PCI DSS Fundamentals Exam Questions and Answers 2022/2023
A Sustainable Compliance Program must: - ANSWER-Be implemented into Business-
as-usual (BAU) activities as part of the organizations overall security strategy.
True or False: The driving objective behind all PCI DSS compliance activities is to attain
a compliant report. - ANSWER-False ongoing security of cardholder data is the driving objective which will lead to a compliant report
Effective metrics program can provide useful data for: - ANSWER-Allocation of resources to minimize risk occurrence and measure the business consequences of security events.
Security Goals should include: - ANSWER-Continuous monitoring, testing, documenting
implementation, effectiveness, efficiency, impact, and status of controls and activities.
Control-failure response processes should include: - ANSWER-minimizing the impact of
the incident, restoring controls, performing root-cause analysis and remediation, implementing hardening standards and enhancing monitoring.
True or False: 3rd party providers are monitored by issuers - ANSWER-False, Organizations should develop and implement processes to monitor the compliance status of its service providers to determine whether a change in status requires a change in the relationship.
True or False: Organizations should evolve their controls with the threat landscape, changes in organizations structure, new business initiatives, and changes in business processes and technologies - ANSWER-True Evolving security reduces the negative impact on an organizations security posture.
How can organizations prevent "fall-off" between assessments - ANSWER-Develop a well designed program of security controls and monitoring practices.
True or False: Network segmentation is one method that can help reduce the number of
system components in scope for PCI DSS - ANSWER-True, outsourcing to a 3rd party service provider and using P2PE are other methods of reducing scope.
Who is ultimately responsible for making its own PCI DSS scoping decisions, designing effective segmentation and ensuring its own PCI DSS compliance and related validation
requirements are met - ANSWER-Each entity is responsible for themselves. What does segmentation involve - ANSWER-additional controls to separate systems with different security needs.
Segmentation can consist of: - ANSWER-logical controls, physical controls or a combination of both
Name some commonly used segmentation methods - ANSWER-Firewalls and router configurations (preventing traffic in & out), network configurations (preventing communication) and physical controls
E-commerce Payment Gateway/Payment Processor - ANSWER-may facilitate payment authorization by forwarding transactions to the processors/acquirers that perform the actual payment authorization.
E-Commerce infrastructure may include: - ANSWER-consumers browser, application servers, database servers and any other underlying servers or devices such as network devices.
Merchants infrastructure may include: - ANSWER-networking and operating system, firewalls, switches, routers and any virtual infrastructure such as hypervisors.
E-commerce infrastructure typically follows what 3-tier computing model - ANSWER-1) Presentation layer (web) 2) processing layer (application) 3) data-storage layer
Requirements for firewall configuration standards are: - ANSWER-a firewall at each internet connection and between any demilitarized zone (DMZ) and the internal network
zone.
Examine firewall and router configurations to verify that a DMZ is implemented to limit - ANSWER-inbound traffic to only a system components that provide authorized publicly accessible services, protocols, and ports
Examine firewall and router configurations to verify that inbound internet traffic is limited to - ANSWER-IP addresses within the DMZ
How often should information security policies and risk assessments be completed - ANSWER-Annually and with any changes
Which items are included in a risk assessment - ANSWER-Identify critical assets, threats, vulnerabilities, formal documented analysis.
National Institute of Standards and Technology (NIST) proposes what 3 security metrics
- ANSWER-1) implementation measures 2) efficiency and effectiveness measures, 3) impact measures
A Sustainable Compliance Program must: - ANSWER-Be implemented into Business-
as-usual (BAU) activities as part of the organizations overall security strategy.
True or False: The driving objective behind all PCI DSS compliance activities is to attain
a compliant report. - ANSWER-False ongoing security of cardholder data is the driving objective which will lead to a compliant report
Effective metrics program can provide useful data for: - ANSWER-Allocation of resources to minimize risk occurrence and measure the business consequences of security events.
Security Goals should include: - ANSWER-Continuous monitoring, testing, documenting
implementation, effectiveness, efficiency, impact, and status of controls and activities.
Control-failure response processes should include: - ANSWER-minimizing the impact of
the incident, restoring controls, performing root-cause analysis and remediation, implementing hardening standards and enhancing monitoring.
True or False: 3rd party providers are monitored by issuers - ANSWER-False, Organizations should develop and implement processes to monitor the compliance status of its service providers to determine whether a change in status requires a change in the relationship.
True or False: Organizations should evolve their controls with the threat landscape, changes in organizations structure, new business initiatives, and changes in business processes and technologies - ANSWER-True Evolving security reduces the negative impact on an organizations security posture.
How can organizations prevent "fall-off" between assessments - ANSWER-Develop a well designed program of security controls and monitoring practices.
True or False: Network segmentation is one method that can help reduce the number of
system components in scope for PCI DSS - ANSWER-True, outsourcing to a 3rd party service provider and using P2PE are other methods of reducing scope.
Who is ultimately responsible for making its own PCI DSS scoping decisions, designing effective segmentation and ensuring its own PCI DSS compliance and related validation
requirements are met - ANSWER-Each entity is responsible for themselves. What does segmentation involve - ANSWER-additional controls to separate systems with different security needs.
Segmentation can consist of: - ANSWER-logical controls, physical controls or a combination of both
Name some commonly used segmentation methods - ANSWER-Firewalls and router configurations (preventing traffic in & out), network configurations (preventing communication) and physical controls
E-commerce Payment Gateway/Payment Processor - ANSWER-may facilitate payment authorization by forwarding transactions to the processors/acquirers that perform the actual payment authorization.
E-Commerce infrastructure may include: - ANSWER-consumers browser, application servers, database servers and any other underlying servers or devices such as network devices.
Merchants infrastructure may include: - ANSWER-networking and operating system, firewalls, switches, routers and any virtual infrastructure such as hypervisors.
E-commerce infrastructure typically follows what 3-tier computing model - ANSWER-1) Presentation layer (web) 2) processing layer (application) 3) data-storage layer
Requirements for firewall configuration standards are: - ANSWER-a firewall at each internet connection and between any demilitarized zone (DMZ) and the internal network
zone.
Examine firewall and router configurations to verify that a DMZ is implemented to limit - ANSWER-inbound traffic to only a system components that provide authorized publicly accessible services, protocols, and ports
Examine firewall and router configurations to verify that inbound internet traffic is limited to - ANSWER-IP addresses within the DMZ
How often should information security policies and risk assessments be completed - ANSWER-Annually and with any changes
Which items are included in a risk assessment - ANSWER-Identify critical assets, threats, vulnerabilities, formal documented analysis.
National Institute of Standards and Technology (NIST) proposes what 3 security metrics
- ANSWER-1) implementation measures 2) efficiency and effectiveness measures, 3) impact measures
