Cisco 350-201 Question #114: Real Exam Question with Answer & Explanation
The correct answer is C: post-authorization by non-issuing entities if the data is encrypted and securely stored. PCI DSS defines strict conditions for how sensitive authentication data may be stored post-authorization, particularly distinguishing between issuing and non-issuing entities.
Security Policies and Procedures
Question
A company recently started accepting credit card payments in their local warehouses and is undergoing a PCI audit. Based on business requirements, the company needs to store sensitive authentication data for 45 days. How must data be stored for compliance?
Options
- A. post-authorization by non-issuing entities if there is a documented business justification
- B. by entities that issue the payment cards or that perform support issuing services
- C. post-authorization by non-issuing entities if the data is encrypted and securely stored
- D. by issuers and issuer processors if there is a legitimate reason
Explanation
PCI DSS defines strict conditions for how sensitive authentication data may be stored post-authorization, particularly distinguishing between issuing and non-issuing entities.
Common mistakes:
- A. A documented business justification alone does not satisfy PCI DSS requirements for non-issuing entities - encryption and secure storage are also mandatory, not optional.
- B. This option correctly describes issuer permissions but does not apply to the company in the question, which is a non-issuing entity accepting payments at warehouses.
- D. Issuers and issuer processors have their own storage permissions, but this option does not address the non-issuing entity scenario presented in the question.
Concept tested: PCI DSS sensitive authentication data retention rules
Reference: https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf
Topics
#PCI DSS #sensitive authentication data #data storage compliance #card data