PCI Practice Exam 3 with all Correct & 100% Verified
Answers |Latest Version |Already Graded A+
When must cryptographic keys be changed?
- At the end of their defined crypto period
- At least annually
- When a new key custodian is employed
- Upon release of a new algorithm ✔Correct Answer-At the end of their defined crypto period
What must the assessors verify when testing that cardholder data is protected whenever it is sent
over the Internet?
- The security protocol is configured to support earlier versions
- The encryption strength is appropriate for the technology in use
- The security protocol is configured to accept all digital certificates
- The cardholder data is securely deleted once the transmission has been sent ✔Correct Answer-
The encryption strength is appropriate for the technology in use
As defined in Requirement 8, what is the minimum complexity of user passwords?
- 8 characters, either alphabetic or numeric
- 5 characters, either alphabetic or numeric
- 6 characters, both alphabetic and numeric characters
- 7 characters, both alphabetic and numeric characters ✔Correct Answer-7 characters, both
alphabetic and numeric characters
Which statement is correct regarding use of production data (live PANs) for testing and
development?
- Live PANs must not be used for testing or development
- Access to live PANs must be used for testing and development must be restricted to authorized
personnel
- Live PANs must be used for testing and development
- All live PANs used for testing and development must be authorized by the cardholder ✔Correct
Answer-Live PANs must not be used for testing or development
Which of the following is an example of multi-factor authentication?
- A token that must be presented twice during the login process
- A user passphrase and an application-level password
- A user password and a PIN-activated smart card
- A user fingerprint and a user thumbprint ✔Correct Answer-A user password and a PIN-activated
smart card
Which of the following types of events is required to be logged?
- All use of end-user messaging technologies
- All access to external websites
- All access to all audit trails
- All network transmissions ✔Correct Answer-All access to all audit trails
Which of the following meets PCI DSS requirements for secure destruction of media containing
cardholder data?
, - Cardholder data on hard copy materials is copied to electronic media before the hard copy
materials are destroyed
- Storage containers used for hardcopy materials are located outside of the CDE
- Electronic media is physically destroyed to ensure the data cannot be reconstructed
- Electronic media is stored in a secure location when the data is no longer needed for business or
legal reasons ✔Correct Answer-Electronic media is physically destroyed to ensure the data cannot
be reconstructed
Which scenario meets the intent of PCI DSS requirements for assigning users access to cardholder
data?
- Access is assigned to all users based on the access needs of the least-privileged user
- Access is assigned to individual users based on the highest privilege available
- Access is assigned to an individual users based on the privileges needed to perform their job
- Access is assigned to a group of users based on the privileges of the most senior user in the group
✔Correct Answer-Access is assigned to an individual users based on the privileges needed to perform
their job
Which of the following is an example of a system-level object?
- A log file
- An application executable or configuration file
- A document containing cardholder data
- Transaction data in a point-of-sale device ✔Correct Answer-An application executable or
configuration file
Which scenario would support a smaller sample size being used for a PCI DSS assessment of an entity
with multiple facilities located in different regions?
- Security policies and procedures are independently defined by each facility
- Security policies and procedures are standardized for each region
- Security policies are centralized, and procedures consistently implemented across all regions
- Security policies are centrally defined, and each facility defines their own procedures for
implementing the policies ✔Correct Answer-Security policies and procedures are standardized for
each region
Which of the following statements is correct regarding track equivalent data on the chip of a
payment card?
- It is allowed to be stored by merchants after authorization, if encrypted
- It is sensitive authentication data
- It is out of scope for PCI DSS
- It is not applicable for PCI DSS Requirement 3.2 ✔Correct Answer-It is sensitive authentication
data
What is the intent of performing a risk assessment?
- To document the names and contact details of individuals with access to cardholder data
- To identify potential threats and vulnerabilities to critical assets
- To allocate security resources equally across all levels of risk
- To ensure separation of duties between assessors and the entity being assessed ✔Correct
Answer-To identify potential threats and vulnerabilities to critical assets
Which statement is correct regarding the PCI DSS Report on Compliance (ROC)?
- The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs
Answers |Latest Version |Already Graded A+
When must cryptographic keys be changed?
- At the end of their defined crypto period
- At least annually
- When a new key custodian is employed
- Upon release of a new algorithm ✔Correct Answer-At the end of their defined crypto period
What must the assessors verify when testing that cardholder data is protected whenever it is sent
over the Internet?
- The security protocol is configured to support earlier versions
- The encryption strength is appropriate for the technology in use
- The security protocol is configured to accept all digital certificates
- The cardholder data is securely deleted once the transmission has been sent ✔Correct Answer-
The encryption strength is appropriate for the technology in use
As defined in Requirement 8, what is the minimum complexity of user passwords?
- 8 characters, either alphabetic or numeric
- 5 characters, either alphabetic or numeric
- 6 characters, both alphabetic and numeric characters
- 7 characters, both alphabetic and numeric characters ✔Correct Answer-7 characters, both
alphabetic and numeric characters
Which statement is correct regarding use of production data (live PANs) for testing and
development?
- Live PANs must not be used for testing or development
- Access to live PANs must be used for testing and development must be restricted to authorized
personnel
- Live PANs must be used for testing and development
- All live PANs used for testing and development must be authorized by the cardholder ✔Correct
Answer-Live PANs must not be used for testing or development
Which of the following is an example of multi-factor authentication?
- A token that must be presented twice during the login process
- A user passphrase and an application-level password
- A user password and a PIN-activated smart card
- A user fingerprint and a user thumbprint ✔Correct Answer-A user password and a PIN-activated
smart card
Which of the following types of events is required to be logged?
- All use of end-user messaging technologies
- All access to external websites
- All access to all audit trails
- All network transmissions ✔Correct Answer-All access to all audit trails
Which of the following meets PCI DSS requirements for secure destruction of media containing
cardholder data?
, - Cardholder data on hard copy materials is copied to electronic media before the hard copy
materials are destroyed
- Storage containers used for hardcopy materials are located outside of the CDE
- Electronic media is physically destroyed to ensure the data cannot be reconstructed
- Electronic media is stored in a secure location when the data is no longer needed for business or
legal reasons ✔Correct Answer-Electronic media is physically destroyed to ensure the data cannot
be reconstructed
Which scenario meets the intent of PCI DSS requirements for assigning users access to cardholder
data?
- Access is assigned to all users based on the access needs of the least-privileged user
- Access is assigned to individual users based on the highest privilege available
- Access is assigned to an individual users based on the privileges needed to perform their job
- Access is assigned to a group of users based on the privileges of the most senior user in the group
✔Correct Answer-Access is assigned to an individual users based on the privileges needed to perform
their job
Which of the following is an example of a system-level object?
- A log file
- An application executable or configuration file
- A document containing cardholder data
- Transaction data in a point-of-sale device ✔Correct Answer-An application executable or
configuration file
Which scenario would support a smaller sample size being used for a PCI DSS assessment of an entity
with multiple facilities located in different regions?
- Security policies and procedures are independently defined by each facility
- Security policies and procedures are standardized for each region
- Security policies are centralized, and procedures consistently implemented across all regions
- Security policies are centrally defined, and each facility defines their own procedures for
implementing the policies ✔Correct Answer-Security policies and procedures are standardized for
each region
Which of the following statements is correct regarding track equivalent data on the chip of a
payment card?
- It is allowed to be stored by merchants after authorization, if encrypted
- It is sensitive authentication data
- It is out of scope for PCI DSS
- It is not applicable for PCI DSS Requirement 3.2 ✔Correct Answer-It is sensitive authentication
data
What is the intent of performing a risk assessment?
- To document the names and contact details of individuals with access to cardholder data
- To identify potential threats and vulnerabilities to critical assets
- To allocate security resources equally across all levels of risk
- To ensure separation of duties between assessors and the entity being assessed ✔Correct
Answer-To identify potential threats and vulnerabilities to critical assets
Which statement is correct regarding the PCI DSS Report on Compliance (ROC)?
- The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs
