PCI 4.0 QUESTIONS WITH SOLUTIONS
October 31, 2024
Seller: jw638729
PCI 4.0

An assessment performed on ___ MUST include testing of the requirements that are currently best practice. - answer: 21st April 2025

Which of these describes a function of the security controls that must be implemented on a computing device that connects to both the CDE and untrusted networks? - answer: Include settings to prevent threats being introduced to the entity's network

Which of these should be secured as per req. 1.2.8? - answer: Any file or setting used to configure NSCs

When must a secure configuration be applied to a new system? - answer: Before or immediately after a system component is connected to a production environment

Which of the following algorithms could be used to meet req. 3.5.1.1? - answer: HMAC-SHA-256

Can a random salt be used with SHA-256 for hashing PAN to meet req. 3.5.1.1? - answer: No, a random salt must be used with a keyed hashing function

During an assessment you interview a system admin about their processes for administering a server that contains PAN. They explain that they use a remote-desktop application to manage the server from their laptop. You ask if they can copy the PAN to their local drive and they say that they were told by their manager not to do this. You check the policy document and find that this rule is documented and applied properly. Is req. 3.4.2 in place? - answer: No

During an assessment, what needs to be confirmed to ensure the usage of self-signed certificates is secure? - answer: An internal CA was used and the certificate's author is confirmed.

Which of the following is an alternative to performing periodic anti-malware scans on affected systems for an entity using the defined approach? - answer: Real-time scanning or continuous behavioral analysis

Removable electronic media is now covered in Req 5, but which of the following statements is true? - answer: Systems with anti-malware installed must be protected from the risk of malware introduced via removable electronic media

The risk of phishing attacks must be mitigated in which of the following ways? - answer: Both security awareness training and anti-phishing mechanisms and processes

When is an automated technical solution required to protect public-facing web applications? - answer: From 31 March 2025

Which of the following merchants does not need to meet req. 6.4.3 (preventing unauthorized scripts from running in their payment page)? - answer: A merchant that has only face-to-face payment channels

Which of the following words is used to describe cardholder accounts within the requirements and testing procedures? - answer: Consumer

A merchant has shared-services network printers (not a part of the CDE, but connected to it). Access to the printers is via accounts that have a password as their only authentication factor. The merchant cannot configure the passwords to be changed every 90 days. What is true about how they can meet req. 8.3.9? - answer: They can meet 8.3.9 with dynamic analysis of the security posture of the accounts with real-time granting or revoking of access.

Sensitive areas can include secure rooms outside the CDE that house network security systems. - answer: True

After March 31, 2025, which of the following is true? - answer: Entities that store CHD must implement an automated log review mechanism

How should a modern e-commerce merchant meet req. 11.6.1 for a change- and tamper-detection mechanism for their payment pages? - answer: Embed a tamper-resistant and tamper-detection script in the payment page

How must low-risk vulnerabilities discovered during internal scanning be addressed? - answer: They must be addressed based on the risk defined in the TRA

Req 11.3.1.1 states that vulnerabilities not marked as high-risk must be addressed based on the "risk defined in the entity's targeted risk analysis." Each of the following entities has performed a TRA and adjusted their vulnerability process accordingly. Which of the entities is most likely meeting 11.3.1.1? - answer: The entity that has a process to ensure all low-risk and medium-risk vulnerabilities are fixed within 90 days.

What must be included in the incident response procedures in the event that stored PAN is discovered in an unexpected place? - answer: A check to see whether any SAD was stored with the PAN

According to req. 12.6.3.1, what must security awareness training include? - answer: Content on how to react to potential phishing attacks

Which entities must meet the additional requirements for service providers? - answer: Any service provider completing a PCI DSS assessment

Which of the following statements is true about Partial Assessments? - answer: A single answer of "Not Tested" in the ROC results in a Partial Assessment

Which of these is a requirement for a QSA company's internal QA personnel? - answer: They are either a QSA, AQSA, or PCIP

What type(s) of evidence are required to be reported when assessing requirement 2.2.7? (Note: you will need to refer to either PCI DSS or the ROC template to answer this.) - answer: Documentation, interview, observation and system

Which evidence table (in section 6 of the ROC) would the evidence for this testing procedure be referenced in? - answer: Documentation

What information should the assessor put in the highlighted box? - answer: A reference number that refers to the evidence reviewed.

Which of these statements about the customized approach is true? - answer: A compensating control cannot be used to meet the customized approach

When should the finding "Not Tested" be used in the ROC? - answer: When a requirement is completely excluded from review without any consideration as to whether it could apply.

In a typical payment transaction, the merchant's bank is known as the ___. - answer: Acquirer

Which of the following statements is/are true about a service provider? - answer: May also be referred to as a third-party service provider; may handle sensitive cardholder data as part of the services they provide.

What is the name of the method of collecting cardholder data by attaching small hardware devices to point-of-sale terminals? - answer: Physical skimming

A card verification code (CVV) is an example of what type of account data? - answer: Sensitive Authentication Data (SAD)

The PCI Data Security Standard is intended for all entities that ___ payment account data. - answer: Store, process, and transmit

In addition to the PCI DSS, which of the following are standards developed and maintained by the PCI SSC? - answer: PIN Transaction Security (PTS), Point-to-Point Encryption (P2PE), and Secure Software Standard

Is it the responsibility of the PCI SSC to determine if an organization is PCI-compliant? - answer: No (false)
