Weekend Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

What must be included m an organization’s procedures for managing visitors?

A.

Visitors are escorted at all times within areas where cardholder data is processed or maintained

B.

Visitor badges are identical to badges used by onsite personnel

C.

Visitor log includes visitor name, address, and contact phone number

D.

Visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit

Full Access
Question # 5

According to the glossary, bespoke and custom software describes which type of software?

A.

Any software developed by a third party

B.

Any software developed by a third party that can be customized by an entity.

C.

Software developed by an entity for the entity's own use

D.

Virtual payment terminals

Full Access
Question # 6

Which statement about PAN is true?

A.

It must be protected with strong cryptography for transmission over private wireless networks

B.

It must be protected with strong cryptography (or transmission over private wired networks

C.

It does not require protection for transmission over public wireless networks

D.

It does not require protection for transmission over public wired networks

Full Access
Question # 7

If disk encryption is used to protect account data what requirement should be met for the disk encryption solution?

A.

Access to the disk encryption must be managed independently of the operating system access control mechanisms

B.

The disk encryption system must use the same user account authenticator as the operating system

C.

The decryption keys must be associated with the local user account database

D.

The decryption keys must be stored within the local user account database

Full Access
Question # 8

Which of the following is true regarding compensating controls?

A.

A compensating control is not necessary if all other PCI DSS requirements are in place

B.

A compensating control must address the risk associated with not adhering to the PCI DSS requirement

C.

An existing PCI DSS requirement can be used as compensating control if it is already implemented

D.

A compensating control worksheet is not required if the acquirer approves the compensating control

Full Access
Question # 9

Which of the following types of events is required to be logged?

A.

All use of end-user messaging technologies

B.

All access to external web sites

C.

All access to all audit trails

D.

All network transmissions

Full Access
Question # 10

An internal NTP server that provides time services to the Cardholder Data Environment is?

A.

Only in scope if it provides time services to database servers.

B.

Not in scope for PCI DSS

C.

Only m scope if it stores processes or transmits cardholder data

D.

In scope for PCI DSS

Full Access
Question # 11

Which scenario meets PCI DSS requirements for critical systems to have correct and consistent time?

A.

Each internal system is configured to be its own time server.

B.

Access to time configuration settings is available to all users of the system.

C.

Central time servers receive time signals from specific, approved external sources

D.

Each internal system peers directory with an external source to ensure accuracy of time updates

Full Access
Question # 12

Which scenario describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope?

A.

Routers that monitor network traffic flows between the CDE and out-of-scope networks

B.

Firewalls that log all network traffic flows between the CDE and out of-scope networks

C.

Virtual LANs that route network traffic between the CDE and out-of-scope networks

D.

A network configuration that prevents all network traffic between the CDE and out-of-scope networks

Full Access
Question # 13

The intent of assigning a risk ranking to vulnerabilities is to?

A.

Ensure all vulnerabilities are addressed within 30 days

B.

Replace the need to quarterly ASV scans

C.

Prioritize the highest risk items so they can be addressed more quickly

D.

Ensure that critical security patches are installed at least quarterly

Full Access
Question # 14

Which of the following describes "stateful responses' to communication initiated by a trusted network?

A.

Administrative access to respond to requests to change the firewall is limited to one individual at a time

B.

Active network connections are tracked so that invalid response' traffic can be identified.

C.

A current baseline of application configurations is maintained and any mis-configuration is responded to promptly

D.

Logs of user activity on the firewall are correlated to identify and respond to suspicious behavior

Full Access
Question # 15

Which of the following can be sampled for testing during a PCI DSS assessment?

A.

PCI DSS requirements and testing procedures.

B.

Compensating controls

C.

Business facilities and system components

D.

Security policies and procedures

Full Access
Question # 16

Could an entity use both the Customized Approach and the Defined Approach to meet the same requirement?

A.

No because a single approach must be selected

B.

No. because only compensating controls can be used with the Defined Approach

C.

Yes if the entity uses no compensating controls

D.

Yes if the entity is eligible to use both approaches

Full Access
Question # 17

Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder data?

A.

User access to the database is only through programmatic methods

B.

User access to the database is restricted to system and network administrators

C.

Application IDs for database applications can only be used by database administrators

D.

Direct queries to the database are restricted to shared database administrator accounts

Full Access
Question # 18

Which statement is true regarding the presence of both hashed and truncated versions of the same PAN in an environment?

A.

Controls are needed to prevent the original PAN being exposed by the hashed and truncated versions

B.

The hashed version of the PAN must also be truncated per PCI OSS requirements for strong cryptography.

C.

The hashed and truncated versions must be correlated so the source PAN can be identified

D.

Hashed and truncated versions of a PAN must not exist in same environment

Full Access