PCI Practice Exam 3 questions and answers

When must cryptographic keys be changed? - At the end of their defined crypto period - At least annually - When a new key custodian is employed - Upon release of a new algorithm At the end of their defined crypto period What must the assessors verify when testing that cardholder data is protected whenever it is sent over the Internet? - The security protocol is configured to support earlier versions - The encryption strength is appropriate for the technology in use - The security protocol is configured to accept all digital certificates - The cardholder data is securely deleted once the transmission has been sent The encryption strength is appropriate for the technology in use As defined in Requirement 8, what is the minimum complexity of user passwords? - 8 characters, either alphabetic or numeric - 5 characters, either alphabetic or numeric - 6 characters, both alphabetic and numeric characters - 7 characters, both alphabetic and numeric characters 7 characters, both alphabetic and numeric characters Which statement is correct regarding use of production data (live PANs) for testing and development? - Live PANs must not be used for testing or development - Access to live PANs must be used for testing and development must be restricted to authorized personnel - Live PANs must be used for testing and development - All live PANs used for testing and development must be authorized by the cardholder Live PANs must not be used for testing or development Which of the following is an example of multi-factor authentication? - A token that must be presented twice during the login process - A user passphrase and an application-level password - A user password and a PIN-activated smart card - A user fingerprint and a user thumbprint A user password and a PIN-activated smart card Which of the following types of events is required to be logged? - All use of end-user messaging technologies - All access to external websites - All access to all audit trails - All network transmissions All access to all audit trails Which of the following meets PCI DSS requirements for secure destruction of media containing cardholder data? - Cardholder data on hard copy materials is copied to electronic media before the hard copy materials are destroyed - Storage containers used for hardcopy materials are located outside of the CDE - Electronic media is physically destroyed to ensure the data cannot be reconstructed - Electronic media is stored in a secure location when the data is no longer needed for business or legal reasons Electronic media is physically destroyed to ensure the data cannot be reconstructed Which scenario meets the intent of PCI DSS requirements for assigning users access to cardholder data? - Access is assigned to all users based on the access needs of the least-privileged user - Access is assigned to individual users based on the highest privilege available - Access is assigned to an individual users based on the privileges needed to perform their job - Access is assigned to a group of users based on the privileges of the most senior user in the group Access is assigned to an individual users based on the privileges needed to perform their job Which of the following is an example of a system-level object? - A log file - An application executable or configuration file - A document containing cardholder data - Transaction data in a point-of-sale device An application executable or configuration file Which scenario would support a smaller sample size being used for a PCI DSS assessment of an entity with multiple facilities located in different regions? - Security policies and procedures are independently defined by each facility - Security policies and procedures are standardized for each region - Security policies are centralized, and procedures consistently implemented across all regions - Security policies are centrally defined, and each facility defines their own procedures for implementing the policies Security policies and procedures are standardized for each region Which of the following statements is correct regarding track equivalent data on the chip of a payment card? - It is allowed to be stored by merchants after authorization, if encrypted - It is sensitive authentication data - It is out of scope for PCI DSS - It is not applicable for PCI DSS Requirement 3.2 It is sensitive authentication data What is the intent of performing a risk assessment? - To document the names and contact details of individuals with access to cardholder data - To identify potential threats and vulnerabilities to critical assets - To allocate security resources equally across all levels of risk - To ensure separation of duties between assessors and the entity being assessed To identify potential threats and vulnerabilities to critical assets Which statement is correct regarding the PCI DSS Report on Compliance (ROC)? - The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs - The assessors may use either their own template or the ROC Reporting Template provided by PCI SSC - The assessor must create their own ROC template for each assessment report - The ROC Reporting Template provided by PCI SSC is only required for service provider assessments The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs What should be reviewed daily in order to meet PCI DSS requirements? - Vulnerability scans and penetration testing reports - Data retention policies and procedures - Security events and logs from critical system components - Firewall and router rule sets Security events and logs from critical system components What do PCI DSS requirements for protecting cryptographic keys include? - Public keys must be encrypted with a key-encrypting key - Data-encrypting keys must be stronger than the key-encrypting key that protects it - Private or secret keys must be encrypted, stored within an SCD, or stored as key components - Key-encrypting keys and data-encrypting keys must be assigned to the same key custodian Data-encrypting keys must be stronger than the key-encrypting key that protects it What should be included in an organization's procedures for managing visitors? - Visitors are escorted at all times within areas where cardholder data is processed or maintained - Visitor badges are identical to badges used by onsite personnel - Visitor log includes visitor name, address, and contact phone number - Visitors retain their identification (for example, a visitor badge) for 30 days after completion of the visit Visitors are escorted at all times within areas where cardholder data is processed or maintained An entity accepts e-commerce payment card transactions. The database server and web server are located in the same, secured DMZ network segment. The database server and web server are on separate physical servers. What is required for the entity to meet PCI DSS requirements? - The web server and database server should be installed on same physical server - The database server should be moved out of the DMZ and into the internal network - The web server should be moved out of DMZ and into the internal network - The database server should be moved to the separate DMZ segment from the web server The database server should be moved out of the DMZ and into the internal network