PCIP Exam 2023
PCI Data Security Standard (PCI DSS)
The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It
covers technical
and operational system components included in or connected to cardholder data. If you accept or
process payment cards, PCI DSS app...
PCIP Exam 2023
PCI Data Security Standard (PCI DSS)
The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It
covers technical
and operational system components included in or connected to cardholder data. If you accept or
process payment cards, PCI DSS applies to you.
Sensitive Authentication Data
Merchants, service providers, and other
entities involved with payment card processing must never store sensitive authentication data after
authorization. This includes the 3- or 4- digit security code printed on the front or back of a card (CVD),
the data stored on a card's magnetic stripe or chip (also called "Full Track Data") - and personal
identification numbers (PIN) entered by the cardholder.
Card Verification Data Codes (CVD)
3 or 4 digit code that further authenticates a not-present cardholder
Visa-CVV2
MC- CVC2
Discover- CVD
JCB-CAV2
AmEx- CID
Requirement 1
Install and maintain a firewall configuration to protect cardholder data
,Network devices in scope for Requirement 1
Firewalls and Routers- Routers connect traffic between networks, Firewalls control the traffic between
networks and within internal network
QIR Qualified Integrators & Resellers
Qualified Integrators & Resellers- authorized by the SSC to implement, configure and/or support PA-
DSS payment applications. Visa requires all level 4 merchants use QIRs for POS application and terminal
installation and servicing
Compensating Controls
An alternative control, put in place to satisfy the requirement for a security measure that is deemed
too difficult or impractical to implement at the present time.
Permitted reasons for using Compensating Controls
Organizations needing an alternative to security requirements that could not be met due to legitimate
technological OR documented business constraints, but has sufficiently mitigated the risk associated
with the requirement through implementation of other compensating controls
Examples of Compensating Controls
(i) Segregation of Duties (SOD) and (ii) Encryption
Compensating Controls must:
1) Meet the intent and rigor of the original stated requirement;
2) Provide a similar level of defense as the original stated requirement;
3) Be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS
requirements); and
4) Be commensurate with the additional risk imposed by not adhering to the original stated
requirement.
Card Data that cannot be stored by Merchants, Service providers after authorization
Sensitive Authentication Data. i) 3- or 4- digit security code printed on the front or back of a card, ii) data
stored on a card's magnetic stripe or chip (also called "Full Track Data"), and iii) personal identification
numbers (PIN) entered by the cardholder
00:0101:22
Card Data that MAY be stored
i) cardholder name, ii) service code (identifies industry iii) Personal Account Number (PAN)
iv) expiration date may be stored.
Network Segmentation
The process of isolating the cardholder data environment from the remainder of an entity's network
Not a requirement but strongly recommended.
Report on Compliance (ROC)
Prepared at the time of the assessment of PCI compliance and comprehensively provides details about
the assessment approach and compliance standing against each PCI DSS requirement
What is included in the Report on Compliance (ROC)?
ROC includes (1) Executive summary, (2) description of scope of work and approach taken, (3) details
about reviewed environment, (4) contact information and report date, (5) quarterly scan results and (6)
findings and observations.
Steps to take for a PCI Assessment (hint: SARA's Remediation)
1. Scope - determine which system components and networks are in scope for PCI DSS
2. Assess - examine the compliance of system components in scope following the testing
Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all
compensating controls
4. Attest - complete the appropriate Attestation of Compliance (AOC)
5. Submit - submit the SAQ, ROC, AOC and other requested supporting documentation such as
ASV scan reports to the acquirer (for merchants) or to the payment brand/requestor (for service
providers)
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller CertifiedGrades. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $9.49. You're not tied to anything after your purchase.