Certified Information Systems Auditor (CISA) — Question 773
An IS auditor is performing an integrated audit covering payment processing activities using point-of-sale (POS) systems. Which of the following findings related to personal identification numbers (PINs) should be of GREATEST concern?
Answer options
- A. Cardholder PINs are encrypted and stored on the local POS terminal.
- B. Cardholders are not required to enter their PINs.
- C. Cardholders may select any 4-digit PIN without restrictions.
- D. Cardholder PINs are not encrypted on the central computer.
Correct answer: D
Explanation
The correct answer is D because storing cardholder PINs unencrypted on the central computer poses a significant security risk: anyone who gains access to that system could read the PINs directly and use them for unauthorized transactions. Option A is less concerning because the PINs stored on the terminal are encrypted, which is the expected control. Option B raises a concern (a missing authentication factor), but it is not as critical as PINs stored in cleartext. Option C is a potential weakness (weak or guessable PINs), but it does not have the same severity as unencrypted PIN data on a central system.