PCI Practice Exam 3 Questions and Correct Answers | Latest Update
When must cryptographic keys be changed?
- At the end of their defined crypto period
- At least annually
- When a new key custodian is employed
- Upon release of a new algorithm
Ans: At the end of their defined crypto period
Assignment Expert Guru01 - Stuvia © 2026
What must the assessors verify when testing that cardholder data is protected whenever it is sent over the Internet?
- The security protocol is configured to support earlier versions
- The encryption strength is appropriate for the technology in use
- The security protocol is configured to accept all digital certificates
- The cardholder data is securely deleted once the transmission has been sent
Ans: The encryption strength is appropriate for the technology in use
As defined in Requirement 8, what is the minimum complexity of user passwords?
- 8 characters, either alphabetic or numeric
- 5 characters, either alphabetic or numeric
- 6 characters, both alphabetic and numeric characters
- 7 characters, both alphabetic and numeric characters
Ans: 7 characters, both alphabetic and numeric characters
Which statement is correct regarding use of production data (live PANs) for testing and development?
- Live PANs must not be used for testing or development
- Access to live PANs used for testing and development must be restricted to authorized personnel
- Live PANs must be used for testing and development
- All live PANs used for testing and development must be authorized by the cardholder
Ans: Live PANs must not be used for testing or development
Which of the following is an example of multi-factor authentication?
- A token that must be presented twice during the login process
- A user passphrase and an application-level password
- A user password and a PIN-activated smart card
- A user fingerprint and a user thumbprint
Ans: A user password and a PIN-activated smart card
Which of the following types of events is required to be logged?
- All use of end-user messaging technologies
- All access to external websites
- All access to all audit trails
- All network transmissions
Ans: All access to all audit trails
Which of the following meets PCI DSS requirements for secure destruction of media containing cardholder data?
- Cardholder data on hard copy materials is copied to electronic media before the hard copy materials are destroyed
- Storage containers used for hardcopy materials are located outside of the CDE
- Electronic media is physically destroyed to ensure the data cannot be reconstructed
- Electronic media is stored in a secure location when the data is no longer needed for business or legal reasons
Ans: Electronic media is physically destroyed to ensure the data cannot be reconstructed
Which scenario meets the intent of PCI DSS requirements for assigning users access to cardholder data?
- Access is assigned to all users based on the access needs of the least-privileged user
- Access is assigned to individual users based on the highest privilege available
- Access is assigned to individual users based on the privileges needed to perform their job
- Access is assigned to a group of users based on the privileges of the most senior user in the group
Ans: Access is assigned to individual users based on the privileges needed to perform their job
Which of the following is an example of a system-level object?