According to the PCI DSS v3.2.1 Quick Reference Guide1, visitors are escorted at all times within areas where cardholder data is processed or maintained, visitor badges are identical to badges used by onsite personnel, visitor log includes visitor name, address, and contact phone number, visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit. These are some examples of procedures that must be included in an organization’s procedures for managing visitors who access in-scope systems where cardholder data is processed or maintained.

According to the glossary, bespoke and custom software describes software developed by an entity for its own use, which means it should not be shared with other entities or sold or transferred without proper authorization. This is one of the requirements for ensuring that bespoke and custom software meets all the security standards and controls defined in Appendix E of the PCI DSS v3.2.1 Quick Reference Guide1.

According to requirement 4, PAN must be protected with strong cryptography for transmission over private wireless networks, which means it should use encryption techniques such as WEP, WPA, WPA2, or TLS/SSL to prevent unauthorized access or interception of cardholder data over wireless networks. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.

when disk encryption is used to protect account data, access to the disk encryption must be managed independently of the operating system access control mechanisms, which means it should not be affected by changes in the operating system settings or permissions. This is one of the requirements for ensuring that disk encryption is secure and effective.

According to the PCI DSS v3.2.1 Quick Reference Guide1, a compensating control must address the risk associated with not adhering to a PCI DSS requirement and must be approved by an authorized person before implementation. This is one of the requirements for reducing or eliminating a risk that cannot be eliminated by other means

all network transmissions must be logged by an entity’s security information and event management (SIEM) system or equivalent tool, which means they should record all network events and activities related to cardholder data processing and transmission. This is one of the requirements for ensuring that network transmissions are monitored and audited.

According to the PCI DSS v3.2.1 Quick Reference Guide1, an internal NTP server that provides time services to the cardholder data environment is in scope for PCI DSS if it stores processes or transmits cardholder data, regardless of whether it provides authentication services to systems in the DMZ or not. This is one of the requirements for preventing unauthorized access to cardholder data using time services.

critical systems must have correct and consistent time, which means they should use a reliable time source and synchronize their clocks with other systems. This is one of the requirements for ensuring that critical systems have accurate time.

Segmentation is a method of isolating system components that store, process, or transmit cardholder data from systems that do not, by using security controls such as firewalls, routers, switches, or other devices1. Segmentation can reduce the scope of the cardholder data environment (CDE) and thus reduce the scope of the PCI DSS assessment, as only the systems and networks within the CDE or connected to the CDE are subject to PCI DSS requirements2. Virtual LANs (VLANs) are one example of such a security control, as they can create logical subnetworks that separate different types of traffic and restrict access between them3. Therefore, the correct answer is option C.

The other options are not true regarding the scenario that describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope. Option A is not true because routers that monitor network traffic flows between the CDE and out-of-scope networks are not sufficient to isolate the CDE, as they do not prevent or limit the traffic flows. Option B is not true because firewalls that log all network traffic flows between the CDE and out-of-scope networks are not sufficient to isolate the CDE, as they do not block or filter the traffic flows. Option D is not true because a network configuration that prevents all network traffic between the CDE and out-of-scope networks is not realistic or feasible, as some traffic may be necessary for business or legal reasons, such as payment processing, reporting, or auditing. References:

• Network Segmentation - PCI Security Standards Council
• Guidance for PCI DSS Scoping and Network Segmentation
• VLANs and PCI Compliance: What You Need to Know

According to the PCI DSS v3.2.1 Quick Reference Guide1, the intent of assigning a risk ranking to vulnerabilities is to prioritize the highest risk items so they can be addressed more quickly, rather than ensuring all vulnerabilities are addressed within 30 days or replacing the need to quarterly ASV scans or ensuring that critical security patches are installed at least quarterly. This is one of the requirements for ensuring that vulnerabilities are identified and mitigated as soon as possible.

According to the PCI DSS v3.2.1 Quick Reference Guide1, active network connections are tracked so that invalid response traffic can be identified. This is one of the requirements for preventing replay attacks and ensuring secure communication.

According to the PCI DSS v3.2.1 Quick Reference Guide1, business facilities and system components can be sampled for testing during a PCI DSS assessment, as long as they are not critical components or components that are not in scope for testing. This is one of the requirements for ensuring that testing covers all relevant components and processes.

an entity can use both the Customized Approach and the Defined Approach to meet the same requirement, as long as it uses compensating controls to address any weaknesses or gaps inthe customized control. This is one of the requirements for ensuring that an entity can use both approaches when appropriate.

The PCI DSS requires that access to databases containing cardholder data is restricted to authorized users and applications, and that direct access to such databases is prohibited. According to the PCI DSS Requirement 7.1.2, “Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.” Furthermore, according to the PCI DSS Requirement 8.3.1, “Implement multi-factor authentication for all non-console access into the cardholder data environment for personnel with administrative access.” Therefore, the scenario that meets the PCI DSS requirements for restricting access to databases containing cardholder data is the one where user access to the database is only through programmatic methods, such as through an application interface that enforces authentication, authorization, and encryption. The other scenarios either allow direct access to the database, or do not limit the access to the least privileges necessary, or do not use multi-factor authentication for administrative access. References: [PCI DSS v3.2.1], Card Production Security Assessor - Logical - Credly

Hashing is a form of one-way encryption that transforms a data element into a unique fixed-size data element (hash value) without a way to get the original data element from the hash value1. Truncation is a method of rendering the full PAN unreadable by permanently removing a segment of the PAN data2. PCI DSS Requirement 3.4 states that entities must render the PAN unreadable wherever it is stored, using any of the following methods: one-way hashes based on strong cryptography, truncation, index tokens and pads, or strong cryptography with associated key-management processes and procedures3. However, PCI DSS Requirement 3.4e also states that if hashed and truncated versions of the same PAN are present in the environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN3. This is because if an attacker obtains both the hashed and truncated versions of the same PAN, they may be able to use a brute-force or dictionary attack to guess the original PAN by hashing and truncating different PAN values until they find a match4. Therefore, the correct answer is option A.

The other options are not true regarding the presence of both hashed and truncated versions of the same PAN in an environment. Option B is not true because PCI DSS does not require the hashed version of the PAN to be also truncated, although it is a recommended best practice to further reduce the risk of exposing the original PAN5. Option C is not true because PCI DSS does not require the hashed and truncated versions to be correlated, as this would defeat the purpose of rendering the PAN unreadable and increase the risk of exposing the original PAN. Option D is not true because PCI DSS does not prohibit the presence of both hashed and truncated versions of the same PAN in the same environment, as long as additional controls are in place to prevent the reconstruction of the original PAN. References:

• Protect hashed CardHolder Data according to PCI DSS 3.4 - Advantio
• PCI DSS Truncation Rules and Guidelines - Truvantis
• PCI DSS v3.2.1
• Storing Card Numbers using hashed and truncated version of PAN
• pci dss - Credit card data security - hashing, truncation and encryption - Information Security Stack Exchange