nerdexam
(ISC)2

CERTIFIED-IN-CYBERSECURITY · Question #536

CERTIFIED-IN-CYBERSECURITY Question #536: Real Exam Question with Answer & Explanation

The correct answer is D: Credit card data should be classified as confidential and encrypted.

Security Principles

Question

What is one requirement of PCI DSS regarding credit card data?

Options

  • A. Credit card data should be pseudonymized and segregated into another database
  • B. Credit card data is retained for shorter periods than any other data
  • C. No employee can ever see unmasked credit card data of a data subject
  • D. Credit card data should be classified as confidential and encrypted

Explanation

According to the Payment Card Industry Data Security Standard (PCI DSS), cardholder data must be treated as confidential and protected with strong cryptography (see ISC2 Study Guide, Chapter 5, Module 3). In practice this means that the primary account number (PAN) must be rendered unreadable wherever it is stored and must be encrypted with strong cryptography whenever it is transmitted over open, public networks. For example, an e-commerce company must encrypt the customer card numbers held in its databases and must protect the connection over which a transaction travels across the Internet with strong encryption such as TLS.

The remaining options may be useful parts of a security strategy, but none of them is what PCI DSS explicitly requires. Pseudonymizing card data and segregating it in a separate database can be part of a data protection strategy, but it is not a specific PCI DSS requirement. The statement that no employee can ever see a cardholder's unmasked card number is not entirely true: PCI DSS requires that access to cardholder data be restricted to those with a business need to know, and that the PAN be masked when it is displayed, but certain roles within an organization legitimately need the full number. Retaining card data for a shorter period than other data is not a specific requirement either: PCI DSS requires that storage of cardholder data be kept to the minimum needed and that it be securely deleted once it is no longer required, but it sets no rule that card data be kept for less time than other kinds of data.
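As an added illustration of what "confidential and encrypted when stored" looks like in code (this is not part of the original question or the ISC2 guide), the Go program below protects a PAN at rest with AES-256-GCM and keeps only a masked copy for display. The inline key generation, the CardRecord type, the associated-data label and the test PAN are assumptions made for the example; in a real deployment the key comes from a key-management system held separately from the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// samplePAN is a constructed test card number (a standard test PAN, not a real card).
const samplePAN = "4111111111111111"

// panAAD is bound to the ciphertext as associated data so a record encrypted
// for one purpose cannot be silently swapped into another (assumed label).
var panAAD = []byte("cardholder-pan-v1")

// CardRecord is what the application stores: a masked PAN for display and
// the encrypted PAN for later use. The plaintext PAN is never stored, and
// sensitive authentication data (CVV, full track data) is never stored at all.
type CardRecord struct {
	MaskedPAN    string
	EncryptedPAN string // base64(nonce || ciphertext || GCM tag)
}

// newDataKey generates a 256-bit AES key. Generating it inline is an
// assumption for this example; in production the key is managed and rotated
// by a key-management system and stored apart from the data it protects.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// maskPAN shows at most the first six and last four digits, the form in
// which a PAN can be displayed to staff who do not need the full number.
func maskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN encrypts with AES-256-GCM under a fresh random nonce. GCM gives
// confidentiality and integrity together: a modified record fails to decrypt.
func encryptPAN(key []byte, pan string) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(pan), panAAD) // nonce is prepended
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptPAN reverses encryptPAN and rejects tampered or wrong-key ciphertext.
func decryptPAN(key []byte, enc string) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, panAAD)
	if err != nil {
		return "", err // authentication failed: tampered data or wrong key
	}
	return string(pt), nil
}

// storeCard builds the record the database actually receives.
func storeCard(key []byte, pan string) (CardRecord, error) {
	enc, err := encryptPAN(key, pan)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{MaskedPAN: maskPAN(pan), EncryptedPAN: enc}, nil
}

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	rec, err := storeCard(key, samplePAN)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: %+v\n", rec)
	pan, err := decryptPAN(key, rec.EncryptedPAN)
	fmt.Println("decrypted for authorized use:", pan, err)
}
```

The design point is that the database only ever holds the masked string and the AEAD ciphertext; anyone with read access to the table (a DBA, a backup, an injection bug) sees neither a usable PAN nor a ciphertext they can alter undetected, and only code holding the key can recover the full number.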

Topics

#PCI DSS #Data Encryption #Data Security #Compliance
