QIR Practice Exam 1

1. The Implementation Guide and Implementation Statement are to be used together on each Qualified Installation.

True

False

The Implementation Guide and Implementation Statement are meant to be used together on each Qualified Installation. This implies that both documents are necessary and complement each other in providing guidance and instructions for the successful implementation of a Qualified Installation. Therefore, it is essential to use both the Implementation Guide and Implementation Statement together to ensure a proper and effective implementation process.

Explanation

The Implementation Guide and Implementation Statement are meant to be used together on each Qualified Installation. This implies that both documents are necessary and complement each other in providing guidance and instructions for the successful implementation of a Qualified Installation. Therefore, it is essential to use both the Implementation Guide and Implementation Statement together to ensure a proper and effective implementation process.

2. Account Data includes cardholder data and/or sensitive authentication data.

True

False

Account Data refers to the information associated with a cardholder's account, including cardholder data and sensitive authentication data. Cardholder data includes the primary account number (PAN) and other personal information, while sensitive authentication data includes data such as the card's expiration date and CVV code. Therefore, it is true that Account Data includes cardholder data and/or sensitive authentication data.

Explanation

Account Data refers to the information associated with a cardholder's account, including cardholder data and sensitive authentication data. Cardholder data includes the primary account number (PAN) and other personal information, while sensitive authentication data includes data such as the card's expiration date and CVV code. Therefore, it is true that Account Data includes cardholder data and/or sensitive authentication data.

3. Many PA-DSS requirements are derived from PCI DSS Requirements and Security Assessment (PCI DSS).

True

False

The statement is true because PA-DSS requirements are indeed derived from PCI DSS requirements and security assessments. PA-DSS stands for Payment Application Data Security Standard, which is a set of requirements designed to ensure that payment applications are secure and do not store sensitive cardholder data. Since PCI DSS is a comprehensive standard for securing cardholder data, it makes sense that PA-DSS requirements would be derived from it to ensure consistency and alignment in security measures.

Explanation

The statement is true because PA-DSS requirements are indeed derived from PCI DSS requirements and security assessments. PA-DSS stands for Payment Application Data Security Standard, which is a set of requirements designed to ensure that payment applications are secure and do not store sensitive cardholder data. Since PCI DSS is a comprehensive standard for securing cardholder data, it makes sense that PA-DSS requirements would be derived from it to ensure consistency and alignment in security measures.

4. The Payment Card Industry Data Security Standard (PCI DSS) is managed by the __________?

QSA

PCI Security Standards Council

ISA

QIR

The correct answer is PCI Security Standards Council. The PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The PCI Security Standards Council is responsible for managing and maintaining these standards, as well as providing guidance and support to organizations in implementing them. The council is made up of major payment card brands, such as Visa, Mastercard, and American Express, and is responsible for enforcing compliance with the PCI DSS.

Explanation

The correct answer is PCI Security Standards Council. The PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The PCI Security Standards Council is responsible for managing and maintaining these standards, as well as providing guidance and support to organizations in implementing them. The council is made up of major payment card brands, such as Visa, Mastercard, and American Express, and is responsible for enforcing compliance with the PCI DSS.

5. For wireless environments connected to the cardholder data environment or transmitting cardholder data, ALL wireless vendor defaults should be changed prior to installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

True

False

Payment Card Industry (PCI) Data Security Standard, v3.2 Requirement 2.1.1

Explanation

Payment Card Industry (PCI) Data Security Standard, v3.2 Requirement 2.1.1

6. Track data, also referred to as "full track data" or "magnetic-stripe data," is data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions.

True

False

Also referred to as “full track data” or “magnetic-stripe data.” Data encoded in
the magnetic stripe or chip used for authentication and/or authorization during
payment transactions. Can be the magnetic-stripe image on a chip or the data
on the track 1 and/or track 2 portion of the magnetic stripe. ---- PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms January 2014
© 2006-2013 PCI Security Standards Council, LLC. All Rights Reserved Page 19

Explanation

Also referred to as “full track data” or “magnetic-stripe data.” Data encoded in
the magnetic stripe or chip used for authentication and/or authorization during
payment transactions. Can be the magnetic-stripe image on a chip or the data
on the track 1 and/or track 2 portion of the magnetic stripe. ---- PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms January 2014
© 2006-2013 PCI Security Standards Council, LLC. All Rights Reserved Page 19

7. PCI DSS sets the foundation for other PCI Standards and related requirements.

True

False

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 1

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 1

8. QIR Implementation Statement is a template used to document the results of a Qualified Installation.

True

False

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 1

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 1

9. The Payment Card Industry (PCI) Qualified Integrators and Resellers (QIR) Program Guide (or "QIR Program Guide") should be used in conjunction with the latest versions of the PCI SSC publications, each as available through the PCI SSC Website.

True

False

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 1

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 1

10. The QIR Employee Additional Observations, of the Implementation Statement, section provides the QIR Employee a place to document any concerns or issues identified during the Qualified Installation. Any observations or details applicable to the overall installation that the Customer needs to be aware of should be recorded in this section. Also, any anomalies or issues observed that may affect the Customers' PCI DSS compliance should be recorded here. This is also where the QIR Employee will record explanations for any tasks that could not be or were not performed as part of the Qualified Installation, such as a required task that the Customer executed rather than the QIR Employee.

True

False

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 7 -----The Implementation Statement is divided into three
(3) parts; Part 1: Implementation Statement Summary, Part 2: Implementation Statement Details
and Part 3: QIR Employee Additional Observations.

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 7 -----The Implementation Statement is divided into three
(3) parts; Part 1: Implementation Statement Summary, Part 2: Implementation Statement Details
and Part 3: QIR Employee Additional Observations.

11. The second section of the QIR Implementation Statement, or Implementation Statement Details, contains a checklist of tasks that must be completed during the Qualified Installation. The checklist provides the QIR Employee with a systematic way to comprehensively document each step of the Qualified Installation. The activities conducted during the installation and configuration of the Payment Application must be recorded so that the customer understands, and has a record of, changes made to their environment. The QIR Implementation Instructions provides details for each task.

True

False

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 6 ------The Implementation Statement is divided into three
(3) parts; Part 1: Implementation Statement Summary, Part 2: Implementation Statement Details
and Part 3: QIR Employee Additional Observations.

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 6 ------The Implementation Statement is divided into three
(3) parts; Part 1: Implementation Statement Summary, Part 2: Implementation Statement Details
and Part 3: QIR Employee Additional Observations.

12. The QIR Company must review, at least annually, updates to the applicable PA-DSS Implementation Guide and supporting documentation to remain current with all major and minor software changes, and QIR Company training materials must be updated to reflect all major and minor software changes.

True

False

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 7

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 7

13. The status of a QIR Company or QIR Employee is initially Good Standing but may change based on quality concerns, feedback, administrative issues, or other factors.

True

False

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 10

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 10

14. PCI DSS requirements are applicable wherever primary account number (PAN) or sensitive authentication data (SAD) is stored, processed, or transmitted.

True

False

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that stores, processes, or transmits primary account numbers (PAN) or sensitive authentication data (SAD). This means that if an organization handles credit card information, they must comply with the PCI DSS requirements to ensure the security and protection of this sensitive data. Therefore, the statement "PCI DSS requirements are applicable wherever primary account number (PAN) or sensitive authentication data (SAD) is stored, processed, or transmitted" is true.

Explanation

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that stores, processes, or transmits primary account numbers (PAN) or sensitive authentication data (SAD). This means that if an organization handles credit card information, they must comply with the PCI DSS requirements to ensure the security and protection of this sensitive data. Therefore, the statement "PCI DSS requirements are applicable wherever primary account number (PAN) or sensitive authentication data (SAD) is stored, processed, or transmitted" is true.

15. Account data includes all of the information printed on the physical card as well as the data on the magnetic stripe or chip.

True

False

Account data refers to all the information that is present on the physical card, such as the cardholder's name, card number, and expiration date. Additionally, it also includes the data that is stored on the magnetic stripe or chip of the card, which is used for transactions and authentication purposes. Therefore, the statement that account data includes both the information on the physical card and the data on the magnetic stripe or chip is true.

Explanation

Account data refers to all the information that is present on the physical card, such as the cardholder's name, card number, and expiration date. Additionally, it also includes the data that is stored on the magnetic stripe or chip of the card, which is used for transactions and authentication purposes. Therefore, the statement that account data includes both the information on the physical card and the data on the magnetic stripe or chip is true.

16. Sensitive authentication data is not stored post-authorization.

True

False

Sensitive authentication data refers to information that can be used to authenticate or authorize access to a system, such as passwords, PINs, or security codes. Storing this data after the authorization process increases the risk of unauthorized access or misuse. Therefore, it is important to ensure that sensitive authentication data is not stored post-authorization to maintain security and protect user information.

Explanation

Sensitive authentication data refers to information that can be used to authenticate or authorize access to a system, such as passwords, PINs, or security codes. Storing this data after the authorization process increases the risk of unauthorized access or misuse. Therefore, it is important to ensure that sensitive authentication data is not stored post-authorization to maintain security and protect user information.

17. By signing the Implementation Statement, the customer acknowledges the following (select all that apply):

The customer accepts the information documented within the Implementation Statement

The customer has read and understands all potential compliance issues identified in Part 3 of the Implementation Statement

The customer understands they are responsible for maintaining their PCI DSS compliance

The customer is acknowledging their acceptance of the information documented within the Implementation Statement, their understanding of potential compliance issues identified in Part 3 of the Implementation Statement, their responsibility for maintaining PCI DSS compliance, and the need to make any changes to the payment application or underlying systems in accordance with PCI DSS requirements.

Explanation

The customer is acknowledging their acceptance of the information documented within the Implementation Statement, their understanding of potential compliance issues identified in Part 3 of the Implementation Statement, their responsibility for maintaining PCI DSS compliance, and the need to make any changes to the payment application or underlying systems in accordance with PCI DSS requirements.

Submit

18. A QIR must ensure that all QIR personnel with access to any customer locations have ______________________________.

A unique user account and password per each individual QIR Employee, and site location

The customer's credentials to access the system under their account

A shared account between QIRs responsible for ongoing support

The vendor-supplied default username and password

QIR Implementation Instructions Part 2 QIR Access - page 8

Explanation

QIR Implementation Instructions Part 2 QIR Access - page 8

19. You are the lead QIR performing an upgrade for a customer site. You notice that the personal firewall software/anti-virus on the payment application server and back office reporting PC are not enabled. What do you do?

Correct the problem right away

The customer should fix the problem

Anti-virus doesn't need to be running, with logging enabled on devices in the CDE

Payment Card Industry (PCI) Data Security Standard, v3.2 Requirement 1.4, 5, 6.2

Explanation

Payment Card Industry (PCI) Data Security Standard, v3.2 Requirement 1.4, 5, 6.2

20. The goal of the QIR Program is to educate, qualify and train organizations involved in the implementation, configuration and/or support of a PA-DSS validated payment application on behalf of a merchant or service provider.

True

False

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 2

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 2

21. The Implementation Statement Summary is used to provide confirmation and acceptance of the Qualified Installation, along with Customer, QIR Company and Payment Application details. The following information must be included in the QIR Implementation Statement:

Customer’s company name and contact details

Name of QIR Company

Name and contact details of the Lead QIR

PA-DSS validated Payment Application name, version number and reference numberas shown on the Website

QIR Program Guide, v 3.0 September 2015 © 2015 PCI Security Standards Council, LLC Page 6 ----The Implementation Statement is divided into three (3) parts; Part 1: Implementation Statement Summary, Part 2: Implementation Statement Details and Part 3: QIR Employee Additional Observations.

Explanation

QIR Program Guide, v 3.0 September 2015 © 2015 PCI Security Standards Council, LLC Page 6 ----The Implementation Statement is divided into three (3) parts; Part 1: Implementation Statement Summary, Part 2: Implementation Statement Details and Part 3: QIR Employee Additional Observations.

Submit

22. If the QIR company does not maintain at least one QIR Employee, the QIR Company will be removed from the QIR List and become ineligible to perform new Qualified Installations until the minimum requirements are satisfied.

True

False

The QIR Company must notify PCI SSC anytime a QIR Employee leaves employment or moves
to a non-QIR role.
QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 9

Explanation

The QIR Company must notify PCI SSC anytime a QIR Employee leaves employment or moves
to a non-QIR role.
QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 9

23. The QIR program aims to assure quality and provide effective feedback among QIRs, their customers, and the PCI SSC.

True

False

The explanation for the given correct answer is that the QIR program is designed to ensure quality and facilitate efficient communication and feedback between QIRs (Qualified Integrators and Resellers), their customers, and the PCI SSC (Payment Card Industry Security Standards Council). This program aims to enhance the overall security and compliance of payment card systems by promoting collaboration and accountability among all stakeholders involved. Therefore, the statement that the QIR program aims to assure quality and provide effective feedback among QIRs, their customers, and the PCI SSC is true.

Explanation

The explanation for the given correct answer is that the QIR program is designed to ensure quality and facilitate efficient communication and feedback between QIRs (Qualified Integrators and Resellers), their customers, and the PCI SSC (Payment Card Industry Security Standards Council). This program aims to enhance the overall security and compliance of payment card systems by promoting collaboration and accountability among all stakeholders involved. Therefore, the statement that the QIR program aims to assure quality and provide effective feedback among QIRs, their customers, and the PCI SSC is true.

24. PA-DSS requirements apply to application vendors, to develop and maintain secure payment applications.

True

False

The Payment Application Data Security Standard (PA-DSS) is a set of requirements that apply to application vendors. These requirements ensure that payment applications are developed and maintained in a secure manner. By adhering to PA-DSS, application vendors can protect sensitive payment card data and prevent potential security breaches. Therefore, the statement "PA-DSS requirements apply to application vendors, to develop and maintain secure payment applications" is true.

Explanation

The Payment Application Data Security Standard (PA-DSS) is a set of requirements that apply to application vendors. These requirements ensure that payment applications are developed and maintained in a secure manner. By adhering to PA-DSS, application vendors can protect sensitive payment card data and prevent potential security breaches. Therefore, the statement "PA-DSS requirements apply to application vendors, to develop and maintain secure payment applications" is true.

25. A QIR Company may only sell validated application versions.

True

False

A QIR Company is required to sell only validated application versions. This means that they must ensure that the applications they sell have gone through a validation process to ensure they meet certain standards and requirements. By selling validated application versions, the QIR Company can provide their customers with reliable and secure software that has been tested and approved. This helps to maintain the integrity and security of the payment processing systems used by businesses.

Explanation

A QIR Company is required to sell only validated application versions. This means that they must ensure that the applications they sell have gone through a validation process to ensure they meet certain standards and requirements. By selling validated application versions, the QIR Company can provide their customers with reliable and secure software that has been tested and approved. This helps to maintain the integrity and security of the payment processing systems used by businesses.

26. PA-DSS defines the specific technical requirements and provides related assessment procedures and templates used to validate payment applications and document the validation process.

True

False

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 1

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 1

27. What are the Implementation Statement sections (select all that apply)?

Statement Summary

QIR Employee Observations

Statement Details

PCI DSS

The correct answer is Statement Summary, QIR Employee Observations, and Statement Details. These are the sections that make up the Implementation Statement. The Statement Summary provides a brief overview of the implementation, the QIR Employee Observations section includes observations made by Qualified Security Assessors, and the Statement Details section provides more detailed information about the implementation.

Explanation

The correct answer is Statement Summary, QIR Employee Observations, and Statement Details. These are the sections that make up the Implementation Statement. The Statement Summary provides a brief overview of the implementation, the QIR Employee Observations section includes observations made by Qualified Security Assessors, and the Statement Details section provides more detailed information about the implementation.

Submit

28. In accordance with the PCI DSS Requirement 2.1, the QIR ensures that all vendor-supplied defaults are changed and unnecessary default accounts are removed or disabled, before completing a qualified installation.

True

False

According to PCI DSS Requirement 2.1, the Qualified Integrator and Reseller (QIR) is responsible for changing all vendor-supplied defaults and removing or disabling unnecessary default accounts before completing a qualified installation. This ensures that the system is secure and reduces the risk of unauthorized access or exploitation of default settings. Therefore, the statement "True" is correct.

Explanation

According to PCI DSS Requirement 2.1, the Qualified Integrator and Reseller (QIR) is responsible for changing all vendor-supplied defaults and removing or disabling unnecessary default accounts before completing a qualified installation. This ensures that the system is secure and reduces the risk of unauthorized access or exploitation of default settings. Therefore, the statement "True" is correct.

29. There does not have to be a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network.

True

False

PCI DSS Req. 1.1.4; Guidance - There should be a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network.

Payment Card Industry (PCI) Data Security Standard, v3.2, page 21

Explanation

PCI DSS Req. 1.1.4; Guidance - There should be a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network.

Payment Card Industry (PCI) Data Security Standard, v3.2, page 21

30. Firewalls should be installed between the CDE and all wireless access points.

True

False

Requirement 1.2.3 Guidance: "The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access to the network and cardholder data. If a wireless device or network is installed without the entity's knowledge, a malicious individual could easily and "invisibly" enter the network. If firewalls do not restrict access from wireless networks into the CDE, malicious individuals that gain unauthorized access to the wireless network can easily connect to the CDE and compromise account information. - Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, guest networks, warehouse environments, etc." ------
Payment Card Industry (PCI) Data Security Standard, v3.2 Page 24
© 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. April 2016

Explanation

Requirement 1.2.3 Guidance: "The known (or unknown) implementation and exploitation of wireless technology within a network is a common path for malicious individuals to gain access to the network and cardholder data. If a wireless device or network is installed without the entity's knowledge, a malicious individual could easily and "invisibly" enter the network. If firewalls do not restrict access from wireless networks into the CDE, malicious individuals that gain unauthorized access to the wireless network can easily connect to the CDE and compromise account information. - Firewalls must be installed between all wireless networks and the CDE, regardless of the purpose of the environment to which the wireless network is connected. This may include, but is not limited to, corporate networks, retail stores, guest networks, warehouse environments, etc." ------
Payment Card Industry (PCI) Data Security Standard, v3.2 Page 24
© 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. April 2016

31. QIR Qualification Requirements define requirements that must be satisfied by QIR Companies, in order to perform Qualified Installations.

True

False

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 1

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 1

32. Prior to the Qualified Installation, the customer should be provided with the following (select all that apply):

Lead QIR name

Estimate of work to be performed

Expected duration of the work

Notice of any potential downtime

not-available-via-ai

Explanation

not-available-via-ai

Submit

33. Name the two types of validated Payment Applications:

Not acceptable for deployment

Acceptable for new deployment

Not acceptable for pre-existing deployments

Acceptable for pre-existing deployments

The two types of validated Payment Applications are "Acceptable for new deployment" and "Acceptable for pre-existing deployments". This means that both types of applications have been tested and approved for use, whether it is for new installations or for existing systems. It implies that these applications meet the necessary security and compliance requirements for processing payments, regardless of the deployment scenario.

Explanation

The two types of validated Payment Applications are "Acceptable for new deployment" and "Acceptable for pre-existing deployments". This means that both types of applications have been tested and approved for use, whether it is for new installations or for existing systems. It implies that these applications meet the necessary security and compliance requirements for processing payments, regardless of the deployment scenario.

Submit

34. If there are a number of QIR Employees leading Qualified Installations, each Lead QIR must produce his or her own Implementation Statement(s) for the installations he or she was responsible for.

True

False

QIR Implementation Instructions Part 1, page 5

Explanation

QIR Implementation Instructions Part 1, page 5

35. The Lead QIR Employee is required to sign the _______________ affirming the findings surrounding the qualified installation documented therein.

Implementation Statement

Attestation of Compliance

SAQ-D

QIR Feedback form

The Lead QIR Employee is required to sign the Implementation Statement affirming the findings surrounding the qualified installation documented therein. The Implementation Statement serves as a confirmation that the installation has been carried out according to the required standards and guidelines. It ensures that the Lead QIR Employee takes responsibility for the accuracy and completeness of the installation documentation. By signing the Implementation Statement, the employee acknowledges and affirms the findings of the qualified installation.

Explanation

The Lead QIR Employee is required to sign the Implementation Statement affirming the findings surrounding the qualified installation documented therein. The Implementation Statement serves as a confirmation that the installation has been carried out according to the required standards and guidelines. It ensures that the Lead QIR Employee takes responsibility for the accuracy and completeness of the installation documentation. By signing the Implementation Statement, the employee acknowledges and affirms the findings of the qualified installation.

36. It is best practice to require passwords have a minimum length requirement of at least 7 characters, contain both numeric and alphabetic characters and to be changed at least once every 90 days

True

False

Payment Card Industry (PCI) Data Security Standard, v3.2 Requirement 8.2.3, 8.2.4

Explanation

Payment Card Industry (PCI) Data Security Standard, v3.2 Requirement 8.2.3, 8.2.4

37. QIR Implementation Instructions is a guidance document used to explain how to complete the QIR Implementation Statement.

True

False

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 1

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 1

38. Core responsibilities as a QIR include (select all that apply):

Install payment applications in a manner which supports the customer's PCI DSS compliance using the PA-DSS Implementation Guide

Document for the customer any potential risks to PCI DSS compliance

Explain any changes made to the customer's system(s) and any potential risks to the customer

Provide a Feedback Form to the customer

Support PCI Forensic Investigator (PFI) investigations in the event of a breach

The core responsibilities of a QIR include installing payment applications in a manner that ensures the customer's compliance with PCI DSS using the PA-DSS Implementation Guide. They are also responsible for documenting any potential risks to the customer's PCI DSS compliance, explaining any changes made to the customer's system(s) and the associated risks, providing a Feedback Form to the customer, and supporting PCI Forensic Investigator (PFI) investigations in the event of a breach.

Explanation

The core responsibilities of a QIR include installing payment applications in a manner that ensures the customer's compliance with PCI DSS using the PA-DSS Implementation Guide. They are also responsible for documenting any potential risks to the customer's PCI DSS compliance, explaining any changes made to the customer's system(s) and the associated risks, providing a Feedback Form to the customer, and supporting PCI Forensic Investigator (PFI) investigations in the event of a breach.

Submit

39. PCI DSS requirements do not apply to systems that provide security services or could impact the security of account data.

True

False

The statement is false because PCI DSS requirements do apply to systems that provide security services or could impact the security of account data. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholder data and ensure the secure handling of credit card information. These requirements apply to all organizations that store, process, or transmit cardholder data, including systems that provide security services or have the potential to impact the security of account data. Therefore, the statement that PCI DSS requirements do not apply to such systems is incorrect.

Explanation

The statement is false because PCI DSS requirements do apply to systems that provide security services or could impact the security of account data. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholder data and ensure the secure handling of credit card information. These requirements apply to all organizations that store, process, or transmit cardholder data, including systems that provide security services or have the potential to impact the security of account data. Therefore, the statement that PCI DSS requirements do not apply to such systems is incorrect.

40. One of the requirements of a QIR Company is that they must be either the direct provider of a PA-DSS validated Payment Application or a completely independent third party licensed or otherwise authorized by a PA-DSS validated Payment Application vendor to implement that Payment Application into the merchant or service provider environment.

True

False

PCI SSC QIR Qualification Requirements 3.1.1 page 4

Explanation

PCI SSC QIR Qualification Requirements 3.1.1 page 4

41. Records observations or details that the customer should be aware of.

QIR Employee Additional Observations

Implementation Statement Summary

PCI DSS QIR Website Listing

Implementation Statement Details

The correct answer is "QIR Employee Additional Observations". This option suggests that the employee records observations or details that the customer should be aware of. This could include any additional information or notes that the employee wants to communicate to the customer regarding the implementation statement or the PCI DSS QIR website listing.

Explanation

The correct answer is "QIR Employee Additional Observations". This option suggests that the employee records observations or details that the customer should be aware of. This could include any additional information or notes that the employee wants to communicate to the customer regarding the implementation statement or the PCI DSS QIR website listing.

42. The QIR Company must at all times employee at least ___ QIR Employee(s)

5

3

2

1

The QIR Company is required to have at least one QIR employee at all times. This implies that the company must have at least one qualified individual who can perform the necessary tasks and responsibilities associated with being a QIR employee. Having at least one QIR employee ensures that the company can effectively and efficiently carry out its duties and obligations in accordance with the relevant regulations and standards.

Explanation

The QIR Company is required to have at least one QIR employee at all times. This implies that the company must have at least one qualified individual who can perform the necessary tasks and responsibilities associated with being a QIR employee. Having at least one QIR employee ensures that the company can effectively and efficiently carry out its duties and obligations in accordance with the relevant regulations and standards.

43. Which of the following is an example of a secure network protocol?

Telnet

IMAP

FTP

SSH

SSH (Secure Shell) is an example of a secure network protocol. It provides a secure way to access and manage remote systems over an unsecured network. SSH ensures secure communication by encrypting data and authenticating the parties involved. It is widely used for remote administration, file transfers, and tunneling services securely. Telnet, IMAP, and FTP, on the other hand, are not secure protocols as they transmit data in plain text, making it susceptible to eavesdropping and unauthorized access.

Explanation

SSH (Secure Shell) is an example of a secure network protocol. It provides a secure way to access and manage remote systems over an unsecured network. SSH ensures secure communication by encrypting data and authenticating the parties involved. It is widely used for remote administration, file transfers, and tunneling services securely. Telnet, IMAP, and FTP, on the other hand, are not secure protocols as they transmit data in plain text, making it susceptible to eavesdropping and unauthorized access.

44. There is a difference between cardholder data and sensitive authentication data.

True

False

True, SAD is not stored post-authorization.

Explanation

True, SAD is not stored post-authorization.

45. A trusted network is the network of an organization that is within the organization's ability to control or manage.

True

False

A trusted network refers to a network that is under the control and management of an organization. This means that the organization has the authority to set up security measures, monitor network activities, and enforce policies within this network. It implies that the organization has a level of confidence in the security and reliability of this network as it is within their ability to oversee and manage it. Therefore, the statement "A trusted network is the network of an organization that is within the organization's ability to control or manage" is true.

Explanation

A trusted network refers to a network that is under the control and management of an organization. This means that the organization has the authority to set up security measures, monitor network activities, and enforce policies within this network. It implies that the organization has a level of confidence in the security and reliability of this network as it is within their ability to oversee and manage it. Therefore, the statement "A trusted network is the network of an organization that is within the organization's ability to control or manage" is true.

46. Who is responsible for a Merchant's PCI Compliance?

QIR

QSA

Firewall Provider

Merchant

The correct answer is Merchant. The responsibility for a Merchant's PCI Compliance lies with the Merchant themselves. It is the Merchant's responsibility to ensure that they comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements in order to protect cardholder data. This includes implementing and maintaining secure systems and processes, conducting regular security assessments, and adhering to the guidelines set forth by the PCI Security Standards Council. The other options listed, QIR, QSA, and Firewall Provider, may play a role in assisting the Merchant with their PCI Compliance efforts, but ultimately the responsibility lies with the Merchant.

Explanation

The correct answer is Merchant. The responsibility for a Merchant's PCI Compliance lies with the Merchant themselves. It is the Merchant's responsibility to ensure that they comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements in order to protect cardholder data. This includes implementing and maintaining secure systems and processes, conducting regular security assessments, and adhering to the guidelines set forth by the PCI Security Standards Council. The other options listed, QIR, QSA, and Firewall Provider, may play a role in assisting the Merchant with their PCI Compliance efforts, but ultimately the responsibility lies with the Merchant.

47. PAN should be rendered unreadable anywhere it's stored.

True

False

The statement is suggesting that PAN (Primary Account Number) should be made unreadable in any location where it is stored. This is true because PAN is a sensitive piece of information that is used to identify and authenticate credit card transactions. Storing it in a readable format increases the risk of unauthorized access and potential misuse. By rendering PAN unreadable, it adds an extra layer of security to protect the cardholder's information.

Explanation

The statement is suggesting that PAN (Primary Account Number) should be made unreadable in any location where it is stored. This is true because PAN is a sensitive piece of information that is used to identify and authenticate credit card transactions. Storing it in a readable format increases the risk of unauthorized access and potential misuse. By rendering PAN unreadable, it adds an extra layer of security to protect the cardholder's information.

48. Which is an example of two factor authentication?

Token and password

Biometric authentication

Username and password

Username, password, and answering a security question

Token and password is an example of two-factor authentication because it requires two different types of credentials to verify a user's identity. The token is a physical device that generates a unique code, and the password is a secret phrase known only to the user. By combining something the user has (the token) with something the user knows (the password), it adds an extra layer of security to the authentication process, making it more difficult for unauthorized individuals to gain access to the system.

Explanation

Token and password is an example of two-factor authentication because it requires two different types of credentials to verify a user's identity. The token is a physical device that generates a unique code, and the password is a secret phrase known only to the user. By combining something the user has (the token) with something the user knows (the password), it adds an extra layer of security to the authentication process, making it more difficult for unauthorized individuals to gain access to the system.

49. Includes items identified in the Details section that require explanation.

Implementation Statement Details

Implementation Statement Summary

QIR Employee Additional Observations

PCI DSS QIR Website Listing

The correct answer is "QIR Employee Additional Observations". This refers to additional observations made by a Qualified Integrators and Resellers (QIR) employee during the implementation of the Payment Card Industry Data Security Standard (PCI DSS). These observations may include any relevant details or information that the employee has noticed during the implementation process.

Explanation

The correct answer is "QIR Employee Additional Observations". This refers to additional observations made by a Qualified Integrators and Resellers (QIR) employee during the implementation of the Payment Card Industry Data Security Standard (PCI DSS). These observations may include any relevant details or information that the employee has noticed during the implementation process.

50. How often does each validated payment application undergo attestation, until the Expiry Date is reached?

Annually

Every 2 years

Every 3 years

Quarterly

Each validated payment application undergoes attestation on a yearly basis until the Expiry Date is reached. This means that the application is reviewed and verified for compliance and security measures once every year. This regular attestation ensures that the payment application remains up to date and meets the necessary standards throughout its lifespan.

Explanation

Each validated payment application undergoes attestation on a yearly basis until the Expiry Date is reached. This means that the application is reviewed and verified for compliance and security measures once every year. This regular attestation ensures that the payment application remains up to date and meets the necessary standards throughout its lifespan.

51. When an engagement ends, the QIR Company must perform clean-up tasks that include, but are not limited to:

Ensure credentials are removed from all customer sites after any installation or maintenance tasks have been completed

The correct answer includes all the clean-up tasks that the QIR Company must perform when an engagement ends. These tasks include ensuring that credentials are removed from all customer sites after any installation or maintenance tasks have been completed, providing instructions to the customer to remove QIR Company user accounts and credentials if the QIR company no longer supports the customer, and providing instructions for the customer to eliminate all connectivity, such as open firewall ports, between the QIR Company and the customer.

Explanation

The correct answer includes all the clean-up tasks that the QIR Company must perform when an engagement ends. These tasks include ensuring that credentials are removed from all customer sites after any installation or maintenance tasks have been completed, providing instructions to the customer to remove QIR Company user accounts and credentials if the QIR company no longer supports the customer, and providing instructions for the customer to eliminate all connectivity, such as open firewall ports, between the QIR Company and the customer.

Submit

52. Which of the following is not true of acquirers?

Also called Visa and/or Mastercard

Provide authorization, clearing and settlement services to merchants

Bank or entity the merchant uses to process their payment card transactions

Also called Merchant Bank

Acquirers are not called Visa and/or Mastercard. Acquirers are the banks or entities that provide authorization, clearing, and settlement services to merchants. They are also known as the merchant bank, as they are the bank or entity that the merchant uses to process their payment card transactions. However, Visa and Mastercard are payment networks that facilitate the transfer of funds between the acquirer and the issuer (the cardholder's bank).

Explanation

Acquirers are not called Visa and/or Mastercard. Acquirers are the banks or entities that provide authorization, clearing, and settlement services to merchants. They are also known as the merchant bank, as they are the bank or entity that the merchant uses to process their payment card transactions. However, Visa and Mastercard are payment networks that facilitate the transfer of funds between the acquirer and the issuer (the cardholder's bank).

53. When reviewing the Implementation Statement Summary with the client, the lead QIR makes sure they understand that system passwords should be changed every ________.

30 days

60 days

90 days

120 days

The lead QIR ensures that the client understands that system passwords should be changed every 90 days. This is important for maintaining security and preventing unauthorized access to the system. Regularly changing passwords helps to minimize the risk of password guessing or cracking, as well as reducing the impact of a compromised password. By enforcing password changes every 90 days, the client can enhance the overall security of their system.

Explanation

The lead QIR ensures that the client understands that system passwords should be changed every 90 days. This is important for maintaining security and preventing unauthorized access to the system. Regularly changing passwords helps to minimize the risk of password guessing or cracking, as well as reducing the impact of a compromised password. By enforcing password changes every 90 days, the client can enhance the overall security of their system.

54. Organizations qualified by the PCI SSC to implement, configure and/or support PA-DSS validated Payment Applications on behalf of merchants and service providers are referred to as _______ companies.

ISA

QSA

PA-QSA

QIR

QIR stands for Qualified Integrators and Resellers. These are organizations that have been approved by the PCI SSC to implement, configure, and support PA-DSS validated Payment Applications on behalf of merchants and service providers. QIR companies are knowledgeable and qualified to ensure that the payment applications they work with are properly integrated and secure.

Explanation

QIR stands for Qualified Integrators and Resellers. These are organizations that have been approved by the PCI SSC to implement, configure, and support PA-DSS validated Payment Applications on behalf of merchants and service providers. QIR companies are knowledgeable and qualified to ensure that the payment applications they work with are properly integrated and secure.

55. The QIR Employee should have confidence that the customer understands that any remote access to their network must be implemented in a secure manner, such as (select all that apply):

Strong authentication and complex passwords for logins are used

Connections are allowed only from specific (known) IP/MAC addresses

VPN connections are established via a firewall before access is allowed

Encrypted data transmission is enabled

Customer passwords are established according to PCI DSS Requirements

Default settings in the remote access software are changed

The logging function is enabled

Account lockout after a certain number of failed login attempts is enabled

Access to accounts on the customer network is restricted to authorized integrator/reseller

The correct answer choices all contribute to implementing secure remote access to a customer's network. Changing default settings in the remote access software helps prevent unauthorized access. Allowing connections only from specific IP/MAC addresses adds an extra layer of security. Using strong authentication and complex passwords makes it harder for hackers to gain access. Enabling encrypted data transmission ensures that information is protected during transmission. Account lockout after failed login attempts prevents brute force attacks. Establishing VPN connections via a firewall adds another layer of security. Enabling the logging function helps monitor and identify any suspicious activity. Restricting access to authorized integrators/resellers and following PCI DSS requirements for customer passwords further enhance security.

Explanation

The correct answer choices all contribute to implementing secure remote access to a customer's network. Changing default settings in the remote access software helps prevent unauthorized access. Allowing connections only from specific IP/MAC addresses adds an extra layer of security. Using strong authentication and complex passwords makes it harder for hackers to gain access. Enabling encrypted data transmission ensures that information is protected during transmission. Account lockout after failed login attempts prevents brute force attacks. Establishing VPN connections via a firewall adds another layer of security. Enabling the logging function helps monitor and identify any suspicious activity. Restricting access to authorized integrators/resellers and following PCI DSS requirements for customer passwords further enhance security.

Submit

56. PCI DSS Requirement 10 focuses on ____________, and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise.

Access control

Security

Network segregation

Logging mechanisms

Logging mechanisms and the ability to track user activities are ciritical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows through tracking, alerting, and analysis when something does go wrong. Determinig the cause of a compromise is very difficult, if not impossible without system activity logs.

The events that should be logged include: individual access to cardholder data or to the audit logs themselves, administrative access, failed login attempts, service provider remote ongoing support, and changes to user accounts.

QIR eLearning PearsonVUE Transcript - QIR Training - Google Drive
Email: ltraylor@rdspos.com to request access, if you do not have access to the QIR Training Google Drive

Explanation

Logging mechanisms and the ability to track user activities are ciritical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows through tracking, alerting, and analysis when something does go wrong. Determinig the cause of a compromise is very difficult, if not impossible without system activity logs.

The events that should be logged include: individual access to cardholder data or to the audit logs themselves, administrative access, failed login attempts, service provider remote ongoing support, and changes to user accounts.

QIR eLearning PearsonVUE Transcript - QIR Training - Google Drive
Email: ltraylor@rdspos.com to request access, if you do not have access to the QIR Training Google Drive

57. In preparation for a Qualified Installation, the Lead QIR employee, should be prepared to answer any questions the customer may have, or know where to refer the customer, regarding the payment application listing information on the Website, such as:

Where to verify payment application revalidation date, and the acceptable for new and existing deployments list

Notifying the customer that PCI DSS compliance risk concerns

Ensure that QIR Employee access credentials are unique per QIR Employee and per customer

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 5

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 5

Submit

58. PCI PTS PIN Security covers secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing.

True

False

The statement is true because PCI PTS PIN Security specifically addresses the secure handling of personal identification number (PIN) data during payment card transactions, both online and offline. This includes secure management, processing, and transmission of PIN data to ensure the confidentiality and integrity of this sensitive information. Compliance with PCI PTS PIN Security standards is essential for organizations involved in payment card processing to protect cardholder data and prevent unauthorized access or misuse.

Explanation

The statement is true because PCI PTS PIN Security specifically addresses the secure handling of personal identification number (PIN) data during payment card transactions, both online and offline. This includes secure management, processing, and transmission of PIN data to ensure the confidentiality and integrity of this sensitive information. Compliance with PCI PTS PIN Security standards is essential for organizations involved in payment card processing to protect cardholder data and prevent unauthorized access or misuse.

59. Where should a firewall be implemented on a network that facilitates the flow of cardholder data?

A firewall should be placed at each Internet connection and between any DMZ and the internal network

A firewall should be placed at each Internet connection and DMZ

A firewall should be placed on the internal network

A firewall is not recommended or required

A firewall should be placed at each Internet connection and between any DMZ and the internal network in order to protect the cardholder data. By implementing firewalls at these points, it helps to control and monitor the incoming and outgoing traffic, preventing unauthorized access and potential attacks from the internet. Additionally, placing a firewall between the DMZ and the internal network adds an extra layer of security, ensuring that any potential threats from the DMZ are not able to directly access the internal network where the cardholder data is stored.

Explanation

A firewall should be placed at each Internet connection and between any DMZ and the internal network in order to protect the cardholder data. By implementing firewalls at these points, it helps to control and monitor the incoming and outgoing traffic, preventing unauthorized access and potential attacks from the internet. Additionally, placing a firewall between the DMZ and the internal network adds an extra layer of security, ensuring that any potential threats from the DMZ are not able to directly access the internal network where the cardholder data is stored.

60. Where a Qualified Installation involves multiple locations, the QIR Employee may choose to prepare a number of Implementation Statements that together represent all locations.

True

False

In a Qualified Installation that involves multiple locations, it is possible for the QIR Employee to prepare multiple Implementation Statements. These statements would collectively represent all the locations involved in the installation. This allows for a more comprehensive and accurate representation of the installation process and ensures that all locations are accounted for. Therefore, the statement is true.

Explanation

In a Qualified Installation that involves multiple locations, it is possible for the QIR Employee to prepare multiple Implementation Statements. These statements would collectively represent all the locations involved in the installation. This allows for a more comprehensive and accurate representation of the installation process and ensures that all locations are accounted for. Therefore, the statement is true.

61. What is the standard for vetting off-the-shelf payment applications used in authorization and settlement?

PA-DSS

PA-QSA

PCI DSS

Qualified Installation

PA-DSS stands for Payment Application Data Security Standard. It is the standard for vetting off-the-shelf payment applications used in authorization and settlement. This standard ensures that payment applications are secure and do not store sensitive cardholder data. It provides guidelines and requirements for developers to follow in order to ensure the security of payment applications. By adhering to PA-DSS, organizations can minimize the risk of data breaches and ensure the protection of customer payment information. PCI DSS (Payment Card Industry Data Security Standard) is a related standard that focuses on the security of the entire payment card ecosystem.

Explanation

PA-DSS stands for Payment Application Data Security Standard. It is the standard for vetting off-the-shelf payment applications used in authorization and settlement. This standard ensures that payment applications are secure and do not store sensitive cardholder data. It provides guidelines and requirements for developers to follow in order to ensure the security of payment applications. By adhering to PA-DSS, organizations can minimize the risk of data breaches and ensure the protection of customer payment information. PCI DSS (Payment Card Industry Data Security Standard) is a related standard that focuses on the security of the entire payment card ecosystem.

62. Which of the following should the lead QIR do for the customer, as part of the Qualified Installation include (select all the apply):

Provide a current network diagram that identifies all connections between the CDE and other networks, including any wireless networks

Make sure they understand they must use a firewall that allows only required ports inbound AND outbound connections

Make sure they are aware that they should enable logging on firewall(s)

Make sure they understand that unauthorized outbound traffic from the CDE to the Internet should NOT be allowed

Payment Card Industry (PCI) Data Security Standard, v3.2 Requirement 1
QIR Implementation Instructions Part 2

Explanation

Payment Card Industry (PCI) Data Security Standard, v3.2 Requirement 1
QIR Implementation Instructions Part 2

Submit

63. Compliance validation requirements vary by payment brand.

True

False

Compliance validation requirements vary by payment brand, meaning that different payment brands have different criteria and standards that businesses must meet in order to be compliant. This implies that there is no one-size-fits-all approach to compliance validation, and businesses must understand and adhere to the specific requirements of each payment brand they work with. Therefore, the statement "Compliance validation requirements vary by payment brand" is true.

Explanation

Compliance validation requirements vary by payment brand, meaning that different payment brands have different criteria and standards that businesses must meet in order to be compliant. This implies that there is no one-size-fits-all approach to compliance validation, and businesses must understand and adhere to the specific requirements of each payment brand they work with. Therefore, the statement "Compliance validation requirements vary by payment brand" is true.

64. What date and year, in the PCI DSS and PA-DSS lifecycle, do the new PCI DSS standards become effective?

January 1 of Year 1

January 31 of Year 1

January 1 of Year 2

January 21 of Year 2

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

Explanation

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

65. Changes to the PCI DSS and PA DSS, follow a _______ lifecycle, to ensure a gradual, phased introduction of new versions of the standard, in order to prevent organizations from becoming non-compliant when changes are published.

1 year

2 year

3 year

5 year

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

Explanation

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

66. Where should payment application logs be stored?

In the back office payroll software

On the hardware firewall

They should not be stored

On the Payment Application server

Payment application logs should be stored on the Payment Application server. This is because the Payment Application server is responsible for processing and handling payment transactions. Storing the logs on the same server ensures that they are easily accessible for monitoring and troubleshooting purposes. It also helps in maintaining the security and integrity of the logs, as they are stored in a controlled and secure environment. Additionally, storing the logs on the Payment Application server allows for efficient analysis and auditing of payment transactions.

Explanation

Payment application logs should be stored on the Payment Application server. This is because the Payment Application server is responsible for processing and handling payment transactions. Storing the logs on the same server ensures that they are easily accessible for monitoring and troubleshooting purposes. It also helps in maintaining the security and integrity of the logs, as they are stored in a controlled and secure environment. Additionally, storing the logs on the Payment Application server allows for efficient analysis and auditing of payment transactions.

67. The QIR Program focuses on two core objectives (select all that apply):

Ensuring that QIR Companies can guarantee merchants a passing PCI Compliance status

Ensuring that QIR Companies are responsible for merchants PCI DSS Compliance

Ensure that QIR Companies are accountable for ensuring that such installations facilitate their customers' PCI DSS Compliance efforts

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 2

Explanation

QIR Program Guide, v 3.0 September 2015
© 2015 PCI Security Standards Council, LLC Page 2

Submit

68. The PCI SSC Listing Number, Payment Application Vendor, Payment Application Name, and Application Version Number are found in what part of the Implementation Statement?

Implementation Statement Summary

Implementation Statement Details

QIR Employee Additional Observations

Firewall Whitelist

The Implementation Statement Summary is where the PCI SSC Listing Number, Payment Application Vendor, Payment Application Name, and Application Version Number are found. This summary provides a concise overview of the implementation statement, including important details about the payment application and its vendor. It is a quick reference for understanding the key information related to the implementation statement.

Explanation

The Implementation Statement Summary is where the PCI SSC Listing Number, Payment Application Vendor, Payment Application Name, and Application Version Number are found. This summary provides a concise overview of the implementation statement, including important details about the payment application and its vendor. It is a quick reference for understanding the key information related to the implementation statement.

69. What is P2PE?

Covers secure payment applications to support PCI DSS

Covers the protection of sensitive data at point-of-interaction devices and their secure components

Covers encryption, decryption, and key management requirements for point-to-point encryption

Covers secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing

P2PE stands for point-to-point encryption and it refers to a set of requirements that cover encryption, decryption, and key management for secure transmission of data. This means that P2PE ensures that sensitive data is protected during its journey from the point of interaction devices to the intended recipient. By implementing P2PE, organizations can ensure that data is encrypted and decrypted securely, and that the keys used for encryption are properly managed. This helps to prevent unauthorized access and protect against data breaches.

Explanation

P2PE stands for point-to-point encryption and it refers to a set of requirements that cover encryption, decryption, and key management for secure transmission of data. This means that P2PE ensures that sensitive data is protected during its journey from the point of interaction devices to the intended recipient. By implementing P2PE, organizations can ensure that data is encrypted and decrypted securely, and that the keys used for encryption are properly managed. This helps to prevent unauthorized access and protect against data breaches.

70. What is the last step in the payment processing workflow?

Authentication

Authorization

Settlement

Clearing

The last step in the payment processing workflow is settlement. After the customer's payment is authorized and cleared, settlement occurs where the funds are transferred from the customer's account to the merchant's account. Settlement is the final step in completing the payment transaction and ensuring that the merchant receives the payment for the goods or services provided.

Explanation

The last step in the payment processing workflow is settlement. After the customer's payment is authorized and cleared, settlement occurs where the funds are transferred from the customer's account to the merchant's account. Settlement is the final step in completing the payment transaction and ensuring that the merchant receives the payment for the goods or services provided.

71. Select the PCI SSC stakeholders, who give input for proposed changes to the PCI DSS:

Participating Organizations

Merchants

Banks

Point-of-sale Vendors

Assessment community (QSA & ASV)

Software & hardware developers

Processors

PCI SSC Board of Advisors

The PCI SSC stakeholders who give input for proposed changes to the PCI DSS include participating organizations, merchants, banks, point-of-sale vendors, the assessment community (QSA & ASV), software & hardware developers, processors, and the PCI SSC Board of Advisors. These stakeholders represent various sectors of the payment card industry and are involved in the development and implementation of the PCI DSS standards. They provide valuable insights, expertise, and recommendations to ensure that the standards are effective and up-to-date in addressing the evolving threats and vulnerabilities in the industry.

Explanation

The PCI SSC stakeholders who give input for proposed changes to the PCI DSS include participating organizations, merchants, banks, point-of-sale vendors, the assessment community (QSA & ASV), software & hardware developers, processors, and the PCI SSC Board of Advisors. These stakeholders represent various sectors of the payment card industry and are involved in the development and implementation of the PCI DSS standards. They provide valuable insights, expertise, and recommendations to ensure that the standards are effective and up-to-date in addressing the evolving threats and vulnerabilities in the industry.

Submit

72. If the QIR provides services to the customer that could potentially result in the collection of cardholder data and/or SAD, it should only be collected

When a specific problem is identified that requires temporary collection of SAD

During specific times as needed to solve that specific problem

With the minimum capacity needed to solve the specific problem

And stored only in specific, known locations

With access limited to specific individuals requiring access to solve that specific problem

And stored encrypted with strong cryptography

If securely deleted immediately after use

3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if: There is a business justification and The data is stored securely ---- Payment Card Industry (PCI) Data Security Standard, v3.2 Page 37
© 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. April 2016 --- QIR Implementation Instructions Part 2

Explanation

3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if: There is a business justification and The data is stored securely ---- Payment Card Industry (PCI) Data Security Standard, v3.2 Page 37
© 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. April 2016 --- QIR Implementation Instructions Part 2

Submit

73. What is PCI PA-DSS?

Covers the physical and logical security requirements for systems and business processes

Covers secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing.

Covers security of environments that store, process, or transmit account data

Covers secure payment applications to support PCI DSS compliance

PCI PA-DSS stands for Payment Card Industry Payment Application Data Security Standard. It is a set of requirements that ensure the security of payment applications in order to support compliance with the broader Payment Card Industry Data Security Standard (PCI DSS). This standard specifically focuses on the security of payment applications and covers their development, implementation, and maintenance. By adhering to PCI PA-DSS, organizations can ensure that their payment applications are secure and meet the necessary standards for processing payment card transactions in a secure manner.

Explanation

PCI PA-DSS stands for Payment Card Industry Payment Application Data Security Standard. It is a set of requirements that ensure the security of payment applications in order to support compliance with the broader Payment Card Industry Data Security Standard (PCI DSS). This standard specifically focuses on the security of payment applications and covers their development, implementation, and maintenance. By adhering to PCI PA-DSS, organizations can ensure that their payment applications are secure and meet the necessary standards for processing payment card transactions in a secure manner.

74. What takes place in the Authorization portion of the payment processing workflow?

Issuer and Acquirer exchange purchase and reconciliation information

Cardholder gets charged

Issuer pays acquirer

Merchant requests and receives authorization

In the Authorization portion of the payment processing workflow, the merchant requests and receives authorization. This means that the merchant sends a request to the issuer of the card to verify if the cardholder has sufficient funds or credit available for the transaction. The issuer then approves or declines the authorization request and sends a response back to the merchant. This step ensures that the transaction is valid and that the cardholder can be charged for the purchase.

Explanation

In the Authorization portion of the payment processing workflow, the merchant requests and receives authorization. This means that the merchant sends a request to the issuer of the card to verify if the cardholder has sufficient funds or credit available for the transaction. The issuer then approves or declines the authorization request and sends a response back to the merchant. This step ensures that the transaction is valid and that the cardholder can be charged for the purchase.

75. Sensitive authentication data can be stored after authorization, if encrypted.

True

False

SAD should not be stored, post-authorization

Explanation

SAD should not be stored, post-authorization

76. If the QIR Company suspects one of their customer's has been breached, who should they notify?

PCI SSC

The customer's processor

FTC

Manager on duty at the site, in question

The correct answer is PCI SSC. PCI SSC stands for Payment Card Industry Security Standards Council. They are responsible for developing and maintaining the security standards for the payment card industry. If the QIR Company suspects that one of their customers has been breached, they should notify PCI SSC, as they are the appropriate authority to handle such incidents and ensure that the necessary steps are taken to mitigate the breach and protect the customer's sensitive information.

Explanation

The correct answer is PCI SSC. PCI SSC stands for Payment Card Industry Security Standards Council. They are responsible for developing and maintaining the security standards for the payment card industry. If the QIR Company suspects that one of their customers has been breached, they should notify PCI SSC, as they are the appropriate authority to handle such incidents and ensure that the necessary steps are taken to mitigate the breach and protect the customer's sensitive information.

77. It is best practice to implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. Which of the following is an example of this in a cardholder data environment?

A 3rd party service provider secure application server hosting web applications with anti-virus and firewall implemented

Email server hosting web applications, with anti-virus and firewalls implemented

Payment application server hosting only services necessary configured with the appropriate security paramters

SQL server running multiple compliant versions purposed to run databases

During an audit, the auditor is qualified to interpret the PCI DSS and build a report on compliance. There are exceptions for deviating from the baseline, one must just put the reasoning why and explain it. If justifiable and necessary, reasons for deviating from the baseline is permitted. Though generally speaking, separating database and web servers is pretty much non-negotiable. With all that taken into account, the "SQL server" question would be permissible as a correct answer, given there was a justifiable business function explanation. . -----* However, on the QIR, there will be a question similar to this. The QIR exam should be taken from the viewpoint of being as literal, as possible with the instructions provided in the PCI DSS, Implementation Statement, Implementation Statement Summary, and the application Implementation Guide. Select the answer that shows an instance of total segmentation of a particular server and its primary function.

Explanation

During an audit, the auditor is qualified to interpret the PCI DSS and build a report on compliance. There are exceptions for deviating from the baseline, one must just put the reasoning why and explain it. If justifiable and necessary, reasons for deviating from the baseline is permitted. Though generally speaking, separating database and web servers is pretty much non-negotiable. With all that taken into account, the "SQL server" question would be permissible as a correct answer, given there was a justifiable business function explanation. . -----* However, on the QIR, there will be a question similar to this. The QIR exam should be taken from the viewpoint of being as literal, as possible with the instructions provided in the PCI DSS, Implementation Statement, Implementation Statement Summary, and the application Implementation Guide. Select the answer that shows an instance of total segmentation of a particular server and its primary function.

78. What does PCI DSS cover?

Covers security of environments that store, process, or transmit account data

Covers secure payment applications to support PCI DSS

Covers the physical and logical security requirements for systems and business processes

Covers secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing.

PCI DSS covers the security of environments that store, process, or transmit account data. This means that it ensures the protection of sensitive information related to payment card transactions. It sets requirements for organizations to implement security measures such as network security, access control, and encryption to safeguard cardholder data. By covering the security of these environments, PCI DSS aims to prevent data breaches and protect the confidentiality and integrity of account data.

Explanation

PCI DSS covers the security of environments that store, process, or transmit account data. This means that it ensures the protection of sensitive information related to payment card transactions. It sets requirements for organizations to implement security measures such as network security, access control, and encryption to safeguard cardholder data. By covering the security of these environments, PCI DSS aims to prevent data breaches and protect the confidentiality and integrity of account data.

79. _________: Standards Published, occurs in October of year 1, after the Council's annual Community Meetings and initiates a new lifecycle for the PCI DSS and the PA-DSS. Stakeholders may immediately implement the new standards, but are not required to do so, until they become effective.

Stage 8

Stage 6

Stage 3

Stage 1

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

Explanation

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

80. Will the PCI SSC do nothing, if they receive enough 'Unsatisfactory' QIR feedback ratings about a QIR?

No, the QIR will have their status revoked

No, the PCI SSC will fine the QIR

The PCI SSC will start a PFI investigation

No, the QIR will be placed in remediation

If the PCI SSC receives enough 'Unsatisfactory' QIR feedback ratings about a QIR, they will not do nothing. Instead, they will place the QIR in remediation. This means that the QIR will be required to take corrective actions to address the issues identified in the feedback and improve their performance.

Explanation

If the PCI SSC receives enough 'Unsatisfactory' QIR feedback ratings about a QIR, they will not do nothing. Instead, they will place the QIR in remediation. This means that the QIR will be required to take corrective actions to address the issues identified in the feedback and improve their performance.

81. At what point during the Qualified Installation should you direct the customer to the QIR Feedback Form on the PCI SCC website?

Before a qualified installation

During a qualified installation

After a qualified installation

After the Implementation Statement Summary has been completed

https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_integrators_and_resellers_feedback

Explanation

https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_integrators_and_resellers_feedback

82. At this stage in the PCI DSS and PA-DSS lifecycle, feedback collected from Participating Organizations is evaluated and clarification request about language in standards that may be perceived as confusing, are addressed.

Stage 4

Stage 7

Stage 3

Stage 6

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

Explanation

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

83. Which is true of PA-DSS?

PA-DSS applies to non-payment applications that exist within the payment application system

PA-DSS applies to merchants and service providers who develop payment applications for in-house use only

The PA-DSS does not apply to merchants and service providers who develop payment applications for in-house use only

Use of a PA-DSS compliant application, by itself, makes an entity PCI DSS compliant

PA-DSS Applicability: page 42, QIR eLearning Transcript (Google Drive)

Explanation

PA-DSS Applicability: page 42, QIR eLearning Transcript (Google Drive)

84. Includes required signatures for the customer acceptance and the QIR Employee affirmation of the Qualified Installation.

Implementation Statement Details

QIR Employee Additional Observations

Implementation Statement Summary

PCI DSS QIR Website Listing

The Implementation Statement Summary is the correct answer because it includes all the required signatures for the customer acceptance and the QIR Employee affirmation of the Qualified Installation. This summary is an important document that outlines the key details and observations related to the implementation process. Additionally, it ensures compliance with PCI DSS requirements and allows for the listing of the installation on the QIR website.

Explanation

The Implementation Statement Summary is the correct answer because it includes all the required signatures for the customer acceptance and the QIR Employee affirmation of the Qualified Installation. This summary is an important document that outlines the key details and observations related to the implementation process. Additionally, it ensures compliance with PCI DSS requirements and allows for the listing of the installation on the QIR website.

85. QIR Employees must requalify every ___________.

1 year

2 years

3 years

5 years

QIR Program Guide: 2.3 QIR Required Re-qualification Processes, page 3

Explanation

QIR Program Guide: 2.3 QIR Required Re-qualification Processes, page 3

86. Select the types of Qualified Installations:

New Installation

Guided Installation

Upgrade to an Existing Installation

Customer Assisted Installation

QIR Implementation Instructions Part 1, page 6

Explanation

QIR Implementation Instructions Part 1, page 6

Submit

87. Which is an example of sensitive authentication data?

Encrypted PAN

PIN Block

Unencrypted PAN

Cardholder Name

A PIN block is an example of sensitive authentication data. It is a combination of the cardholder's personal identification number (PIN) and a cryptographic key. The PIN block is used during the authentication process to verify the cardholder's identity. It is encrypted to protect it from unauthorized access and ensure the security of the authentication process.

Explanation

A PIN block is an example of sensitive authentication data. It is a combination of the cardholder's personal identification number (PIN) and a cryptographic key. The PIN block is used during the authentication process to verify the cardholder's identity. It is encrypted to protect it from unauthorized access and ensure the security of the authentication process.

88. Which is an example of cardholder data?

Track 1 Data

Expiration Date

PIN Block

Card Brand

Cardholder data refers to any personally identifiable information that is associated with a payment card. This includes information such as the cardholder's name, card number, and expiration date. In this case, the expiration date is an example of cardholder data as it is directly associated with the payment card and can be used to identify the cardholder.

Explanation

Cardholder data refers to any personally identifiable information that is associated with a payment card. This includes information such as the cardholder's name, card number, and expiration date. In this case, the expiration date is an example of cardholder data as it is directly associated with the payment card and can be used to identify the cardholder.

89. If aspects of the installation were performed by parties other than the QIR Employee, the QIR Employee should provide details in _____________ of the Implementation Statement.

Part 4

Part 3

Part 2

Part 1

QIR Implementation Instructions Part 1 - Confirmation of Implementation Approach, page 6

Explanation

QIR Implementation Instructions Part 1 - Confirmation of Implementation Approach, page 6

90. Records details about the activities performed by the QIR Employee during the Qualified Installation.

QIR Employee Additional Observations

Implementation Statement Summary

PCI DSS QIR Website Listing

Implementation Statement Details

The given correct answer is "Implementation Statement Details". This answer is likely correct because it aligns with the context of the question, which is about recording details of activities performed by a QIR Employee during a Qualified Installation. The other options, such as "QIR Employee Additional Observations" and "Implementation Statement Summary", do not specifically mention recording details of activities and therefore may not be as relevant to the given context.

Explanation

The given correct answer is "Implementation Statement Details". This answer is likely correct because it aligns with the context of the question, which is about recording details of activities performed by a QIR Employee during a Qualified Installation. The other options, such as "QIR Employee Additional Observations" and "Implementation Statement Summary", do not specifically mention recording details of activities and therefore may not be as relevant to the given context.

91. What does ISA stand for?

ISA stands for Internal Security Assessor. An Internal Security Assessor is an individual who is certified by the Payment Card Industry Security Standards Council (PCI SSC) to assess an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS). The ISA is responsible for evaluating the security measures and controls in place within the organization to protect cardholder data. They conduct assessments, provide recommendations for improvement, and ensure that the organization maintains compliance with the PCI DSS. The role of an ISA is crucial in maintaining the security and integrity of cardholder data within an organization.

Explanation

ISA stands for Internal Security Assessor. An Internal Security Assessor is an individual who is certified by the Payment Card Industry Security Standards Council (PCI SSC) to assess an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS). The ISA is responsible for evaluating the security measures and controls in place within the organization to protect cardholder data. They conduct assessments, provide recommendations for improvement, and ensure that the organization maintains compliance with the PCI DSS. The role of an ISA is crucial in maintaining the security and integrity of cardholder data within an organization.

Submit

92. Records details about the customer, the QIR Company, and QIR Employees and the payment application.

Implementation Statement Summary

Implementation Statement Details

QIR Employee Additional Observations

PCI DSS QIR Website Listing

The implementation statement summary is a document that records details about the customer, the QIR Company, and QIR Employees, as well as the payment application. It provides a summary of the implementation process and the steps taken to ensure compliance with PCI DSS requirements. The document may include information such as the scope of the implementation, the roles and responsibilities of the QIR Company and its employees, and any additional observations or notes made during the implementation process. The implementation statement summary is an important record that demonstrates the QIR Company's commitment to maintaining the security of payment card data.

Explanation

The implementation statement summary is a document that records details about the customer, the QIR Company, and QIR Employees, as well as the payment application. It provides a summary of the implementation process and the steps taken to ensure compliance with PCI DSS requirements. The document may include information such as the scope of the implementation, the roles and responsibilities of the QIR Company and its employees, and any additional observations or notes made during the implementation process. The implementation statement summary is an important record that demonstrates the QIR Company's commitment to maintaining the security of payment card data.

93. Stage 2 occurs in October of Year 1, after the Council's annual community meetings and initiates a new llifecycle for PCI DSS and the PA-DSS.

True

False

Stage 1 occurs in October of Year 1, after the Council's annual community meetings and initiates a new llifecycle for PCI DSS and the PA-DSS.

Explanation

Stage 1 occurs in October of Year 1, after the Council's annual community meetings and initiates a new llifecycle for PCI DSS and the PA-DSS.

94. Which of the following is not a responsibility of an ASV?

Performing external vulnerability scans in accordance with PCI DSS Requirement 11.2 and other Council requirements

Maintaining an internal PA-QSA

Scanning all IP ranges and domains provided by scan customer to identify active IP addresses and services

Consulting with the scan customer to determine if IP addresses found should be included

not-available-via-ai

Explanation

not-available-via-ai

95. Who is responsible for validating the scope of a PCI DSS assessment?

QIR

QSA

Merchant

PCI SSC

A Qualified Security Assessor (QSA) is responsible for validating the scope of a PCI DSS assessment. A QSA is an individual or company certified by the Payment Card Industry Security Standards Council (PCI SSC) to assess and validate an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS). They conduct thorough assessments to determine the scope of the assessment, ensuring that all relevant systems and processes are included. Their expertise and certification make them the appropriate entity to validate the scope of a PCI DSS assessment.

Explanation

A Qualified Security Assessor (QSA) is responsible for validating the scope of a PCI DSS assessment. A QSA is an individual or company certified by the Payment Card Industry Security Standards Council (PCI SSC) to assess and validate an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS). They conduct thorough assessments to determine the scope of the assessment, ensuring that all relevant systems and processes are included. Their expertise and certification make them the appropriate entity to validate the scope of a PCI DSS assessment.

96. If the customer requested the application be configured in a way that does not meet PCI DSS requirements, the QIR Employee must advise the customer of such, and provide details in ______ of the Implementation Statement?

Part 1

Part 2

Part 3

Part 4

QIR Implementation Instructions: Part 1, Confirmation of Implementation Approach, page 6

Explanation

QIR Implementation Instructions: Part 1, Confirmation of Implementation Approach, page 6

97. According to PCI DSS Requirement 3, the only cardholder data that may be stored after authorization is PAN (rendered unreadable), expiration date, cardholder name, and service code.

True

False

A formal data retention policy identifies what data needs to be retained, and where that data resides so it can be securely destroyed or deleted as soon as it is no longer needed.
The only cardholder data that may be stored after authorization is the primary account number or PAN (rendered unreadable), expiration date, cardholder name, and service code.
Understanding where cardholder data is located is necessary so it can be properly retained or disposed of when no longer needed. In order to define appropriate retention requirements, an entity first needs to understand their own business needs as well as any legal or regulatory obligations that apply to their industry, and/or that apply to the type of data being retained.Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed.
Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it! ----Payment Card Industry (PCI) Data Security Standard, v3.2 Page 37
© 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. April 2016

Explanation

A formal data retention policy identifies what data needs to be retained, and where that data resides so it can be securely destroyed or deleted as soon as it is no longer needed.
The only cardholder data that may be stored after authorization is the primary account number or PAN (rendered unreadable), expiration date, cardholder name, and service code.
Understanding where cardholder data is located is necessary so it can be properly retained or disposed of when no longer needed. In order to define appropriate retention requirements, an entity first needs to understand their own business needs as well as any legal or regulatory obligations that apply to their industry, and/or that apply to the type of data being retained.Identifying and deleting stored data that has exceeded its specified retention period prevents unnecessary retention of data that is no longer needed. This process may be automated or manual or a combination of both. For example, a programmatic procedure (automatic or manual) to locate and remove data and/or a manual review of data storage areas could be performed.
Implementing secure deletion methods ensure that the data cannot be retrieved when it is no longer needed. Remember, if you don't need it, don't store it! ----Payment Card Industry (PCI) Data Security Standard, v3.2 Page 37
© 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. April 2016

98. What is the 2nd step in the payment processing workflow?

Clearing

Authorization

Settlement

Authentication

The 2nd step in the payment processing workflow is Clearing. Clearing refers to the process of transmitting and reconciling payment information between the acquiring bank (merchant's bank) and the issuing bank (customer's bank). During this step, the payment details are verified and the funds are transferred from the customer's account to the merchant's account.

Explanation

The 2nd step in the payment processing workflow is Clearing. Clearing refers to the process of transmitting and reconciling payment information between the acquiring bank (merchant's bank) and the issuing bank (customer's bank). During this step, the payment details are verified and the funds are transferred from the customer's account to the merchant's account.

99. In what stage of the PCI DSS and PA-DSS lifecycle, is feedback given from stakeholders on the new standards?

Stage 3

Stage 7

Stage 4

Stage 2

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

Explanation

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

100. What is the definition of cardholder data?

Security-related information used to authenticate cardholders and/or authorize payment card transactions

At a minimum, cardholder data consists of the full PAN. Cardholder data may
also appear in the form of the full PAN plus any of the following: cardholder
name, expiration date and/or service code
See Sensitive Authentication Data for additional data elements that may be
transmitted or processed (but not stored) as part of a payment transaction. ---- PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms January 2014
© 2006-2013 PCI Security Standards Council, LLC. All Rights Reserved Page 3

Explanation

At a minimum, cardholder data consists of the full PAN. Cardholder data may
also appear in the form of the full PAN plus any of the following: cardholder
name, expiration date and/or service code
See Sensitive Authentication Data for additional data elements that may be
transmitted or processed (but not stored) as part of a payment transaction. ---- PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms January 2014
© 2006-2013 PCI Security Standards Council, LLC. All Rights Reserved Page 3

101. If the customer connects from one secure system on the network to another, they should be made aware that

Credentials must be transmitted, encrypted with strong cryptographic keys

Credentials must be transmitted, encrypted with strong cryptographic keys, in addition to two-factor authentication

Credentials do not have to be transmitted, encrypted with strong cryptographic keys, as long as two-factor authentication is being used

Credentials do not have to be individual specific

When a customer connects from one secure system on the network to another, they should be made aware that their credentials must be transmitted and encrypted with strong cryptographic keys. This is important to ensure the security and confidentiality of the transmitted information. Encryption with strong cryptographic keys adds an extra layer of protection to prevent unauthorized access or interception of the credentials during transmission.

Explanation

When a customer connects from one secure system on the network to another, they should be made aware that their credentials must be transmitted and encrypted with strong cryptographic keys. This is important to ensure the security and confidentiality of the transmitted information. Encryption with strong cryptographic keys adds an extra layer of protection to prevent unauthorized access or interception of the credentials during transmission.

102. _________: Market Implementation occurs through Year 1, and entails assessing changes to the new standard and determining their applicability to a stakeholder's cardholder data environment. It is a period that provides for an orderly, phased implementation of any required changes.

Stage 1

Stage 2

Stage 3

Stage 4

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

Explanation

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

103. The QIR Employee must confirm that the application being installed is configured in a manner that prevents any SAD from being retained once authorization of a transaction has been completed. Select the options for which this can be achieved:

SAD can be stored post-authorization, if encrypted

If the application does have an option that permits SAD to be stored post-authorization, all such options are disabled

The customer is solely responsible for disabling options in the application permitting the storage of SAD post-authorization

Requirement 3.2: Sensitive authentication data (SAD) consists of full track data, card validation code or value, and PIN data. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions.
Payment Card Industry (PCI) Data Security Standard, v3.2 Page 37
© 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. April 2016

Explanation

Requirement 3.2: Sensitive authentication data (SAD) consists of full track data, card validation code or value, and PIN data. Storage of sensitive authentication data after authorization is prohibited! This data is very valuable to malicious individuals as it allows them to generate counterfeit payment cards and create fraudulent transactions.
Payment Card Industry (PCI) Data Security Standard, v3.2 Page 37
© 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved. April 2016

Submit

104. Any non-console administrative access to systems in the CDE, including the payment application or its underlying systems must be encrypted and ________________.

Secured using vendor-supplied defaults

Secured using strong cryptography and 2-factor authentication

Accessed via telnet or rlogin

Secured using strong cryptography

Explanation

105. On December 31st, every _______ in the PCI DSS lifecycle, the old PCI DSS and PA-DSS standards are retired. After this date, all validation efforts for compliance must follow the new standards.

5 years

4 years

3 years

2 years

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

Explanation

https://www.pcisecuritystandards.org/pdfs/pci_lifecycle_for_changes_to_dss_and_padss.pdf

106. PCI PTS - HSM covers device tamper detection, cryptographic processes, and other mechanisms used to protect the PIN and other sensitive data, such as cryptographic keys.

True

False

False - PCI PTS - POI covers device tamper detection, cryptographic processes, and other mechanisms used to protect the PIN and other sensitive data, such as cryptographic keys. The PTS - HSM standard covers the design of hardware security modules and for securely protecting those devices until they are deployed.

Explanation

False - PCI PTS - POI covers device tamper detection, cryptographic processes, and other mechanisms used to protect the PIN and other sensitive data, such as cryptographic keys. The PTS - HSM standard covers the design of hardware security modules and for securely protecting those devices until they are deployed.

107. The ___________________ is an independent industry standards body providing oversight of the development and management of Payment Card Industry Data Security Standards on a global basis.

The correct answer is PCI SSC, or Payment Card Industry Security Standards Council. This organization is responsible for overseeing the development and management of Payment Card Industry Data Security Standards (PCI DSS) globally. They ensure that businesses that handle cardholder data maintain a secure environment and comply with industry standards to prevent data breaches and protect sensitive information.

Explanation

The correct answer is PCI SSC, or Payment Card Industry Security Standards Council. This organization is responsible for overseeing the development and management of Payment Card Industry Data Security Standards (PCI DSS) globally. They ensure that businesses that handle cardholder data maintain a secure environment and comply with industry standards to prevent data breaches and protect sensitive information.

Submit

108. Which is true of utilizing remote access to install or provide ongoing support for a payment application (select all that apply)?

Remote management software access should be active, at all times to ensure for easy access for support purposes

Use remote management software only when absolutely necessary

The QIR must request access to remotely access the system, prior to each remote logon

Use remote management software should be used in a secure manner

Remote management software should include two-factor authentication

Site access should be restricted and authentication credentials assigned to only those personnel who need access

Data transmission should always be encrypted

Remote Access is only activated when needed and deactivated or suspended immediately after use

QIR Program Guide: 5.2.1, page 7

Explanation

QIR Program Guide: 5.2.1, page 7

Submit

Qir Practice Exam 1

1. The Implementation Guide and Implementation Statement are to be used together on each Qualified Installation.

2.

What first name or nickname would you like us to use?

2. Account Data includes cardholder data and/or sensitive authentication data.

3. Many PA-DSS requirements are derived from PCI DSS Requirements and Security Assessment (PCI DSS).

4. The Payment Card Industry Data Security Standard (PCI DSS) is managed by the __________?

5. For wireless environments connected to the cardholder data environment or transmitting cardholder data, ALL wireless vendor defaults should be changed prior to installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

6. Track data, also referred to as "full track data" or "magnetic-stripe data," is data encoded in the magnetic stripe or chip used for authentication and/or authorization during payment transactions.

7. PCI DSS sets the foundation for other PCI Standards and related requirements.

8. QIR Implementation Statement is a template used to document the results of a Qualified Installation.

9. The Payment Card Industry (PCI) Qualified Integrators and Resellers (QIR) Program Guide (or "QIR Program Guide") should be used in conjunction with the latest versions of the PCI SSC publications, each as available through the PCI SSC Website.

12. The QIR Company must review, at least annually, updates to the applicable PA-DSS Implementation Guide and supporting documentation to remain current with all major and minor software changes, and QIR Company training materials must be updated to reflect all major and minor software changes.

13. The status of a QIR Company or QIR Employee is initially Good Standing but may change based on quality concerns, feedback, administrative issues, or other factors.

14. PCI DSS requirements are applicable wherever primary account number (PAN) or sensitive authentication data (SAD) is stored, processed, or transmitted.

15. Account data includes all of the information printed on the physical card as well as the data on the magnetic stripe or chip.

16. Sensitive authentication data is not stored post-authorization.

17. By signing the Implementation Statement, the customer acknowledges the following (select all that apply):

18. A QIR must ensure that all QIR personnel with access to any customer locations have ______________________________.

19. You are the lead QIR performing an upgrade for a customer site. You notice that the personal firewall software/anti-virus on the payment application server and back office reporting PC are not enabled. What do you do?

20. The goal of the QIR Program is to educate, qualify and train organizations involved in the implementation, configuration and/or support of a PA-DSS validated payment application on behalf of a merchant or service provider.

21. The Implementation Statement Summary is used to provide confirmation and acceptance of the Qualified Installation, along with Customer, QIR Company and Payment Application details. The following information must be included in the QIR Implementation Statement:

22. If the QIR company does not maintain at least one QIR Employee, the QIR Company will be removed from the QIR List and become ineligible to perform new Qualified Installations until the minimum requirements are satisfied.

23. The QIR program aims to assure quality and provide effective feedback among QIRs, their customers, and the PCI SSC.

24. PA-DSS requirements apply to application vendors, to develop and maintain secure payment applications.

25. A QIR Company may only sell validated application versions.

26. PA-DSS defines the specific technical requirements and provides related assessment procedures and templates used to validate payment applications and document the validation process.

27. What are the Implementation Statement sections (select all that apply)?

28. In accordance with the PCI DSS Requirement 2.1, the QIR ensures that all vendor-supplied defaults are changed and unnecessary default accounts are removed or disabled, before completing a qualified installation.

29. There does not have to be a firewall on every Internet connection coming into (and out of) the network, and between any DMZ and the internal network.

30. Firewalls should be installed between the CDE and all wireless access points.

31. QIR Qualification Requirements define requirements that must be satisfied by QIR Companies, in order to perform Qualified Installations.

32. Prior to the Qualified Installation, the customer should be provided with the following (select all that apply):

33. Name the two types of validated Payment Applications:

34. If there are a number of QIR Employees leading Qualified Installations, each Lead QIR must produce his or her own Implementation Statement(s) for the installations he or she was responsible for.

35. The Lead QIR Employee is required to sign the _______________ affirming the findings surrounding the qualified installation documented therein.

36. It is best practice to require passwords have a minimum length requirement of at least 7 characters, contain both numeric and alphabetic characters and to be changed at least once every 90 days

37. QIR Implementation Instructions is a guidance document used to explain how to complete the QIR Implementation Statement.

38. Core responsibilities as a QIR include (select all that apply):

39. PCI DSS requirements do not apply to systems that provide security services or could impact the security of account data.

41. Records observations or details that the customer should be aware of.

42. The QIR Company must at all times employee at least ___ QIR Employee(s)

43. Which of the following is an example of a secure network protocol?

44. There is a difference between cardholder data and sensitive authentication data.

45. A trusted network is the network of an organization that is within the organization's ability to control or manage.

46. Who is responsible for a Merchant's PCI Compliance?

47. PAN should be rendered unreadable anywhere it's stored.

48. Which is an example of two factor authentication?

49. Includes items identified in the Details section that require explanation.

50. How often does each validated payment application undergo attestation, until the Expiry Date is reached?

51. When an engagement ends, the QIR Company must perform clean-up tasks that include, but are not limited to:

52. Which of the following is not true of acquirers?

53. When reviewing the Implementation Statement Summary with the client, the lead QIR makes sure they understand that system passwords should be changed every ________.

54. Organizations qualified by the PCI SSC to implement, configure and/or support PA-DSS validated Payment Applications on behalf of merchants and service providers are referred to as _______ companies.

55. The QIR Employee should have confidence that the customer understands that any remote access to their network must be implemented in a secure manner, such as (select all that apply):

56. PCI DSS Requirement 10 focuses on ____________, and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise.

57. In preparation for a Qualified Installation, the Lead QIR employee, should be prepared to answer any questions the customer may have, or know where to refer the customer, regarding the payment application listing information on the Website, such as:

58. PCI PTS PIN Security covers secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing.

59. Where should a firewall be implemented on a network that facilitates the flow of cardholder data?

60. Where a Qualified Installation involves multiple locations, the QIR Employee may choose to prepare a number of Implementation Statements that together represent all locations.

61. What is the standard for vetting off-the-shelf payment applications used in authorization and settlement?

62. Which of the following should the lead QIR do for the customer, as part of the Qualified Installation include (select all the apply):

63. Compliance validation requirements vary by payment brand.

64. What date and year, in the PCI DSS and PA-DSS lifecycle, do the new PCI DSS standards become effective?

65. Changes to the PCI DSS and PA DSS, follow a _______ lifecycle, to ensure a gradual, phased introduction of new versions of the standard, in order to prevent organizations from becoming non-compliant when changes are published.

66. Where should payment application logs be stored?

67. The QIR Program focuses on two core objectives (select all that apply):

68. The PCI SSC Listing Number, Payment Application Vendor, Payment Application Name, and Application Version Number are found in what part of the Implementation Statement?

69. What is P2PE?

70. What is the last step in the payment processing workflow?

71. Select the PCI SSC stakeholders, who give input for proposed changes to the PCI DSS:

72. If the QIR provides services to the customer that could potentially result in the collection of cardholder data and/or SAD, it should only be collected

73. What is PCI PA-DSS?

74. What takes place in the Authorization portion of the payment processing workflow?

75. Sensitive authentication data can be stored after authorization, if encrypted.

76. If the QIR Company suspects one of their customer's has been breached, who should they notify?

77. It is best practice to implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. Which of the following is an example of this in a cardholder data environment?

78. What does PCI DSS cover?

79. _________: Standards Published, occurs in October of year 1, after the Council's annual Community Meetings and initiates a new lifecycle for the PCI DSS and the PA-DSS. Stakeholders may immediately implement the new standards, but are not required to do so, until they become effective.

80. Will the PCI SSC do nothing, if they receive enough 'Unsatisfactory' QIR feedback ratings about a QIR?