Exam Professional Cloud Architect topic 1 question 15 discussion

Final Decision to go with Option A. I have done PCI DSS Audit for my project and thats the best suited case. 100% sure to use tokenised data instead of actual card number

To minimize the scope of Payment Card Industry (PCI) compliance while still allowing for the analysis of transactional data and trends related to payment methods, you should consider using a tokenizer service and storing only tokenized data, as described in option A. Tokenization is a process of replacing sensitive data, such as credit card numbers, with unique, randomly-generated tokens that cannot be used for fraudulent purposes. By using a tokenizer service and storing only tokenized data, you can reduce the scope of PCI compliance to only the tokenization service, rather than the entire application. This can help minimize the amount of sensitive data that needs to be protected and reduce the overall compliance burden.

1. Reduced PCI Scope: Tokenization replaces sensitive credit card data with non-sensitive tokens. This significantly reduces the scope of PCI DSS compliance, as you no longer store actual cardholder data. Only the tokenization service needs to be PCI compliant. 2. Data Analysis: You can still analyze transactional data and trends using the tokenized data. The tokens can be linked back to the original cardholder data if needed for specific analysis or reporting purposes, but this would be done in a controlled and secure environment.

A is correct

Not sure why 100% agree on A. To limit PCI DSS scope, the data handling should be done in a separate project with very limited access. Only in this project should tokenization be done and made available for analytics. The first requirement however, is isolating the payment and tokenization code in a separate project. Answer should be B.

Tokenizing is the best way to protect PCI information.

A is my best option

https://cloud.google.com/architecture/tokenizing-sensitive-cardholder-data-for-pci-dss

ok for A

A. Create a tokenizer service and store only tokenized data

B appears the most thorough but the question asks to comply with the smallest scope, network segmentation is not a must. Tokenization is simpler. C is similar to B, more than required. D & E do not address the problem.

correct answer is A use tokenize

Correct answer A

The mandatory stage in PCI is having a encryption/ description system. Data must not be stored as is with PAN. So A IS A MUST. The rest are nice to have.

I think it should be A and C - the paper states clearly, a proper network segmentation is still required to disparate the vault and token servers from the rest of the flat network.

I chose A. But why C is not good?

A is the correct answer https://cloud.google.com/architecture/tokenizing-sensitive-cardholder-data-for-pci-dss#a_service_for_handling_sensitive_information