Payments Encryption and Security skills development

Security, Encryption, Payments and Standards are a key part of the payment industry, used to secure online payment systems. Many standards, methods and practises have been designed and regulated by the PCI Security Standards Council to maximise the security of sensitive information used in payment transactions. How much do you know about this fascinating industry? (30 Questions)
__________________________________________________________________________________________________

Please enter your email:

1. Which of the following methods may be used to store PAN numbers in a PCI-DSS compliant environment? (Check all that apply).

One-way hashes

Truncation (provided hashing is not used to replace the truncated segment of PAN)

Strong cryptography (with associated key-management processes and procedures)

Clear text (including portable digital media, backup media, and in logs), stored offline in secure data areas

2. What is meant by the term ‘Digital Signature’? (Check all that apply).

A cryptogram generated by encrypting a message digest (or hash) with a private key

Also called a ‘wet’ signature that complies with legal and regulatory requirements in many countries

The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising security

Used with sensitive data of all kinds including bank transactions, medical records, criminal records, vehicle driver information, loan applications, stock trading and voter registration

3. Which term(s) apply to ‘Tokenisation’ in payments? (Check all that apply).

The process of replacing the Primary Account Number (PAN) with a surrogate value called a “Payment Token”

The process of replacing customer information with an encrypted string (or ‘Token)

The process of substituting a sensitive data elements non-sensitive equivalents, in the form of a data Token

All of the above

4. Which statement(s) apply during a financial authorisation process? (Check all that apply).

The issuer confirms whether the cardholder has adequate funds available against a line of credit

A positive confirmation results in an authorisation code and requested funds being set aside

The cardholder’s available credit limit for that transaction is matched to the authorised limit

The identity of the cardholder is established to the satisfaction of all parties

5. Select the best answer to complete the following statement: “Encryption is…”

“a technique of scrambling data automatically in the terminal or computer before it is transmitted onto a data network.”

“a technique of obscuring sensitive data from hackers, by replacing information with randomly generated numbers and letters.”

“a technique whereby sensitive data is masked or hidden from the bank staff and operators to prevent fraud.”

“a technique whereby algorithms are used to replace Data, before the data is transmitted to secure against interception.”

6. What does the term API represent, when used in software development?

Application Programming Interface

Any Program Instructor

Area Police Instructor

All Policy Interface

7. Why is the Cardholder Verification Method critical to all stakeholders in a payments ecosystem?

Issuers must understand CVMs so they can decide which CVMs to support, and in what priority order, based on their business needs

Merchants must ensure that their terminals support the minimum CVM requirements for the major payment networks so their staff can assist customers at the point of sale

Acquirers, processors, and value added resellers must ensure their terminals support the minimum CVM requirements for the major payment networks.

All the above

8. What is meant by ‘authentication’, when referring to card security?

Authentication is the process that confirms an identity against a known profile

Authentication determines whether or not an authorization is given to access the resources

Authentication is the process that guarantees the requestor is who they say they are

None of the above

9. Which of the following statement best describes ‘cryptography’?

Cryptography is both the art and science of keeping messages either secret or secure, unless permitted

Cryptography is the art of keeping money safe

Cryptography is the science of ensuring data is never read or understood by anyone

Cryptography is the method used by bankers to hide secret messages from regulators

10. Which of the following terms best describes ‘Data Encryption’?

A process banks use to transform information in such a way that is is obscured from customers, regulators and the authorities

A method of processing and transforming information to make it unusable to anyone except those possessing special knowledge or information, usually referred to as a ‘key’

A method of processing and transforming information to ensure customers do not see how the bank operates

None of the above

11. What is an OTP? What does it stand for?

One Time Pass – A method to send a unique one-time-use password that is used via a separate channel to verify identity

Operator To Pass – When a customers new card PIN number is sent to them physically via post

Only Takes Passwords – A method to send a unique single use password that is used to verify the customers identity. Sent over a separate channel, usually by the card Issuer

One Time Pin – A method to send a unique one-time-use password, via a separate channel to verify identity

12. PIN Verification occurs when…

The bank teller or Customer Service Representative requests the customer to confirm their secret 4 digit number on a Bank-owned device

The customer enters their personal identification number on the merchants point of sale device

The card issuer successfully verifies the identity of the cardholder upon receipt of the cardholders personal identification number

The three digit number on the back of a credit card is used to prove the customers identity in an online purchase

13. Which of statement correctly applies to the acronym AES?

It describes the algorithm that ensures Messages are secured and cannot be hacked

It’s a method Used to Encrypt/Decrypt messages in Data exchange

It stands for Advanced Encryption Standard

All of the Above

14. Which act involves illegally obtaining a person’s identity for the purpose of using it for unethical and/or financial gain?

Credit card cloning

Payment fraud

Identity theft

“Man in the Middle” fraud

15. What role does a Hardware Security Module (HSM) play in securing payments data?

It’s a secure module, used to protect insecure data including customer PIN’s and Account numbers

It’s a secure module used to store cryptographic keys and perform cryptographic functions

It’s a secure module, used to protect secure data including customer PIN’s and Account numbers

It’s a Software-as-a-Service Module, used by Banks to prevent hackers from illegaly tampering with customer PINs

16. What is ‘3-D Secure’?

A method to authenticate payments using Samsung 3-D viewing technology

A 3 stage protocol to secure ATM transactions over insecure networks

A standard for device Data exchange for Point of Sale Devices

A protocol implemented by card schemes to allow cardholder authentication in card not present e-Commerce transactions

17. What does the Payment Card Industry Data Security Standard (PCI DSS) encompass?

The information standard for organisations and banks to secure confidential customer information on core banking systems

The guidelines that describe how regulated financial services organisations treat the exchange of confidential data exchange across borders

The information security standard for organisations that handle, process or store cardholder information for the major debit, credit, pre-paid card schemes

The industry accepted rules set by the major card associations to provide a definitive Data standard for software vendors that develop payment applications

18. What is meant by payment ‘De-Tokenisation’?

De-Tokenisation is the final stages of redeeming a Payment Token, replacing the transmitted non-sensitive data, with the original equivalent

De-Tokenisation is the process of substituting sensitive data with a non-sensitive equivalent

De-Tokenisation is the process of mapping from original data which renders the tokens infeasible in the absence of a tokenization system

De-Tokenisation is when tokens replace live data in systems, the result is minimised exposure of sensitive data to those applications

19. What must companies do to protect cardholder data in a PCI-DSS compliant environment?

Store customer data in clear text on the server

Separate sensitive customer data by storing it on another network

Encrypt transmission of cardholder data across open, public networks

Limit customer access to their own data to ensure ongoing data integrity

20. Offline PIN (Personal Identification Number) verification occurs when…

A cardholder-entered PIN is passed to the card for comparison to the PIN value stored on the customers card

The card issuers ATM or Point of Sale (POS) is offline, but the customer is allowed to enter the PIN anyway

The customer has forgotten their real PIN, and creates a temporary PIN for the purchase

None of the above

21. In fraud detection, a ‘false positive’ occurs when…

Something innocent is wrongly deemed suspicious

A cardholder accidentally trips the card issuer’s fraud detection system

Systems that work by detecting activities and patterns associated with fraud, don’t work precisely as intended

All of the above

22. Which statements (if any) apply to a Security Compliance Review? When done according to Financial Industry Best practise.

The review is based on an industry or sector approved checklist

The review is performed by members or the Processor’s Approved Auditor

The review is done to verify the members or the processors compliance with a set of agreed standards or rules

All of the above

23. Which statement applies to the Payment Application Data Security Standard (PA – DSS)?

The global payments standard created by the Payment Card Association & Payment Standards Council (PSC) to provide the definitive Data standard for banks to exchange Inter-bank transactions and messages

The global security standard created by the Payment Card Industry Security Standards Council (PCI SSC) to provide the definitive Data standard for software vendors that develop payment applications

The industry-wide guideline set by the Industry Payment Association and Associated Legal Entities (IPA ALE), to provide data standards for banks to follow

Industry wide rules set by the major banks to provide a definitive data standard for software vendors that develop payment applications

24. What steps should companies take to maintain a PCI-DSS secure network? (Check all that apply).

Companies must create their own firewall configuration policy and develop a configuration test procedure designed to protect cardholder data

Companies must not use vendor-supplied defaults for system passwords and other security parameters

Companies must ensure that all employees are subject to regular screening and lie-detector testing

Companies must monitor all employee communication and social media for signs of dishonesty and fraud

25. Which statement best describes the ‘Data Encryption Algorithm (DEA)?’

Data Encryption Algorithm (DEA) is a widely-used block cipher encryption method using a private (secret) key

Data Encryption Algorithm (DEA) is an algorithm used by one party to read the others message, if they agree

Data Encryption Algorithm (DEA) is a protocol described by ANSI standard 10810

An operation to encipher (or encrypt) and inversely decipher (or decrypt) messages, as part of a cryptographic system

26. Which statement(s) best describes the Data Encryption Standard (DES) and its features? (Check all that apply).

DES is a widely-used block cipher encryption method using a private (secret) key

Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key

For each given message the key is chosen at random from among an enormous number of keys, making it almost impossible to crack, without the right key

There are around 720000000 (72 quadrillion) or more possible encryption keys for each DES, making the keys exceptionally secure

27. Which fraud type involves obtaining information through the use of a fake website or email, through impersonation and deception?

Identity theft

Phishing Fraud

Check fraud

Credit card fraud

28. What does CVM mean when referring to card payments?

Cardholder Vilification Model – A method to evaluate the ability of cardholders to pay for the purchases they have just made

Cardholder Verification Mode – An alternative way of confirming the identity of a customer when the terminal or device is off-line

Cardholder Verification Method – A way of evaluating whether the person presenting a payment instrument, such as a payment card, is the legitimate cardholder

Cardholder Valuation Method – A method used by the payments industry to assess the purchasing limit and credit availability limits of customers

29. In the world of cryptography, what does ‘Triple DES’ (3DES) refer to?

The Device Encryption Algorithm used to transmit secure data to ATM devices

The Data encryption algorithm used with a quadruple-length DES key

A symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block

The Device Encryption Algorythm used to trasmit secure data to ATM devices

30. Which statement applies to the storage of PAN numbers? (In a PCI-DSS compliant environment).

The PAN may be stored in clear text as long as the PAN is purged immediately after authorisation

The PAN may be stored in clear text after authorization

The PAN may be never be stored in clear text

The PAN may be stored in clear text if it is kept off-line (including on portable digital media, backup media, and in logs)