Docsity
Log inSign up
Docsity
Prepare for your exams
Prepare for your exams

Study with the several resources on Docsity

Earn points to download
Earn points to download

Earn points by helping other students or get them with a premium plan

Guidelines and tips
Guidelines and tips
Sell on Docsity
Sell on Docsity
Log inSign up

Prepare for your exams

Study with the several resources on Docsity

Find documents

Prepare for your exams with the study notes shared by other students like you on Docsity

Search Store documents

The best documents sold by students who completed their studies

Search through all study resources
Docsity AINEW

Summarize your documents, ask them questions, convert them into quizzes and concept maps

Explore questions

Clear up your doubts by reading the answers to questions asked by your fellow students

Earn points to download

Earn points by helping other students or get them with a premium plan

Share documents
download point icon20 Points

For each uploaded document

Answer questions
download point icon5 Points

For each given answer (max 1 per day)

All the ways to get free points
Get points immediately

Choose a premium plan with all the points you need

Study Opportunities

Choose your next study program

Get in touch with the best universities in the world. Search through thousands of universities and official partners

Community

Ask the community

Ask the community for help and clear up your study doubts

University Rankings

Discover the best universities in your country according to Docsity users

Free resources

Our save-the-student-ebooks!

Download our free guides on studying techniques, anxiety management strategies, and thesis advice from Docsity tutors

From our blog

Exams and Study
Go to the blog

PCI-DSS ISA Exam Questions And Answers, Exams of Security Analysis

University of RedlandsSecurity Analysis

It's a program offered by the PCI Security Standards Council (PCI SSC) to train individuals within organizations to assess their own PCI DSS compliance. The certification process involves a PCI Fundamentals primer, followed by an in-depth training course and exam

Typology: Exams

2024/2025

Available from 06/24/2025

joyce-wangui-2
joyce-wangui-2 🇺🇸

96 documents

1 / 6

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
PCI ISA Test Prep | Correct Answers |
100% Verified | Latest 2025
Version
QSAs must retain work papers for a minimum of years. It is a recommendation for ISAs to do
the same. - ✔✔3
According to PCI DSS requirement 1, Firewall and router rule sets need to be reviewed every
months. - ✔✔6
At least and prior to the annual assessment the assessed entity:
- Identifies all locations and flows of cardholder data to verify they are included in the CDE
- Confirms the accuracy of their PCI DSS scope
- Retains their scoping documentation for assessor reference - ✔✔annually
scope includes - ✔✔ppl process, tech
Evidence Retention
It is recommended that the ISA secure and maintain digital and/or hard copies of case logs, audit results
and work papers, notes, and any technical information that was created and/or obtained during the PCI
Data Security Assessment for a minimum of or as applicable to company data retention
policies - ✔✔of three (3) years
A (time) process for identifying and securely deleting stored cardholder data that exceeds
defined retention requirements. - ✔✔quarterly
Do not store SAD after (even if encrypted). (track data / cvc / pin) - ✔✔authorization
manual clear-text key-management procedures specify processes for the use of the following - ✔✔Split
knowledge.Dual control
pf3
pf4
pf5

Partial preview of the text

Download PCI-DSS ISA Exam Questions And Answers and more Exams Security Analysis in PDF only on Docsity!

PCI ISA Test Prep | Correct Answers |

100% Verified | Latest 2025

Version

QSAs must retain work papers for a minimum of years. It is a recommendation for ISAs to do the same. - ✔✔ 3 According to PCI DSS requirement 1 , Firewall and router rule sets need to be reviewed every months. - ✔✔ 6 At least and prior to the annual assessment the assessed entity:

  • Identifies all locations and flows of cardholder data to verify they are included in the CDE
  • Confirms the accuracy of their PCI DSS scope
  • Retains their scoping documentation for assessor reference - ✔✔annually scope includes - ✔✔ppl process, tech Evidence Retention It is recommended that the ISA secure and maintain digital and/or hard copies of case logs, audit results and work papers, notes, and any technical information that was created and/or obtained during the PCI Data Security Assessment for a minimum of or as applicable to company data retention policies - ✔✔of three ( 3 ) years A (time) process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements. - ✔✔quarterly Do not store SAD after (even if encrypted). (track data / cvc / pin) - ✔✔authorization manual clear-text key-management procedures specify processes for the use of the following - ✔✔Split knowledge.Dual control

Dual control - ✔✔least two people are required to perform any key-management operations and no one person has access to the authentication materials (for example, passwords or keys) of another Split knowledge - ✔✔key components are under the control of at least two people who only have knowledge of their own key components PAN is rendered unreadable in which ways - ✔✔hash mask encrypt pad Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within of release. - ✔✔one month Installation of all applicable vendor-supplied security patches within an - ✔✔appropriate time frame (for example, within three months) makes sure change control has these 4 things - ✔✔impack testing (PCI review) backout approval Train developers at least in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. - ✔✔annually Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least

name, firm, escort Verify that the storage location security is reviewed at least to confirm that backup media storage is secure. - ✔✔annually Review media inventory logs to verify that logs are maintained and media inventories are performed at least - ✔✔annually reviewing the following at least _, either manually or via log tools: All security events Logs of all system components that store, process, or transmit CHD and/or SAD Logs of all critical system components Logs of all servers and system components that perform security functions - ✔✔daily reviewing logs of all other system components —either manually or via log tools—based on the organization's policies and risk management strategy. - ✔✔periodically retaining audit logs for at least , with a minimum of immediately available online - ✔✔one year 3 months Implement processes to test for the presence of wireless access points ( 802. 11 ), and detect and identify all authorized and unauthorized wireless access points on a basis - ✔✔quarterly Run internal and external network vulnerability scans at least and in the network - ✔✔quarterly and after any significant change

verify that internal/(external ASV) scans occurred in the most recent - ✔✔four quarterly 12 - month period penetration testing when? how about service providers on seg controls?? - ✔✔quarterly and after sig changes 6 months and sig changes IDS/IPS where? - ✔✔at perimeter of CDE and at crit points in CDE perform critical file comparisons at least - ✔✔weekly information security policy reviewed when? - ✔✔annually and sig changes entities monitor its service providers' PCI DSS compliance status at least - ✔✔annually incident response plan tested when? - ✔✔annually service providers only: Perform reviews at least to confirm personnel are following security policies and operational procedures. - ✔✔quarterly Where POS POI terminals (and the SSL/TLS termination points to which they connect) use SSL and/or early TLS, the entity must either: - ✔✔Confirm the devices are not susceptible to any known exploits for those protocols, or Have a formal Risk Mitigation and Migration Plan in place