This type of business is considered a "merchant" under PCI DSS.
What is a business that accepts, processes, or stores payment card information?
Toys R Us accepts credit cards for payments, so it needs to comply with PCI DSS standards as a __________
What is a Merchant?
April 1, 2024 (phase 1) and April 1, 2025 (all)
When does PCI DSS v4 go into effect?
This acronym stands for Payment Card Industry Data Security Standard.
What is PCI DSS?
This type of assessment is performed by an external entity to validate a merchant's compliance with PCI DSS.
What is a PCI DSS Compliance Audit?
This level of PCI compliance is required for merchants that process over 6 million card transactions annually.
What is Level 1 compliance?
Merchants are advised to regularly train their staff in recognizing and responding to potential security threats. This practice is often referred to as _____
What is Security Awareness Training?
Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals.
What is Requirement 4?
This is the unique number on credit and debit cards that identifies the cardholder account.
What is the PAN (Primary Account Number)?
This organization oversees the development and enforcement of PCI security standards.
What is the PCI Security Standards Council?
MasterCard, American Express, Visa, JCB International and Discover.
What are the major credit card companies that came together to form the PCI Council?
For PCI DSS purposes, a ______ that focuses on a specific PCI DSS requirement(s) of interest, either because the requirement allows flexibility (for example, as to frequency) or, for the Customized Approach, to explain how the entity assessed the ___ and determined the customized control meets the objective of a PCI DSS requirement.
What is a Targeted Risk Analysis?
Process of verifying the identity of an individual, device, or process. _________ typically occurs through the use of one or more _________ factors such as: something you know, such as a password or passphrase; something you have, such as a token device or smart card; something you are, such as a biometric.
What is Authentication?
User authentication using more than one thing (something you have, something you know, something you are)
What is MFA (Multi Factor Authentication)?
This practice involves regularly updating and patching software and systems to protect against known vulnerabilities.
What is Patch Management?
These two terms refer to methods of reducing the amount of cardholder data a merchant stores, thereby minimizing risk.
What are Truncation, One-way Hashing, or Tokenization?
Cryptography is a method to protect data through a reversible encryption process, and is a foundational primitive used in many security protocols and services. __________ is based on industry-tested and accepted algorithms along with key lengths that provide a minimum of 112 bits of effective key strength and proper key-management practices.
What is Strong Cryptography?
This would be used to meet specific PCI controls using new technologies and processes (e.g., zero trust).
What is the Customized Approach?
This encryption protocol is used to secure transactions over the internet and is a critical part of PCI compliance.
What is TLS (Transport Layer Security)?
PCI DSS requires that merchants maintain several different policies and standards. These documents include _________.
Any one is acceptable
What is the Information Security policy, Access Management policy, Vulnerability Management policy and process, Data Retention standard, Change Management, Vendor Management standard, etc.
Card Verification Code (CVV/CV2), Full Track, PIN Block.
What credit card elements can never be stored after authentication?
In the context of authentication and access control, a ____ is a value provided by hardware or software that works with an authentication server or VPN to perform dynamic or multi-factor authentication.
What is a Token?
Requirements RACI, Targeted Risk Analysis, Script Inventories, Semi-Annual Scope Review, HW and SW Inventories, System and App Account Management, and Certificate Inventory.
What are some of the new requirements and reporting elements in PCI DSS v4?
Credit Card Account Data is divided into two elements, SAD & CHD. The _____ can never be stored after authorization.
What is SAD (Sensitive Authentication Data)?
This approach may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other _____.
What are Compensating Controls?