PCI ISA EXAM 200 REAL EXAM QUESTIONS AND VERIFIED
ANSWERS LATEST VERSION
What makes up SAD? - ANSWER: Track Data/ (CAV2/CVC2/CVV2/CID) / PINs & PIN
Blocks
Track 1 vs Track 2 - ANSWER: Track 1: contains all fields of both Track 1 and Track 2,
alphanumeric (includes cardholder name), up to 79 characters long. Track 2: numeric
only, no cardholder name, up to 40 characters long
11.2 Internal Scans - Frequency and performed by who? - ANSWER: Quarterly and
after significant changes in the network - Performed by qualified internal or qualified
external resource
11.3.4.1 Penetration Tests of segmentation controls (SERVICE PROVIDERS only) -
Frequency and performed by who? - ANSWER: At least every 6 months and after any
changes to segmentation controls/methods; qualified internal or external resource
11.2 External Scans - Frequency and performed by who? - ANSWER: Quarterly (11.2.2),
performed by a PCI SSC Approved Scanning Vendor (ASV); rescans after significant
changes in the network (11.2.3) may be performed by qualified internal or qualified
external personnel
11.3 Penetration Tests - Frequency and performed by who? - ANSWER: At least
annually and after significant changes in the network - Performed by qualified
internal or qualified external resource
11.2 Review scan reports and verify scan process includes rescans until: - ANSWER:
- External scans: no vulnerabilities exist with a CVSS base score of 4.0 or higher
(passing criterion from the ASV Program Guide)
- Internal scans: all high-risk vulnerabilities as defined in PCI DSS requirement 6.1 are
resolved
Who decides if a ROC or SAQ is required? - ANSWER: payment brands / acquirers
10.2 Implement audit trails for all system components to reconstruct the following
events: - ANSWER: - All individual user accesses to CHD
- Actions taken by any individual with root or administrative privileges
- Access to all audit trails
- Invalid logical access attempts
- Use of and changes to identification and authentication mechanisms
- Initialization, stopping, or pausing of the audit logs
- Creation and deletion of system-level objects
How long must QSAs retain work papers? - ANSWER: 3 years; the same retention is
recommended for ISAs
Firewall and router rule sets must be reviewed every _ months - ANSWER: every 6
months
Things to consider when assessing: - ANSWER: People, processes, technology
How often should an entity undergo a process to securely delete stored CHD that
exceeds defined retention requirements? - ANSWER: at least quarterly
3.6 Key-management operations - ANSWER: Dual Control: at least two people are
required to perform any key-management operations and no one person has access
to the authentication materials (for example, passwords or keys) of another
Split Knowledge: key components are under the control of at least two people who
only have knowledge of their own key components
3.4 PAN is rendered unreadable in which ways? - ANSWER: one-way hash of the entire
PAN based on strong cryptography; truncation (hashing cannot be used to replace the
truncated segment); index tokens and pads (pads must be securely stored); strong
cryptography with associated key-management processes. Note: truncated and hashed
versions of the same PAN must not be correlatable, or the PAN can be reconstructed
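Added example (not part of the exam page): truncation and hashing of a PAN side by side, and the failure mode behind the 3.4 note that truncated and hashed versions of the same PAN must not coexist in a correlatable form. With the first six and last four digits known, a 16-digit PAN has only a million possible middles, and the Luhn check discards most of them before a hash is ever computed. Assumed here and not stated on the page: a constructed Luhn-valid test number, SHA-256 for the unkeyed hash, and HMAC-SHA256 as the keyed variant that defeats the search.

```python
# Added example, not from the exam page: PAN truncation vs. hashing, and
# recovering a PAN from a truncated copy plus an unkeyed hash of it.
# Assumptions (not on the page): constructed test PAN, SHA-256, HMAC-SHA256.
import hashlib
import hmac
import itertools
from typing import Optional

TEST_PAN = "4111111111111111"  # constructed Luhn-valid test number, not a real card


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used here to prune the search space."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: retain at most the first six and last four digits."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan_unkeyed(pan: str) -> str:
    """Plain one-way hash of the entire PAN; no secret involved."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hash_pan_keyed(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256); without the key, guesses cannot be tested."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_truncation_and_hash(truncated: str, digest: str) -> Optional[str]:
    """What someone holding both a truncated PAN and an unkeyed hash of the
    same PAN can do: enumerate the masked middle digits. For a 16-digit PAN
    that is 10**6 candidates, and Luhn discards about 90% before hashing."""
    middle_len = truncated.count("X")
    prefix, suffix = truncated[:6], truncated[-4:]
    for digits in itertools.product("0123456789", repeat=middle_len):
        candidate = prefix + "".join(digits) + suffix
        if not luhn_ok(candidate):
            continue
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    truncated = truncate_pan(TEST_PAN)
    print("truncated:", truncated)
    # Truncation + unkeyed hash: the full PAN comes back.
    print("recovered:", recover_from_truncation_and_hash(truncated, hash_pan_unkeyed(TEST_PAN)))
    # Truncation + keyed hash: the same search exhausts all 10**6 candidates
    # (a few seconds) and finds nothing, since the HMAC needs the key.
    demo_key = b"constructed-demo-key-do-not-use"
    print("recovered:", recover_from_truncation_and_hash(truncated, hash_pan_keyed(TEST_PAN, demo_key)))
```

The practical check for an assessor follows from this: wherever an entity stores truncated PANs for display and hashed PANs for lookup, confirm the hash is keyed (or salted with a secret) and that the key is managed under 3.5 and 3.6, otherwise the two fields together are effectively clear-text PAN.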
6.2 Critical Security patches should be installed within _ of release. - ANSWER: one
month
6.2 Installation of applicable vendor-supplied security patches (non-critical) should
be installed: - ANSWER: within an appropriate time frame (e.g., 3 months)
6.4.5 Change control procedures must include the following - ANSWER: -
Documentation of impact
- Documented change approval by authorized parties
- Functionality testing to verify change does not adversely impact security of the
system
- Back-out procedures
6.5 Developers must be trained at least _ in up-to-date secure coding techniques. -
ANSWER: annually
6.6 For public-facing web applications, address new threats and vulnerabilities on an
ongoing basis and ensure these applications are protected against known attacks by
either of the following methods - ANSWER: - At least annually, and after any
changes, review via manual or automated application vulnerability assessment
tools/methods
- Automated technical solution that detects and prevents web-based attacks
continuously
1.3.2 Examine firewall and router configurations to verify inbound Internet traffic is: -
ANSWER: limited to IP addresses within the DMZ
7.1.4 Select sample of user IDs and compare with documented approvals to verify: -
ANSWER: - Documented approval exists for the assigned privileges
- Approval was by authorized parties
- Specified privileges match the role of the user ID