Docsity
Docsity

Prepare for your exams
Prepare for your exams

Study with the several resources on Docsity


Earn points to download
Earn points to download

Earn points by helping other students or get them with a premium plan


Guidelines and tips
Guidelines and tips

PCI DSS Practice Exam 2024/25: Questions and Answers, Exams of Computer Security

A comprehensive set of questions and answers related to the payment card industry data security standard (pci dss). It covers various aspects of pci dss compliance, including data security, network security, vulnerability management, access control, and incident response. Useful for individuals preparing for pci dss certification exams or seeking to understand the requirements of the standard.

Typology: Exams

2023/2024

Available from 11/20/2024

tizian-kylan
tizian-kylan 🇺🇸

2.7

(21)

3.8K documents

1 / 10

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
1 / 5
PCI ISA Practice Exam 2024/25 Questions and
Answers
1. QSAs must retain work papers for a minimum of years. It is a
recommendation for ISAs to do the same.: 3
2. According to PCI DSS requirement 1, Firewall and router rule sets need to
be reviewed every months.: 6
3. At least and prior to the annual assessment the assessed
entity:
- Identifies all locations and flows of cardholder data to verify they are
included in the CDE
- Confirms the accuracy of their PCI DSS scope
- Retains their scoping documentation for assessor reference: annually
4. scope includes: ppl process, tech
pf3
pf4
pf5
pf8
pf9
pfa

Partial preview of the text

Download PCI DSS Practice Exam 2024/25: Questions and Answers and more Exams Computer Security in PDF only on Docsity!

PCI ISA Practice Exam 2024/25 Questions and

Answers

  1. QSAs must retain work papers for a minimum of years. It is a recommendation for ISAs to do the same.: 3
  2. According to PCI DSS requirement 1, Firewall and router rule sets need to be reviewed every months.: 6
  3. At least and prior to the annual assessment the assessed entity:
  • Identifies all locations and flows of cardholder data to verify they are included in the CDE
  • Confirms the accuracy of their PCI DSS scope
  • Retains their scoping documentation for assessor reference: annually
  1. scope includes: ppl process, tech
  1. Evidence Retention It is recommended that the ISA secure and maintain digital and/or hard copies of case logs, audit results and work papers, notes, and any technical information that was created and/or obtained during the PCI Data Security Assessment for a minimum of or as applicable to company data retention policies: of three (3) years
  2. A (time) process for identifying and securely deleting stored card- holder data that exceeds defined retention requirements.: quarterly
  3. Do not store SAD after (even if encrypted). (track data / cvc / pin): authorization
  4. manual clear-text key-management procedures specify processes for the use of the following: Split knowledge.Dual control
  5. Dual control: least two people are required to perform any key-management operations and no one person has access to the authentication materials (for example, passwords or keys) of another
  6. Split knowledge: key components are under the control of at least two people who only have knowledge of their own key components
  1. Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within of release.: one month
  2. Installation of all applicable vendor-supplied security patches within an : appropriate time frame (for example, within three months)
  3. makes sure change control has these 4 things: impack testing (PCI review) backout approval
  4. Train developers at least in up-to-date secure coding tech- niques, including how to avoid common coding vulnerabilities, and under- standing how sensitive data is handled in memory.: annually
  5. Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least or

automated technical solution that detects and prevents web-based attacks active : annually and after any changes all the time

  1. Observe user accounts to verify that any inactive accounts over are either removed or disabled.: 90 days old
  2. For a sample of system components, inspect system configuration set- tings to verify that authentication parameters are set to require that user accounts be locked out after not more than invalid logon at- tempts.: 6
  3. once a user account is locked out, it remains locked for a minimum of or : 30 mins or until a system administrator resets the account
  4. idle time out features have been set to : 15 mins or less

All security events Logs of all system components that store, process, or transmit CHD and/or SAD Logs of all critical system components Logs of all servers and system components that perform security functions- : daily

  1. reviewing logs of all other system components either manually or via log tools based on the organization's policies and risk management strategy.: periodically
  2. retaining audit logs for at least , with a minimum of immediately available online: one year 3 months
  3. Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a basis: quarterly
  4. Run internal and external network vulnerability scans at least and in the network: quarterly and after any significant change
  1. verify that internal/(external ASV) scans occurred in the most recent : four quarterly 12 - month period
  2. penetration testing when? how about service providers on seg controls??: quarterly and after sig changes 6 months and sig changes
  3. IDS/IPS where?: at perimeter of CDE and at crit points in CDE
  4. perform critical file comparisons at least : weekly
  5. information security policy reviewed when?: annually and sig changes
  6. entities monitor its service providers' PCI DSS compliance status at least : annually
  7. incident response plan tested when?: annually
  8. service providers only: Perform reviews at least to confirm person- nel are following security policies and operational procedures.: quarterly
  9. Where POS POI terminals (and the SSL/TLS termination points to which they connect) use SSL and/or early TLS, the entity must either:: Confirm the devices are not susceptible to any known exploits for those protocols, or Have a formal Risk Mitigation and Migration Plan in place
  10. DESV User accounts and access privileges are reviewed at least every
  1. Examine documented results of scope reviews and interview personnel to verify that the reviews are performed:: At least quarterly After significant changes to the in-scope environment
  2. processes are defined and implemented to review hardware and software technologies when?: annually