Exam (elaborations)

PCI ISA Exam Study Guide 100% Correct Answers Verified Latest 2024 Version

Pages: 10
Grade: A+
Uploaded on: 03-07-2024
Written in: 2023/2024

Non-console administrator access to any web-based management interfaces must be encrypted with
technology such as... - ✔✔HTTPS



Requirements 2.2.2 and 2.2.3 cover the use of secure services, protocols and daemons. Which of the
following is considered to be secure? - ✔✔SSH



Which of the following is considered "Sensitive Authentication Data"? - ✔✔Card Verification Value
(CAV2/CVC2/CVV2/CID), Full Track Data, PIN/PIN Block



True or False: It is acceptable for merchants to store Sensitive Authentication Data after authorization as long
as it is strongly encrypted? - ✔✔False



When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to
be masked are: - ✔✔All digits between the first six and last four



Which of the following is true regarding protection of PAN? - ✔✔PAN must be rendered unreadable
during transmission over public, wireless networks



Which of the following may be used to render PAN unreadable in order to meet requirement 3.4? -
✔✔Hashing the entire PAN using strong cryptography



True or False: Where keys are stored on production systems, split knowledge and dual control are
required? - ✔✔True



When assessing requirement 6.5, testing to verify secure coding techniques are in place to address
common coding vulnerabilities includes: - ✔✔Reviewing software development policies and procedures



One of the principles to be used when granting user access to systems in CDE is: - ✔✔Least privilege

An example of a "one-way" cryptographic function used to render data unreadable is: - ✔✔SHA-2



A set of cryptographic hash functions designed by the National Security Agency (NSA). - ✔✔SHA-2 (Secure
Hash Algorithm)



True or False: Procedures must be developed to easily distinguish the difference between onsite
personnel and visitors. - ✔✔True



When should the access of recently terminated employees be revoked? - ✔✔Immediately



True or False: A visitor with a badge may enter a sensitive area unescorted. - ✔✔False, visitors must be
escorted at all times.



Protection of keys used for encryption of cardholder data against disclosure must include at least: (4
items) - ✔✔*Access to keys is restricted to the fewest number of custodians necessary

*Key-encrypting keys are at least as strong as the data-encrypting keys they protect

*Key-encrypting keys are stored separately from data-encrypting keys

*Keys are stored securely in the fewest possible locations



Description of cryptographic architecture includes: - ✔✔*Details of all algorithms, protocols, and keys
used for the protection of cardholder data, including key strength and expiry date

*Description of the key usage for each key

*Inventory of any HSMs and other SCDs used for key management



What 2 methods must NOT be used in order to be disk-level encryption compliant? - ✔✔*Cannot use the same
user account authenticator as the operating system

*Cannot use a decryption key that is associated with or derived from the system's local user account
database or general network login credentials.



6 months - ✔✔DESV User accounts and access privileges are reviewed at least every ______

Seller: hov, State University Of West Georgia