PCI Compliance Test! Trivia Quiz

By Ajbsoftware, Community Contributor | Questions: 10


Below is a PCI compliance test. When you pay a bill with a credit or debit card, you expect your card data to be used only for the transaction you authorised and to be protected afterwards. This quiz covers some of the main rules that PCI DSS and, in particular, the Payment Application Data Security Standard (PA-DSS) place on payment applications and on the vendors that sell them.


Questions and Answers
  • 1. 

    A commercial payment product has been PA-DSS 1.2.1 validated by a PA-QSA and is listed on the PCI Security Standards Council website as a validated payment application. As a result, the product is guaranteed to be PCI DSS compliant when deployed in the merchant's environment.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    Payment application vendors can only state in their engagement contracts that the product is PA-DSS validated when it is installed according to the vendor's implementation guide in the customer's cardholder data environment (CDE). A vendor cannot guarantee that a merchant using its product will be PCI DSS compliant: the merchant's Report on Compliance (RoC) covers the whole CDE, including networks, systems and processes the vendor does not control, and a 'pass' is the judgement of the merchant's QSA.


  • 2. 

    Track data cannot be stored in a payment application after authorization.

    • A.

      True

    • B.

      False

    Correct Answer
    A. True
    Explanation
    Do not store sensitive authentication data after authorization, even if it is encrypted. Sensitive authentication data consists of full magnetic stripe (track) data, the card validation code or value (CVV2/CVC2/CID) and PIN data. Storing it after authorization is prohibited because it is exactly what a fraudster needs to produce counterfeit cards and create fraudulent transactions. Check debug logs, trace files and crash dumps as well as databases: PA-DSS treats data captured there for troubleshooting as storage too, and it must be securely deleted.

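The check a practitioner actually runs against this requirement is a scan of logs and data stores for sensitive authentication data that survived authorization. The Python below is an added example written for this page, not code from the quiz or from any vendor's product: it recognises ISO 7813 track 1 and track 2 layouts, labelled card-verification values and bare Luhn-valid card numbers, and reports each hit with the PAN truncated to first six and last four so the scanner's own output does not become a new store of cardholder data. The log lines are constructed for the example and use publicly documented test card numbers.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 2 (ISO 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1 format B: '%B' PAN '^' name '^' YYMM service-code discretionary-data '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# Card verification value in a labelled field (CVV2 / CVC2 / CID)
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\b\s*[:=]\s*(\d{3,4})\b", re.IGNORECASE)
# Bare 13-19 digit runs, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


@dataclass
class Finding:
    line_no: int
    kind: str        # "track1", "track2", "pan" or "cvv"
    pan: str         # truncated PAN (first six, last four), or "" for a CVV hit


def luhn_valid(digits: str) -> bool:
    """Luhn check: filters out order ids, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation as PCI DSS allows it: at most the first six and last four digits remain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line_no: int, line: str) -> List[Finding]:
    findings: List[Finding] = []
    covered = []                       # spans already reported as track data
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            covered.append(m.span())
            findings.append(Finding(line_no, kind, truncate_pan(m.group(1))))
    for m in PAN_RE.finditer(line):
        if any(start <= m.start() < end for start, end in covered):
            continue                   # PAN sits inside a track hit, already reported
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding(line_no, "pan", truncate_pan(digits)))
    for _ in CVV_RE.finditer(line):
        findings.append(Finding(line_no, "cvv", ""))
    return findings


def scan_log(lines) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        findings.extend(scan_line(n, line))
    return findings


# Constructed sample log lines (publicly documented test card numbers, fictional order id).
SAMPLE_LOG = [
    "2024-03-01T12:00:01Z INFO auth ok order_id=1234567890123456 amount=19.99",
    "2024-03-01T12:00:02Z DEBUG pinpad raw=%B5555555555554444^DOE/JANE^25121011234567890?",
    "2024-03-01T12:00:03Z DEBUG swipe track2=;4111111111111111=2512101123456789?",
    "2024-03-01T12:00:04Z DEBUG keyed-entry pan=4111 1111 1111 1111 exp=2512 cvv=123",
    "2024-03-01T12:00:05Z INFO stored pan=411111******1111 token=tok_9f3a",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.pan}")
```

Only lines 2, 3 and 4 are reported: the order id on line 1 is a 16-digit run that fails Luhn, and line 5 shows what a compliant record looks like, a truncated PAN beside a token. The two DEBUG lines with raw swipe data are the typical real-world finding; a PA-DSS application must not write them even when encryption of the database is in place.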

  • 3. 

    A customer is using an operating system (OS) that is no longer supported by the OS vendor. However, the payment vendor can PA-DSS validate its payment product on the unsupported OS using compensating controls, which is allowed under the rules of PA-DSS.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    If an OS is no longer supported by its vendor, an application cannot be PA-DSS validated against it, because the platform no longer receives security patches. PA-DSS does not allow compensating controls at all; they exist only in PCI DSS, where each one must be documented and accepted by the merchant's QSA.


  • 4. 

    It is acceptable to store the PAN in clear text as long as it is purged after authorization.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    Render the PAN unreadable anywhere it is stored (including on portable digital media, backup media and in logs) by using any of the following approaches:
    • One-way hashes based on strong cryptography (the hash must be of the entire PAN)
    • Truncation (hashing cannot be used to replace the truncated segment of the PAN)
    • Index tokens and pads (pads must be securely stored)
    • Strong cryptography with associated key-management processes and procedures
    "Purged after authorization" does not change the answer: while the PAN sits in clear text, even briefly, it is stored and in scope. Also, a hash and a truncated copy of the same PAN must not be kept where they can be correlated, since the few digits the truncation hides can then be brute-forced against the hash.


  • 5. 

    Strong passwords are used to mitigate brute-force attacks. Typically a strong password is at least 7 characters long and contains letters (upper and lower case), numbers and special characters.

    • A.

      True

    • B.

      False

    Correct Answer
    A. True
    Explanation
    PCI DSS requires a minimum password length of at least seven characters, containing both numeric and alphabetic characters (Requirements 8.5.10 and 8.5.11 in PCI DSS 2.0; PCI DSS 4.0 raises the minimum to 12 characters where the system supports it). Length alone does not bound an online guessing attack; the lock-out after no more than six failed attempts (Requirement 8.5.13) is what actually limits brute force against a live login.


  • 6. 

    Encryption key management is an optional PA-DSS requirement, used only if the customer requests encryption requirements beyond PCI.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    The payment application must implement key-management processes and procedures for the cryptographic keys used to encrypt cardholder data (PA-DSS 2.0 Requirement 2.5): secure key generation and distribution, secure storage (for example under a key-encrypting key or in an HSM), periodic rotation, retirement of expired or compromised keys, and split knowledge and dual control for any manual clear-text key operation. These are mandatory requirements of the standard, not options the customer switches on.

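Rendering the PAN unreadable (question 4) and managing the keys involved (question 6) are easier to reason about with working code. The Python below is an added example written for this page, not part of the quiz or of any standard or product. It shows truncation, an unkeyed SHA-256 of the whole PAN, and a keyed HMAC-SHA256 tagged with a key identifier so keys can be rotated; the in-memory KEYS dictionary and the rotate_key helper stand in for a real key store and are assumptions. It also shows why the unkeyed hash is dangerous next to a truncated copy of the same PAN: with the first six and last four digits known, the hidden digits are brute-forced in under a second on a laptop, and the Luhn check even removes one digit from the search. The card numbers are publicly documented test numbers.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum; the digits form a valid PAN when the result is 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation as PCI DSS allows it: at most the first six and last four digits remain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """SHA-256 of the entire PAN with no secret: the input space is tiny, so it is guessable."""
    return hashlib.sha256(pan.encode()).hexdigest()


# Hypothetical key store (an assumption for this example): key id -> secret.
# In production the secret lives in an HSM or key-management service, never beside the data.
KEYS: Dict[str, bytes] = {"k1": secrets.token_bytes(32)}
CURRENT_KEY_ID = "k1"


def rotate_key(new_id: str) -> None:
    """Key rotation: a new secret becomes current; old keys stay so old values still verify."""
    global CURRENT_KEY_ID
    KEYS[new_id] = secrets.token_bytes(32)
    CURRENT_KEY_ID = new_id


def keyed_hash(pan: str, key_id: Optional[str] = None) -> str:
    """HMAC-SHA256 over the entire PAN, prefixed with the key id used, so rotation is possible."""
    key_id = key_id or CURRENT_KEY_ID
    mac = hmac.new(KEYS[key_id], pan.encode(), hashlib.sha256).hexdigest()
    return f"{key_id}:{mac}"


def keyed_hash_matches(pan: str, stored: str) -> bool:
    """Look up a PAN by recomputing the HMAC under the key id recorded with the stored value."""
    key_id, _ = stored.split(":", 1)
    return hmac.compare_digest(keyed_hash(pan, key_id), stored)


def recover_pan(truncated: str, digest: str) -> Optional[str]:
    """Attacker's view: given 'first6****last4' and an unkeyed SHA-256 of the same PAN,
    enumerate the hidden digits. Luhn determines one of them from the others, so a
    16-digit PAN costs at most 10**5 hashes instead of 10**6."""
    first6, last4 = truncated[:6], truncated[-4:]
    free = len(truncated) - 10 - 1                 # hidden digits minus the one Luhn fixes
    fix_pos = 6 + free                             # left-hand index of the fixed digit
    doubled = (len(truncated) - 1 - fix_pos) % 2 == 1
    for n in range(10 ** free):
        middle = f"{n:0{free}d}"
        need = (-luhn_sum(first6 + middle + "0" + last4)) % 10   # contribution still required
        # the Luhn doubling map is a bijection on 0..9; invert it if the fixed digit is doubled
        digit = need if not doubled else (need // 2 if need % 2 == 0 else (need + 9) // 2)
        candidate = first6 + middle + str(digit) + last4
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "5555555555554444"                      # publicly documented test card number
    print(truncate_pan(pan), keyed_hash(pan))
    print("recovered from truncation + unkeyed hash:", recover_pan(truncate_pan(pan), unkeyed_hash(pan)))
```

The recovery works only because the hash takes no secret; with the HMAC an attacker needs the key as well, and the truncated value tells them nothing useful. That is the link between questions 4 and 6: the hash or cipher is only as strong as the key management around it, so the key belongs in an HSM or key-management service with rotation, retirement and split knowledge as PA-DSS requires, and the truncated and unkeyed-hashed forms of one PAN must never be stored where they can be joined.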

  • 7. 

    Starting January 1, 2012, merchants will have to validate their CDE against PCI DSS 2.0. As a result, payment software validated against PA-DSS 1.2.1 will no longer be valid after December 31, 2011.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    Payment software validated to PA-DSS 1.2.1 can still be used as long as its listing has not expired and no changes affecting PCI requirements have been made to the application covered by the Report on Validation (RoV). For example, software PA-DSS validated on December 1, 2009 remains valid until December 1, 2012, provided the validated software has not changed from a PCI-requirements point of view.


  • 8. 

    If a payment product is deployed in the customer's CDE in such a way that it never stores, processes or transmits payment card data, PA-DSS is not in scope. Examples include products that only process loyalty cards.

    • A.

      True

    • B.

      False

    Correct Answer
    A. True
    Explanation
    PA-DSS applies only to applications that store, process or transmit cardholder data (the PAN, alone or together with cardholder name, expiry date and service code) or sensitive authentication data such as track data. A loyalty-card number that is not a payment card PAN is outside PCI scope. Before relying on that, confirm the product cannot be configured or misused to take a payment card through the same input path, for example a swipe reader that accepts any card presented to it.


  • 9. 

    A PA-DSS policy exception should be used to document a security breach in which card data is stolen.

    • A.

      True

    • B.

      False

    Correct Answer
    B. False
    Explanation
    A payment vendor's PA-DSS policy exception is used when a customer cannot meet a PA-DSS requirement because of a business, operational or technical constraint, for example disabling PAN encryption at the PIN pad to troubleshoot transactions. The exception tells the customer that the risk of a card-data breach is increased; it does not record that a breach has occurred. An actual breach is handled through the incident-response plan and the acquirer's and card brands' notification procedures, not through an exception.


  • 10. 

    A PCI pre-engagement checklist is used to determine whether a payment vendor's PA-DSS validated application can meet the PCI DSS requirements of a merchant customer, for example by confirming that the customer runs an OS the vendor's payment application was PA-DSS validated against.

    • A.

      True

    • B.

      False

    Correct Answer
    A. True
    Explanation
    The checklist confirms that the planned deployment matches the configuration that was validated: operating system and version, application version, and the settings in the vendor's PA-DSS Implementation Guide. The main purpose of PA-DSS validation from a customer's point of view is the shift in responsibility: when the application is installed correctly in the customer's CDE as described in the vendor's implementation guide, and a forensic investigation after a breach shows that the payment application itself was at fault, responsibility moves from the merchant's PCI DSS compliance to the vendor's PA-DSS validation. That shift holds only for the validated configuration, which is why the checklist is completed before the engagement starts.

