In the ROC Reporting Template, which of the following is the best approach for a response where the requirement was "In Place"?
- A . Details of the entity's project plan for implementing the requirement
- B . Details of how the assessor observed the entity's systems were compliant with the requirement
- C . Details of the entity's reason for not implementing the requirement
- D . Details of how the assessor observed the entity's systems were not compliant with the requirement
B
Explanation:
When a cryptographic key is retired and replaced with a new key, the assessor will verify that the assessor observed the entity's systems were compliant with the requirement, which means they should have implemented compensating controls to address any weaknesses or gaps in the customized control. This is one of the requirements for ensuring that an entity can use both approaches when appropriate.
An entity accepts e-commerce payment card transactions and stores account data in a database. The database server and the web server are both accessible from the Internet. The database server and the web server are on separate physical servers.
What is required for the entity to meet PCI DSS requirements?
- A . The web server and the database server should be installed on the same physical server
- B . The database server should be relocated so that it is not accessible from untrusted networks
- C . The web server should be moved into the internal network
- D . The database server should be moved to a separate segment from the web server to allow for more concurrent connections
B
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide1, the database server should be relocated so that it is not accessible from untrusted networks. This is one of the requirements for protecting cardholder data in transit and at rest.
An organization has implemented a change-detection mechanism on their systems.
How often must critical file comparisons be performed?
- A . At least weekly
- B . Periodically as defined by the entity
- C . Only after a valid change is installed
- D . At least monthly
A
Explanation:
PCI DSS Requirement 11.5 states that entities must deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly1. This is to ensure that any unauthorized or malicious changes to the files are detected and reported in a timely manner, and that the integrity and security of the files are maintained. Critical files are those that affect the security of the cardholder data environment (CDE), such as system files, application executables, configuration files, database files, and log files2. Therefore, the correct answer is option
Which statement is true regarding the use of intrusion detection techniques, such as intrusion detection systems and/or intrusion protection systems (IDS/IPS)?
- A . Intrusion detection techniques are required on all system components
- B . Intrusion detection techniques are required to alert personnel of suspected compromises
- C . Intrusion detection techniques are required to isolate systems in the cardholder data environment from all other systems
- D . Intrusion detection techniques are required to identify all instances of cardholder data
B
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide1, intrusion detection techniques are required to alert personnel of suspected compromises that could compromise cardholder data or payment processing systems. This is one of the requirements for identifying and mitigating vulnerabilities that could compromise cardholder data.
Which of the following statements is true whenever a cryptographic key is retired and replaced with a new key?
- A . The retired key must not be used for encryption operations
- B . Cryptographic key components from the retired key must be retained for 3 months before disposal
- C . A new key custodian must be assigned
- D . All data encrypted under the retired key must be securely destroyed
A
Explanation:
PCI DSS Requirement 3.6.4 states that entities must retire or replace keys when the keys have reached the end of their cryptoperiod, which is the time span during which a specific key can be used for cryptographic operations1. The retired key must not be used for encryption operations, as it may have been compromised or weakened by cryptanalysis, and may not provide adequate protection for the data. The retired key may still be used for decryption operations, if needed, to access historical data that was encrypted under the retired key2. Therefore, the correct answer is option A.
The other options are not true regarding cryptographic key retirement and replacement. Option B is not true because PCI DSS does not specify a retention period for the cryptographic key components from the retired key, although it requires entities to securely delete cryptographic material when it is no longer needed for business or legal reasons1. Option C is not true because PCI DSS does not require a new key custodian to be assigned, although it requires entities to define and document the roles, responsibilities, and accountability of all key custodians1. Option D is not true because PCI DSS does not require all data encrypted under the retired key to be securely destroyed, although it requires entities to render cardholder data unreadable when it is no longer needed for business or legal reasons1. References:
PCI DSS v3.2.1
Cryptographic Key Blocks – PCI Security Standards Council
What should the assessor verify when testing that cardholder data is protected whenever it is sent over open public networks?
- A . The security protocol is configured to accept all digital certificates
- B . A proprietary security protocol is used
- C . The security protocol accepts only trusted keys
- D . The security protocol accepts connections from systems with lower encryption strength than required by the protocol
C
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide1, the security protocol accepts only trusted keys. This is one of the requirements for ensuring secure encryption and authentication.
What must be included in an organization's procedures for managing visitors?
- A . Visitors are escorted at all times within areas where cardholder data is processed or maintained
- B . Visitor badges are identical to badges used by onsite personnel
- C . Visitor log includes visitor name, address, and contact phone number
- D . Visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit
A
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide1, visitors are escorted at all times within areas where cardholder data is processed or maintained, visitor badges are identical to badges used by onsite personnel, visitor log includes visitor name, address, and contact phone number, visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit. These are some examples of procedures that must be included in an organization’s procedures for managing visitors who access in-scope systems where cardholder data is processed or maintained.
According to the glossary, bespoke and custom software describes which type of software?
- A . Any software developed by a third party
- B . Any software developed by a third party that can be customized by an entity.
- C . Software developed by an entity for the entity’s own use
- D . Virtual payment terminals
C
Explanation:
According to the glossary, bespoke and custom software describes software developed by an entity for its own use, which means it should not be shared with other entities or sold or transferred without proper authorization. This is one of the requirements for ensuring that bespoke and custom software meets all the security standards and controls defined in Appendix E of the PCI DSS v3.2.1 Quick Reference Guide1.
Which statement about PAN is true?
- A . It must be protected with strong cryptography for transmission over private wireless networks
- B . It must be protected with strong cryptography for transmission over private wired networks
- C . It does not require protection for transmission over public wireless networks
- D . It does not require protection for transmission over public wired networks
A
Explanation:
According to requirement 4, PAN must be protected with strong cryptography for transmission over private wireless networks, which means it should use encryption techniques such as WEP, WPA, WPA2, or TLS/SSL to prevent unauthorized access or interception of cardholder data over wireless networks. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.
A "Partial Assessment" is a new assessment result. What is a "Partial Assessment"?
- A . A ROC that has been completed after using an SAQ to determine which requirements should be tested. As per FAQ 1331. (As long as the entity meets the SAQs eligibility criteria)
- B . An interim result before the final ROC has been completed
- C . A term used by payment brands and acquirers to describe entities that have multiple payment channels with each channel having its own assessment
- D . An assessment with at least one requirement marked as "Not Tested"
D
Explanation:
According to requirement 3.1.2, an assessment with at least one requirement marked as Not Tested is considered a partial assessment, which means it does not meet all the requirements and controls defined in Appendix E of the PCI DSS v3.2.1 Quick Reference Guide1. This is one of the requirements for ensuring that assessments are conducted in accordance with PCI DSS.
If disk encryption is used to protect account data, what requirement should be met for the disk encryption solution?
- A . Access to the disk encryption must be managed independently of the operating system access control mechanisms
- B . The disk encryption system must use the same user account authenticator as the operating system
- C . The decryption keys must be associated with the local user account database
- D . The decryption keys must be stored within the local user account database
A
Explanation:
When disk encryption is used to protect account data, access to the disk encryption must be managed independently of the operating system access control mechanisms, which means it should not be affected by changes in the operating system settings or permissions. This is one of the requirements for ensuring that disk encryption is secure and effective.
Which of the following is an example of multi-factor authentication?
- A . A token that must be presented twice during the login process
- B . A user passphrase and an application level password.
- C . A user password and a PIN-activated smart card
- D . A user fingerprint and a user thumbprint
C
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide1, a user password and a PIN-activated smart card is an example of multi-factor authentication. This is one of the requirements for preventing unauthorized access to cardholder data using digital certificates.
What would be an appropriate strength for the key-encrypting key (KEK) used to protect an AES 128-bit data-encrypting key (DEK)?
- A . DES256
- B . RSA512
- C . AES 128
- D . ROT 13
C
Explanation:
The key-encrypting key (KEK) is used to protect the data-encrypting key (DEK) from unauthorized access or disclosure. The KEK should have a strength that is equal to or greater than the DEK, to prevent a weaker link in the encryption chain. According to the PCI Card Production Logical Security Requirements, section 4.1.1, “The key-encrypting key (KEK) must be at least as strong as the data-encrypting key (DEK) it protects.” Furthermore, section 4.1.2 states, “The KEK must be generated using a secure random number generator (RNG) that meets the requirements of NIST SP 800-90A or equivalent.” AES 128 is a symmetric encryption algorithm that uses a 128-bit key and meets the NIST standards. Therefore, it would be an appropriate strength for the KEK used to protect an AES 128-bit DEK. The other options are either weaker or asymmetric encryption algorithms, which are not suitable for the KEK. References: PCI Card Production Logical Security Requirements, [NIST SP 800-90A]
An LDAP server providing authentication services to the cardholder data environment is
- A . in scope for PCI DSS.
- B . not in scope for PCI DSS
- C . in scope only if it stores, processes, or transmits cardholder data
- D . in scope only if it provides authentication services to systems in the DMZ
A
Explanation:
An LDAP server is a type of directory service that provides authentication and authorization data to the cardholder data environment (CDE)1. According to the PCI DSS scoping and segmentation guidance2, any system that provides a security service to the CDE, such as authentication, is considered a connected or security-impacting system (Category 2) and is in scope for PCI DSS. This is because such systems can affect the security and controls of the CDE and the cardholder data (CHD) or sensitive authentication data (SAD) that it contains. Therefore, an LDAP server providing authentication services to the CDE is in scope for PCI DSS, regardless of whether it stores, processes, or transmits CHD or SAD, or whether it provides authentication services to systems in the DMZ or not. References:
Guidance for PCI DSS Scoping and Network Segmentation
What Are the Effects of Using Active Directory as a Shared Service on PCI Compliance?
The Ultimate Guide To PCI DSS Scoping and Segmentation
LDAP – PCI Security Standards Council
According to requirement 1, what is the purpose of "Network Security Controls"?
- A . Manage anti-malware throughout the CDE.
- B . Control network traffic between two or more logical or physical network segments.
- C . Discover vulnerabilities and rank them
- D . Encrypt PAN when stored
B
Explanation:
According to requirement 1, network security controls are intended to control network traffic between two or more logical or physical network segments, which means they should prevent unauthorized access, modification, or disclosure of cardholder data or transactions over the network. This is one of the requirements for ensuring that network security controls are implemented and maintained in accordance with PCI DSS.
Passwords for default accounts and default administrative accounts should be?
- A . Changed within 30 days after installing a system on the network.
- B . Reset to the default password before installing a system on the network
- C . Changed before installing a system on the network
- D . Configured to expire in 30 days
C
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide1, passwords for default accounts and default administrative accounts should be changed before installing a system on the network. This is one of the requirements for preventing unauthorized access to cardholder data.
Which of the following is true regarding internal vulnerability scans?
- A . They must be performed after a significant change
- B . They must be performed by an Approved Scanning Vendor (ASV)
- C . They must be performed by QSA personnel
- D . They must be performed at least annually
A
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide1, internal vulnerability scans must be performed after a significant change in any component or configuration that affects cardholder data or payment processing systems. This is one of the requirements for identifying and mitigating vulnerabilities that could compromise cardholder data.
What is the intent of classifying media that contains cardholder data?
- A . Ensuring that media is properly protected according to the sensitivity of the data it contains
- B . Ensuring that media containing cardholder data is moved from secured areas on a quarterly basis
- C . Ensuring that media is clearly and visibly labeled as "Confidential" so all personnel know that the media contains cardholder data
- D . Ensuring that all media is consistently destroyed on the same schedule regardless of the contents
A
Explanation:
Classifying media that contains cardholder data is intended to ensure that media is properly protected according to the sensitivity of the data it contains, which means it should be marked with labels or tags that indicate its level of confidentiality or integrity. This is one of the requirements for ensuring that media containing cardholder data is properly labeled.
Which of the following file types must be monitored by a change-detection mechanism (for example, a file-integrity monitoring tool)?
- A . Application vendor manuals
- B . Files that regularly change
- C . Security policy and procedure documents
- D . System configuration and parameter files
D
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide1, system configuration and parameter files must be monitored by a change-detection mechanism (for example, a file-integrity monitoring tool). This is one of the requirements for ensuring that changes to system configuration and parameter files are detected and verified.
An entity wants to use the Customized Approach. They are unsure how to complete the Controls Matrix or TRA. During the assessment, you spend time completing the Controls Matrix and the TRA, while also ensuring that the customized control is implemented securely.
Which of the following statements is true?
- A . You can assess the customized control but another assessor must verify that you completed the TRA correctly.
- B . You can assess the customized control and verify that the customized approach was correctly followed but you must document this in the ROC.
- C . You must document the work on the customized control in the ROC but you can not assess the control or the documentation.
- D . Assessors are not allowed to assist an entity with the completion of the Controls Matrix or the TR