PCI DSS 3.2.1 Test Questions 100% Correct Answers Verified Latest 2024 Version
  • July 3, 2024
Which of the following does not belong?

The following events should be included in automated audit trails for all system components:

-Individual access to cardholder data

-Creation and deletion of system-level objects

-Invalid logical access attempts

-Actions taken by any individual with root or administrative privileges

-Changes, additions, or deletions to any account with root or administrative privileges

-Audit trail access

-Use of identification and authentication mechanisms

-Elevation of privileges

-Initialization of audit logs

-Stopping or pausing of audit logs - ✔✔All of these belong; every one is an event that must be logged (Requirements 10.2.1 - 10.2.7).



Which of the following does not belong?

The following audit trail entries should be recorded for each event:

-User identification

-Type of event

-Date and time

-Success or failure

-Origination of event

-Identity or name of affected data, system component, or resource

-Initializing, stopping, or pausing of audit logs - ✔✔Initializing, stopping, or pausing of audit logs - this
choice is an event that must be logged (10.2.6), not a data element recorded for each event. The other six entries
are the audit trail entries required for every event by 10.3 (10.3.1 - 10.3.6).
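The two questions above list what an audit record must contain (10.3.1 - 10.3.6) and which event categories must be captured on every system component (10.2.1 - 10.2.7). The following is an added example, not part of the original study notes, showing how both checks look when run over log data: a per-record check that every 10.3 field is present and well-formed, and a coverage check that every 10.2 category was seen at all, because a component that silently never emits one category passes the first check and fails the second. The newline-delimited JSON format, the field and event_type names, and the sample records are constructed for illustration; a real SIEM or syslog schema would have to be mapped onto them.

```python
"""Check audit records against PCI DSS 3.2.1 Requirements 10.2 and 10.3.

Added example, not code from the original study notes. The record format,
field names, event_type taxonomy and sample records are all constructed
assumptions; map your own log schema onto them before use.
"""
import json

# 10.3.1 - 10.3.6: every audit trail entry must carry these six data elements.
REQUIRED_FIELDS = {
    "user": "10.3.1 user identification",
    "event_type": "10.3.2 type of event",
    "timestamp": "10.3.3 date and time",
    "outcome": "10.3.4 success or failure indication",
    "origin": "10.3.5 origination of event (source host or address)",
    "target": "10.3.6 identity or name of affected data, component or resource",
}

# 10.2.1 - 10.2.7: event categories that must be captured for every system
# component. The keys are an assumed local event_type taxonomy.
EVENT_CATEGORIES = {
    "chd_access": "10.2.1 individual access to cardholder data",
    "admin_action": "10.2.2 actions taken by root/administrative users",
    "audit_access": "10.2.3 access to audit trails",
    "auth_failure": "10.2.4 invalid logical access attempts",
    "auth_change": "10.2.5 use of / changes to identification and authentication mechanisms",
    "audit_control": "10.2.6 initialization, stopping or pausing of audit logs",
    "system_object": "10.2.7 creation and deletion of system-level objects",
}


def validate_record(record):
    """Return the list of 10.3 problems for one record (empty list means compliant)."""
    problems = []
    for field, req in REQUIRED_FIELDS.items():
        if record.get(field) in (None, ""):
            problems.append(f"missing {field} ({req})")
    # 10.3.4 wants an explicit success/failure indication, not free text.
    if record.get("outcome") not in (None, "", "success", "failure"):
        problems.append("outcome must be 'success' or 'failure' (10.3.4)")
    if record.get("event_type") not in (None, "") and record["event_type"] not in EVENT_CATEGORIES:
        problems.append(f"unknown event_type {record['event_type']!r}")
    return problems


def coverage_gaps(records):
    """Return the 10.2 categories for which no record was seen at all."""
    seen = {r.get("event_type") for r in records}
    return [desc for key, desc in EVENT_CATEGORIES.items() if key not in seen]


def audit_log(lines):
    """Parse newline-delimited JSON; return ({index: problems}, [category gaps])."""
    records = [json.loads(line) for line in lines if line.strip()]
    per_record = {i: validate_record(r) for i, r in enumerate(records)}
    return {i: p for i, p in per_record.items() if p}, coverage_gaps(records)


# Constructed sample log: record 1 lacks origin and target (10.3.5/10.3.6),
# record 3 has a non-standard outcome value (10.3.4). Only four of the seven
# 10.2 categories appear, so coverage_gaps() reports the other three.
SAMPLE_LOG = """
{"timestamp": "2024-07-03T10:15:02Z", "user": "dbadmin", "event_type": "admin_action", "outcome": "success", "origin": "10.1.2.7", "target": "pan_vault"}
{"timestamp": "2024-07-03T10:15:09Z", "user": "svc_web", "event_type": "chd_access", "outcome": "success"}
{"timestamp": "2024-07-03T10:16:30Z", "user": "unknown", "event_type": "auth_failure", "outcome": "failure", "origin": "203.0.113.5", "target": "sshd"}
{"timestamp": "2024-07-03T10:17:00Z", "user": "root", "event_type": "audit_control", "outcome": "ok", "origin": "localhost", "target": "auditd"}
"""

if __name__ == "__main__":
    problems, gaps = audit_log(SAMPLE_LOG.splitlines())
    for index, issues in problems.items():
        print(f"record {index}: " + "; ".join(issues))
    for gap in gaps:
        print("no events seen for: " + gap)
```

Run it as a periodic job against the previous day's export and it doubles as evidence for the daily review in 10.6: the per-record findings show the log format is complete, and the coverage list shows which sources have gone quiet.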

How often should logs and security event reviews be conducted? - ✔✔At least daily (10.6.1)



How long should audit trail history be retained, and at least ___ of history must be immediately available for analysis? - ✔✔At least 1 year retained, with a minimum of 3 months immediately available for analysis (10.7)



How long should visitor logs for physical access be retained? - ✔✔At least 3 months, unless otherwise restricted by law (9.4.4)



Critical security patches need to be installed within ___ of release. - ✔✔One month (6.2)



For public-facing web applications, which of the following is required?

-Web application firewalls

-Manual vulnerability assessment tools

-Automated vulnerability assessment tools - ✔✔Any one of these. Requirement 6.6 requires that at least one of the
following methods is in place:



1. Web application firewall - Examine system configuration settings to verify that an automated technical
solution that detects and prevents web-based attacks (for example, a web-application firewall) is installed in
front of public-facing web applications.

2. Web application assessment - Verify that public-facing web applications are reviewed using manual or
automated application vulnerability assessment tools or methods. This assessment is not the same as the
vulnerability scans required by 11.2.



How frequently should web application assessments be conducted? - ✔✔At least annually and after any
changes (6.6)



Does an application vulnerability assessment have to be conducted by a third party? - ✔✔No, as long as
the reviewers specialize in application security and can demonstrate independence from the
development team (6.6 guidance).

What is NOT included in cardholder data?

-Primary Account Number (PAN)

-PIN

-Cardholder Name

-Expiration Date

-CVV

-Service Code - ✔✔PIN and CVV. Cardholder data is the PAN plus cardholder name, expiration date, and service code; the PIN/PIN block and the CVV (card verification code) are sensitive authentication data.



Which of the following CAN BE stored?

-Full track data

-PAN

-Cardholder Name

-Service Code

-PIN

-Expiration Date

-CVV - ✔✔PAN, cardholder name, service code, and expiration date can be stored (Requirement 3), with the PAN
rendered unreadable anywhere it is stored (3.4). Storage must be limited to what business, legal, or regulatory
needs require, with a documented retention policy and a quarterly process for identifying and securely deleting
stored cardholder data that exceeds the defined retention (3.1).



Sensitive authentication data cannot be stored after authorization, even if encrypted (3.2).



Can full Track 1 data be stored? - ✔✔No. Track 1 contains all of the fields of Track 2 plus the cardholder name
and discretionary data reserved for the issuer. Everything after the service code (the discretionary data) is
sensitive authentication data, so storing it after authorization is a violation.



It is not permitted to store full track data or other sensitive authentication data after authorization.
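The three questions above turn on which magnetic-stripe fields are cardholder data and which are sensitive authentication data that may never be stored after authorization. The following is an added example, not part of the original study notes: a parser for Track 1 and Track 2 strings that splits out the PAN, name, expiration date and service code from the discretionary data that follows the service code, plus a scanner that finds track strings in an arbitrary text blob (a POS debug log, a database dump), filtering on a Luhn-valid PAN to cut false positives and reporting the PAN masked to first six/last four. The field layout follows the ISO/IEC 7813 track formats; the sample track strings, the 4111111111111111 test PAN, and the log lines are constructed for illustration.

```python
"""Parse magnetic-stripe Track 1 / Track 2 data and separate the fields PCI DSS
3.2.1 allows to be stored from those it forbids after authorization.

Added example, not code from the original study notes. Track layout is the
ISO/IEC 7813 format; sample strings and PANs below are constructed test data.
"""
import re

# Track 1: %<format code>PAN^NAME^YYMM<service code><discretionary data>?
TRACK1 = re.compile(r"%([A-Z])(\d{1,19})\^([^^\n]{2,26})\^(\d{4})(\d{3})([^?\n]*)\?")
# Track 2: ;PAN=YYMM<service code><discretionary data>?
TRACK2 = re.compile(r";(\d{1,19})=(\d{4})(\d{3})([^?\n]*)\?")

# Requirement 3: these may be retained (PAN only rendered unreadable, 3.4).
STORABLE = ("pan", "cardholder_name", "expiration", "service_code")
# Everything after the service code is sensitive authentication data (3.2).
PROHIBITED = ("discretionary",)


def luhn_ok(pan):
    """Luhn check on a PAN; used to cut false positives when scanning."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(data):
    """Return (track_number, fields) or None if data holds no track string."""
    m = TRACK1.search(data)
    if m:
        fmt, pan, name, exp, svc, disc = m.groups()
        return 1, {"format_code": fmt, "pan": pan, "cardholder_name": name,
                   "expiration": exp, "service_code": svc, "discretionary": disc}
    m = TRACK2.search(data)
    if m:
        pan, exp, svc, disc = m.groups()
        return 2, {"pan": pan, "expiration": exp, "service_code": svc, "discretionary": disc}
    return None


def classify(fields):
    """Split parsed fields into (may be retained, must not be stored after authorization)."""
    keep = {k: v for k, v in fields.items() if k in STORABLE}
    drop = {k: v for k, v in fields.items() if k in PROHIBITED and v}
    return keep, drop


def mask_pan(pan):
    """First six and last four digits, the most 3.3 permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(blob):
    """Find track strings with Luhn-valid PANs in a text blob such as a log or DB dump.

    Returns (track_number, masked_pan, has_discretionary_data) per finding so the
    report itself does not become another store of full PANs.
    """
    findings = []
    for pattern in (TRACK1, TRACK2):
        for m in pattern.finditer(blob):
            track, fields = parse_track(m.group(0))
            if luhn_ok(fields["pan"]):
                findings.append((track, mask_pan(fields["pan"]), bool(fields["discretionary"])))
    return findings


# Constructed samples. The third log line carries a Luhn-invalid PAN and is ignored.
TRACK1_SAMPLE = "%B4111111111111111^DOE/JOHN^25121011234567890123?"
TRACK2_SAMPLE = ";4111111111111111=2512101123456789?"
DUMP_SAMPLE = (
    "2024-07-03 10:15 POS debug: swipe=" + TRACK1_SAMPLE + "\n"
    "2024-07-03 10:16 POS debug: swipe=;4111111111111111=2512101?\n"
    "2024-07-03 10:17 POS debug: swipe=;4111111111111112=2512101?\n"
)

if __name__ == "__main__":
    track, fields = parse_track(TRACK1_SAMPLE)
    keep, drop = classify(fields)
    print(f"track {track}: may retain {sorted(keep)}; must not store {drop}")
    for finding in scan_for_track_data(DUMP_SAMPLE):
        print("track data found:", finding)
```

The scanner is the practical half: an application that logs the raw swipe for "debugging" is the usual way full track data ends up at rest, and a merchant finds it by searching logs, core dumps and database exports for these patterns rather than by reading code. A hit with has_discretionary_data set is a 3.2 violation regardless of whether the log is encrypted.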



Which SAQ applies to SERVICE PROVIDERS? - ✔✔SAQ D (the SAQ D for Service Providers)
