PCI ISA EXAM QUESTIONS AND 100% CORRECT ANSWERS
QSAs shall retain work papers for a minimum of _______ years. It is good practice for
ISAs to do the same. - Answer 3
Under PCI DSS requirement 1, Firewall and router rule sets shall be reviewed every
_____ months. - Answer 6
At a minimum ______________ and prior to the annual assessment, the assessed entity:
identifies all locations and flows of cardholder data to validate they are in scope for the
CDE; includes confirmation that their PCI DSS scope is accurate; and retains their scoping
documentation for use by the assessor. - Answer annually
Scope includes - Answer people, process, technology
Evidence Retention
It is recommended that the ISA retain and maintain digital and/or hard copies of case
logs, audit results and work papers, notes and any technical information which was
created and/or obtained during the PCI Data Security Assessment for at least
________ or as applicable to company data retention policies. - Answer three
A (time) ______ process for identifying and securely deleting stored cardholder data that
exceeds defined retention requirements. - Answer quarterly
Do not store SAD after ____________ (even if encrypted). (track data / CVC / PIN) - Answer authorization
Manual clear-text key-management procedures specify processes for the use of the
following: ________ - Answer split knowledge, dual control
Dual control - No single individual can execute any key-management operation without
another person and no one has access to the authentication materials of another, such
as passwords or keys
Split knowledge - Key components are under the control of at least two persons, who
only have knowledge of their own key components
PAN is made unreadable in what ways? - Answer Hash
Mask
Encrypt
Pad
Ensure that all system components and software are protected from known
vulnerabilities by installing applicable vendor-supplied security patches. Critical
security patches are installed within _____ of release. - Answer one month
Installation of all applicable vendor-supplied security patches within an
___________________ - Answer appropriate time frame (for example, within three months)
Ensures change control has these 4 things - Answer impact
testing (PCI review)
backout
approval
Train developers at least ________ in up-to-date secure coding techniques, including
how to avoid common coding vulnerabilities, and understanding how sensitive data is
handled in memory. - Answer annually