Hard · 1 mark · Multiple Choice
CPA · Question 18 · Area II: Security
A retailer processes credit card transactions. According to PCI DSS Requirement 3 (Protect stored cardholder data), which of the following data elements is permitted to be stored after authorization, provided it is encrypted?
Answer options:
A. Primary Account Number (PAN)
B. Full track data (magnetic stripe data)
C. Card Verification Code (CVV/CVC)
D. PIN block
How to approach this question
Memorize the 'Do Not Store' list for PCI DSS: CVV, PIN, Track Data. PAN is allowed if protected.
Full Answer
A. Primary Account Number (PAN) ✓ Correct
PCI DSS strictly prohibits storing sensitive authentication data (SAD) like CVV, PIN, and Full Track Data after authorization. The PAN (card number) may be stored if it is protected (encrypted, truncated, etc.).
Common mistakes
Thinking encryption allows you to store CVV. It does not.