Which two statements about PCI DSS are true? (Choose two.)
PCI DSS (Payment Card Industry Data Security Standard) is a security standard that defines a framework for securing credit, debit, and ATM cardholder information. It is not a US government standard, as stated in option A, nor is it a criminal act of cardholder information fraud, as stated in option C.
PCI DSS is maintained by the Payment Card Industry Security Standards Council (PCI SSC), which is a global organization that includes representatives from major credit card companies, such as Visa, MasterCard, American Express, and Discover. The objective of PCI DSS is to ensure the security of cardholder data and to prevent data breaches that could result in the theft of sensitive information.
Option D is true as one of the PCI DSS objectives is to restrict physical access to credit, debit, and ATM cardholder information. This can be achieved through measures such as access controls, surveillance, and monitoring.
Option B is incorrect, as PCI DSS is not a proprietary standard. It is an industry-wide standard that is enforced by the major credit card companies.
Option E is also incorrect, as PCI DSS is not an IETF (Internet Engineering Task Force) standard. The IETF is an organization that develops and promotes internet standards, such as the TCP/IP protocol suite.
In summary, options D and B are the correct answers. PCI DSS is an industry-wide standard maintained by the PCI SSC that aims to secure cardholder data and restrict physical access to it.