I'm completely lost, need help to find which two are true:

A. A standard ID-1 payment card has a CVV1 code printed on it to assist with ‘card-not-present’ transactions.
B. A four-digit decimal PIN (commonly used for payment cards) can provide a wider range of combinations than a password based upon three (English) alphabetic letters.
C. An EMV SDA card is less susceptible than an EMV DDA card to being ‘skimmed’ and ‘cloned’ for future fraudulent use.
D. In a secure session using TLS/SSL, symmetric encryption is used to protect some of the data being sent between two computers.
E. An SDA EMV card uses the private key of a public key pair to encrypt a response to an unpredictable challenge message sent to it by an EMV terminal during a purchase transaction process.
F. In an ATM card transaction, a user’s entered PIN is used to derive a PVV which can be compared within a hardware security module (HSM) with the PVV registered for that account.
G. Each debit transaction carried out with a DDA EMV card requires immediate online authorisation from the card issuer.

To determine which two statements are true, we will go through each statement and explain how to verify its accuracy:

A. A standard ID-1 payment card has a CVV1 code printed on it to assist with ‘card-not-present’ transactions.
To verify this, you can check the physical payment card. If it has a CVV1 code printed on it, then this statement is true. If there is no CVV1 code present, then the statement is false.

B. A four-digit decimal PIN (commonly used for payment cards) can provide a wider range of combinations than a password based upon three (English) alphabetic letters.
To verify this, we can compare the total number of combinations possible for a four-digit decimal PIN and a password based on three alphabetic letters. The PIN has 10,000 (10^4) possible combinations, while a password based on three alphabetic letters would have 17,576 (26^3) possible combinations. Therefore, this statement is false.

C. An EMV SDA card is less susceptible than an EMV DDA card to being ‘skimmed’ and ‘cloned’ for future fraudulent use.
To verify this, we need to understand that SDA (Static Data Authentication) and DDA (Dynamic Data Authentication) are two different types of authentication mechanisms used in EMV (chip-based) cards. SDA cards are more vulnerable to cloning as they do not generate dynamic cryptograms during transactions. DDA cards, on the other hand, generate unique cryptograms for each transaction, making them more secure against cloning. Therefore, this statement is false.

D. In a secure session using TLS/SSL, symmetric encryption is used to protect some of the data being sent between two computers.
To verify this, we can refer to the documentation or specifications of the TLS/SSL protocol. It states that symmetric encryption is indeed used in TLS/SSL to protect data transmitted between two computers. Therefore, this statement is true.

E. An SDA EMV card uses the private key of a public key pair to encrypt a response to an unpredictable challenge message sent to it by an EMV terminal during a purchase transaction process.
To verify this, we can seek information about SDA (Static Data Authentication) in EMV card specifications. SDA cards do not use private-public key encryption for response encryption but instead digitally sign the response using a private key. Therefore, this statement is false.

F. In an ATM card transaction, a user’s entered PIN is used to derive a PVV which can be compared within a hardware security module (HSM) with the PVV registered for that account.
To verify this, we can refer to the documentation or guidelines followed by the specific ATM system. If the entered PIN is used to derive a PIN Verification Value (PVV) and this PVV is compared within a hardware security module (HSM), then the statement is true. If the process differs, then the statement is false.

G. Each debit transaction carried out with a DDA EMV card requires immediate online authorization from the card issuer.
To verify this, we can refer to the specifications or guidelines for DDA (Dynamic Data Authentication) cards. DDA cards perform online authorization for each transaction by interacting with the card issuer. Therefore, this statement is true.

Based on the verification of each statement:

- Statement D is true.
- Statement G is true.

Therefore, the two true statements are D and G.
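
The SDA/DDA contrast from statement C, as an added example that is not part of the original answer: a simplified Python model of offline card authentication in which copied static data still passes the static check, while a previously recorded signature fails against a fresh terminal challenge. It uses toy RSA built from fixed Mersenne primes (constructed, not secure); all names and the sample card data are hypothetical, and real EMV certificate chains and data formats are omitted.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Toy RSA key from two fixed primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

ISSUER_N, ISSUER_D = keypair(2**61 - 1, 2**89 - 1)   # issuer key, never on the card
CARD_N, CARD_D = keypair(2**107 - 1, 2**127 - 1)     # DDA card key, private part stays in the chip

STATIC_DATA = b"PAN=0000000000000000;EXP=3012"       # constructed sample data
# Everything readable from the chip, so also everything a copy would contain.
READABLE = {
    "static": STATIC_DATA,
    "sda_sig": sign(STATIC_DATA, ISSUER_N, ISSUER_D),                 # issuer-signed static data
    "card_n": CARD_N,
    "card_cert": sign(str(CARD_N).encode(), ISSUER_N, ISSUER_D),      # issuer vouches for card key
}

def terminal_sda(card):
    """Static check: the same signature verifies on every transaction."""
    return verify(card["static"], card["sda_sig"], ISSUER_N)

def terminal_dda(card, respond):
    """Dynamic check: the card must sign a fresh unpredictable challenge."""
    if not verify(str(card["card_n"]).encode(), card["card_cert"], ISSUER_N):
        return False
    challenge = secrets.token_bytes(8)
    return verify(challenge, respond(challenge), card["card_n"])

def genuine_respond(challenge):
    return sign(challenge, CARD_N, CARD_D)    # needs the private exponent

def copied_respond():
    recorded = genuine_respond(b"\x00" * 8)   # one signature seen in an earlier session
    return lambda challenge: recorded         # a copy can only repeat it
```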