PCI Compliance Training Test!

Explanation
PCI DSS was developed by the five major payment card brands (American Express, Discover, JCB, MasterCard and Visa) which founded the Payment Card Industry Security Standards Council (PCI SSC) in 2006. The mission of the PCI SSC is to develop, manage, educate and create awareness of the PCI Security Standards.

Explanation
According to a 2007 Forrester Research report, the financial services, healthcare, insurance and higher education industries have the highest percentages of businesses that store credit card data. The survey of 677 European and US-based organizations found that ninety-four percent of Level 1 merchants retained credit card numbers, compared to eighty percent of of Level 2 merchant respondents.

Explanation
The PCI DSS compliance level a merchant falls under depends on the number of transactions they process per year and whether those transactions are performed from a brick and mortar location or over the Internet.

Explanation
Sensitive authentication data must not be stored after authorization, even if it is encrypted.

Explanation
All software vendors must meet PA-DSS requirements for their merchants to comply with the mandated Payment Card Industry Data Security Standard (PCI DSS). As of October 1, 2008, acquiring financial institutions cannot approve merchants for processing that are using non-PA-DSS compliant software.

Explanation
Software applications that allow users to directly enter cardholder data are considered payment applications by the PCI SCC and are in scope of the Payment Application Data Security Standard (PA-DSS). The PA-DSS applies to software vendors and others who develop payment applications that store, process or transmit cardholder data as part of authorization and settlement, where these payment applications are sold, distributed, or licensed to third parties.

Explanation
According to industry analyst Gartner Group, 75 percent of successful attacks occur through an application, rather than through a network or operating system.

Explanation
Visa developed the Payment Application Best Practices (PABP) before the PA-DSS. However, we realize this might seem like a trick question, since this is the first security standard created by PCI DSS that is directed towards software vendors. So if you answered true we'll bend the rules a bit and say you're correct as well!

Explanation
Software vendors also have the option of using a PCI compliant hosting service to go out of scope for PA-DSS. By shifting the responsibility of storing, processing and transmitting sensitive cardholder data to a hosting company, it is no longer necessary for the software application to become PA-DSS validated.

Explanation
Cardholder data breaches can and have occurred from merchants that are PCI DSS compliant. In 2008, Hanniford Bros. supermarket chain suffered a breach in which 4.2 million card numbers were stolen despite the fact that the grocer was PCI DSS compliant. Merchants can better protect themselves by instituting POS solutions that exceed PCI DSS requirements such as offsite data storage and encrypting card readers.