Answers | Verified | Latest 2024 Version
Which of the following does not belong?
The following events should be included in automated audit trails for all system components:
-Individual access to cardholder data
-Creation and deletion of system-level objects
-Invalid logical access attempts
-Actions taken by user with root or administrative privileges
-Changes, additions, or deletions to any account with root or administrative privileges
-Audit trail access
-Use of identification and authentication mechanisms
-Elevation of privileges
-Initialization of audit logs
-Stopping or pausing of audit logs - ✔✔All of these should be included. (Requirement 10.2.1 - 10.2.7)
Which of the following does not belong?
The following audit trail entries should be recorded for each event:
-User identification
-Type of event
-Date and time
-Success or failure
-Origination of event
-Identity or name of affected data, system component, or resource
-Initializing, stopping, or pausing of audit logs - ✔✔Initializing, stopping, or pausing of audit logs - this choice is part of what should be included in audit logs (10.2)
This question pertains to 10.3 (10.3.1 - 10.3.6)
How often should logs and security event reviews be conducted? - ✔✔At least daily (10.6)
How long should audit trail history be retained?
At least ___ of history must be immediately available for analysis. - ✔✔At least 1 year retained; 3 months (10.7)
How long should visitor logs for physical access be retained? - ✔✔At least 3 months (9.4)
Critical patches need to be installed within ___ of release. - ✔✔One month
For public-facing web applications, which of the following is required?
-Web application firewalls
-Manual vulnerability assessment tools
-Automated vulnerability assessment tools - ✔✔Any one or more of these. According to Requirement 6.6, ensure that either one of the following methods is in place:
1. Web application firewalls - Examine system configuration settings to verify an automated technical solution that detects and prevents web-based attacks is in place.
2. Web application assessment - Verify that public-facing web applications are reviewed using manual or automated vulnerability assessment tools or methods.
How frequently should web application assessments be conducted? - ✔✔At least annually and after any significant changes (6.6)
Does an application vulnerability assessment have to be conducted by a third party? - ✔✔No. As long as the reviewers specialize in application security and can demonstrate independence from the development team.
What is NOT included in cardholder data?
-Primary Account Number (PAN)
-PIN
-Cardholder Name
-Expiration Date
-CVV
-Service Code - ✔✔PIN and CVV are both considered sensitive authentication data.
Which of the following CAN BE stored?
-Full track data
-PAN
-Cardholder Name
-Service Code
-PIN
-Expiration Date
-CVV - ✔✔PAN, cardholder name, service code, and expiration date can be stored (Requirement 3). However, storage should be limited to only the required amount of time, and data should be purged when no longer needed or at least quarterly. (3.1)
Sensitive authentication data cannot be stored after authorization (3.2).
Can full Track 1 data be stored? - ✔✔No. Track 1 data contains all fields of Track 2 data plus the cardholder name and additional information for proprietary use by the issuer. It is generally a violation to store anything to the right of the service code.
It is not permitted to store full track data or other sensitive authentication data after authorization.
Which SAQ applies to SERVICE PROVIDERS? - ✔✔SAQ D