PCI Practice Exam 3 – Questions with Answers
When must cryptographic keys be changed?
- At the end of their defined crypto period
- At least annually
- When a new key custodian is employed
- Upon release of a new algorithm
Answer: At the end of their defined crypto period

What must the assessors verify when testing that cardholder data is protected whenever it is sent over the Internet?
- The security protocol is configured to support earlier versions
- The encryption strength is appropriate for the technology in use
- The security protocol is configured to accept all digital certificates
- The cardholder data is securely deleted once the transmission has been sent
Answer: The encryption strength is appropriate for the technology in use

As defined in Requirement 8, what is the minimum complexity of user passwords?
- 8 characters, either alphabetic or numeric
- 5 characters, either alphabetic or numeric
- 6 characters, both alphabetic and numeric characters
- 7 characters, both alphabetic and numeric characters
Answer: 7 characters, both alphabetic and numeric characters

Which statement is correct regarding use of production data (live PANs) for testing and development?
- Live PANs must not be used for testing or development
- Access to live PANs used for testing and development must be restricted to authorized personnel
- Live PANs must be used for testing and development
- All live PANs used for testing and development must be authorized by the cardholder
Answer: Live PANs must not be used for testing or development

Which of the following is an example of multi-factor authentication?
- A token that must be presented twice during the login process
- A user passphrase and an application-level password
- A user password and a PIN-activated smart card
- A user fingerprint and a user thumbprint
Answer: A user password and a PIN-activated smart card

Which of the following types of events is required to be logged?
- All use of end-user messaging technologies
- All access to external websites
- All access to all audit trails
- All network transmissions
Answer: All access to all audit trails

Which of the following meets PCI DSS requirements for secure destruction of media containing cardholder data?
- Cardholder data on hard copy materials is copied to electronic media before the hard copy materials are destroyed
- Storage containers used for hardcopy materials are located outside of the CDE
- Electronic media is physically destroyed to ensure the data cannot be reconstructed
- Electronic media is stored in a secure location when the data is no longer needed for business or legal reasons
Answer: Electronic media is physically destroyed to ensure the data cannot be reconstructed

Which scenario meets the intent of PCI DSS requirements for assigning users access to cardholder data?
- Access is assigned to all users based on the access needs of the least-privileged user
- Access is assigned to individual users based on the highest privilege available
- Access is assigned to individual users based on the privileges needed to perform their job
- Access is assigned to a group of users based on the privileges of the most senior user in the group
Answer: Access is assigned to individual users based on the privileges needed to perform their job

Which of the following is an example of a system-level object?
- A log file
- An application executable or configuration file
- A document containing cardholder data
- Transaction data in a point-of-sale device
Answer: An application executable or configuration file

Which scenario would support a smaller sample size being used for a PCI DSS assessment of an entity with multiple facilities located in different regions?
- Security policies and procedures are independently defined by each facility
- Security policies and procedures are standardized for each region
- Security policies are centralized, and procedures consistently implemented across all regions
- Security policies are centrally defined, and each facility defines their own procedures for implementing the policies
Answer: Security policies and procedures are standardized for each region

Which of the following statements is correct regarding track equivalent data on the chip of a payment card?
- It is allowed to be stored by merchants after authorization, if encrypted
- It is sensitive authentication data
- It is out of scope for PCI DSS
- It is not applicable for PCI DSS Requirement 3.2
Answer: It is sensitive authentication data

What is the intent of performing a risk assessment?
- To document the names and contact details of individuals with access to cardholder data