Standard pages
14-17.
QUESTION 6
The first step of a PCI assessment is to:
A. Define a comprehensive list of stakeholders
B. Assess risk
C. Develop a timeline of the assessment
D. Determine the scope of the review

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Identify all locations and flows and ensure that they are included in scope. This information is in the PCI Data
Security Standard page 10.
QUESTION 7
Steps to reducing the scope of the cardholder data environment may include all items below EXCEPT:
A. Reducing the number of locations where cardholder data is present
B. Eliminate unnecessary data
C. Purge all data that is older than 1 week
D. Consolidation of necessary data
E. All the above items are correct

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reducing the number of locations where cardholder data is present, eliminating unnecessary data and
consolidating necessary data are all steps in reducing scope or "Network Segmentation" per the PCI Data
Security Standard page 11.
QUESTION 8
Before wireless technology is implemented:
A. Establish all WEP and WPA security keys and disseminate only on a "need to know" basis
B. An entity should carefully evaluate the need for the technology against the risk
C. Run penetration tests on the entity's network
D. Secure the locations of all Wireless Access Points
E. All the above items should be addressed and documented

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The PCI Data Security Standard states on page 11 that an entity should carefully evaluate the need for the
wireless technology against the risk. Also, consider deploying wireless technology only for non-sensitive data
transmission.
QUESTION 9
The P2PE Standard covers:
A. Secure payment applications
B. Mechanisms used to protect the PIN
C. Encryption, decryption, and key management within secure cryptographic devices (SCD)
D. None of the above

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
The PCI DSS applies to any entity that ______________, _______________, or ______________ cardholder
data.
A. stores, processes, transmits
B. accepts, processes, transmits
C. accepts, transacts, processes
D. processes, transmits, transacts
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 11
The PCI DSS standard follows a defined _____________ lifecycle.
A. 12 month
B. 2 year
C. 36 month
D. 48 month

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 12
Which of the functions below is associated with Acquirers?
A. Provide settlement services to a merchant
B. Provide authorization services to a merchant
C. Provide clearing services to a merchant
D. All of the options

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
Which of the following entities will actually approve a purchase?
A. Non-Issuing Merchant Bank
B. Issuing Bank
C. Payment Transaction Gateway
D. Acquiring Bank

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 14
Which of the following lists the correct order for the flow of a payment card transaction?
A. Clearing, Settlement, Authorization
B. Clearing, Authorization, Settlement
C. Authorization, Clearing, Settlement
D. Authorization, Settlement, Clearing

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 15
Service Providers include companies which _____________ or could ______________ the security of cardholder
data.
A. are PCI compliant, prove effective controls for
B. control, impact
C. manage, test
D. control, subrogate

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 16
Cardholder Data may be stored in KNOWN and UNKNOWN locations.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 17
Storing Track Data long-term or persistently may be permitted if _______________.
A. it is being stored by issuers
B. it is reported to the PCI SSC annually in a RoC
C. it is encrypted by the merchant storing it
D. it is hashed by the merchant storing it

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
QUESTION 18
PCI DSS Requirement 3.4 states the PAN must be rendered unreadable when stored, using ___________.
A. Encryption, Truncation, or Obfuscating
B. Hashing, Scrambling, or Encrypting
C. Encryption, Hashing, or Truncation
D. Truncation, Scrambling, or Encrypting

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 19
Requirement 2.2.2 states "Enable only necessary and secure services, protocols, daemons, etc., as required
for the function of the system." Which of the following is considered secure?
A. SSH
B. rlogin
C. Telnet
D. FTP

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 20
When scoping an environment for a PCI DSS assessment, it is important to identify _______________.
A. All flows of cardholder data
B. All of the options
C. Components that store cardholder data
D. Business facilities involved in processing transactions

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 21
Merchants involved with only e-commerce transactions that are completely outsourced to a PCI DSS compliant
service provider would use which SAQ?
A. SAQ C/VT
B. SAQ B
C. SAQ D
D. SAQ A
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 22
Imprint-only merchants with no electronic storage of cardholder data would use which SAQ?
A. SAQ C/VT
B. SAQ B
C. SAQ A
D. SAQ D

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 23
When a Service Provider has been defined by a payment brand as eligible to complete a SAQ, which SAQ is
used?
A. SAQ D
B. SAQ B
C. SAQ A
D. SAQ C

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 24
Information Supplements provided by the PCI SSC may supersede requirements.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 25
If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those
virtualization technologies.
A. False
B. True
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 26
The presumption of P2PE is that cardholder data in transit is protected when it is encrypted to the extent that
an entity in possession of the ciphertext alone can easily reverse the encryption process.
A. False
B. True
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 27
Encrypting account data at the point of capture is one way an entity involved in payment card processing via
mobile devices can actively help in controlling risks to the security of cardholder data.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 28
In order to be considered a compensating control, which of the following must exist?
A. A legitimate technical constraint and a documented business constraint.
B. A legitimate technical constraint.
C. A legitimate technical constraint or a documented business constraint.
D. A documented business constraint.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

QUESTION 29
PCI DSS Requirement 1
A. Install and maintain a firewall configuration to protect cardholder data
B. Do not use vendor-supplied defaults for system passwords and other security parameters
C. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion
methods
D. Protect cardholder data during transmission over the internet, wireless networks or other open access
networks or systems (GSM, GPRS, etc.)
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 30
PCI DSS Requirement 2
A. Install and maintain a firewall configuration to protect cardholder data
B. Do not use vendor-supplied defaults for system passwords and other security parameters
C. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion
methods
D. Protect cardholder data during transmission over the internet, wireless networks or other open access
networks or systems (GSM, GPRS, etc.)
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 31
PCI DSS Requirement 3
A. Install and maintain a firewall configuration to protect cardholder data
B. Do not use vendor-supplied defaults for system passwords and other security parameters
C. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion
methods
D. Protect cardholder data during transmission over the internet, wireless networks or other open access
networks or systems (GSM, GPRS, etc.)
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 32
PCI DSS Requirement 4
A. Install and maintain a firewall configuration to protect cardholder data
B. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion
methods
C. Protect cardholder data during transmission over the internet, wireless networks or other open access
networks or systems (GSM, GPRS, etc.)
D. Use and regularly update anti-virus software or programs
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
PCI DSS Requirement 5
A. Use and regularly update anti-virus software or programs
B. Protect cardholder data during transmission over the internet, wireless networks or other open access
networks or systems (GSM, GPRS, etc.)
C. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion
methods
D. Do not use vendor-supplied defaults for system passwords and other security parameters
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
PCI DSS Requirement 6
A. Use and regularly update anti-virus software or programs
B. Develop and maintain secure systems and applications
C. Assign a unique ID to each person with computer access
D. Restrict access to cardholder data by business need to know

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 35
PCI DSS Requirement 8
A. Assign a unique ID to each person with computer access
B. Restrict physical access to cardholder data
C. Develop and maintain secure systems and applications
D. Use and regularly update anti-virus software or programs

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
QUESTION 36
PCI DSS Requirement 9
A. Use and regularly update anti-virus software or programs
B. Track and monitor all access to network resources and cardholder data
C. Restrict physical access to cardholder data
D. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion
methods

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 37
PCI DSS Requirement 10
A. Track and monitor all access to network resources and cardholder data
B. Regularly test security systems and processes with wireless scans, vulnerability scans, log audits, ASV
(Approved Scanning Vendor)
C. Maintain a policy that addresses information security for all personnel
D. Develop and maintain secure systems and applications
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 38
PCI DSS Requirement 11
A. Maintain a policy that addresses information security for all personnel
B. Regularly test security systems and processes with wireless scans, vulnerability scans, log audits, ASV
(Approved Scanning Vendor)
C. Install and maintain a firewall configuration to protect cardholder data
D. Protect stored cardholder data by enacting a formal data retention policy and implement secure deletion
methods
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 39
PCI DSS Requirement 12
A. Regularly test security systems and processes with wireless scans, vulnerability scans, log audits, ASV
(Approved Scanning Vendor)
B. Restrict physical access to cardholder data
C. Maintain a policy that addresses information security for all personnel
D. Protect stored cardholder data by enacting a formal data retention policy and implementing secure deletion
methods
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 40
What does the PCI Data Security Standard (PCI DSS) cover?
A. Covers the security of the environments that store, process or transmit account data.
Environments receive account data from payment applications and other sources (e.g. acquirers)
B. Covers secure payment applications to support PCI DSS compliance.
Payment application receives account data from PIN Entry Devices (PED) or other devices and begins
payment transaction
C. Covers device tamper detection, cryptographic processes and other mechanisms to protect the Personal
Identification Number (PIN).
Encrypted PIN is passed to payment application or hardware terminal.
D. Covers secure management, processing and transmission of personal identification number data during
online and offline payment card transaction processing
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 41
What is covered by the PCI Payment Application Data Security Standards (PCI PA-DSS)?
A. Covers the security of the environments that store, process or transmit account data.
Environments receive account data from payment applications and other sources (e.g. acquirers)
B. Covers secure payment applications to support PCI DSS compliance.
Payment application receives account data from PIN Entry Devices (PED) or other devices and begins
payment transaction
C. Covers device tamper detection, cryptographic processes and other mechanisms to protect the Personal
Identification Number (PIN).
Encrypted PIN is passed to payment application or hardware terminal.
D. Covers encryption, decryption and key management within secure cryptographic devices (SCD).
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 42
What is covered by PCI PIN Transaction Security (PCI PTS)?
A. Covers encryption, decryption and key management within secure cryptographic devices (SCD).
B. Covers the security of the environments that store, process or transmit account data.
Environments receive account data from payment applications and other sources (e.g. acquirers)
C. Covers device tamper detection, cryptographic processes and other mechanisms to protect the Personal
Identification Number (PIN).
Encrypted PIN is passed to payment application or hardware terminal.
D. Covers secure management, processing and transmission of personal identification number data during
online and offline payment card transaction processing
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 43
What does PCI PIN Security cover?
A. Covers encryption, decryption and key management within secure cryptographic devices (SCD).
B. Covers secure payment applications to support PCI DSS compliance.
Payment application receives account data from PIN Entry Devices (PED) or other devices and begins
payment transaction
C. Covers device tamper detection, cryptographic processes and other mechanisms to protect the Personal
Identification Number (PIN).
Encrypted PIN is passed to payment application or hardware terminal.
D. Covers secure management, processing and transmission of personal identification number data during
online and offline payment card transaction processing
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 44
What does PCI Point-to-Point Encryption (PCI P2PE) cover?
A. Covers encryption, decryption and key management within secure cryptographic devices (SCD).
B. Cardholder Data Environment
C. Covers secure payment applications to support PCI DSS compliance.
Payment application receives account data from PIN Entry Devices (PED) or other devices and begins
payment transaction
D. Covers the security of the environments that store, process or transmit account data.
Environments receive account data from payment applications and other sources (e.g. acquirers)
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

QUESTION 45
A commercial payment product has been PA-DSS 1.2.1 validated by a PA-QSA. It is also listed on the PCI
Security Standards Council website as a validated payment application. As a result, the product is
guaranteed to be PCI-DSS compliant when deployed in the merchant's environment.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Payment application vendors can only state in the engagement contracts that products are PA-DSS validated
when installed correctly in the customer's CDE. The vendor cannot guarantee that merchants who use the vendor's
payment products will be PCI-DSS validated, since a passing PCI-DSS Report on Compliance (RoC) is at the
discretion of the merchant's QSA.
QUESTION 46
Track Data cannot be stored in a payment application after authorization.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Do not store sensitive authentication data after authorization (even if encrypted). Sensitive authentication data
consists of magnetic stripe (or track) data, card validation code or value, and PIN data. Storage of sensitive
authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it
allows them to generate counterfeit payment cards and create fraudulent transactions.
QUESTION 47
A customer is using an operating system (OS) that is no longer supported by the OS vendor. However, the
payment vendor can PA-DSS validate the payment product on the unsupported OS using compensating controls,
which is allowed under the rules of PA-DSS.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
If an OS is no longer supported by an OS vendor, an application cannot be PA-DSS validated against it. PA-DSS does not allow compensating controls.
QUESTION 48
It is acceptable to store the PAN in clear text as long as the PAN is purged after authorization.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs)
by using any of the following approaches:
One-way hashes based on strong cryptography (hash must be of the entire PAN)
Truncation (hashing cannot be used to replace the truncated segment of PAN)
Index tokens and pads (pads must be securely stored)
Strong cryptography with associated key-management processes and procedures
QUESTION 49
Strong passwords are used to mitigate brute force attacks. Typically, strong passwords are at least 7
characters long and contain alphabetic, numeric, special, and upper- and lower-case characters.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Require a minimum password length of at least seven characters.
QUESTION 50
Encryption key management is an optional PA-DSS requirement to be used only if the customer requests
encryption requirements above and beyond PCI.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
The payment application must implement key management processes and procedures for cryptographic keys used
for encryption of cardholder data.
QUESTION 51
Starting January 1, 2012, merchants will have to validate their CDE to PCI-DSS 2.0. As a result, payment
software validated against PA-DSS 1.2.1 will no longer be valid after December 31, 2011.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Payment software validated to PA-DSS 1.2.1 can still be used as long as the validation has not yet
expired and no modifications have been made to the payment application covered in the RoV. For example, for
software PA-DSS validated on December 1, 2009, the expiry will be December 1, 2012 if the validated software
has not changed from a PCI requirements point of view.

QUESTION 52
If a payment product is deployed in such a way in the customer's CDE that the payment product never
stores, processes or handles credit card data, PA-DSS is not in scope. Examples of this include products that
only process loyalty cards.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Only cardholder data (i.e. PAN and track data) is in PCI scope.
QUESTION 53
A PA-DSS policy exception should be used to document a security breach when card data is stolen.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
A payment vendor PA-DSS policy exception should be used when a customer cannot meet PA-DSS
requirements due to business, operational or technical constraints. For example, disabling PAN encryption at the
PIN pad to perform transaction troubleshooting. A policy exception is used to state to the customer that the risk
of a card breach is increased, not that a breach has already occurred.
QUESTION 54
A PCI pre-engagement check list form is used to determine if a payment vendor's PA-DSS validated
application can meet the PCI-DSS requirements of a merchant customer. For example, determine if the
customer is using an OS that the vendor's payment application was PA-DSS validated against.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The main purpose of PA-DSS validation from a customer's point of view is liability shift. When installed correctly
in the customer's CDE as per the payment vendor's installation guide, card fraud liability shifts from the
merchant's PCI-DSS to the payment vendor's PA-DSS if a forensic audit proves that the vendor's payment
application was at fault.
QUESTION 55
A payment application stores the full PAN 1234567890123456 on disk in clear text. When the application
outputs the PAN to a screen or log file it masks the middle 6 digits as 123456******3456. Under the rules of
PA-DSS Req 2 (Protect stored cardholder data), the full clear-text PAN can be stored on disk as long as it is
masked during output.
A. True
B. False

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
As per PCI-DSS Req 3.4, the intent of truncation is that only a portion (not to exceed the first six and last four
digits) of the PAN is stored. This is different from masking, where the whole PAN is stored but the PAN is
masked when displayed (i.e., only part of the PAN is displayed on screens, reports, receipts, etc.).
This requirement relates to protection of PAN when stored in files, databases, etc., and is not to be confused
with Requirement 3.3 for protection of PAN displayed on screens, paper receipts, etc.
QUESTION 56
It is possible for a PA-DSS validated payment application to be annually revalidated without a full PA-QSA-led
report of compliance audit as long as no changes have been made to the application covered by the last report of
validation. However, changes related to security, such as encryption methodology, will trigger a full RoC.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 57
Sensitive authentication data can be stored after authorization. However, prior to authorization, sensitive
authentication data such as track 2 data can be stored as long as it is encrypted.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
PA-DSS 2.0 Req 1.1: Do not store sensitive authentication data after authorization (even if encrypted).
PA-DSS 2.0 Req 1.1.1: After authorization, do not store the full contents of any track from the magnetic stripe
(located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively
called full track, track, track 1, track 2, and magnetic-stripe data.
QUESTION 58
Merchants using EMV (Chip & PIN) to secure their payment transactions are exempt from PCI-DSS
compliance, as demonstrated by VISA's TIPS program. In this program, if 75% of your card transactions are
EMV, you are exempt from the annual PCI-DSS report of compliance.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
While EMV helps to minimize the risk of card fraud, typical EMV equipment still passes card data in the clear to
downstream payment apps. These payment apps still have to be PA-DSS validated.
QUESTION 59
A commercial payment product has been PA-DSS 1.2.1 validated by a PA-QSA. It is also listed on the PCI
Security Standards Council website as a validated payment application. As a result, the product is
guaranteed to be PCI-DSS compliant when deployed in the merchant's environment.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Payment application vendors can only state in the engagement contracts that products are PA-DSS validated
when installed correctly in the customer's CDE. The vendor cannot guarantee that merchants who use the vendor's
payment products will be PCI-DSS validated, since a passing PCI-DSS Report on Compliance (RoC) is at the
discretion of the merchant's QSA.
QUESTION 60
Track Data cannot be stored in a payment application after authorization.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Do not store sensitive authentication data after authorization (even if encrypted). Sensitive authentication data
consists of magnetic stripe (or track) data, card validation code or value, and PIN data. Storage of sensitive
authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it
allows them to generate counterfeit payment cards and create fraudulent transactions.
QUESTION 61
According to Requirement 11.1, wireless scanning must be performed at all locations connected to the
cardholder data environment. How often must the scan occur?
A. Semiannually
B. Annually
C. Quarterly
D. Monthly

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Detection and identification of wireless access points must occur at least quarterly and this requirement is for
ALL locations including those where no authorized wireless technologies are deployed. Quarterly wireless
scanning must be performed at all locations connected to the cardholder data environment.

QUESTION 62
The use of WEP as a security control was prohibited as of June 30, 2010 - true or false?
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Requirement 4.1.1 requires security for wireless networks, including the use of industry best practices (such as
IEEE 802.11i) for any wireless networks transmitting cardholder data or connected to the cardholder
data environment.
As of June 30, 2010, WEP must never be used as a security control since it is not considered strong
cryptography. If WEP is present in the environment, additional technologies must be implemented to provide
the required level of security for both transmission and authentication.
QUESTION 63
If virtualization is used in a CDE, PCI DSS requirements do not apply.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those
virtualization technologies.
Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be
assessed when adopting virtualization in cardholder data environments.
QUESTION 64
Service providers can control or impact the security of cardholder data.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 65
What is the name of the organization accepting the payment card for payment during a purchase?
A. Merchant
B. Issuer
C. Acquirer
D. Payment Brand Network

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Merchants are the organizations accepting payment.
QUESTION 66
Visa and MasterCard support a closed-loop network because they are responsible for issuing and providing
authorization.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Visa and MasterCard support an open-loop network because they neither issue cards nor provide authorization.
QUESTION 67
Visa and MasterCard support an open-loop network because they neither issue cards nor provide authorization
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Visa and MasterCard support an open-loop network because they neither issue cards nor provide authorization
QUESTION 68
What are the three disciplinary actions taken by PCI SSC in case of violation of the Code of Professional
Responsibility?
A. Warning
B. Suspension
C. Fine
D. Revocation
Correct Answer: ABD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 69
Amex, Discover, and JCB International are part of a closed-loop network because they acquire transactions,
and issue cards directly.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Amex, Discover, and JCB International will also acquire those transactions, so by issuing and acquiring, they
are part of a closed-loop network.
QUESTION 70
Cardholder data should never be stored; however, in certain situations the merchant is allowed to store
sensitive cardholder data pre-authorization. In this case the PCI DSS controls should not be applied.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
If the merchant is allowed to store sensitive cardholder data pre-authorization, remember that the controls in
PCI DSS still apply, as well as any additional controls imposed by the acquirer and the card brands.
QUESTION 71
What is the name of the process in which the PAN is replaced by a surrogate value?
A. Compensating control
B. Tokenization
C. PCI DSS PTS
D. Virtualization
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Tokenization is a process by which the primary account number (PAN) is replaced with a surrogate value
called a "TOKEN". De-tokenization is the reverse process of redeeming a token for its associated PAN value.
The security of an individual token relies predominantly on the unfeasibility of determining the original PAN
knowing only the surrogate value.
QUESTION 72
Compensating controls can be used due to:
A. Budget constraints
B. Malicious attacks
C. Legitimate technical or business constraints
D. Legal requirements
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a
requirement explicitly as stated due to legitimate technical or documented business constraints, but has
sufficiently mitigated the risk associated with the requirement through implementation of a compensating
control.
QUESTION 73
Select three key points to be considered for a compensating control:
A. Must meet the intent and rigor of the original PCI DSS requirement
B. The control must not exceed other PCI DSS requirements
C. Must sufficiently offset the risk that the original PCI DSS requirement was designed to defend against
D. Commensurate with additional risk imposed by not adhering to original requirement
Correct Answer: ACD
Section: (none)
Explanation
Explanation/Reference:
First, it must meet the intent and rigor of the original PCI DSS requirement. This is the most important test.
Second, it must sufficiently offset the risk that the original PCI DSS requirement was designed to defend
against. You should look at a compensating control worksheet as a risk assessment. You are doing a risk
assessment to identify the risk of not implementing this control as written, how the control reduces the risk, and
whether that is an acceptable level of risk reduction to you and your customer.
Third, the control must be above and beyond other PCI DSS requirements, not simply in compliance with other
requirements. Two examples of "above and beyond":
First example, if an entity can't implement 7-character passwords on a mainframe, compensating controls
can be: 12-character password required for network authentication prior to mainframe authentication,
change mainframe password every 30 days, make mainframe password more complex (for example, use
special characters).
A second example, if an entity can't encrypt cardholder data on a storage system, they might implement
controls that enforce internal network segmentation for the system, IP address or MAC address filtering to
that system, and two-factor authentication for access from within the internal network (beyond that which is
already required for remote network access).
And then fourth, the control must be commensurate with the additional risk imposed by not adhering to the
original requirements.
QUESTION 74
A company is unable to render cardholder data unreadable through encryption as per requirement 3.4. A
compensating control could consist of a device or a combination of devices, applications, and controls.
Which three of the below options could be implemented as a compensating control to protect cardholder data?
A. Internal network segmentation
B. IP address or MAC address filtering
C. PKI - Public Key Infrastructure
D. Two-factor authentication from within the internal network
Correct Answer: ABD
Section: (none)
Explanation
Explanation/Reference:
When evaluating "above and beyond" for compensating controls, consider the following:
Existing PCI DSS requirements may be combined with new controls to become a compensating control.
For example, if a company is unable to render cardholder data unreadable per requirement 3.4 (for example,
by encryption), a compensating control could consist of a device or combination of devices, applications, and
controls that address all of the following:
a) Internal network segmentation;
b) IP address or MAC address filtering;
c) Two-factor authentication from within the internal network.
The items at a) through c) are intended as examples only. All compensating controls must be reviewed and
validated for sufficiency by the assessor who conducts the PCI DSS review. The effectiveness of a
compensating control is dependent on the specifics of the environment in which the control is implemented, the
surrounding security controls, and the configuration of the control. Companies should be aware that a particular
compensating control will not be effective in all environments.
QUESTION 75
Which of the following applies to third-party payment applications that perform authorization and/or settlement?
Example: Point of Sale, shopping carts etc.
A. PCI PTS
B. PCI DSS
C. PA-DSS
D. PCI P2PE
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
PA-DSS applies to third-party payment applications that perform authorization and/or settlement. Example:
Point of Sale, shopping carts etc.
QUESTION 76
This requirement applies to Point of Interaction (POI) devices; Encrypting PIN Pads (EPP). It also ensures
terminals cannot be manipulated or attacked to allow the capture of Sensitive Authentication data.
A. PCI DSS
B. PCIA PA-DSS
C. PCI P2PE
D. PCI PTS
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
PTS applies to point of interaction (POI) devices including both attended and unattended POS terminals that
accept cardholder PINs, and to hardware security modules used for the protection of sensitive data during
activities such as payment processing or the production of payment cards.
If a PTS device is integrated into a POS or other payment systems implementation, PTS applies only to the
PTS features, and PA-DSS applies to payment application features.
QUESTION 77
PCI PIN Security provides protection of the personal identification number (PIN) during online and offline
payment transactions processed at:
A. ATMs
B. Attended point-of-sale (POS) terminals
C. Unattended point-of-sale (POS) terminals
D. Internet transactions
Correct Answer: ABC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 78
Which of the following may reduce the scope of the cardholder data environment (CDE)?
A. PA-DSS application
B. P2PE hardware-hardware solution
C. PCI-PTS
D. PCI-PIN security
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Using a P2PE hardware-hardware solution may reduce the scope of the cardholder data environment (CDE).
The P2PE scenario addresses merchants who do not store or decrypt encrypted data within their P2PE
environment, and who use validated solutions consisting of hardware-based encryption and third-party
hardware-based decryption.
QUESTION 79
A merchant can have their validation scope reduced when using validated P2PE solutions where the merchant
has no access to account data within the encryption device.
A. True
B. False
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
P2PE may allow merchants to reduce their validation scope when using validated P2PE solutions where the
merchant has no access to account data within the encryption device (POI) or decryption environment provided
to them by the Solution Provider, where the merchant has no involvement in any encryption or decryption
operations or cryptographic key management, and all cryptographic operations are managed by the P2PE
Solution Provider.
QUESTION 80
What should a merchant do in order to be eligible for PCI DSS scope reduction via use of a validated P2PE
solution?
A. Ensure that any other payment channels within the merchant environment are adequately segmented
(isolated)
B. Ensure that VLANs are properly configured
C. Ensure that the firewall is correctly configured with unauthorized ports blocked
D. Implement encryption in the cardholder environment via AES-256
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
To be eligible for PCI DSS scope reduction via use of a validated P2PE solution, merchants must ensure that
any other payment channels within the merchant environment are adequately segmented (isolated) from the
P2PE environment.
QUESTION 81
In the context of PCI DSS, this is a method of concealing a segment of data when displayed or printed. This
technique is used when there is no business requirement to view the entire PAN. It relates to protection of
PAN when displayed or printed. See Truncation for protection of PAN when stored in files, databases, etc.
A. Masking
B. Hosting
C. Segmenting
D. Hashing
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.pcisecuritystandards.org/security_standards/glossary.php
QUESTION 82
Hardware and/or software technology that protects network resources from unauthorized access. This item
permits or denies computer traffic between networks with different security levels based upon a set of rules
and other criteria.
A. Router
B. Firewall
C. Switch
D. Bridge
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.pcisecuritystandards.org/security_standards/glossary.php
QUESTION 83
This test attempts to exploit vulnerabilities to determine whether unauthorized access or other malicious activity
is possible.
A. Vulnerability analysis
B. Scanning
C. Penetration Test
D. Vulnerability research
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
https://www.pcisecuritystandards.org/security_standards/glossary.php
QUESTION 84
For the purposes of the PCI DSS, a ___________ is defined as any entity that accepts payment cards bearing
the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as
payment for goods and/or services.
A. Payment Brand Network
B. Acquirer
C. Issuer
D. Merchant
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
https://www.pcisecuritystandards.org/security_standards/glossary.php
QUESTION 85
Process of rendering cardholder data unreadable by converting data into a fixed-length message digest via
Strong Cryptography. This is a (mathematical) function in which a non-secret algorithm takes any arbitrary
length message as input and produces a fixed-length output.
A. Hashing
B. Encryption
C. Truncation
D. Tokenization
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
https://www.pcisecuritystandards.org/security_standards/glossary.php
QUESTION 86
Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.
A. Open ports
B. Vulnerability
C. Virus
D. Worm
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
https://www.pcisecuritystandards.org/security_standards/glossary.php
QUESTION 87
Which documents have been published by the Council on a variety of topics designed to provide additional
direction for stakeholders on specific technologies?
A. Information Supplements
B. PCI DSS requirements
C. SAQ
D. EMV
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The Council has published a number of information supplements on varying topics, which are designed to
provide additional guidance for all stakeholders on specific technologies.
These information supplements can help merchants, service providers, and assessors identify the
considerations that certain technologies may have for PCI DSS. They are not intended to replace technical
training nor do they provide additional testing procedures, but they can help point you in the right direction. The
assessor will still need to thoroughly understand the environment they are reviewing in order to ensure
cardholder data is protected and PCI DSS control objectives are met.
QUESTION 88
By implementing the tokenization solution, a company may eliminate the need to maintain and validate PCI
DSS compliance.
A. True
B. False
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may
simplify a merchant's validation efforts by reducing the number of system components to which PCI DSS
requirements apply.
QUESTION 89
When merchants and service providers are not required to submit a Report on Compliance (RoC) as part of an
on-site assessment, which validation tool can they use to self-evaluate their compliance with PCI-DSS?
A. S-A-Q
B. RoC
C. Penetration test
D. Information Supplements
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The self-assessment questionnaire often referred to as the S-A-Q or sometimes called the sack, is a
validation tool for merchants and service providers self-evaluating their compliance with PCI DSS. It is a
validation tool for those entities not required to submit a Report on Compliance as part of an on-site
assessment.
QUESTION 90
According to Requirement 13.2, which of the following is true:
A. Covers information security policy requirements for all personnel
B. Concerns itself with regular testing of all system components comprising the cardholder data environment
C. Concerns itself with assigning a unique ID to each person
D. None of the above
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
There is no Requirement 13.2; PCI DSS has twelve requirements.
QUESTION 91
PCI DSS Requirement 7
A. Regularly test security systems and processes
B. Do not use vendor-supplied defaults for system passwords and other security parameters.
C. Maintain a policy that addresses information security for all personnel.
D. Restrict access to cardholder data by business need to know.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 92
PCI DSS Requirement 3
A. Encrypt transmission of cardholder data across open, public networks (Data in motion).
B. Protect stored cardholder data
C. Restrict access to cardholder data by business need to know.
D. Restrict Physical Access to Cardholder Data
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 93
A company wants to replace the actual Personal Account Number (PAN) with a surrogate value. What process
can be used?
A. Compensating control
B. Masking
C. Hashing
D. Tokenization
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 94
According to requirement 5.1, anti-virus software should be deployed on all systems commonly affected by
malicious software.
Which of the below Operating Systems are not commonly affected by viruses? (Choose three)
A. Solaris
B. Mainframes
C. Windows
D. HP-Unix
E. MAC
Correct Answer: ABD
Section: (none)
Explanation
Explanation/Reference:
Typically, the following operating systems are not commonly affected by malicious software: Mainframes, and
certain Unix servers (such as AIX, Solaris, and HP-Unix). However, industry trends for malicious software can
change quickly and each organization must comply with Requirement 6.2 to identify and address new security
vulnerabilities and update their configuration standards and processes accordingly.