and Answers 2023/2024
For PCI DSS requirement 1, firewall and router rule sets need to be reviewed every
_____________ months - ANSWER-6 months
Non-console administrator access to any web-based management interfaces must be
encrypted with technology such as......... - ANSWER-HTTPS
Requirements 2.2.2 and 2.2.3 cover the use of secure services, protocols and
daemons. Which of the following is considered to be secure? - ANSWER-SSH
Which of the following is considered "Sensitive Authentication Data"? - ANSWER-Card
Verification Value (CAV2/CVC2/CVV2/CID), Full Track Data, PIN/PIN Block
True or False: It is acceptable for merchants to store Sensitive Authentication after
authorization as long as it is strongly encrypted? - ANSWER-False
When a PAN is displayed to an employee who does NOT need to see the full PAN, the
minimum digits to be masked are: - ANSWER-All digits between the first six and last
four
Which of the following is true regarding protection of PAN? - ANSWER-PAN must be
rendered unreadable during transmission over public, wireless networks
Which of the following may be used to render PAN unreadable in order to meet
requirement 3.4? - ANSWER-Hashing the entire PAN using strong cryptography
True or False: Where keys are stored on production systems, split knowledge and dual
control is required? - ANSWER-True
When assessing requirement 6.5, testing to verify secure coding techniques are in place
to address common coding vulnerabilities includes: - ANSWER-Reviewing software
development policies and procedures
One of the principles to be used when granting user access to systems in CDE is: -
ANSWER-Least privilege
An example of a "one-way" cryptographic function used to render data unreadable is: -
ANSWER-SHA-2
A set of cryptographic hash functions designed by the National Security Agency (NSA). -
ANSWER-SHA-2 (Secure Hash Algorithm 2)
Inactive user accounts should be either removed or disabled within ___ - ANSWER-90
days
True or False: Procedures must be developed to easily distinguish the difference
between onsite personnel and visitors. - ANSWER-True
When should access be revoked for recently terminated employees? - ANSWER-Immediately
True or False: A visitor with a badge may enter a sensitive area unescorted. - ANSWER-False,
visitors must be escorted at all times.
Protection of keys used for encryption of cardholder data against disclosure must
include at least: (4 items) - ANSWER-*Access to keys is restricted to the fewest number
of custodians necessary
*Key-encrypting keys are at least as strong as the data-encrypting keys they protect
*Key encrypting keys are stored separately from data-encrypting keys
*Keys are stored securely in the fewest possible locations
Description of cryptographic architecture includes: - ANSWER-*Details of all algorithms,
protocols, and keys used for the protection of cardholder data, including key strength
and expiry date
*Description of the key usage for each key
*Inventory of any HSMs and other SCDs used for key management
What 2 methods must NOT be used for disk-level encryption to be compliant? - ANSWER-
*Cannot use the same user account authenticator as the operating system
*Cannot use a decryption key that is associated with or derived from the system's local
user account database or general network login credentials.
DESV: User accounts and access privileges are reviewed at least every ______ - ANSWER-6
months
Track 1 (Length up to 79 characters) - ANSWER-Contains all fields of both Track 1 and
Track 2
Track 2 (Length up to 40 characters) - ANSWER-Provides shorter processing time for
older dial-up transmissions.
DESV - ANSWER-Designated Entities Supplemental Validation
DESV Requirements: - ANSWER-*Implementing a PCI DSS Compliance program
*Document and validate PCI DSS Scope
*Validate PCI DSS is incorporated into business-as-usual (BAU) activities
*Control and manage logical access to cardholder data environment