Payment Card Industry (PCI) Data Security Standards Practice Test

Typical location where card verification values/codes may be found include which of the following?

• A. Database files from point-of-sale terminals
• B. Log files from point-of-sale terminals
• C. Databases and log files from PIN-entry devices
• D. Databases and log files from e-commerce systems

The correct answer is: Log files from point-of-sale terminals

The location of card verification values (CVVs) or codes is critical to understanding how to protect sensitive cardholder data. Typically, CVVs should not be stored in any location as per the PCI Data Security Standards (PCI DSS). During a transaction, these values are used primarily for preventing fraud in card-not-present transactions. Focusing on the provided context, options that involve databases or log files—especially those stemming from point-of-sale terminals or PIN-entry devices—are not appropriate for storing CVVs due to security risks. Storing these codes in any form of database or log files would violate PCI DSS guidelines, as these areas would be potential attack vectors for data breaches. The correct answer in your context reflects the common practice of not retaining CVVs particularly in environments like log files, where data can be inadequately secured or improperly accessed. Although the question intended to highlight typical locations where CVVs might be found, the emphasis should always be on the principle that CVVs should not be stored at all. The essence of the answer encapsulates an organizational understanding of PCI compliance and the importance of minimizing risk through responsible data handling practices.