Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 27

A company recently started accepting credit card payments in their local warehouses and is undergoing a PCI audit. Based on business requirements, the company needs to store sensitive authentication data for 45 days. How must data be stored for compliance?

Answer options

• A. post-authorization by non-issuing entities if there is a documented business justification
• B. by entities that issue the payment cards or that perform support issuing services
• C. post-authorization by non-issuing entities if the data is encrypted and securely stored
• D. by issuers and issuer processors if there is a legitimate reason

Correct answer: C

Explanation

The correct answer is C because sensitive authentication data must be encrypted and securely stored if retained for any period post-authorization by non-issuing entities. Options A and D do not meet the encryption requirement, and B is incorrect as it pertains to the entities that issue payment cards rather than non-issuing entities.