PCI Practice Exam 3 Questions and Answers (Latest Update 2025) 58 Questions

1. When must cryptographic keys be changed? - At the end of their defined crypto period - At least annually - When a new key custodian is employed - Upon release of a new algorithm - At the end of their defined crypto period 2. What must the assessors verify when testing that cardholder data is protected whenever it is sent over the Internet? - The security protocol is configured to support earlier versions - The encryption strength is appropriate for the technology in use - The security protocol is configured to accept all digital certificates - The cardholder data is securely deleted once the transmission has been sent - The encryption strength is appropriate for the technology in use 3. As defined in Requirement 8, what is the minimum complexity of user passwords? - 8 characters, either alphabetic or numeric - 5 characters, either alphabetic or numeric - 6 characters, both alphabetic and numeric characters - 7 characters, both alphabetic and numeric characters - 7 characters, both alphabetic and numeric characters 4. Which statement is correct regarding use of production data (live PANs) for testing and development? - Live PANs must not be used for testing or development - Access to live PANs must be used for testing and development must be restricted to authorized personnel - Live PANs must be used for testing and development - All live PANs used for testing and development must be authorized by the cardholder - Live PANs must not be used for testing or development 5. Which of the following is an example of multi-factor authentication? - A token that must be presented twice during the login process - A user passphrase and an application-level password - A user password and a PIN-activated smart card - A user fingerprint and a user thumbprint - A user password and a PINactivated smart card 6. Which of the following types of events is required to be logged? - All use of end-user messaging technologies - All access to external websites - All access to all audit trails PCI Practice Exam 3 Questions and Answers (Latest Update 2025) 58 Questions - All network transmissions - All access to all audit trails 7. Which of the following meets PCI DSS requirements for secure destruction of media containing cardholder data? - Cardholder data on hard copy materials is copied to electronic media before the hard copy materials are destroyed - Storage containers used for hardcopy materials are located outside of the CDE - Electronic media is physically destroyed to ensure the data cannot be reconstructed - Electronic media is stored in a secure location when the data is no longer needed for business or legal reasons - Electronic media is physically destroyed to ensure the data cannot be reconstructed 8. Which scenario meets the intent of PCI DSS requirements for assigning users access to cardholder data? - Access is assigned to all users based on the access needs of the leastprivileged user - Access is assigned to individual users based on the highest privilege available - Access is assigned to an individual users based on the privileges needed to perform their job - Access is assigned to a group of users based on the privileges of the most senior user in the group - Access is assigned to an individual users based on the privileges needed to perform their job 9. Which of the following is an example of a system-level object? - A log file - An application executable or configuration file - A document containing cardholder data - Transaction data in a point-of-sale device - An application executable or configuration file 10. Which scenario would support a smaller sample size being used for a PCI DSS assessment of an entity with multiple facilities located in different regions? - Security policies and procedures are independently defined by each facility - Security policies and procedures are standardized for each region - Security policies are centralized, and procedures consistently implemented across all regions - Security policies are centrally defined, and each facility defines their own procedures for implementing the policies - Security policies and procedures are standardized for each region 11. Which of the following statements is correct regarding track equivalent data on the chip of a payment card? - It is allowed to be stored by merchants after authorization, if encrypted - It is sensitive authentication data - It is out of scope for PCI DSS - It is not applicable for PCI DSS Requirement 3.2 - It is sensitive authentication data 12. What is the intent of performing a risk assessment? - To document the names and contact details of individuals with access to cardholder data - To identify potential threats and vulnerabilities to critical assets - To allocate security resources equally across all levels of risk - To ensure separation of duties between assessors and the entity being assessed - To identify potential threats and vulnerabilities to critical assets 13. Which statement is correct regarding the PCI DSS Report on Compliance (ROC)? - The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs - The assessors may use either their own template or the ROC Reporting Template provided by PCI SSC - The assessor must create their own ROC template for each assessment report - The ROC Reporting Template provided by PCI SSC is only required for service provider assessments - The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs 14. What should be reviewed daily in order to meet PCI DSS requirements? - Vulnerability scans and penetration testing reports - Data retention policies and procedures - Security events and logs from critical system components - Firewall and router rule sets - Security events and logs from critical system components 15. What do PCI DSS requirements for protecting cryptographic keys include? - Public keys must be encrypted with a key-encrypting key - Data-encrypting keys must be stronger than the key-encrypting key that protects it - Private or secret keys must be encrypted, stored within an SCD, or stored as key components - Key-encrypting keys and data-encrypting keys must be assigned to the same key custodian - Data-encrypting keys must be stronger than the keyencrypting key that protects it 16. What should be included in an organization's procedures for managing visitors? - Visitors are escorted at all times within areas where cardholder data is processed or maintained - Visitor badges are identical to badges used by onsite personnel - Visitor log includes visitor name, address, and contact phone number - Visitors retain their identification (for example, a visitor badge) for 30 days after completion of the visit - Visitors are escorted at all times within areas where cardholder data is processed or maintained 17. An entity accepts e-commerce payment card transactions. The database server and web server are located in the same, secured DMZ network segment. The database server and web server are on separate physical servers. What is required for the entity to meet PCI DSS requirements? - The web server and database server should be installed on same physical server - The database server should be moved out of the DMZ and into the internal network - The web server should be moved out of DMZ and into the internal network - The database server should be moved to the separate DMZ segment from the web server - The database server should be moved out of the DMZ and into the internal network 18. The scenario meets PCI DSS requirements for restricting access to databases containing cardholder data. - User access to the database is only through programmatic methods - User direct access to database is restricted to system and network administrators - Application IDs for database application can only be used by database administrators - Direct queries to the database are restricted to shared database administrator account - User access to the database is only through programmatic methods 19. How often personnel are required to acknowledge that they have read and understood the security policy and procedures? - At least quarterly - At least every six months - At least annually - At least monthly - At least annually 20. If the assessors select the "In Place" option in the ROC Reporting Template, what information must be provided in the response for that requirement? - Details of the entity's project plan for implementing the requirement - Details of how the assessors observed the entity's systems for the compliant with the requirement - Details of the entity's reason for not implementing the requirement| - Details of how the assessors observed the entity's systems were not the compliant with the requirement - Details of how the assessors observed the entity's systems for the compliant with the requirement 21. If the merchant's cardholder data is shared with service providers, or could be impacted by service providers, what is the merchant required to maintain? - Copies of the service provider's Reports on Compliance (ROC) for at least three years - A program to visit service provider locations at least quarterly - A list of all PANs that the service provider has access to - Agreements with the service providers and a program to monitor their compliance status - Agreements with the service providers and a program to monitor their compliance status 22. Which of the following can be sampled for testing during a PCI DSS assessment? - PCI DSS requirements and testing procedures - Compensating controls - Business facilities and system components - Security policies and procedures - Business facilities and system components 23. Which of the following activities must be assessors perform to verify that user passwords are being changed as required by PCI DSS? - Set the system clock ahead 90 days to see if password expire - Require a user to change their password, and return in 60 days to see if it has expired - Review system configuration settings to verify passwords must be changed after 90 days - Interview service desk personnel to verify that user passwords are disabled every 60 days - Review system configuration settings to verify passwords must be changed after 90 days 24. Which of the following is correct regarding compensating controls? - Compensating controls are valid for three years - A separate compensating control worksheet must be completed fir each compensating control in use - Compensating controls used in the previous year's assessment that are still in use do not to be evaluated during this year's assessment - It is not necessary to complete a separate compensating control worksheet for each compensating control in a ROC - A separate compensating control worksheet must be completed fir each compensating control in use