PCI SSC Assessor_New_V4 Assessor_New_V4 Exam Practice Test

According to the PCI DSS v3.2.1 Quick Reference Guide1, audit logs must be retained for at least 1 year, with the most recent 3 months immediately available. This is one of the requirements for ensuring that audit logs are available for review and analysis.

According to the PCI DSS v3.2.1 Quick Reference Guide1, visitors are escorted at all times within areas where cardholder data is processed or maintained, visitor badges are identical to badges used by onsite personnel, visitor log includes visitor name, address, and contact phone number, visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit. These are some examples of procedures that must be included in an organization’s procedures for managing visitors who access in-scope systems where cardholder data is processed or maintained.

According to the PCI DSS v3.2.1 Quick Reference Guide1, internal vulnerability scans must be performed after a significant change in any component or configuration that affects cardholder data or payment processing systems. This is one of the requirements for identifying and mitigating vulnerabilities that could compromise cardholder data.

classifying media that contains cardholder data is intended to ensure that media is property protected according to the sensitivity of the data it contains, which means it should be markedwith labels or tags that indicate its level of confidentiality or integrity. This is one of the requirements for ensuring that media containing cardholder data is properly labeled.

 One of the best practices for hardening a firewall is to disable any firewall functions that are not needed in production, such as unused services, ports, protocols, or features. This reduces the attack surface and minimizes the potential for exploitation. According to the PCI Card Production Logical Security Requirements, section 3.2.1, “The firewall must be configured to deny all traffic by default and allow only traffic that is explicitly required for the card production environment.” Furthermore, section 3.2.2 states, “The firewall must be configured to block all unnecessary services, ports, protocols, and IP addresses.” References: PCI Card Production Logical Security Requirements, Card Production Security Assessor - Logical - Credly

PCI DSS Requirement 3.6.4 states that entities must retire or replace keys when the keys have reached the end of their cryptoperiod, which is the time span during which a specific key can be used for cryptographic operations1. The retired key must not be used for encryption operations, as it may have been compromised or weakened by cryptanalysis, and may not provide adequate protection for the data. The retired key may still be used for decryption operations, if needed, to access historical data that was encrypted under the retired key2. Therefore, the correct answer is option A.

The other options are not true regarding the cryptographic key retirement and replacement. Option B is not true because PCI DSS does not specify a retention period for the cryptographic key components from the retired key, although it requires entities to securely delete cryptographic material when it is no longer needed for business or legal reasons1. Option C is not true because PCI DSS does not require a new key custodian tobe assigned, although it requires entities to define and document the roles, responsibilities, and accountability of all key custodians1. Option D is not true because PCI DSS does not require all data encrypted under the retired key to be securely destroyed, although it requires entities to render cardholder data unreadable when it is no longer needed for business or legal reasons1. References:

• PCI DSS v3.2.1
• Cryptographic Key Blocks - PCI Security Standards Council

An LDAP server is a type of directory service that provides authentication and authorization data to the cardholder data environment (CDE)1. According to the PCI DSS scoping and segmentation guidance2, any system that provides a security service to the CDE, such as authentication, is considered a connected or security-impacting system (Category 2) and is in scope for PCI DSS. This is because such systems can affect the security and controls of the CDE and the cardholder data (CHD) or sensitive authentication data (SAD) that it contains. Therefore, an LDAP server providing authentication services to the CDE is in scope for PCI DSS, regardless of whether it stores, processes, or transmits CHD or SAD, or whether it provides authentication services to systems in the DMZ or not. References:

• Guidance for PCI DSS Scoping and Network Segmentation
• What Are the Effects of Using Active Directory as a Shared Service on PCI Compliance?
• The Ultimate Guide To PCI DSS Scoping and Segmentation
• LDAP - PCI Security Standards Council

when disk encryption is used to protect account data, access to the disk encryption must be managed independently of the operating system access control mechanisms, which means it should not be affected by changes in the operating system settings or permissions. This is one of the requirements for ensuring that disk encryption is secure and effective.

According to requirement 4, an entity must monitor its TPSP’s PCI DSS compliance status at least annually, which means it should review its TPSP’s policies and procedures for protecting cardholder data and transactions against fraud and other threats at least once a year. This is one of the requirements for ensuring that an entity monitors its TPSP’s PCI DSS compliance status regularly.

According to the PCI DSS v3.2.1 Quick Reference Guide1, business facilities and system components can be sampled for testing during a PCI DSS assessment, as long as they are not critical components or components that are not in scope for testing. This is one of the requirements for ensuring that testing covers all relevant components and processes.

According to the PCI PTS standard2, point-of-interaction devices used to protect account data are point-of-interaction devices (POI), which are devices that are used to authenticate, authorize, or verify cardholder data or transactions. This is one of the requirements for ensuring that POI devices are used in accordance with PCI DSS.

PCI DSS Requirement 12.10.1 requires entities to implement an incident response plan that includes roles, responsibilities, and communication and contact strategies for a data security incident, including notification of relevant payment brands1. This is important because each payment card brand has its own policies and procedures for dealing with a security breach, and failing to follow them or meet reporting deadlines could result in fines or loss of authority to process payment card transactions2. Therefore, an incident response plan must include procedures for notifying PCI SSC of the security incident, as well as any other entities that may require notification, whether by contract or law1. References:

• Guidance for PCI DSS Scoping and Network Segmentation
• Responding to a Cardholder Data Breach

According to the PCI DSS v3.2.1 Quick Reference Guide1, screening and background checks for personnel with access to the cardholder data environment are required, as they may pose a risk if they have compromised or stolen cardholder data in the past or present. This is one of the requirements for ensuring that personnel with access to cardholder data are qualified and trustworthy.

According to the PCI DSS v3.2.1 Quick Reference Guide1, any in-scope system except for those identified as not at risk from malware must have anti-malware solutions installed and configured according to best practices. This is one of the requirements for preventing malware infections that could compromise cardholder data.

According to the PCI DSS v3.2.1 Quick Reference Guide1, a compensating control must address the risk associated with not adhering to a PCI DSS requirement and must be approved by an authorized person before implementation. This is one of the requirements for reducing or eliminating a risk that cannot be eliminated by other means

According to requirement 1, network security controls are intended to control network traffic between two or more logical or physical network segments, which means they should prevent unauthorized access, modification, or disclosure of cardholder data or transactions over the network. This is one of the requirements for ensuring that network security controls are implemented and maintained in accordance with PCI DSS.

PCI DSS Requirement 9.1.1 requires entities to use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment (CDE)1. A badge access-control system is one example of such a control, as it can identify who entered and exited the server room and when. However, this control is only effective if it is protected from tampering or disabling by unauthorized persons, as PCI DSS Requirement 9.1.2 states1. Otherwise, the access-control system could be bypassed or compromised, allowing unauthorized access to the systems that store encrypted PAN data. Therefore, the badge access-control system must be protected from tampering or disabling, as stated in option A.

The other options are not true regarding PCI DSS physical security requirements for a server room. Option B is not true because PCI DSS does not mandate the use of video cameras in addition to the existing access-control system, although it is a recommended best practice2. Option C is not true because PCI DSS does not specify a data retention period for the access-control system, although it requires entities to retain audit trail history for at least one year, with a minimum of three months immediately available for analysis3. Option D is not true because PCI DSS does not require the use of motion-sensing alarms in addition to the existing access-control system, although it is another recommended best practice2. References:

• PCI DSS v3.2.1
• PCI DSS Requirement 9: Upping Your Physical Security
• PCI DSS Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

 The Software Security Framework (SSF) is a collection of standards and programs for the secure design and development of payment software1. The SSF replaces the Payment Application Data Security Standard (PA-DSS) with modern requirements that support a broader array of payment software types, technologies, and development methodologies2. The SSF applies to any payment software that is part of the cardholder data environment (CDE), which is the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data3. Therefore, the correct answer is option A.

The other options are not true regarding the applicability of the SSF to different software types. Option B is not true because the SSF is not limited to software that runs on PCI PTS devices, which are hardware devices that accept payment card data at the point of interaction. The SSF covers software that runs on various platforms and devices, such as web servers, mobile devices, cloud services, and embedded systems. Option C is not true because the SSF is not limited to validated payment applications that are listed by PCI SSC and have undergone a PA-DSS assessment, which are payment applications that have been validated by PA-DSS assessors and meet the PA-DSS requirements. The SSF covers payment software that may not be eligible for PA-DSS validation, such as software that is developed by merchants or service providers for their own use, or software that is not sold, distributed, or licensed to a third party. Option D is not true because the SSF is not limited to software that is developed by the entity in accordance with the Secure SLC Standard, which is one of the two standards that are part of the SSF and provides security requirements and assessment procedures for software vendors to integrate into their software development lifecycles. The SSF covers payment software that is developed by any entity, whether it is a software vendor, a merchant, a service provider, or a third party, as long as it meets the security requirements and validation procedures of the Secure Software Standard, which is the other standardthat is part of the SSF and provides security requirements and assessment procedures for payment software products. References:

• Understanding the PCI Software Security Framework: New Educational Resources
• PCI Software Security Framework Provides a Modern Approach to Payment Software Security
• PCI DSS v3.2.1
• [PCI PTS POI Security Requirements]
• [Software Security Framework Secure Software Standard]
• [Payment Application Data Security Standard]
• [Software Security Framework Secure Software Life Cycle (Secure SLC) Standard]
• [PCI DSS v4.0: Is the Customized Approach Right For Your Organization?]