PCI Practice Exam Questions With Verified Answers
When must cryptographic keys be changed?
- At the end of their defined cryptoperiod
- At least annually
- When a new key custodian is employed
- Upon release of a new algorithm
ANSWER: At the end of their defined cryptoperiod

What must the assessors verify when testing that cardholder data is protected whenever it is sent over the Internet?
- The security protocol is configured to support earlier versions
- The encryption strength is appropriate for the technology in use
- The security protocol is configured to accept all digital certificates
- The cardholder data is securely deleted once the transmission has been sent
ANSWER: The encryption strength is appropriate for the technology in use

As defined in Requirement 8, what is the minimum complexity of user passwords?
- 8 characters, either alphabetic or numeric
- 5 characters, either alphabetic or numeric
- 6 characters, both alphabetic and numeric characters
- 7 characters, both alphabetic and numeric characters
ANSWER: 7 characters, both alphabetic and numeric characters (PCI DSS v3.2.1, Requirement 8.2.3; note that PCI DSS v4.0, Requirement 8.3.6, raises the minimum length to 12 characters, or 8 where the system cannot support 12)

Which statement is correct regarding use of production data (live PANs) for testing and development?
- Live PANs must not be used for testing or development
- Access to live PANs used for testing and development must be restricted to authorized personnel
- Live PANs must be used for testing and development
- All live PANs used for testing and development must be authorized by the cardholder
ANSWER: Live PANs must not be used for testing or development

Which of the following is an example of multi-factor authentication?
- A token that must be presented twice during the login process
- A user passphrase and an application-level password
- A user password and a PIN-activated smart card
- A user fingerprint and a user thumbprint
ANSWER: A user password and a PIN-activated smart card (two different factors: something you know and something you have; the other options combine two instances of the same factor)

Which of the following types of events is required to be logged?
- All use of end-user messaging technologies
- All access to external websites
- All access to all audit trails
- All network transmissions
ANSWER: All access to all audit trails

Which of the following meets PCI DSS requirements for secure destruction of media containing cardholder data?
- Cardholder data on hard copy materials is copied to electronic media before the hard copy materials are destroyed
- Storage containers used for hardcopy materials are located outside of the CDE
- Electronic media is physically destroyed to ensure the data cannot be reconstructed
- Electronic media is stored in a secure location when the data is no longer needed for business or legal reasons
ANSWER: Electronic media is physically destroyed to ensure the data cannot be reconstructed

Which scenario meets the intent of PCI DSS requirements for assigning users access to cardholder data?
- Access is assigned to all users based on the access needs of the least-privileged user
- Access is assigned to individual users based on the highest privilege available
- Access is assigned to individual users based on the privileges needed to perform their job
- Access is assigned to a group of users based on the privileges of the most senior user in the group
ANSWER: Access is assigned to individual users based on the privileges needed to perform their job

Which of the following is an example of a system-level object?
- A log file
- An application executable or configuration file
- A document containing cardholder data
- Transaction data in a point-of-sale device
ANSWER: An application executable or configuration file

Which scenario would support a smaller sample size being used for a PCI DSS assessment of an entity with multiple facilities located in different regions?
- Security policies and procedures are independently defined by each facility
- Security policies and procedures are standardized for each region
- Security policies are centralized, and procedures consistently implemented across all regions
- Security policies are centrally defined, and each facility defines their own procedures for implementing the policies
ANSWER: Security policies and procedures are standardized for each region

Which of the following statements is correct regarding track equivalent data on the chip of a payment card?
Document information
- Uploaded on: February 10, 2024
- Number of pages: 15
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers