PCI ISA EXAM QUESTIONS WITH ANSWERS ;; ALREADY RATED A+ // GUARANTEED PASS 100%, Exams of Computer System Design and Architecture

Typology: Exams

2023/2024

Available from 11/20/2024

wil-mug

Perimeter firewalls installed ______________________________. - ANSWER between all wireless networks and the CHD environment.

Where should firewalls be installed? - ANSWER At each Internet connection and between any DMZ and the internal network.

Review of firewall and router rule sets at least every __________________. - ANSWER 6 months

If disk encryption is used - ANSWER logical access must be managed separately and independently of native operating system authentication and access control mechanisms

Manual clear-text key-management procedures specify processes for the use of the following: - ANSWER Split knowledge AND Dual control of keys

What is considered "Sensitive Authentication Data"? - ANSWER Card verification value

When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to be masked are: All digits between the ___________ and the __________. - ANSWER first 6; last 4

Regarding protection of PAN... - ANSWER PAN must be rendered unreadable during transmission over public and wireless networks.

Under requirement 3.4, what method must be used to render the PAN unreadable? - ANSWER Hashing the entire PAN using strong cryptography

Weak security controls that should NOT be used - ANSWER WEP, SSL, and TLS 1.0 or earlier

Per requirement 5, anti-virus technology must be deployed _________________ - ANSWER on all system components commonly affected by malicious software.

Key functions for an anti-virus program per Requirement 5: - ANSWER
  1. Detect
  2. Remove
  3. Protect

Anti-virus solutions may be temporarily disabled only if - ANSWER there is a legitimate technical need, as authorized by management on a case-by-case basis

When to install "critical" applicable vendor-supplied security patches? ---> within _________ of release. - ANSWER 1 month

When to install applicable vendor-supplied security patches? - ANSWER within an appropriate time frame (for example, within three months).

When assessing requirement 6.5, testing to verify secure coding techniques are in place to address common coding vulnerabilities includes: - ANSWER Reviewing software development policies and procedures

Requirement 7 restricts access by: - ANSWER Need-to-know and least privilege

Inactive accounts over _____________ days need to be removed or disabled. - ANSWER 90 days

To verify the user access termination policy, an ISA needs to select a sample of users terminated in the past _______________ months and review current user access lists (for both local and remote access) to verify that their IDs have been deactivated or removed from the access lists. - ANSWER 6 months

How many logon attempts should be allowed before the account is temporarily locked out? - ANSWER 6 attempts

Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for: - ANSWER acquiring, distributing, and storing time

All security events and logs of (a) all system components that store, process, or transmit CHD; (b) critical system components; (c) components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) to be reviewed at least ______________. - ANSWER daily

Audit logs must be immediately available for analysis for a period of ________ and must be retained for a period of _________. - ANSWER 3 months; 1 year

Detection and identification of authorized and unauthorized wireless access points must occur _________________. - ANSWER quarterly

Run internal and external network vulnerability scans at least ____________________ and after any significant change in the network - ANSWER quarterly

"External" vulnerability scans must be run by ____________ and performed ________________. - ANSWER an ASV; quarterly

For external scans, no vulnerabilities exist that are scored _____________ by the CVSS. - ANSWER 4.0 or higher

Penetration testing for a "Service Provider" that targets segmentation controls must be performed every __________________. - ANSWER 6 months

FIM tools must be configured to perform critical file comparison checks at least _______________. - ANSWER weekly

A retail location that does not use wireless devices in store must test for the presence of unauthorized wireless devices every ________________. - ANSWER quarter

Verify that personnel attend security awareness training upon hire and at least ___________________. - ANSWER annually

Appendix A1 applies to - ANSWER hosting providers

Appendix A2 applies to - ANSWER entities using SSL/Early TLS

Appendix A3 applies to - ANSWER Designated Entities Supplemental Validation (DESV). An entity is required to undergo an assessment according to this Appendix ONLY if instructed to do so by an acquirer or a payment brand.

Designated entities (DESV) must document and confirm the accuracy of PCI DSS scope at least _________ and upon significant changes to the in-scope environment. - ANSWER quarterly

Designated Entities (DESV) must ensure that pen tests are performed on "segmentation controls" every _________________, and after significant changes. - ANSWER 6 months

In regards to DESV, user accounts and access privileges are reviewed at least every ______________. - ANSWER 6 months

ASV scans must cover __________________________________. - ANSWER ALL Internet-facing IP addresses in existence at the entity.

Compensating controls need to be evaluated at least _________________. - ANSWER annually

Compensating controls requirement 1: - ANSWER Constraints

Compensating controls requirement 2: - ANSWER Objective

Compensating controls requirement 3: - ANSWER Risk

Do not store _____ AFTER authorization even if ___________. - ANSWER sensitive authentication data; encrypted (sensitive auth data: track data, verification code, PIN)

Req 3.3: Protection of PAN displayed on screens, paper receipts, etc. by _____________________ - ANSWER masking the PAN and only showing the first 6 digits and last 4 digits.

Req 3.4: Protection of PAN when stored in files, databases, etc. by ______________. (hint: do what to the information?) - ANSWER render the information unreadable.

Disk Encryption - ANSWER Must verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native operating system's authentication mechanism.

Key-encrypting keys are ___________________ as data-encrypting keys and ___________________. - ANSWER at least as strong; stored separately.

Key Management documentation must specify the following: - ANSWER Procedures to:
  1. Generate strong keys
  2. Securely distribute keys
  3. Securely store keys
  4. Define the cryptoperiod

PAN must be - ANSWER rendered unreadable during transmission over PUBLIC wireless networks.

Split knowledge - ANSWER Two or more entities need to separately have key components that individually convey no knowledge of the resultant cryptographic key

Dual control - ANSWER Requires the presence of two individuals to perform a task

Critical vendor-supplied patches should be installed within _______________. - ANSWER 1 month

What is the proper handling of displaying an error message? - ANSWER by returning generic rather than specific error details (to not leak too much information about the system)

For a public web-facing application, do we use both or either one of these methods?
  1. Use either manual or automated vulnerability security assessment tools or methods at least annually and after any changes.
  2. Use of an automated technical solution that detects and prevents web-based attacks (WAF)
- ANSWER Either one

Req 7.1 - Limit access to user roles based on _______________. - ANSWER Least privilege and need-to-know basis based on job functions.

Req 7.2 - Access control system must be set to _____________ by default. - ANSWER deny-all

Multi-factor authentication is required for: ______________________ and _________. - ANSWER All remote access by personnel (user and administrator) and all third-party/vendor remote access

An example of a "one-way" cryptographic function used to render data unreadable is: - ANSWER SHA-2

Req 10.4: Time-synchronization technology - What type of server is required to receive time signals from external sources, where those external time signals are based on International Atomic Time or UTC? - ANSWER Central time server(s)
  • Where there is more than one designated time server, the time servers peer with one another to keep accurate time
  • Systems receive time information only from designated central time server(s).

IDS and IPS must be in place to monitor all traffic at ______________ and ____________. - ANSWER the perimeter and at critical points

Requirement #1 - ANSWER Install and Maintain Network Security Controls

Requirement #2 - ANSWER Apply secure configurations to all system components

Requirement #3 - ANSWER Protect Stored Account Data

Requirement #4 - ANSWER Protect cardholder Data with strong cryptography

Requirement #5 - ANSWER Protect all systems and networks from Malicious Software

Requirement #6 - ANSWER Develop and maintain secure systems and software

Requirement #7 - ANSWER Restrict Access to system components and cardholder data by business need to know

Requirement #8 - ANSWER Identify users and authenticate access to system components

Requirement #9 - ANSWER Restrict physical access to cardholder data

Requirement #10 - ANSWER Log and monitor all access to system components and cardholder data

Requirement #11 - ANSWER Test security of systems and networks regularly

Requirement #12 - ANSWER Support Information Security with organizational Policies and Programs

Appendix A - ANSWER Additional PCI DSS requirements - Third parties, POS POI terminals, etc.

Appendix B - ANSWER Compensating Controls - when an org can't meet a PCI DSS requirement due to a technical or legitimate business constraint

Appendix C - ANSWER Compensating Controls Worksheet

Appendix D - ANSWER Customized approach

Appendix E - ANSWER Sample templates to support the customized approach

Appendix F - ANSWER Leveraging the PCI Software Security Framework to support Req. #

Appendix G - ANSWER PCI DSS Glossary, abbreviations, and acronyms

ROC - ANSWER Report on Compliance - required for level 1 merchants, completed by a QSA, and documents the entity's assessment results for each requirement

SAQ - ANSWER Self-Assessment Questionnaire - typically done by small merchants and service providers; can be completed by the entity itself

Steps of the PCI DSS Assessment Process - ANSWER
  1. Assessor
  2. Scope
  3. Assess
  4. Report
  5. Attest
  6. Submit
  7. Compliance Accepting Entity

AOC - ANSWER Attestation of Compliance - official PCI SSC form for merchants and service providers to attest to a SAQ or ROC

Individuals are not allowed to submit a new password that is the same as the last ___ passwords - ANSWER last 4 passwords

How often are passwords changed if that is the only authentication? - ANSWER 90 days

How many types of authentication factors must be used? 8.1.1 (Best practice until March 31st, 2025, when it becomes a requirement) - ANSWER 2 different types

Individual physical access to sensitive areas within the CDE is monitored with either video cameras or physical access controls at both entry and exit points, monitoring devices are protected from tampering, and collected data is reviewed and stored for ____ months. - ANSWER 3 months

Visitor badge log is recorded and kept for __ months. - ANSWER 3 months

The security of the offline media backup location with cardholder data is reviewed at least every ____ months - ANSWER 12 months

Inventories of electronic media with cardholder data are conducted at least once every ____ months - ANSWER 12 Months

What must audit logs contain? - ANSWER user, type of event, date and time, success or failure indication, origination of event, identity or name of system, component, etc.

Retain audit log history for at least ___ months. The most recent ___ months immediately available for analysis - ANSWER 12 ; 3

Testing, detection and identification occurs at least once every ___ months and, if automated monitoring is used, personnel are notified via generated alerts - ANSWER 3 months

How often are internal vulnerability scans? - ANSWER 3 months

How often are external vulnerability scans? - ANSWER Every 3 months

Internal penetration testing is performed per the entity-defined methodology, at least once every ____ months and after any significant upgrade or infrastructure change, by a qualified internal resource or third party, with organizational independence of the tester - ANSWER 12 months

External penetration testing is performed every ___ months. - ANSWER 12 months