CISSP Question #1335: Real Exam Question with Answer & Explanation

The correct answer is C: Encryption of data. PCI-DSS mandates encryption as a core requirement to protect cardholder data, making it the primary security control when classifying credit card data.

Submitted by alyssa_d · Mar 5, 2026 · Security and Risk Management

Question

While classifying credit card data related to Payment Card Industry Data Security Standards (PCI-DSS), which of the following is a PRIMARY security requirement?

Options

  • A. Processor agreements with card holders
  • B. Three-year retention of data
  • C. Encryption of data
  • D. Specific card disposal methodology

Explanation

PCI-DSS mandates encryption as a core requirement to protect cardholder data, making it the primary security control when classifying credit card data.

Common mistakes.

  • A. Processor agreements with cardholders are a contractual or business relationship concern, not a primary PCI-DSS technical security requirement for protecting cardholder data.
  • B. PCI-DSS does not mandate a three-year data retention period; in fact, it encourages minimizing data retention and prohibits storing sensitive authentication data after authorization.
  • D. While PCI-DSS does address secure disposal of media containing cardholder data (Requirement 9), specific card disposal methodology is a physical security sub-requirement, not the primary security requirement when classifying credit card data.

Concept tested. PCI-DSS primary security requirements for cardholder data

Reference. https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf

Topics

#PCI-DSS #Credit card data #Data encryption #Regulatory compliance
