Who does PCI DSS apply to?
All entities that store, process and/or transmit cardholder data.
Why does Grubhub have to comply with PCI DSS standards?
Grubhub accepts credit card payments
When does PCI DSS v4 go into effect?
April 1, 2024 (phase 1) and April 1, 2025 (all)
What does PCI DSS stand for?
Payment Card Industry Data Security Standard
True or False:
Your Security Awareness training is a requirement for PCI compliance
TRUE
How many PCI requirements are there?
12 major requirements
Who is responsible for the security of credit card payments at Grubhub?
Everyone at Grubhub.
Who is ultimately accountable for maintaining PCI compliance?
Executive Leadership
What is the unique number on credit and debit cards that identifies the cardholder account called?
Primary Account Number or PAN
How would a Grubhub employee get access to the CDE?
Submit a Service Desk ticket
What is an example of a PCI violation?
Credit Card information stored on your Grubhub laptop / workstation.
Who are Grubhub's payment processors?
Braintree (PayPal), Stripe, Worldpay
Will the new requirement mandating that all internal vulnerability scanning be performed using authenticated scanning impact Grubhub?
False - Grubhub already does authenticated scanning
What is MFA / 2FA?
Multi Factor Authentication / Two Factor Authentication
True or False:
It's okay to temporarily save a credit card number in a Google doc for a diner or Corp client if you delete it within 48 hours
FALSE - It is never OK to store credit card numbers
What are the five major credit card companies that came together to form the PCI council?
MasterCard, American Express, Visa, JCB International and Discover
What are some of the services that are in Grubhub's PCI scope?
Tokenizer, Payments, Corp Self Service, Umami, cciframe
What are some of the new requirements and elements in PCI DSS v4?
Requirements RACI, Targeted Risk Analysis, Script Inventories, Semi-Annual Scope Review, HW and SW Inventories, System and App Account Management, Certificate Inventory, etc.
What does CDE stand for?
Cardholder Data Environment
If the device you use for Okta Verify or Duo is lost or stolen, what should you do?
Reach out to your manager and Service Desk
What credit card elements can never be stored?
Card Verification Code (CVV/CV2), Full Track, PIN Block
How would you report a suspected breach of credit card information?
Report it on Slack in #tech-oncall and include @cybersecurity
How can Grubhub meet PCI specific requirements using new technologies and processes? (Example - Zero Trust)
Use the Customized Approach
Credit Card Account Data is divided into two elements, SAD & CHD. Which element can never be stored after authorization?
SAD (Sensitive Authentication Data)
Which of the two PCI compliance reports can be shared with Grubhub partners such as Corporate clients, Merchants, etc.?
Attestation of Compliance (AoC)