
CISSP Question #125: Real Exam Question with Answer & Explanation

The correct answer is B: Validate the service provider's PCI-DSS compliance status on a regular basis.

Submitted by daniela_cl · Mar 5, 2026 · Security and Risk Management

Question

When dealing with compliance with the Payment Card Industry Data Security Standard (PCI-DSS), an organization that shares cardholder information with a service provider MUST do which of the following?

Options

  • A. Perform a service provider PCI-DSS assessment on a yearly basis.
  • B. Validate the service provider's PCI-DSS compliance status on a regular basis.
  • C. Validate that the service provider's security policies are in alignment with those of the
  • D. Ensure that the service provider updates and tests its Disaster Recovery Plan (DRP) on a yearly

Explanation

PCI-DSS requires organizations that share cardholder data with service providers to maintain ongoing oversight of those providers' compliance status. This is a formal requirement under PCI-DSS to ensure third-party risk is continuously managed.

Common mistakes.

  • A. PCI-DSS does not require the sharing organization to personally perform a PCI-DSS assessment on the service provider; rather, the organization must validate the provider's compliance status, which can be done via the provider's own attestation or listing on Visa/Mastercard's compliance registries.
  • C. PCI-DSS does not require that a service provider's security policies be in full alignment with the hiring organization's policies; the standard focuses on the service provider meeting PCI-DSS requirements independently, not mirroring another entity's internal policies.
  • D. While Disaster Recovery Plan testing is a component of PCI-DSS compliance, PCI-DSS does not specifically require the hiring organization to ensure the service provider updates and tests its DRP on a yearly basis as the primary obligation when sharing cardholder data.

Concept tested. PCI-DSS service provider compliance monitoring requirements

Reference. https://www.pcisecuritystandards.org/document_library/

Topics

#PCI-DSS #compliance #third-party risk #service provider management
