PCI ISA EXAM LATEST (100 REAL EXAM QUESTIONS AND CORRECT ANSWERS) 2024, Exams of Computer Security


Typology: Exams

2024/2025

Available from 11/20/2024

tizian-kylan


For PCI DSS Requirement 1, firewall and router rule sets need to be reviewed every ___ months - ANSWER- 6 months
Non-console administrator access to any web-based management interfaces must be encrypted with technology such as ___ - ANSWER- HTTPS
Requirements 2.2.2 and 2.2.3 cover the use of secure services, protocols and daemons. Which of the following is considered to be secure? - ANSWER- SSH, TLS, IPsec, VPN
Which of the following is considered "Sensitive Authentication Data"? - ANSWER- Card verification value (CAV2/CVC2/CVV2/CID), full track data, PIN/PIN block
True or False: It is acceptable for merchants to store Sensitive Authentication Data after authorization as long as it is strongly encrypted. - ANSWER- False
When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to be masked are: - ANSWER- All digits between the first six and last four
Which of the following is true regarding protection of PAN? - ANSWER- PAN must be rendered unreadable during transmission over open, public networks (including wireless networks)
Which of the following may be used to render PAN unreadable in order to meet Requirement 3.4? - ANSWER- One-way hashing of the entire PAN using strong cryptography; truncation; index tokens and pads, with the pads securely stored; strong cryptography with associated key-management processes and procedures
True or False: Where manual clear-text key-management procedures are used for keys on production systems, split knowledge and dual control are required. - ANSWER- True


When assessing Requirement 6.5, testing to verify that secure coding techniques are in place to address common coding vulnerabilities includes: - ANSWER- Examine software development policies and procedures to verify that up-to-date training in secure coding techniques is required for developers at least annually, based on industry best practices and guidance
One of the principles to be used when granting user access to systems in the CDE is: - ANSWER- Least privilege
An example of a "one-way" cryptographic function used to render data unreadable is: - ANSWER- SHA-
A set of cryptographic hash functions designed by the National Security Agency (NSA). - ANSWER- SHA-2 (Secure Hash Algorithm 2)
Inactive user accounts should be either removed or disabled within ___ - ANSWER- 90 days
True or False: Procedures must be developed to easily distinguish between onsite personnel and visitors. - ANSWER- True
When should access be revoked for recently terminated employees? - ANSWER- Immediately
True or False: A visitor with a badge may enter a sensitive area unescorted. - ANSWER- False; visitors must be escorted at all times.
Description of cryptographic architecture includes: - ANSWER-
* Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
* Description of the key usage for each key
* Inventory of any HSMs and other SCDs used for key management
Protection of keys used for encryption of cardholder data against disclosure must include at least (4 items): - ANSWER-
* Access to keys is restricted to the fewest number of custodians necessary
* Key-encrypting keys are at least as strong as the data-encrypting keys they protect
* Key-encrypting keys are stored separately from data-encrypting keys
* Keys are stored securely in the fewest possible locations

What pre-assessment activities should an assessor consider when preparing for an assessment? - ANSWER-
* Ensure the assessor(s) has competent knowledge of the technologies being assessed
* Identify the types of system components and the locations of facilities to be reviewed
* Consider the size and complexity of the environment to be assessed
When does authorization occur? - ANSWER- At time of purchase
When does clearing occur? - ANSWER- Usually within one day
When does settlement occur? - ANSWER- Usually within 2 days
Where does an assessor document their sampling methodology? - ANSWER- Report on Compliance (ROC)
Manual clear-text key-management procedures specify processes for the use of the following - ANSWER- Split knowledge and dual control
What is dual control? - ANSWER- At least two people are required to perform any key-management operation, and no one person has access to the authentication materials (for example, passwords or keys) of another.
What is split knowledge? - ANSWER- Key components are under the control of at least two people, each of whom has knowledge only of their own key component.
True or False: Encryption key management is an optional PA-DSS requirement to be used only if the customer requests encryption requirements above and beyond PCI. - ANSWER- False; encryption key management is required
When should keys be retired or replaced? - ANSWER- When keys are deemed weakened, are no longer needed, are suspected or known to be compromised, or when a key custodian no longer works for the company.
Archived cryptographic keys are only used for what purpose? - ANSWER- Decryption/verification purposes
What is masking? - ANSWER- Applies to the display of information and implies that the full data can still be accessed behind the scenes.
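Split knowledge and dual control, as defined above, as an added Python example (this is illustrative code, not material from the study guide or from PCI SSC). It assumes key components are formed as XOR shares, which is one common way to build clear-text components (the page names no scheme); the key check value is modelled as a SHA-256 prefix rather than the X9.24-style encryption of a zero block; and the custodian names are hypothetical.

```python
import hashlib
import secrets
from functools import reduce
from typing import Dict, List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Split knowledge: produce one XOR component per custodian.

    All but the last component are uniformly random; the last is chosen so that
    the XOR of all components equals the key. Any set of fewer than all the
    components is itself uniformly random, so a custodian who sees only their
    own component (or even all but one) learns nothing about the key.
    """
    if custodians < 2:
        raise ValueError("split knowledge requires at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    components.append(reduce(xor_bytes, components, key))
    return components


def combine_components(components: List[bytes]) -> bytes:
    """Reassemble the clear-text key; in practice this happens inside an HSM or other SCD."""
    return reduce(xor_bytes, components)


def key_check_value(key: bytes) -> str:
    """Key check value recorded at generation time so custodians can confirm the
    assembled key without seeing it. Modelled here (hypothetically) as the first
    six hex digits of SHA-256(key); X9.24-style KCVs encrypt a zero block instead."""
    return hashlib.sha256(key).hexdigest()[:6]


def load_key(presentations: Dict[str, bytes], expected_kcv: str) -> bytes:
    """Dual control for a manual key-loading ceremony.

    `presentations` maps an authenticated custodian ID to the one component that
    custodian holds. The ceremony refuses to proceed unless at least two distinct
    custodians are present, and it rejects a reassembled key whose KCV does not
    match, which catches a missing, wrong or tampered component.
    """
    if len(presentations) < 2:
        raise PermissionError("dual control: at least two custodians must be present")
    key = combine_components(list(presentations.values()))
    if key_check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch: a component is missing or wrong")
    return key


if __name__ == "__main__":
    # Constructed demo key; a real DEK or KEK would be generated inside an SCD.
    demo_key = secrets.token_bytes(32)
    kcv = key_check_value(demo_key)
    alice, bob, carol = split_key(demo_key, 3)  # hypothetical custodians
    assert load_key({"alice": alice, "bob": bob, "carol": carol}, kcv) == demo_key
    try:
        load_key({"alice": alice, "bob": bob}, kcv)  # carol is absent
    except ValueError as exc:
        print("rejected:", exc)
    print("key reloaded under dual control, KCV", kcv)
```

Note that XOR splitting gives an all-or-nothing split: every custodian must be present to reconstruct, which is what the "at least two people" wording of dual control requires, and the KCV check is what turns a missing component into a hard failure instead of a silently wrong key.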

Once a user account is locked out, it remains locked out for a minimum of ___ or ___ - ANSWER- 30 minutes or until a system administrator resets the account
What is truncation? - ANSWER- Applies to storage and implies the permanent and irrecoverable transformation of the original data (a segment of the PAN is permanently removed).
What is hashing? - ANSWER- Applies to storage; uses a cryptographic method that takes a block of data (the PAN) and passes it through a one-way function to produce a fixed-length digest. It cannot be reversed to recover the original data, and it removes the need to manage and protect encryption keys. Caveat (note to Requirement 3.4): because the space of possible PANs is small, an unkeyed hash of a PAN can be brute-forced by anyone who also holds the truncated form of the same PAN, so hashed and truncated versions of the same PAN must not be correlatable, and a keyed hash is the stronger choice.
How often should unnecessary stored data be purged? - ANSWER- At least quarterly
A user is locked out after ___ wrong attempts - ANSWER- 6
If a session has been idle for ___ minutes, a user must re-authenticate to re-activate the terminal or session - ANSWER- 15 minutes
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least ___ or ___ - ANSWER- At least annually and after any changes (or, as the alternative in Requirement 6.6, an automated technical solution such as a web application firewall that continually checks all traffic)
What are "shared services"? - ANSWER- Common system components that provide services to many system components across an organization, such as domain name service (DNS) and network time protocol (NTP)
What is NTP and is it in scope? - ANSWER- Network Time Protocol; it sets all system clocks to the same time. Yes, it is in scope: the NTP server has connectivity into the cardholder data environment to provide time and date.
Active Directory, NTP, DNS, patch management, and SMTP are examples of - ANSWER- Shared services that are in scope for PCI DSS
Verify that storage location security is reviewed at least ___ to confirm that backup media storage is secure - ANSWER- Annually
Review media inventory logs to verify that logs are maintained and media inventories are performed at least ___ - ANSWER- Annually
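The masking, truncation and hashing definitions above, together with the Requirement 3.4 note about correlating hashed and truncated PANs, as an added Python example (illustrative code, not from the study guide or from PCI SSC). It assumes a 16-digit PAN, uses the well-known Luhn-valid test number 4111111111111111 as constructed input, and shows why an unkeyed SHA-256 of a PAN is recoverable from its truncated form while an HMAC under a managed key is not.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed test input: a well-known Luhn-valid test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test used by the card brands; useful for pruning candidates."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3 display rule: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Requirement 3.4 truncation for storage: keep only the first six and last four."""
    return pan[:6] + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: one-way, but there is no secret an attacker lacks."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 of the PAN under a secret key managed like any other cryptographic key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str, hash_fn: Callable[[str], str],
                pan_len: int = 16,
                candidates: Optional[Iterable[int]] = None) -> Optional[str]:
    """The attack from the Requirement 3.4 note: given first6+last4 and a hash of
    the full PAN, enumerate the hidden middle digits and compare hashes.

    For a 16-digit PAN only 10**6 middle values exist (about 10**5 pass Luhn), so
    an unkeyed hash falls in seconds. With a keyed hash the attacker must also
    guess the key, and the same loop returns None.
    """
    first6, last4 = truncated[:6], truncated[-4:]
    hidden = pan_len - 10
    if candidates is None:
        candidates = range(10 ** hidden)
    for n in candidates:
        pan = f"{first6}{n:0{hidden}d}{last4}"
        if hash_fn(pan) == digest:
            return pan
    return None


if __name__ == "__main__":
    print("masked   :", mask_pan(SAMPLE_PAN))
    print("truncated:", truncate_pan(SAMPLE_PAN))
    stored = truncate_pan(SAMPLE_PAN)
    weak = unkeyed_hash(SAMPLE_PAN)
    print("recovered from unkeyed hash:", recover_pan(stored, weak, unkeyed_hash))
    secret = b"\x00" * 32  # placeholder; a real key comes from the key-management process
    strong = keyed_hash(SAMPLE_PAN, secret)
    guess = lambda p: keyed_hash(p, b"attacker-guess")
    print("recovered from keyed hash  :", recover_pan(stored, strong, guess))
```

The point the loop makes is that "one-way" is necessary but not sufficient: the input space, not the hash function, decides whether a PAN hash can be reversed, which is why the same entity must not keep correlatable hashed and truncated copies of a PAN and why a keyed hash (with its key under the Requirement 3.5/3.6 controls) is preferred.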

Encryption key management is an optional PA-DSS requirement to be used only if the customer requests encryption requirements above and beyond PCI. - ANSWER- False; encryption key management is always required, not optional
True or False: If a payment product is deployed in such a way in the customer's CDE that the payment product never stores, processes or handles credit card data, PA-DSS is not in scope. Examples include products that only process loyalty cards. - ANSWER- True; only cardholder data (i.e. PAN and track data) is in PCI scope
When should a PA-DSS policy exception be used? - ANSWER- When a customer cannot meet PA-DSS requirements due to business, operational or technical constraints.
True or False: A PCI pre-engagement checklist form is used to determine whether a payment vendor's PA-DSS-validated application can meet the PCI DSS requirements of a merchant customer. - ANSWER- True
What is the main purpose of PA-DSS validation? - ANSWER- From the customer's point of view, liability shift: when the application is installed correctly in the customer's CDE per the payment vendor's installation guide, card fraud liability shifts from the merchant (PCI DSS) to the payment vendor (PA-DSS) if a forensic audit proves that the vendor's payment application was at fault.
SAQ P2PE - ANSWER- Merchants using a validated P2PE solution listed on the PCI SSC website
SAQ A-EP - ANSWER- An e-commerce merchant whose website does not itself receive cardholder data but controls how cardholder data is redirected or posted to a PCI DSS compliant service provider (for example, a merchant-hosted payment page that posts the card data directly to the service provider)
SAQ A - ANSWER- An e-commerce merchant that fully outsources payment to a PCI DSS compliant service provider, for example by displaying the service provider's payment page in an iFrame; all payment page content comes from the service provider
SAQ B-IP - ANSWER- Merchants using only standalone, PCI PTS-approved point-of-interaction (POI) devices with an IP connection to the acquirer/payment processor, with no electronic cardholder data storage

What does PA-DSS apply to? - ANSWER- Applications that store, process or transmit cardholder data as part of authorization or settlement, and are sold, licensed or distributed "off-the-shelf" to third parties
Who is responsible for enforcing compliance? - ANSWER- The payment brands
Which entity is responsible for forensic investigations of account data compromises? - ANSWER- The payment brands; they are responsible for both enforcement of compliance and forensic investigations of data breaches
Storing track data "long-term" or "persistently" is permitted when - ANSWER- It is being stored by issuers (or companies that support issuing services) with a legitimate business justification
PCI DSS states that PAN must be rendered unreadable when stored. Which of the following may be used to meet this requirement? - ANSWER- Hashing the entire PAN using strong cryptography
PCI DSS Requirement 5 states that anti-virus software must be: - ANSWER- Installed on all systems commonly affected by malware
As defined by PCI DSS Requirement 7, access to cardholder data should be restricted based on which principle? - ANSWER- Business need to know
PCI DSS Requirement 12.6 requires personnel to acknowledge at least ___ that they have read and understood the security policy and procedures - ANSWER- Annually
Access to keys is restricted to: - ANSWER- The fewest number of custodians necessary
Key-encrypting keys must be - ANSWER- At least as strong as the data-encrypting keys they protect
Key-encrypting keys are stored: - ANSWER- Separately from data-encrypting keys
ASV solutions (scans) must be non-disruptive to customers' systems and data and never... - ANSWER- Cause a system reboot, or interfere with or change domain name server (DNS) routing, switching, or address resolution

SAQ B - ANSWER- Merchants only: imprint machines with no electronic cardholder data storage and/or standalone, dial-out terminals with no electronic cardholder data storage
SAQ C-VT - ANSWER- Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution
SAQ C - ANSWER- Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage
SAQ D - ANSWER- Merchants and service providers with all other payment solutions (SAQ D for Merchants / SAQ D for Service Providers)
How often should user passwords be changed? - ANSWER- At least every 90 days
Development of internal and external software applications, including web-based administrative access to applications, must be in accordance with - ANSWER- Industry standards and/or best practices (Requirement 6.3)