Exam CISA topic 1 question 1092 discussion

The finding of greatest concern would be option D: Cardholder PINs are not encrypted on the central computer. While all the options present potential security risks, the lack of encryption on the central computer is the most serious. This is because the central computer is likely to store the PINs of many cardholders, making it a high-value target for attackers. If an attacker were to gain access to the central computer, they could potentially obtain the PINs of all cardholders, leading to a massive data breach. In contrast, the other options, while still concerning, present less severe risks. For example, option A could lead to a data breach if an individual POS terminal is compromised, but the impact would likely be less severe than a breach of the central computer

Storing encrypted PINs locally on the POS terminal can pose a significant security risk, as it increases the likelihood of unauthorized access and potential compromise of PINs. Best practices involve avoiding the local storage of encrypted PINs, especially in a manner that could be vulnerable to exploitation. The storage of encrypted PINs on the local POS terminal is generally considered a higher risk due to the potential for direct compromise at the point of entry.