Difficulty: Hard · 1 mark · Multiple Choice
Tags: Area II: Security · PCI DSS · Data Protection

CPA · Question 11 · Area II: Security

An auditor is evaluating a company's compliance with PCI DSS Requirement 3 (Protect stored cardholder data). The auditor finds that the Primary Account Number (PAN) is displayed in full on the customer service representative's screen. Which specific control is missing?

Answer options:

A. Encryption

B. Hashing

C. Masking

D. Tokenization

How to approach this question

Differentiate between storage protection (encryption) and display protection (masking).

Full Answer

C. Masking (Correct)

Masking is the specific technique used to obscure specific digits of the PAN when it is displayed on screens or paper receipts (e.g., XXXXXX-1234).

Common mistakes

Confusing encryption (storage) with masking (display).

Source: CPA ISC Practice Exam 4