

Assessor_New_V4 Questions and Answers

Question # 4

An entity accepts e-commerce payment card transactions and stores account data in a database. The database server and the web server are both accessible from the Internet. The database server and the web server are on separate physical servers. What is required for the entity to meet PCI DSS requirements?

A.

The web server and the database server should be installed on the same physical server

B.

The database server should be relocated so that it is not accessible from untrusted networks

C.

The web server should be moved into the internal network

D.

The database server should be moved to a separate segment from the web server to allow for more concurrent connections

Question # 5

What must the assessor verify when testing that PAN is protected whenever it is sent over the Internet?

A.

The security protocol is configured to support earlier versions

B.

The PAN is encrypted with strong cryptography

C.

The security protocol is configured to accept all digital certificates

D.

The PAN is securely deleted once the transmission has been sent

Question # 6

Which statement is true regarding the PCI DSS Report on Compliance (ROC)?

A.

The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs

B.

The assessor may use either their own template or the ROC Reporting Template provided by PCI SSC

C.

The assessor must create their own ROC template for each assessment report

D.

The ROC Reporting Template provided by PCI SSC is only required for service provider assessments

Question # 7

Passwords for default accounts and default administrative accounts should be?

A.

Changed within 30 days after installing a system on the network

B.

Reset to the default password before installing a system on the network

C.

Changed before installing a system on the network

D.

Configured to expire in 30 days

Question # 8

Which scenario describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope?

A.

Routers that monitor network traffic flows between the CDE and out-of-scope networks

B.

Firewalls that log all network traffic flows between the CDE and out-of-scope networks

C.

Virtual LANs that route network traffic between the CDE and out-of-scope networks

D.

A network configuration that prevents all network traffic between the CDE and out-of-scope networks

Question # 9

An LDAP server providing authentication services to the cardholder data environment is

A.

in scope for PCI DSS

B.

not in scope for PCI DSS

C.

in scope only if it stores, processes, or transmits cardholder data

D.

in scope only if it provides authentication services to systems in the DMZ

Question # 10

Which of the following types of events is required to be logged?

A.

All use of end-user messaging technologies

B.

All access to external web sites

C.

All access to all audit trails

D.

All network transmissions

Question # 11

Which of the following is true regarding compensating controls?

A.

A compensating control is not necessary if all other PCI DSS requirements are in place

B.

A compensating control must address the risk associated with not adhering to the PCI DSS requirement

C.

An existing PCI DSS requirement can be used as compensating control if it is already implemented

D.

A compensating control worksheet is not required if the acquirer approves the compensating control

Question # 12

Where can live PANs be used for testing?

A.

Production (live) environments only

B.

Pre-production (test) environments only if located outside the CDE

C.

Pre-production environments that are located within the CDE

D.

Testing with live PANs must only be performed in the QSA Company environment

Question # 13

Which of the following parties is responsible for completion of the Controls Matrix for the Customized Approach?

A.

Only a Qualified Security Assessor (QSA)

B.

Either a QSA, AQSA, or PCIP

C.

Entity being assessed

D.

Card brands or acquirer

Question # 14

At which step in the payment transaction process does the merchant's bank pay the merchant for the purchase and the cardholder's bank bill the cardholder?

A.

Authorization

B.

Clearing

C.

Settlement

D.

Chargeback

Question # 15

A "Partial Assessment" is a new assessment result. What is a "Partial Assessment"?

A.

A ROC that has been completed after using an SAQ to determine which requirements should be tested, as per FAQ 1331 (as long as the entity meets the SAQ's eligibility criteria)

B.

An interim result before the final ROC has been completed

C.

A term used by payment brands and acquirers to describe entities that have multiple payment channels with each channel having its own assessment

D.

An assessment with at least one requirement marked as "Not Tested"

Question # 16

Which systems must have anti-malware solutions?

A.

All CDE systems, connected systems, NSCs, and security-providing systems

B.

All portable electronic storage

C.

All systems that store PAN

D.

Any in-scope system except for those identified as not at risk from malware

Question # 17

What do PCI DSS requirements for protecting cryptographic keys include?

A.

Public keys must be encrypted with a key-encrypting key

B.

Data-encrypting keys must be stronger than the key-encrypting key that protects them

C.

Private or secret keys must be encrypted, stored within an SCD, or stored as key components

D.

Key-encrypting keys and data-encrypting keys must be assigned to the same key custodian

Question # 18

PCI DSS Requirement 12.7 requires screening and background checks for which of the following?

A.

All personnel employed by the organization

B.

Personnel with access to the cardholder data environment

C.

Visitors with access to the organization's facilities

D.

Cashiers with access to one card number at a time
