PCI ISA FLASHCARDS 3.2.1 QUESTIONS AND ANSWERS
Non-console administrator access to any web-based management interfaces must be encrypted with
technology such as ______ - (ANSWER)HTTPS
Requirements 2.2.2 and 2.2.3 cover the use of secure services, protocols and daemons. Which of the
following is considered to be secure? - (ANSWER)SSH
Which of the following is considered "Sensitive Authentication Data"? - (ANSWER)Card Verification
Value (CAV2/CVC2/CVV2/CID), Full Track Data, PIN/PIN Block
True or False: It is acceptable for merchants to store Sensitive Authentication Data after authorization as long
as it is strongly encrypted. - (ANSWER)False
When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to
be masked are: - (ANSWER)All digits between the first six and last four
Which of the following is true regarding protection of PAN? - (ANSWER)PAN must be rendered
unreadable during transmission over public, wireless networks
Which of the following may be used to render PAN unreadable in order to meet requirement 3.4? -
(ANSWER)Hashing the entire PAN using strong cryptography
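The two cards above (masking the PAN for display and hashing the entire PAN to render it unreadable) are worth seeing in code, because PCI DSS 3.4 also warns that a hashed PAN stored next to its truncated or masked form can be correlated to reconstruct the original: only the hidden digits are unknown, and the Luhn check digit prunes the search. The block below is an added example, not part of the flashcard set or of any PCI SSC material. It assumes a 16-digit PAN, uses the well-known Visa test number 4111111111111111 rather than real card data, and uses a constructed secret key that in a real deployment would live in an HSM or KMS under the key-management controls listed later on this page. The keyed-hash function (HMAC-SHA256) is the example's own way of closing the search, not a method the page prescribes.

```python
"""Added example (not from the flashcard set): PAN display masking and
one-way hashing of the entire PAN, plus a demonstration of why an unkeyed
hash that sits next to a masked PAN can be reversed by brute force."""
import hashlib
import hmac
import itertools
from typing import Optional

# Constructed sample: the standard Visa test number, not real card data.
SAMPLE_PAN = "4111111111111111"
# Assumed secret for the keyed hash; in production it is held in an HSM/KMS.
SECRET_KEY = b"example-only-key-stored-in-hsm"

# Luhn doubling table: d*2, with 9 subtracted when the product exceeds 9.
_DOUBLE = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        total += _DOUBLE[d] if i & 1 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for staff without a need to see the full PAN:
    keep at most the first six and last four digits, mask everything between."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan_unkeyed(pan: str) -> str:
    """Plain SHA-256 of the entire PAN. One-way, but an attacker who also
    holds the masked form can test every candidate (see recover_from_masked)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hash_pan_keyed(pan: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over the entire PAN with a secret key: still one-way,
    and without the key an attacker cannot evaluate candidate PANs at all."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_masked(masked: str, digest: str) -> Optional[str]:
    """Brute-force the hidden digits of a masked PAN against an unkeyed
    SHA-256 digest: at most 10**hidden candidates, about a tenth of which
    survive the Luhn filter and need a hash computation."""
    hidden = masked.count("*")
    prefix, suffix = masked[:6], masked[-4:]
    for digits in itertools.product("0123456789", repeat=hidden):
        candidate = prefix + "".join(digits) + suffix
        if not luhn_valid(candidate):
            continue
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    masked = mask_pan(SAMPLE_PAN)
    print("masked:", masked)
    print("recovered from unkeyed hash:",
          recover_from_masked(masked, hash_pan_unkeyed(SAMPLE_PAN)))
    # The same search against the keyed hash exhausts all candidates and fails.
    print("recovered from keyed hash:",
          recover_from_masked(masked, hash_pan_keyed(SAMPLE_PAN)))
```

Running the block prints the masked PAN, then recovers the full PAN from the unkeyed digest in well under a second, and finally prints `None` for the keyed digest after exhausting the search space. The practical takeaway for an assessor is that "hashing the entire PAN" satisfies the letter of 3.4 only if the hashed and masked (or truncated) forms cannot be correlated; a keyed hash with the key managed under the controls on this page is one way to make that hold.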
True or False: Where keys are stored on production systems, split knowledge and dual control are
required. - (ANSWER)True
When assessing requirement 6.5, testing to verify secure coding techniques are in place to address
common coding vulnerabilities includes: - (ANSWER)Reviewing software development policies and
procedures
One of the principles to be used when granting user access to systems in CDE is: - (ANSWER)Least
privilege
An example of a "one-way" cryptographic function used to render data unreadable is: - (ANSWER)SHA-2
A set of cryptographic hash functions designed by the National Security Agency (NSA). - (ANSWER)SHA-2
(Secure Hash Algorithm 2)
True or False: Procedures must be developed to easily distinguish the difference between onsite
personnel and visitors. - (ANSWER)True
When should access for terminated employees be revoked? - (ANSWER)Immediately
True or False: A visitor with a badge may enter a sensitive area unescorted. - (ANSWER)False, visitors must
be escorted at all times.
Protection of keys used for encryption of cardholder data against disclosure must include at least: (4
items) - (ANSWER)*Access to keys is restricted to the fewest number of custodians necessary
*Key-encrypting keys are at least as strong as the data-encrypting keys they protect
*Key encrypting keys are stored separately from data-encrypting keys
*Keys are stored securely in the fewest possible locations
Description of cryptographic architecture includes: - (ANSWER)*Details of all algorithms, protocols, and
keys used for the protection of cardholder data, including key strength and expiry date
*Description of the key usage for each key
*Inventory of any HSMs and other SCDs used for key management
Which two methods must NOT be used for disk-level encryption to be compliant? - (ANSWER)*Cannot use the
same user account authenticator as the operating system
*Cannot use a decryption key that is associated with or derived from the system's local user account
database or general network login credentials.
DESV: User accounts and access privileges are reviewed at least every ______ - (ANSWER)6 months