PCI ISA EXAM QUESTIONS WITH 100%
CORRECT ANSWERS
QSAs must retain work papers for a minimum of _______ years. It is a recommendation
for ISAs to do the same.
3
According to PCI DSS requirement 1, Firewall and router rule sets need to be reviewed
every _____ months.
6
At least ______________ and prior to the annual assessment the assessed entity:
- Identifies all locations and flows of cardholder data to verify they are included in the CDE
- Confirms the accuracy of their PCI DSS scope
- Retains their scoping documentation for assessor reference
annually
scope includes
ppl process, tech
Evidence Retention
It is recommended that the ISA secure and maintain digital and/or hard copies of case logs,
audit results and work papers, notes, and any technical information that was created
and/or obtained during the PCI Data Security Assessment for a minimum of ________ or
as applicable to company data retention policies
of three (3) years
A (time) ______ process for identifying and securely deleting stored cardholder data that
exceeds defined retention requirements.
quarterly
Do not store SAD after ____________ (even if encrypted). (track data / cvc / pin)
authorization
manual clear-text key-management procedures specify processes for the use of the
following
Split knowledge.Dual control
Dual control
, least two people are required to perform any key-management operations and no one person has
access to the authentication materials (for example, passwords or keys) of another
Split knowledge
key components are under the control of at least two people who only have knowledge of their
own key components
PAN is rendered unreadable in which ways
hash
mask
encrypt
pad
Ensure that all system components and software are protected from known vulnerabilities
by installing applicable vendor-supplied security patches. Install critical security patches
within _____ of release.
one month
Installation of all applicable vendor-supplied security patches within an
___________________
appropriate time frame (for example, within three months)
makes sure change control has these 4 things
impack
testing (PCI review)
backout
approval
Train developers at least ________ in up-to-date secure coding techniques, including how
to avoid common coding vulnerabilities, and understanding how sensitive data is handled
in memory.
annually
Reviewing public-facing web applications via manual or automated application
vulnerability security assessment tools or methods, at least ___________________
or
automated technical solution that detects and prevents web-based attacks active _________
annually and after any changes
all the time
CORRECT ANSWERS
QSAs must retain work papers for a minimum of _______ years. It is a recommendation
for ISAs to do the same.
3
According to PCI DSS requirement 1, Firewall and router rule sets need to be reviewed
every _____ months.
6
At least ______________ and prior to the annual assessment the assessed entity:
- Identifies all locations and flows of cardholder data to verify they are included in the CDE
- Confirms the accuracy of their PCI DSS scope
- Retains their scoping documentation for assessor reference
annually
scope includes
ppl process, tech
Evidence Retention
It is recommended that the ISA secure and maintain digital and/or hard copies of case logs,
audit results and work papers, notes, and any technical information that was created
and/or obtained during the PCI Data Security Assessment for a minimum of ________ or
as applicable to company data retention policies
of three (3) years
A (time) ______ process for identifying and securely deleting stored cardholder data that
exceeds defined retention requirements.
quarterly
Do not store SAD after ____________ (even if encrypted). (track data / cvc / pin)
authorization
manual clear-text key-management procedures specify processes for the use of the
following
Split knowledge.Dual control
Dual control
, least two people are required to perform any key-management operations and no one person has
access to the authentication materials (for example, passwords or keys) of another
Split knowledge
key components are under the control of at least two people who only have knowledge of their
own key components
PAN is rendered unreadable in which ways
hash
mask
encrypt
pad
Ensure that all system components and software are protected from known vulnerabilities
by installing applicable vendor-supplied security patches. Install critical security patches
within _____ of release.
one month
Installation of all applicable vendor-supplied security patches within an
___________________
appropriate time frame (for example, within three months)
makes sure change control has these 4 things
impack
testing (PCI review)
backout
approval
Train developers at least ________ in up-to-date secure coding techniques, including how
to avoid common coding vulnerabilities, and understanding how sensitive data is handled
in memory.
annually
Reviewing public-facing web applications via manual or automated application
vulnerability security assessment tools or methods, at least ___________________
or
automated technical solution that detects and prevents web-based attacks active _________
annually and after any changes
all the time
