CORRECTLY ANSWERS 2023
QSAs must retain work papers for a minimum of ___ years. It is a recommendation for ISAs to do the same. - 3
According to PCI DSS Requirement 1, firewall and router rule sets need to be reviewed every ___ months. - 6
At least ___ and prior to the annual assessment, the assessed entity:
- Identifies all locations and flows of cardholder data to verify they are included in the CDE
- Confirms the accuracy of their PCI DSS scope
- Retains their scoping documentation for assessor reference
- annually
Scope includes - people, process, technology
Evidence Retention: It is recommended that the ISA secure and maintain digital and/or hard copies of case logs, audit results and work papers, notes, and any technical information that was created and/or obtained during the PCI Data Security Assessment for a minimum of ___ or as applicable to company data retention policies. - three (3) years
A ___ process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements. - quarterly
Do not store SAD (track data / CVC / PIN) after ___ (even if encrypted). - authorization
Manual clear-text key-management procedures specify processes for the use of the following - Split knowledge, Dual control
Dual control - at least two people are required to perform any key-management operation, and no one person has access to the authentication materials (for example, passwords or keys) of another
Split knowledge - key components are under the control of at least two people, who each have knowledge only of their own key component
PAN is rendered unreadable in which ways - hash, mask