Exam CCSP topic 1 question 325 discussion

Ans is A as pci dss is a voluntary sectoral set of controls

As per CCSP official CBK: PCIDSS is a contractual requirement where as FIPS 140-2 is US federal government cryptographic standard. so the best answer should be PCIDSS. isn't it?

FIPS 140-2 (Federal Information Processing Standard 140-2) is a cryptographic standard, not a regulatory framework. It defines security requirements for cryptographic modules used in federal systems but does not regulate industries like PCI DSS, HIPAA, or SOX. PCI DSS (Payment Card Industry Data Security Standard) is technically a security standard, but it is often treated as a regulatory framework because it enforces strict security requirements on businesses handling credit card transactions. Why is PCI DSS considered a regulatory framework? Mandatory Compliance: Businesses that process, store, or transmit credit card data must comply with PCI DSS to avoid fines, legal risks, and potential loss of card-processing privileges. Industry Enforcement: While not a law, PCI DSS is enforced by major payment card brands (Visa, MasterCard, Amex, etc.) through contracts and penalties. Compliance Audits: Organizations must undergo regular audits (PCI DSS assessments) to prove compliance.

It's 100% D. FIPS 140-2 (Federal Information Processing Standard 140-2) is a standard for cryptographic modules used by U.S. federal agencies and contractors. While it is widely recognized, it is not a regulatory framework. Instead, it provides specific technical requirements for cryptographic module validation.

PCI is not regulatory (Not from government)

My choice is answer "D". FIPS 140-2 is important, especially for government agencies and their contractors, it is not a broad regulatory framework that applies to a wide range of industries or organizations. Instead, it is a specific set of guidelines and requirements related to cryptographic security.

FIPS is the worst answer so I'll just roll with that one.

Frameworks created by a group of industries are also considered regulatory (in that sector). PCI is mandatory for companies processing card payments.

If Answer is D then question should be asked in different wording. It should include compliance framework

both PCSI DSS and FIPS are not regulatory framework

I think the answer should be PCI dss

PCI DSS is a regulatory framework; while FIPS-140 is just a standard which has four levels.

I agree, PCI is not even created by the government. FIPS should be the answer.

PCI is not regulatory it's a standard

how is pci gegulatory