APRP Data Security & Privacy

Question 1

What is the primary objective of the Payment Card Industry Data Security Standard (PCI DSS)?

Accepted Answer

To protect cardholder data and reduce payment card fraud

Answer

PCI DSS was established to protect cardholder data environments and reduce payment card fraud by setting security requirements for all entities that store, process, or transmit cardholder data.

Question 2

Under PCI DSS, which data element is NEVER permitted to be stored after transaction authorization?

Accepted Answer

Full magnetic stripe data (track data)

Answer

Full magnetic stripe data (track data) is classified as sensitive authentication data and must never be stored after authorization under any circumstances under PCI DSS.

Question 3

A merchant stores customer PANs in a database. Under PCI DSS, which method is acceptable for protecting stored PANs?

Accepted Answer

Encrypting PANs using strong cryptography with proper key management

Answer

PCI DSS requires that stored PANs be protected using strong cryptography with associated key management procedures.

Question 4

What does 'tokenization' accomplish in a payment security context?

Accepted Answer

It replaces sensitive cardholder data with a non-sensitive surrogate value (token)

Answer

Tokenization replaces sensitive cardholder data such as the PAN with a unique token that has no exploitable value outside the specific system that issued it.

Question 5

Which US federal law primarily governs the privacy of nonpublic personal financial information held by financial institutions, including payment service providers?

Accepted Answer

Gramm-Leach-Bliley Act (GLBA)

Answer

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices and protect customers' nonpublic personal financial information.

APRP - Accredited Payments Risk Professional Practice Test

APRP - Accredited Payments Risk Professional Practice Test

APRP Data Security & Privacy