Question # 4

Which of the following file types must be monitored by a change-detection mechanism (for example, a file-integrity monitoring tool)?

A.

Application vendor manuals

B.

Files that regularly change

C.

Security policy and procedure documents

D.

System configuration and parameter files

Question # 5

Which statement is true regarding the presence of both hashed and truncated versions of the same PAN in an environment?

A.

Controls are needed to prevent the original PAN being exposed by the hashed and truncated versions.

B.

The hashed version of the PAN must also be truncated per PCI DSS requirements for strong cryptography.

C.

The hashed and truncated versions must be correlated so the source PAN can be identified.

D.

Hashed and truncated versions of a PAN must not exist in the same environment.

Question # 6

Which of the following file types must be monitored by a change-detection mechanism (e.g., a file-integrity monitoring tool)?

A.

Application vendor manuals

B.

Files that regularly change

C.

Security policy and procedure documents

D.

System configuration and parameter files

Question # 7

What is the intent of classifying media that contains cardholder data?

A.

Ensuring that media is properly protected according to the sensitivity of the data it contains.

B.

Ensuring that media containing cardholder data is moved from secured areas on a quarterly basis.

C.

Ensuring that media is clearly and visibly labeled as "Confidential" so all personnel know that the media contains cardholder data.

D.

Ensuring that all media is consistently destroyed on the same schedule, regardless of the contents.

Question # 8

According to the glossary, "bespoke and custom software" describes which type of software?

A.

Any software developed by a third party.

B.

Any software developed by a third party that can be customized by an entity.

C.

Software developed by an entity for the entity’s own use.

D.

Virtual payment terminals.

Question # 9

An organization wishes to implement multi-factor authentication for remote access, using the user's individual password and a digital certificate. Which of the following scenarios would meet PCI DSS requirements for multi-factor authentication?

A.

Certificates are assigned only to administrative groups, and not to regular users.

B.

A different certificate is assigned to each individual user account, and certificates are not shared.

C.

Certificates are logged so they can be retrieved when the employee leaves the company.

D.

Change control processes are in place to ensure certificates are changed every 90 days.

Question # 10

Which of the following describes “stateful responses” to communication initiated by a trusted network?

A.

Administrative access to respond to requests to change the firewall is limited to one individual at a time.

B.

Active network connections are tracked so that invalid “response” traffic can be identified.

C.

A current baseline of application configurations is maintained and any misconfiguration is responded to promptly.

D.

Logs of user activity on the firewall are correlated to identify and respond to suspicious behavior.

Question # 11

A "Partial Assessment" is a new assessment result. What is a "Partial Assessment"?

A.

A ROC that has been completed after using an SAQ to determine which requirements should be tested, as per FAQ 1331.

B.

An interim result before the final ROC has been completed.

C.

A term used by payment brands and acquirers to describe entities that have multiple payment channels, with each channel having its own assessment.

D.

An assessment with at least one requirement marked as "Not Tested".

Question # 12

PCI DSS Requirement 12.7 requires screening and background checks for which of the following?

A.

All personnel employed by the organization.

B.

Personnel with access to the cardholder data environment.

C.

Visitors with access to the organization’s facilities.

D.

Cashiers with access to one card number at a time.

Question # 13

Where can live PANs be used for testing?

A.

Production (live) environments only.

B.

Pre-production (test) environments only if located outside the CDE.

C.

Pre-production environments that are located within the CDE.

D.

Testing with live PANs must only be performed in the QSA Company environment.

Question # 14

At which step in the payment transaction process does the merchant's bank pay the merchant for the purchase, and the cardholder's bank bill the cardholder?

A.

Authorization

B.

Clearing

C.

Settlement

D.

Chargeback

Question # 15

If disk encryption is used to protect account data, what requirement should be met for the disk encryption solution?

A.

Access to the disk encryption must be managed independently of the operating system access control mechanisms.

B.

The disk encryption system must use the same user account authenticator as the operating system.

C.

The decryption keys must be associated with the local user account database.

D.

The decryption keys must be stored within the local user account database.

Question # 16

What must be included in an organization's procedures for managing visitors?

A.

Visitors are escorted at all times within areas where cardholder data is processed or maintained.

B.

Visitor badges are identical to badges used by onsite personnel.

C.

Visitor log includes visitor name, address, and contact phone number.

D.

Visitors retain their identification (for example, a visitor badge) for 30 days after completion of the visit.

Question # 17

Which statement is true regarding the PCI DSS Report on Compliance (ROC)?

A.

The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs.

B.

The assessor may use either their own template or the ROC Reporting Template provided by PCI SSC.

C.

The assessor must create their own ROC template for each assessment report.

D.

The ROC Reporting Template provided by PCI SSC is only required for service provider assessments.

Question # 18

An internal NTP server that provides time services to the cardholder data environment is:

A.

Only in scope if it provides time services to database servers.

B.

Not in scope for PCI DSS.

C.

Only in scope if it stores, processes or transmits cardholder data.

D.

In scope for PCI DSS.

Question # 19

Which of the following is a requirement for multi-tenant service providers?

A.

Ensure that customers cannot access another entity’s cardholder data environment.

B.

Provide customers with access to the hosting provider's system configuration files.

C.

Provide customers with a shared user ID for access to critical system binaries.

D.

Ensure that a customer’s log files are available to all hosted entities.

Question # 20

In the ROC Reporting Template, which of the following is the best approach for a response where the requirement was “In Place”?

A.

Details of the entity’s project plan for implementing the requirement.

B.

Details of how the assessor observed the entity's systems were compliant with the requirement.

C.

Details of the entity's reason for not implementing the requirement.

D.

Details of how the assessor observed the entity's systems were not compliant with the requirement.

Question # 21

Which statement is true regarding the use of intrusion detection techniques, such as intrusion detection systems and/or intrusion protection systems (IDS/IPS)?

A.

Intrusion detection techniques are required on all system components.

B.

Intrusion detection techniques are required to alert personnel of suspected compromises.

C.

Intrusion detection techniques are required to isolate systems in the cardholder data environment from all other systems.

D.

Intrusion detection techniques are required to identify all instances of cardholder data.

Question # 22

Which of the following is true regarding compensating controls?

A.

A compensating control is not necessary if all other PCI DSS requirements are in place.

B.

A compensating control must address the risk associated with not adhering to the PCI DSS requirement.

C.

An existing PCI DSS requirement can be used as a compensating control if it is already implemented.

D.

A compensating control worksheet is not required if the acquirer approves the compensating control.
