PCI-DSS ISA EXAM QUESTIONS AND ANSWERS
Perimeter firewalls installed ______________________________. - (ANSWER)between all wireless
networks and the CHD environment.
Where should firewalls be installed? - (ANSWER)At each Internet connection and between any DMZ and
the internal network.
Review of firewall and router rule sets at least every __________________. - (ANSWER)6 months
If disk encryption is used - (ANSWER)logical access must be managed separately and independently of
native operating system authentication and access control mechanisms
Manual clear-text key-management procedures specify processes for the use of the following: -
(ANSWER)Split knowledge AND Dual control of keys
What is considered "Sensitive Authentication Data"? - (ANSWER)Card verification value
When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to
be masked are: All digits between the ___________ and the __________. - (ANSWER)first 6; last 4
Regarding protection of PAN... - (ANSWER)PAN must be rendered unreadable during the transmission
over public and wireless networks.
Under requirement 3.4, what method must be used to render the PAN unreadable? - (ANSWER)Hashing
the entire PAN using strong cryptography
Weak security controls that should NOT be used - (ANSWER)WEP, SSL, and TLS 1.0 or earlier
Per requirement 5, anti-virus technology must be deployed _________________ - (ANSWER)on all
system components commonly affected by malicious software.
Key functions for anti-virus program per Requirement 5: - (ANSWER)1) Detect
2) Remove
3) Protect
Anti-virus solutions may be temporarily disabled only if - (ANSWER)there is legitimate technical need, as
authorized by management on a case-by-case basis
"Critical" applicable vendor-supplied security patches must be installed within _________ of release.
- (ANSWER)1 month
When to install applicable vendor-supplied security patches? - (ANSWER)within an appropriate time
frame (for example, within three months).
When assessing requirement 6.5, testing to verify secure coding techniques are in place to address
common coding vulnerabilities includes: - (ANSWER)Reviewing software development policies and
procedures
Requirement 7 restricts access by: - (ANSWER)Need-to-know and least privilege
Inactive accounts over _____________days need to be removed or disabled. - (ANSWER)90 days
To verify the user access termination policy, an ISA needs to select a sample of users terminated in the past
_______________ months, and review current user access lists (for both local and remote access) to
verify that their IDs have been deactivated or removed from the access lists. - (ANSWER)6 months
How many logon attempts should be allowed before the account is temporarily locked out? -
(ANSWER)6 attempts
Once a user account is locked out, it will remain locked for a minimum of ________________________ or
until a system administrator resets the account. - (ANSWER)30 minutes
System/session idle timeout must be set to _________ minutes or less. - (ANSWER)15 minutes