Which entity may store sensitive authentication data after auth with business justification and secure storage?

Prepare for the PCI DSS Requirements Test with our interactive quizzes. Use multiple choice questions, flashcards, and detailed explanations. Ace your exam with confidence!

Multiple Choice

Which entity may store sensitive authentication data after auth with business justification and secure storage?

Explanation:
Storing sensitive authentication data (SAD: full track data from the magnetic stripe or chip, card verification codes such as CVV2/CVC2/CID, and PINs or PIN blocks) after authorization is highly restricted. Only issuers and companies that support issuing services may retain it, and only when there is a legitimate, documented issuing business need and the data is secured, which under PCI DSS means encrypting it with strong cryptography and restricting access to it. This exception exists because issuers may need SAD to support card life cycle processes such as card re-issuance and dispute handling; no other role in the payment chain has a comparable need.

Merchants must not store SAD after authorization, even in encrypted form. Their role does not require retaining it, and holding it means a single breach exposes everything needed to counterfeit cards or make fraudulent card-not-present transactions. "All PCI participants" is too broad, since most participants have neither a justified need nor the controls required to store SAD. Banks are typically issuers, but the correct option is framed around the broader category of issuers and companies that support issuing services rather than banks alone: the exception follows the issuing function, not the type of institution, so a bank's acquiring or merchant-facing operations are not covered by it.

So the best answer is that issuers and companies that support issuing services may store sensitive authentication data after authorization, given a legitimate business justification and secure storage.
