1
PCI Practice Exam 3 Questions with Answers (100%
Correct Answers)
When must cryptographic keys be changed?
- At the end of their defined crypto period
- At least annually
- When a new key custodian is employed
- Upon release of a new algorithm— Answer: At the end of their
defined crypto period
What must the assessors verify when testing that cardholder data is
protected whenever it is sent over the Internet?
- The security protocol is configured to support earlier versions
- The encryption strength is appropriate for the technology in use
- The security protocol is configured to accept all digital certificates
- The cardholder data is securely deleted once the transmission has
been sent— Answer: The encryption strength is appropriate for the
technology in use
© 2025 All rights reserved
,2
As defined in Requirement 8, what is the minimum complexity of user
passwords?
- 8 characters, either alphabetic or numeric
- 5 characters, either alphabetic or numeric
- 6 characters, both alphabetic and numeric characters
- 7 characters, both alphabetic and numeric characters— Answer: 7
characters, both alphabetic and numeric characters
Which statement is correct regarding use of production data (live
PANs) for testing and development?
- Live PANs must not be used for testing or development
- Access to live PANs must be used for testing and development must
be restricted to authorized personnel
- Live PANs must be used for testing and development
- All live PANs used for testing and development must be authorized
by the cardholder— Answer: Live PANs must not be used for testing
or development
© 2025 All rights reserved
,3
Which of the following is an example of multi-factor authentication?
- A token that must be presented twice during the login process
- A user passphrase and an application-level password
- A user password and a PIN-activated smart card
- A user fingerprint and a user thumbprint— Answer: A user
password and a PIN-activated smart card
Which of the following types of events is required to be logged?
- All use of end-user messaging technologies
- All access to external websites
- All access to all audit trails
- All network transmissions— Answer: All access to all audit trails
Which of the following meets PCI DSS requirements for secure
destruction of media containing cardholder data?
- Cardholder data on hard copy materials is copied to electronic media
before the hard copy materials are destroyed
© 2025 All rights reserved
, 4
- Storage containers used for hardcopy materials are located outside of
the CDE
- Electronic media is physically destroyed to ensure the data cannot be
reconstructed
- Electronic media is stored in a secure location when the data is no
longer needed for business or legal reasons— Answer: Electronic
media is physically destroyed to ensure the data cannot be
reconstructed
Which scenario meets the intent of PCI DSS requirements for assigning
users access to cardholder data?
- Access is assigned to all users based on the access needs of the least-
privileged user
- Access is assigned to individual users based on the highest privilege
available
- Access is assigned to an individual users based on the privileges
needed to perform their job
© 2025 All rights reserved
PCI Practice Exam 3 Questions with Answers (100%
Correct Answers)
When must cryptographic keys be changed?
- At the end of their defined crypto period
- At least annually
- When a new key custodian is employed
- Upon release of a new algorithm— Answer: At the end of their
defined crypto period
What must the assessors verify when testing that cardholder data is
protected whenever it is sent over the Internet?
- The security protocol is configured to support earlier versions
- The encryption strength is appropriate for the technology in use
- The security protocol is configured to accept all digital certificates
- The cardholder data is securely deleted once the transmission has
been sent— Answer: The encryption strength is appropriate for the
technology in use
© 2025 All rights reserved
,2
As defined in Requirement 8, what is the minimum complexity of user
passwords?
- 8 characters, either alphabetic or numeric
- 5 characters, either alphabetic or numeric
- 6 characters, both alphabetic and numeric characters
- 7 characters, both alphabetic and numeric characters— Answer: 7
characters, both alphabetic and numeric characters
Which statement is correct regarding use of production data (live
PANs) for testing and development?
- Live PANs must not be used for testing or development
- Access to live PANs must be used for testing and development must
be restricted to authorized personnel
- Live PANs must be used for testing and development
- All live PANs used for testing and development must be authorized
by the cardholder— Answer: Live PANs must not be used for testing
or development
© 2025 All rights reserved
,3
Which of the following is an example of multi-factor authentication?
- A token that must be presented twice during the login process
- A user passphrase and an application-level password
- A user password and a PIN-activated smart card
- A user fingerprint and a user thumbprint— Answer: A user
password and a PIN-activated smart card
Which of the following types of events is required to be logged?
- All use of end-user messaging technologies
- All access to external websites
- All access to all audit trails
- All network transmissions— Answer: All access to all audit trails
Which of the following meets PCI DSS requirements for secure
destruction of media containing cardholder data?
- Cardholder data on hard copy materials is copied to electronic media
before the hard copy materials are destroyed
© 2025 All rights reserved
, 4
- Storage containers used for hardcopy materials are located outside of
the CDE
- Electronic media is physically destroyed to ensure the data cannot be
reconstructed
- Electronic media is stored in a secure location when the data is no
longer needed for business or legal reasons— Answer: Electronic
media is physically destroyed to ensure the data cannot be
reconstructed
Which scenario meets the intent of PCI DSS requirements for assigning
users access to cardholder data?
- Access is assigned to all users based on the access needs of the least-
privileged user
- Access is assigned to individual users based on the highest privilege
available
- Access is assigned to an individual users based on the privileges
needed to perform their job
© 2025 All rights reserved
