This type of business is considered a "merchant" under PCI DSS.
What is a business that accepts, processes, or stores payment card information?
Grubhub accepts credit cards for payments, so it needs to comply with PCI DSS standards as a __________
What is a Merchant?
April 1, 2024 (phase 1) and April 1, 2025 (all)
When does PCI DSS v4 go into effect?
This acronym stands for Payment Card Industry Data Security Standard.
What is PCI DSS?
This type of assessment is performed by an external entity to validate a merchant's compliance with PCI DSS.
What is a PCI DSS Compliance Audit?
This level of PCI compliance is required for merchants that process over 6 million card transactions annually.
What is Level 1 compliance?
Merchants are advised to regularly train their staff in recognizing and responding to potential security threats. This practice is often referred to as _____
What is Security Awareness Training?
Grubhub Executive Leadership
Who is ultimately accountable for maintaining PCI compliance?
This is the unique number on credit and debit cards that identifies the cardholder account.
What is the PAN (Primary Account Number)?
This organization oversees the development and enforcement of PCI security standards.
What is the PCI Security Standards Council?
MasterCard, American Express, Visa, JCB International and Discover.
What are the major credit card companies that came together to form the PCI council?
For PCI DSS purposes, a ______ that focuses on a specific PCI DSS requirement(s) of interest, either because the requirement allows flexibility (for example, as to frequency) or, for the Customized Approach, to explain how the entity assessed the ___ and determined the customized control meets the objective of a PCI DSS requirement.
What is a Targeted Risk Analysis?
The new requirement mandating that all internal vulnerability scanning be performed using authenticated scanning _______ impact Grubhub.
What is will not? GH already does this.
User authentication using more than one thing (something you have, something you know, something you are)
What is MFA (Multi-Factor Authentication)?
This practice involves regularly updating and patching software and systems to protect against known vulnerabilities.
What is Patch Management?
These two terms refer to methods of reducing the amount of cardholder data a merchant stores, thereby minimizing risk.
What are Truncation, One-way Hashing, or Tokenization?
Cryptography is a method to protect data through a reversible encryption process, and is a foundational primitive used in many security protocols and services. __________ is based on industry-tested and accepted algorithms along with key lengths that provide a minimum of 112 bits of effective key strength and proper key-management practices.
What is Strong Cryptography?
This would be used to meet specific PCI controls using new technologies and processes (e.g., zero trust).
What is the Customized Approach?
This encryption protocol is used to secure transactions over the internet and is a critical part of PCI compliance.
What is TLS (Transport Layer Security)?
PCI DSS requires that merchants maintain several different policies and standards. These documents include _________.
Any one is acceptable
What is the Information Security policy, Access Management policy, Vulnerability Management policy and process, Data Retention standard, Change Management, Vendor Management standard, etc.
Card Verification Code (CVV/CV2), Full Track, PIN Block.
What credit card elements can never be stored after authentication?
In the context of authentication and access control, a ____ is a value provided by hardware or software that works with an authentication server or VPN to perform dynamic or multi-factor authentication.
What is a Token?
Requirements RACI, Targeted Risk Analysis, Script Inventories, Semi-Annual Scope Review, HW and SW Inventories, System and App Account Management, and Certificate Inventory.
What are some of the new requirements and reporting elements in PCI DSS v4?
Credit Card Account Data is divided into two elements, SAD & CHD. The _____ can never be stored after authorization.
What is SAD (Sensitive Authentication Data)?
This Grubhub microservice is responsible for generating and storing tokens that reference a user's vaulted credit card with several payment processors.
What is Tokenizer?