Management, compliance & auditing

PCI compliance interview questions

Infosec
February 20, 2015 by
Infosec

The payment card industry (PCI) standard is a methodology used to ensure that customer data is protected such as credit cards and store transmissions of transactions. Transactions are secured by a merchant ID, and it’s this ID that connects a store with its PCI compliance report. Most companies need someone to guide them through the PCI compliance process, so they hire an expert. If you consider yourself an expert and have a job interview, here are some questions you might encounter in the interview process.

  • Who must follow PCI compliance to protect customers?

A: All merchants and organizations that use credit card transactions must follow PCI compliance.

  • Do shared hosting providers also have PCI requirements?

A: A shared host is one that lets several hundreds of users host websites on one server. Even host providers must follow PCI compliance. Some compliance rules don’t apply for shared hosts, but all data still must be protected using firewalls and SSL certificates.

 

  • How are PCI compliance levels determined for each business?

A: PCI compliance level is determined by the number or volume of credit card transactions accumulated by a vendor.

 

  • How many levels of PCI compliance are there?

A: There are four levels of PCI compliance. The first level is any merchant that uses credit card transactions for purchases, and the final fourth level are high volume merchants that take over a million transactions a year.

 

  • How can a merchant’s level change?

A: If a merchant gets hacked, the levels of risk and severity can change to ensure that the hack is fixed and that customer credit card numbers are protected in the future.

 

  • If a company uses a third party to create credit card transactions, are they still responsible for user data under PCI compliance?

A: Yes, any company that takes user information and private credit card data is responsible and falls under the PCI compliance requirements.

 

  • Does PCI compliance require encryption

A: Yes, you must encrypt data that is sent from a local point of sale (POS) machine to the credit card processing company. Merchants are required to encrypt data when processing across a network at any given time.

 

  • Does PCI compliance only involve credit card transactions over the Internet?

A: No, PCI compliance requires merchants to encrypt data even if it is over the local network. Requiring encryption within the network defends against man in the middle attacks.

 

  • Is SSL the only requirement for Internet stores?

A: No, an SSL certificate is one of the requirements, but merchants are also responsible for encrypting information across the network. Merchants must also store information such as credit cards in an encrypted field within a database.

 

  • What is a POS in terms of PCI compliance?

A: A point of sale system is a system such as a cash register or credit card machine that takes user information such as debit or credit card numbers and stores them for the purpose of sending this information to a payment gateway.

 

Infosec
Infosec