PCI DSS Compliance Requirements and Validation, Exams of Information Technology

An overview of the Payment Card Industry Data Security Standard (PCI DSS) and the various Self-Assessment Questionnaires (SAQs) that merchants can use to validate their compliance. It covers topics such as the scope of PCI DSS, the different SAQ types, the requirements for designated entities, methods for stealing payment card data, and the role of acquirers and payment brands. The document also discusses the PCI Point-to-Point Encryption (P2PE) standard, the use of virtualization technologies, and the requirements for protecting cardholder data, such as masking and hashing. Additionally, it covers PCI DSS requirements related to anti-virus software, access control, and wireless device testing. The information provided can be useful for merchants, service providers, and others involved in the payment card industry to understand the PCI DSS compliance process and requirements.

Typology: Exams

2023/2024

Available from 08/16/2024

tizian-kylan
PCI DSS 3.2.1 Test Questions | 100% Correct Answers | Verified | Latest 2024 Version

Which of the following does not belong? The following events should be included in automated audit trails for all system components:

  • Individual access to cardholder data
  • Creation and deletion of system-level objects
  • Invalid logical access attempts
  • Actions taken by user with root or administrative privileges
  • Changes, additions, or deletions to any account with root or administrative privileges
  • Audit trail access
  • Use of identification and authentication mechanisms
  • Elevation of privileges
  • Initialization of audit logs
  • Stopping or pausing of audit logs - ✔✔All of these should be included. (Requirement 10.2.1 - 10.2.7)

Which of the following does not belong? The following audit trail entries should be recorded for each event:

  • User identification
  • Type of event
  • Date and time
  • Success or failure
  • Origination of event
  • Identity or name of affected data, system component, or resource
  • Initializing, stopping, or pausing of audit logs - ✔✔Initializing, stopping, or pausing of audit logs - this choice is part of what should be included in audit logs (10.2). This question pertains to 10.3 (10.3.1 - 10.3.6).

How often should logs and security event reviews be conducted? - ✔✔At least daily (10.6)

How long should audit trail history be retained? At least ___ of history must be immediately available for analysis. - ✔✔At least 1 year retained, 3 months immediately available (10.7)

How long should visitor logs for physical access be retained? - ✔✔At least 3 months (9.4)

Critical patches need to be installed within ___ of release. - ✔✔One month

For public-facing web applications, which of the following is required?

  • Web application firewalls
  • Manual vulnerability assessment tools
  • Automated vulnerability assessment tools - ✔✔Any one or more of these. According to Requirement 6.6, ensure that either one of the following methods is in place:
  1. Web application firewalls - Examine system configuration settings to verify an automated technical solution that detects and prevents web-based attacks is in place.
  2. Web application assessment - Verify that public-facing web applications are reviewed using manual or automated vulnerability assessment tools or methods.

How frequently should web application assessments be conducted? - ✔✔At least annually and after any significant changes (6.6)

Does an application vulnerability assessment have to be conducted by a third party? - ✔✔No, as long as the reviewers specialize in application security and can demonstrate independence from the development team.

Which SAQ applies to MERCHANTS that store any cardholder data, including legacy data? - ✔✔SAQ D

Which SAQ applies to MERCHANTS that accept transactions through a PCI-listed P2PE solution? - ✔✔SAQ P2PE

Which SAQ applies to MERCHANTS that accept e-commerce transactions only through a fully outsourced service provider? - ✔✔SAQ A

Which SAQ applies to MERCHANTS that accept e-commerce transactions only through a fully outsourced service provider and payment processing is outsourced to a PCI DSS validated service provider? - ✔✔SAQ A-EP

Which SAQ applies to MERCHANTS that accept e-commerce transactions only through a fully outsourced service provider and payment processing is outsourced to a PCI DSS validated service provider on systems managed by the merchant? - ✔✔SAQ D. Because the system is managed by the merchant, it is a SAQ D.

Which SAQ applies to MERCHANTS that accept mail/telephone order (MOTO) transactions not protected by a P2PE solution? - ✔✔SAQ A

Which SAQ applies to MERCHANTS that accept MOTO or card-present transactions via imprint or dial-out machines (no internet)? - ✔✔SAQ B

Which SAQ applies to MERCHANTS that accept MOTO or card-present transactions via PIN transaction system (PTS) approved devices (with internet)? - ✔✔SAQ B-IP

Which SAQ applies to MERCHANTS that accept MOTO or card-present transactions via payment app on POS or PC (with internet)? - ✔✔SAQ C

Which SAQ applies to MERCHANTS that accept MOTO or card-present transactions via merchant's web browser sending to service provider's "virtual payment application"? - ✔✔SAQ C-VT

What determines if an organization requires additional validation to existing PCI DSS requirements, aka DESV?

  • Determined by SAQ results
  • Determined by ASV
  • Determined by an Acquirer or Payment Brand
  • Determined by Merchant - ✔✔A Designated Entity is determined by an Acquirer or Payment Brand as an organization that requires additional validation to existing PCI DSS requirements. (Frequently Asked Questions for Designated Entities Supplemental Validation)

Who may be permitted to store sensitive authentication data? - ✔✔Issuers and issuing processors may be permitted to retain sensitive authentication data if needed for business purposes.

Which method is an acceptable method to render PAN unreadable?

  • One-way hash based on strong cryptography (hash must be of the entire PAN)
  • Truncation to remove a segment of PAN data so that only a portion (not to exceed first six and last four digits) of the PAN is stored
  • Index tokens (cryptographic token that replaces the PAN based on a given index for an unpredictable value) and pads (system in which a randomly generated private key is used only once to encrypt a message that is then decrypted using a matching one-time pad and key)
  • Strong cryptography with associated key-management processes and procedures
  • None of the above. PAN can never be stored. - ✔✔All four options are acceptable (3.4).

How long do camera recordings and/or physical access control data (e.g., key card swipes) need to be retained? - ✔✔3 months (9.1.1)

How often should you conduct reviews to verify BAU activities are being followed?

The P2PE Standard covers encryption, decryption, and key management requirements for point-to-point encryption solutions.

The standard for validating off-the-shelf payment applications used in authorization and settlement is:
a) PCI P2PE
b) PA-DSS
c) PCI PTS
d) PCI DSS - ✔✔B PA-DSS. PA-DSS is the standard used by PA-QSAs to validate payment applications.

Merchants using PA-DSS validated payment applications are automatically PCI DSS compliant. (True or False) - ✔✔False - Using PA-DSS validated applications is not the only requirement for a merchant to meet to become PCI DSS compliant.

Which of the below functions is associated with acquirers?
a) Provide settlement services to a merchant
b) Provide clearing services to a merchant
c) Provide authorization services to a merchant
d) All of the options - ✔✔D - All of the options. Acquirers are involved in authorization, clearing and settlement for their merchants.

Which of the following entities will ultimately approve a purchase?
a) Issuer
b) Payment Transaction Gateway
c) Acquirer
d) Merchant - ✔✔A - Issuer. The issuer ultimately approves a purchase.

In which step does the payment brand network provide complete reconciliation to the merchant's bank?
a) Approval
b) Settlement
c) Authorization
d) Clearing - ✔✔D - Clearing. During clearing, the processor provides complete reconciliation to the merchant's bank.

A company that _________________ is considered to be a service provider.
a) Is a founding member of PCI SSC
b) Is a payment card brand
c) Is not also a merchant
d) Controls or could impact the security of another entity's cardholder data - ✔✔D - A company that controls or impacts the security of cardholder data is considered to be a service provider.

Which of the following are examples of service providers? (choose all that apply)
a) Data Center hosting providers
b) ISOs
c) Telecom providers (only communications link)
d) Payment Gateways - ✔✔A, B, D. Data Center Hosting providers, Payment Gateways, and Independent Sales Organizations (ISOs) or External Sales Agents (ESAs) are examples of Service Providers. Telecommunications providers who only provide communication links and who do not have access to the application layer of the communication are not considered Service Providers.

Which of the following are parts of the Payment Brand role? (Select all that apply)
a) Offer training for QSAs, PA-QSAs and ASVs
b) Develop and enforce compliance programs

Which SAQ best applies to the following: Service provider using only web-based virtual terminals

  • SAQ A
  • SAQ B
  • SAQ C
  • SAQ D - ✔✔SAQ D. Service providers always use SAQ D (if eligible), and their reporting and validation process is determined by their acquirer or the payment brands.

Which SAQ best applies to the following: Merchant with standalone payment application connected to the internet

  • SAQ A
  • SAQ B
  • SAQ C
  • SAQ D - ✔✔SAQ C

Which SAQ best applies to the following: MO/TO merchant with all payment functions outsourced to a compliant service provider

  • SAQ A
  • SAQ B
  • SAQ C
  • SAQ D - ✔✔SAQ A

Which SAQ best applies to the following: Merchant with only card-present dial-out terminals

  • SAQ A
  • SAQ B
  • SAQ C
  • SAQ D - ✔✔SAQ B

Which SAQ best applies to the following: Merchant who is using a validated P2PE solution listed on the PCI SSC website.

  • SAQ A
  • SAQ A-EP
  • SAQ B-IP
  • SAQ P2PE - ✔✔SAQ P2PE

Which SAQ best applies to the following: An online merchant that displays a PCI DSS-compliant service provider's payment page in an IFRAME; all page content is from the PSP.

  • SAQ A
  • SAQ A-EP
  • SAQ B-IP
  • SAQ P2PE - ✔✔SAQ A

Which SAQ best applies to the following: An online merchant with a payment page that accepts cardholder data, but transmits the data to a PCI DSS-compliant service provider.

  • SAQ A
  • SAQ A-EP
  • SAQ B-IP
  • SAQ P2PE - ✔✔SAQ A-EP

Which SAQ best applies to the following: Merchant using an end-to-end encryption solution (E2EE) that utilizes PCI PTS-approved POI devices which communicate with the acquirer over an IP network.

  • SAQ A
  • SAQ A-EP
  • SAQ B-IP
  • SAQ P2PE - ✔✔SAQ B-IP

Which of the following could PA-DSS apply to?
a) Third-party payment application designed for one company

a) Payment card brands
b) Issuers
c) Acquirers
d) PCI SSC - ✔✔A - Payment card brands. Payment brands are responsible for enforcing compliance.

Which entity is responsible for forensic investigations of account data compromise?
a) PCI SSC
b) QSA/ISA
c) Payment Brands
d) QIR - ✔✔C - Payment Brands. The payment brands are responsible for enforcement of compliance and forensic investigations of data breaches.

Account data consists of __________ and __________?
a) Cardholder Names, PANs
b) Cardholder Data, Sensitive Authentication Data
c) PANs, PINs
d) Cardholder Data, PANs - ✔✔B Account Data consists of Cardholder Data and Sensitive Authentication Data.

Storing track data is permitted when ______.
a) it is reported to the PCI SSC annually in a ROC
b) it is being stored by issuers with a business justification
c) it is encrypted by the merchant storing it
d) it is hashed by the merchant storing it - ✔✔B Storing track data is permitted when it is being stored by issuers.

When scoping an environment for PCI DSS, it is important to identify ___________. (select all that apply)
a) Business facilities involved in processing transactions
b) Components that store cardholder data
c) Personnel with access to cardholder data
d) All flows of cardholder data - ✔✔A, B, C, D. People, processes and technology that store, process or transmit cardholder data are in scope, along with any connected systems. Systems that provide, or could affect the security of, in-scope systems are also in scope.

Which of these devices can be used to provide network segmentation controls? (select all that apply)
a) Routers
b) Switches
c) Firewalls
d) File servers - ✔✔A, B, C. File servers might be protected by firewalls, but do not provide the functionality needed to segment networks.

If virtualization technologies are used in a cardholder data environment:
a) The virtualization technologies are included in scope for PCI DSS
b) The virtualization technologies are not in scope for PCI DSS
c) Entities using virtualization technologies should complete SAQ C
d) Virtualization technologies should not be used in the cardholder data environment - ✔✔A. If virtualization technologies are used in the cardholder data environment, the virtualization technologies are included in scope for PCI DSS.

a) it is reported to the PCI SSC annually in a ROC
b) it is being stored by issuers
c) it is hashed by the merchant storing it
d) it is encrypted by the merchant storing it - ✔✔B Storing track data "long-term" or "persistently" is permitted when it is being stored by issuers.

PCI DSS Requirement 3.4 states that PAN must be rendered unreadable when stored. Which of the following may be used to meet this requirement?
a) Hiding the column containing PAN data in the database
b) Encryption of the first six and last four numbers of the PAN
c) Hashing the entire PAN using strong cryptography
d) Masking the entire PAN using industry standards - ✔✔C The entire PAN is hashed using strong cryptography to meet PCI DSS Requirement 3.4, which states that PAN must be rendered unreadable when stored.

PCI DSS Requirement 5 states that anti-virus software must be:
a) Updated at least annually
b) Installed on all systems, even those not commonly affected by malware
c) Installed on systems commonly affected by malware
d) Configured to allow users to disable it as desired - ✔✔C PCI DSS Requirement 5 states that anti-virus software must be installed on all systems commonly affected by malware.

As defined by PCI DSS Requirement 7, access to cardholder data should be restricted based on which principle?
a) Maximum privilege
b) Number of personnel in the organization
c) Business need to know
d) No access to cardholder data should be permitted - ✔✔C Per PCI DSS Requirement 7, access to cardholder data should be restricted based on business need-to-know.

PCI DSS Requirement 12.6 requires personnel to acknowledge at least ___________ that they have read and understood the security policy and procedures.
a) Once during their employment
b) Every six months
c) Quarterly
d) Annually - ✔✔D PCI DSS Requirement 12.6 requires personnel to acknowledge at least annually that they have read and understood the security policy and procedures.

Information Supplements provided by the PCI SSC may "supersede" or replace PCI DSS requirements. (True or False) - ✔✔False. Information Supplements provided by the PCI SSC do not supersede or replace PCI DSS requirements.

In order to be considered a compensating control, which of the following must exist:
a) A documented business constraint.
b) A legitimate technical constraint and a documented business constraint.
c) A legitimate technical constraint.
d) A legitimate technical constraint or a documented business constraint. - ✔✔D A legitimate technical constraint or a documented business constraint must exist to consider a compensating control.

a) Rlogin
b) RConsole
c) Telnet
d) HTTPS - ✔✔D HTTPS can be used to encrypt non-console, web-based admin access to network components.

Requirements 2.2.2 and 2.2.3 cover the use of secure services, protocols and daemons. Which of the following is considered to be secure?
a) Rlogin
b) SSH
c) Telnet
d) FTP - ✔✔B SSH is an example of a secure protocol.

Which of the following is considered "Sensitive Authentication Data"?
a) Card verification value
b) Cardholder name
c) Expiration Date
d) PAN - ✔✔A Card verification value is considered "Sensitive Authentication Data."

It is acceptable for merchants to store Sensitive Authentication Data after authorization as long as it is strongly encrypted. (True or False) - ✔✔False. It is not acceptable for merchants to store Sensitive Authentication Data after authorization even if it is encrypted.

When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to be masked are:
a) The first six and last four digits
b) All digits between the first six and last four
c) Only the last four digits
d) First four and last four digits - ✔✔B The digits that exist between the first 6 and the last 4 digits of the PAN should be "masked" or hidden for an employee who does NOT need to see the full PAN.

Which of the following is true regarding protection of PAN?
a) PAN must be rendered unreadable during transmission over private, secure networks
b) There are no PCI DSS requirements for rendering PAN unreadable
c) PAN must be rendered unreadable during transmission over public, wireless networks
d) PAN must be rendered unreadable when present in volatile memory during a transaction - ✔✔C PAN must be rendered unreadable during transmission over public, wireless networks.

Which of the following may be used to render PAN unreadable in order to meet requirement 3.4?
a) Hiding the column containing PAN data in the database
b) Encryption of the first six and last four numbers of the PAN
c) Hashing the entire PAN using strong cryptography
d) Masking the entire PAN using industry standards - ✔✔C Requirement 3.4 may be met by hashing the entire PAN using strong cryptography.

When assessing requirement 6.5, testing to verify secure coding techniques are in place to address common coding vulnerabilities includes:
a) Interview firewall administrators to identify open ports and protocols
b) Reviewing software development policies and procedures