PCI PRACTICE EXAM 3 QUESTIONS AND ANSWER1

PCI PRACTICE EXAM 3 QUESTIONS AND ANSWERS
When must cryptographic keys be changed?

- At the end of their defined crypto period

- At least annually

- When a new key custodian is employed

- Upon release of a new algorithm - CORRECT ANSWER✅✅At the end of their defined crypto period



What must the assessors verify when testing that cardholder data is protected whenever it is sent over
the Internet?

- The security protocol is configured to support earlier versions

- The encryption strength is appropriate for the technology in use

- The security protocol is configured to accept all digital certificates

- The cardholder data is securely deleted once the transmission has been sent - CORRECT
ANSWER✅✅The encryption strength is appropriate for the technology in use



As defined in Requirement 8, what is the minimum complexity of user passwords?

- 8 characters, either alphabetic or numeric

- 5 characters, either alphabetic or numeric

- 6 characters, both alphabetic and numeric characters

- 7 characters, both alphabetic and numeric characters - CORRECT ANSWER✅✅7 characters, both
alphabetic and numeric characters



Which statement is correct regarding use of production data (live PANs) for testing and development?

- Live PANs must not be used for testing or development

- Access to live PANs must be used for testing and development must be restricted to authorized
personnel

- Live PANs must be used for testing and development

- All live PANs used for testing and development must be authorized by the cardholder - CORRECT
ANSWER✅✅Live PANs must not be used for testing or development

, Which of the following is an example of multi-factor authentication?

- A token that must be presented twice during the login process

- A user passphrase and an application-level password

- A user password and a PIN-activated smart card

- A user fingerprint and a user thumbprint - CORRECT ANSWER✅✅A user password and a PIN-activated
smart card



Which of the following types of events is required to be logged?

- All use of end-user messaging technologies

- All access to external websites

- All access to all audit trails

- All network transmissions - CORRECT ANSWER✅✅All access to all audit trails



Which of the following meets PCI DSS requirements for secure destruction of media containing
cardholder data?

- Cardholder data on hard copy materials is copied to electronic media before the hard copy materials
are destroyed

- Storage containers used for hardcopy materials are located outside of the CDE

- Electronic media is physically destroyed to ensure the data cannot be reconstructed

- Electronic media is stored in a secure location when the data is no longer needed for business or legal
reasons - CORRECT ANSWER✅✅Electronic media is physically destroyed to ensure the data cannot be
reconstructed



Which scenario meets the intent of PCI DSS requirements for assigning users access to cardholder data?

- Access is assigned to all users based on the access needs of the least-privileged user

- Access is assigned to individual users based on the highest privilege available

- Access is assigned to an individual users based on the privileges needed to perform their job

- Access is assigned to a group of users based on the privileges of the most senior user in the group -
CORRECT ANSWER✅✅Access is assigned to an individual users based on the privileges needed to
perform their job