PCI DSS 3.2.1 Questions and Answers
Which of the following does not belong?
The following events should be included in automated audit trails for all system components:
-Individual access to cardholder data
-Creation and deletion of system-level objects
-Invalid logical access attempts
-Actions taken by user with root or administrative privileges
-Changes, additions, or deletions to any account with root or administrative privileges
-Audit trail access
-Use of identification and authentication mechanisms
-Elevation of privileges
-Initialization of audit logs
-Stopping or pausing of audit logs - answer All of these should be included.
(Requirement 10.2.1 - 10.2.7)
Which of the following does not belong?
The following audit trail entries should be recorded for each event:
-User identification
-Type of event
-Date and time
-Success or failure
-Origination of event
-Identity or name of affected data, system component, or resource
-Initializing, stopping, or pausing of audit logs - answer Initializing, stopping, or pausing of audit logs - this choice is part of what should be included in audit logs (10.2)
This question pertains to 10.3 (10.3.1 - 10.3.6)
How often should logs and security event reviews be conducted? - answer At least daily (10.6)
How long should audit trail history be retained?
At least ___ of history must be immediately available for analysis. - answer At least 1 year retained, with at least 3 months immediately available for analysis (10.7)
How long should visitor logs for physical access be retained? - answer At least 3 months (9.4)
Critical patches need to be installed within ___ of release. - answer One month
For public-facing web applications, which of the following is required?
-Web application firewalls
-Manual vulnerability assessment tools
-Automated vulnerability assessment tools - answer Any one or more of these.
According to Requirement 6.6, ensure that either one of the following methods is in place:
1. Web application firewalls - Examine system configuration settings to verify an automated technical solution that detects and prevents web-based attacks is in place.
2. Web application assessment - Verify that public-facing web applications are reviewed using manual or automated vulnerability assessment tools or methods.
How frequently should web application assessments be conducted? - answer At least annually and after any significant changes (6.6)
Does an application vulnerability assessment have to be conducted by a third party? - answer No. As long as the reviewers specialize in application security and can demonstrate independence from the development team.
What is NOT included in cardholder data?
-Primary Account Number (PAN)
-PIN
-Cardholder Name
-Expiration Date
-CVV
-Service Code - answer PIN and CVV are both considered sensitive authentication data.
Which of the following CAN BE stored?
-Full track data
-PAN
-Cardholder Name
-Service Code
-PIN
-Expiration Date
-CVV - answer PAN, cardholder name, service code, and expiration date can be stored (Requirement 3). However, storage should be limited to only the required amount of time and data should be purged when no longer needed, or at least quarterly. (3.1)
Sensitive authentication data cannot be stored after authorization (3.2).
Can full Track 1 data be stored? - answer No. Track 1 data contains all fields of Track 2 data plus the cardholder name and additional information for proprietary use by the issuer. It is generally a violation to store anything to the right of the service code. It is not permitted to store full track data or other sensitive authentication data after authorization.
Which SAQ applies to SERVICE PROVIDERS? - answer SAQ D
Which SAQ applies to MERCHANTS that store any cardholder data, including legacy data? - answer SAQ D
Which SAQ applies to MERCHANTS that accept transactions through a PCI-listed P2PE solution? - answer SAQ P2PE
Which SAQ applies to MERCHANTS that accept e-commerce transactions only through a fully outsourced service provider? - answer SAQ A
Which SAQ applies to MERCHANTS that accept e-commerce transactions only through a fully outsourced service provider and payment processing is outsourced to a PCI DSS validated service provider? - answer SAQ A-EP
Which SAQ applies to MERCHANTS that accept e-commerce transactions only through a fully outsourced service provider and payment processing is outsourced to a PCI DSS validated service provider on systems managed by the merchant? - answer SAQ D
Because the system is managed by the merchant, it is a SAQ D.
Which SAQ applies to MERCHANTS that accept mail/telephone order (MOTO) transactions not protected by a P2PE solution? - answer SAQ A
Which SAQ applies to MERCHANTS that accept MOTO or card-present transactions via imprint or dial-out machines (no internet)? - answer SAQ B
Which SAQ applies to MERCHANTS that accept MOTO or card-present transactions via PIN transaction system (PTS) approved devices (with internet)? - answer SAQ B-IP
Which SAQ applies to MERCHANTS that accept MOTO or card-present transactions via a payment app on POS or PC (with internet)? - answer SAQ C
Which SAQ applies to MERCHANTS that accept MOTO or card-present transactions via the merchant's web browser sending to a service provider's "virtual payment application"? - answer SAQ C-VT
What determines if an organization requires additional validation to existing PCI DSS requirements, aka DESV?
-Determined by SAQ results
-Determined by ASV