Certified Solutions
For PCI DSS requirement 1, firewall and router rule sets need to be reviewed every _____________ months ✔✔6 months
Non-console administrator access to any web-based management interfaces must be encrypted with technology such as ......... ✔✔HTTPS
Requirements 2.2.2 and 2.2.3 cover the use of secure services, protocols and daemons. Which of the following is considered to be secure? ✔✔SSH
Which of the following is considered "Sensitive Authentication Data"? ✔✔Card Verification Value (CAV2/CVC2/CVV2/CID), Full Track Data, PIN/PIN Block
True or False: It is acceptable for merchants to store Sensitive Authentication Data after authorization as long as it is strongly encrypted? ✔✔False
When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to be masked are: ✔✔All digits between the first six and last four
Which of the following is true regarding protection of PAN? ✔✔PAN must be rendered unreadable during transmission over public, wireless networks
Which of the following may be used to render PAN unreadable in order to meet requirement 3.4? ✔✔Hashing the entire PAN using strong cryptography
True or False: Where keys are stored on production systems, split knowledge and dual control are required? ✔✔True
When assessing requirement 6.5, testing to verify secure coding techniques are in place to address common coding vulnerabilities includes: ✔✔Reviewing software development policies and procedures
One of the principles to be used when granting user access to systems in the CDE is: ✔✔Least privilege
An example of a "one-way" cryptographic function used to render data unreadable is: ✔✔SHA-2
A set of cryptographic hash functions designed by the National Security Agency (NSA). ✔✔SHA-2 (Secure Hash Algorithm 2)
Inactive user accounts should be either removed or disabled within ___ ✔✔90 days
True or False: Procedures must be developed to easily distinguish between onsite personnel and visitors. ✔✔True
When should the access of recently terminated employees be revoked? ✔✔Immediately
True or False: A visitor with a badge may enter a sensitive area unescorted. ✔✔False, visitors must be escorted at all times.
Protection of keys used for encryption of cardholder data against disclosure must include at least (4 items): ✔✔
*Access to keys is restricted to the fewest number of custodians necessary
*Key-encrypting keys are at least as strong as the data-encrypting keys they protect
*Key-encrypting keys are stored separately from data-encrypting keys
*Keys are stored securely in the fewest possible locations