PCI Practice Exam 3 Questions And
Answers With Verified Solutions 100%
Correct Rated A+ Newly Updated 2025
When must cryptographic keys be changed?
✔ Answer: At the end of their defined crypto period
Options:
At the end of their defined crypto period
At least annually
When a new key custodian is employed
Upon release of a new algorithm
What must assessors verify when testing that cardholder data is protected
whenever it is sent over the Internet?
✔ Answer: The encryption strength is appropriate for the technology in use
Options:
The security protocol is configured to support earlier versions
The encryption strength is appropriate for the technology in use
The security protocol is configured to accept all digital certificates
The cardholder data is securely deleted once the transmission has been sent
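The distractors in this question describe two concrete weaknesses an assessor looks for in a transport configuration: a protocol floor that still admits earlier TLS versions, and a client that accepts any certificate. The following Python block is an added example, not part of the practice exam or of any PCI SSC material; it uses the standard library `ssl` module to build a client context with both weaknesses beside a hardened one, and a small `assess_context` helper (a name chosen here, not an `ssl` API) that reports the findings an assessor would raise. It inspects the `SSLContext` settings only, so no network access is needed.

```python
"""Added example: weak vs. hardened TLS client configuration, checked offline.
All function names are illustrative; only the ssl module calls are real."""
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Both distractors from the question in one context: earlier protocol
    versions are still permitted and every certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # floor allows TLS 1.0/1.1
    ctx.check_hostname = False                   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE              # accepts all digital certificates
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What an assessor expects for cardholder data in transit: a modern
    protocol floor, mandatory certificate validation and hostname matching."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2 # no earlier versions negotiable
    return ctx


def assess_context(ctx: ssl.SSLContext) -> list:
    """Return the findings against this context; an empty list means the
    configuration meets the intent of the requirement."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (earlier versions allowed)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required (all certificates accepted)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    # Encryption strength: flag any enabled cipher suite below 128-bit strength.
    weak_ciphers = [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < 128]
    if weak_ciphers:
        findings.append("cipher suites below 128-bit strength enabled: " + ", ".join(weak_ciphers))
    return findings


if __name__ == "__main__":
    for label, build in (("weak", weak_client_context), ("hardened", hardened_client_context)):
        print(label, assess_context(build()) or "no findings")
```

The same three attributes (`minimum_version`, `verify_mode`, `check_hostname`) are what to look at when reviewing application code during an assessment; a context that passes `assess_context` can still be undermined by a custom `verify_callback` or by disabling checks per connection, so the code path that opens the socket should be read as well.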
As defined in Requirement 8, what is the minimum complexity of user
passwords?
✔ Answer: 7 characters, both alphabetic and numeric characters
Options:
8 characters, either alphabetic or numeric
5 characters, either alphabetic or numeric
6 characters, both alphabetic and numeric characters
7 characters, both alphabetic and numeric characters
Which statement is correct regarding the use of production data (live PANs)
for testing and development?
✔ Answer: Live PANs must not be used for testing or development
Options:
Live PANs must not be used for testing or development
Access to live PANs used for testing and development must be restricted to
authorized personnel
Live PANs must be used for testing and development
All live PANs used for testing and development must be authorized by the
cardholder
Which of the following is an example of multi-factor authentication?
✔ Answer: A user password and a PIN-activated smart card
Options:
A token that must be presented twice during the login process
A user passphrase and an application-level password
A user password and a PIN-activated smart card
A user fingerprint and a user thumbprint
Which of the following types of events is required to be logged?
✔ Answer: All access to all audit trails
Options:
All use of end-user messaging technologies
All access to external websites
All access to all audit trails
All network transmissions
Which of the following meets PCI DSS requirements for secure destruction of
media containing cardholder data?
✔ Answer: Electronic media is physically destroyed to ensure the data cannot
be reconstructed
Options:
Cardholder data on hard copy materials is copied to electronic media before
the hard copy materials are destroyed
Storage containers used for hardcopy materials are located outside of the
CDE
Electronic media is physically destroyed to ensure the data cannot be
reconstructed
Electronic media is stored in a secure location when the data is no longer
needed for business or legal reasons
Which scenario meets the intent of PCI DSS requirements for assigning users
access to cardholder data?
✔ Answer: Access is assigned to individual users based on the privileges
needed to perform their job
Options:
Access is assigned to all users based on the access needs of the least-privileged user