When confirming PCI-DSS requirements have been met, the assessors must always use which of the following?
- Previous Reports on Compliance (ROCs)
- Independent judgment
- Hard-copy documents
- Live testing
Correct answer: Independent judgment

Strong encryption of cardholder data is required during transmission over which of the following?
- Web servers in the DMZ and databases in an internal segment
- Any connection between hosts in the CDE
- Call center applications and databases
- 4G connections from a mobile terminal to the acquirer
Correct answer: 4G connections from a mobile terminal to the acquirer

If network segmentation is being used to reduce the scope of the PCI-DSS assessment, what must the assessor verify?
- All controls used for segmentation are configured properly
- The payment card brands have approved the segmentation
- The segmentation solution is one of the PCI SSC's approved segmentation solutions
- The segmentation is controlled by a firewall
Correct answer: All controls used for segmentation are configured properly

Which of the following statements is true concerning the transaction volumes of merchants?
- Transaction volume is based on the total number of combined transactions from all payment card brands
- Transaction volume is determined by each acquirer
- If transactions are split between two different acquirers, the merchant level is determined by halving the transaction volume for each payment card brand
- If the transactions for different payment card brands are handled by the same acquirer, the merchant level is determined by the total combined transaction volume of the acquirer
Correct answer: Transaction volume is determined by each acquirer

Which of the following is true regarding the use of EMV chip technology?
- PCI-DSS does not apply to environments using EMV chip technology
- PCI-DSS applies to environments using EMV chip technology
- EMV chip technology increases the risk of fraudulent transactions in a card-present environment
- Merchants are permitted to store the track-equivalent data from the EMV chip after authorization
Correct answer: PCI-DSS applies to environments using EMV chip technology

Which of the following statements is true regarding card verification values/codes (CAV2/CVC2/CVV2/CID)?
- They are sensitive authentication data (SAD) and must not be stored after authorization, even if encrypted
- They are cardholder data and may be stored after authorization if encrypted with strong cryptography
- They are required for each recurring card-not-present transaction
- They are required for each recurring card-present transaction
Correct answer: They are sensitive authentication data (SAD) and must not be stored after authorization, even if encrypted

In order to reduce PCI-DSS scope, what must adequate network segmentation do?
- Isolate systems that store, process, or transmit cardholder data from those that do not
- Connect databases containing cardholder data in the DMZ to the internet
- Control traffic between systems that store, process, or transmit cardholder data and those that do not
- Connect systems that store, process, or transmit cardholder data to those that do not
Correct answer: Isolate systems that store, process, or transmit cardholder data from those that do not

Which of the following merchant environments could be eligible for SAQ B?
- Merchant with imprint machines, and electronic storage of fewer than 1M cardholder data records
- Merchant with stand-alone dial-out terminals, and electronic storage of fewer than 1M cardholder data records
- Merchant with stand-alone dial-out terminals, and no electronic cardholder data storage
- Merchant or service provider with imprint machines, and no electronic cardholder data storage
Correct answer: Merchant or service provider with imprint machines, and no electronic cardholder data storage

Which of the following technologies can be configured in accordance with Requirement 2.3 for non-console administrative access?
- FTP, VNC, SSL
- SSH, VPN, TLS
- RLOGIN, VPN, HTTPS
- SFTP, VNC, TLCS
Correct answer: SSH, VPN, TLS

When is it permissible to use live PANs in the test environment?
- It is never permitted
- At the documented stage in the SDLC
- During QA testing
- When troubleshooting a specific problem
Correct answer: It is never permitted

Based on PCI-DSS Requirement 12.2, when must a risk assessment be performed?
- Immediately following a suspected incident involving CHD
- Annually and upon significant changes to the environment
- Within 30 days of discovering a critical vulnerability
- Periodically, depending on the risk appetite
Correct answer: Annually and upon significant changes to the environment

Which of the following are ASVs responsible for?
- Scanning all IP ranges and domains provided by the scan customer
- Confirming a merchant's or service provider's PCI-DSS compliance
- Performing denial-of-service (DoS) attacks on scan customers
- Performing internal scanning for merchants and service providers
Correct answer: Scanning all IP ranges and domains provided by the scan customer