PCI PRACTICE EXAM 3 2025/2026
QUESTIONS AND ANSWERS 100% PASS
When must cryptographic keys be changed?
- At the end of their defined crypto period
- At least annually
- When a new key custodian is employed
- Upon release of a new algorithm - ANS At the end of their defined crypto period
What must the assessors verify when testing that cardholder data is protected whenever it is
sent over the Internet?
- The security protocol is configured to support earlier versions
- The encryption strength is appropriate for the technology in use
- The security protocol is configured to accept all digital certificates
- The cardholder data is securely deleted once the transmission has been sent - ANS The
encryption strength is appropriate for the technology in use
As defined in Requirement 8, what is the minimum complexity of user passwords?
- 8 characters, either alphabetic or numeric
- 5 characters, either alphabetic or numeric
- 6 characters, both alphabetic and numeric characters
- 7 characters, both alphabetic and numeric characters - ANS 7 characters, both alphabetic
and numeric characters
1 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
,Which statement is correct regarding use of production data (live PANs) for testing and
development?
- Live PANs must not be used for testing or development
- Access to live PANs must be used for testing and development must be restricted to authorized
personnel
- Live PANs must be used for testing and development
- All live PANs used for testing and development must be authorized by the cardholder -
ANS Live PANs must not be used for testing or development
Which of the following is an example of multi-factor authentication?
- A token that must be presented twice during the login process
- A user passphrase and an application-level password
- A user password and a PIN-activated smart card
- A user fingerprint and a user thumbprint - ANS A user password and a PIN-activated smart
card
Which of the following types of events is required to be logged?
- All use of end-user messaging technologies
- All access to external websites
- All access to all audit trails
- All network transmissions - ANS All access to all audit trails
Which of the following meets PCI DSS requirements for secure destruction of media containing
cardholder data?
- Cardholder data on hard copy materials is copied to electronic media before the hard copy
materials are destroyed
- Storage containers used for hardcopy materials are located outside of the CDE
- Electronic media is physically destroyed to ensure the data cannot be reconstructed
- Electronic media is stored in a secure location when the data is no longer needed for business
or legal reasons - ANS Electronic media is physically destroyed to ensure the data cannot be
reconstructed
2 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
, Which scenario meets the intent of PCI DSS requirements for assigning users access to
cardholder data?
- Access is assigned to all users based on the access needs of the least-privileged user
- Access is assigned to individual users based on the highest privilege available
- Access is assigned to an individual users based on the privileges needed to perform their job
- Access is assigned to a group of users based on the privileges of the most senior user in the
group - ANS Access is assigned to an individual users based on the privileges needed to
perform their job
Which of the following is an example of a system-level object?
- A log file
- An application executable or configuration file
- A document containing cardholder data
- Transaction data in a point-of-sale device - ANS An application executable or configuration
file
Which scenario would support a smaller sample size being used for a PCI DSS assessment of an
entity with multiple facilities located in different regions?
- Security policies and procedures are independently defined by each facility
- Security policies and procedures are standardized for each region
- Security policies are centralized, and procedures consistently implemented across all regions
- Security policies are centrally defined, and each facility defines their own procedures for
implementing the policies - ANS Security policies and procedures are standardized for each
region
Which of the following statements is correct regarding track equivalent data on the chip of a
payment card?
- It is allowed to be stored by merchants after authorization, if encrypted
- It is sensitive authentication data
- It is out of scope for PCI DSS
3 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
QUESTIONS AND ANSWERS 100% PASS
When must cryptographic keys be changed?
- At the end of their defined crypto period
- At least annually
- When a new key custodian is employed
- Upon release of a new algorithm - ANS At the end of their defined crypto period
What must the assessors verify when testing that cardholder data is protected whenever it is
sent over the Internet?
- The security protocol is configured to support earlier versions
- The encryption strength is appropriate for the technology in use
- The security protocol is configured to accept all digital certificates
- The cardholder data is securely deleted once the transmission has been sent - ANS The
encryption strength is appropriate for the technology in use
As defined in Requirement 8, what is the minimum complexity of user passwords?
- 8 characters, either alphabetic or numeric
- 5 characters, either alphabetic or numeric
- 6 characters, both alphabetic and numeric characters
- 7 characters, both alphabetic and numeric characters - ANS 7 characters, both alphabetic
and numeric characters
1 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
,Which statement is correct regarding use of production data (live PANs) for testing and
development?
- Live PANs must not be used for testing or development
- Access to live PANs must be used for testing and development must be restricted to authorized
personnel
- Live PANs must be used for testing and development
- All live PANs used for testing and development must be authorized by the cardholder -
ANS Live PANs must not be used for testing or development
Which of the following is an example of multi-factor authentication?
- A token that must be presented twice during the login process
- A user passphrase and an application-level password
- A user password and a PIN-activated smart card
- A user fingerprint and a user thumbprint - ANS A user password and a PIN-activated smart
card
Which of the following types of events is required to be logged?
- All use of end-user messaging technologies
- All access to external websites
- All access to all audit trails
- All network transmissions - ANS All access to all audit trails
Which of the following meets PCI DSS requirements for secure destruction of media containing
cardholder data?
- Cardholder data on hard copy materials is copied to electronic media before the hard copy
materials are destroyed
- Storage containers used for hardcopy materials are located outside of the CDE
- Electronic media is physically destroyed to ensure the data cannot be reconstructed
- Electronic media is stored in a secure location when the data is no longer needed for business
or legal reasons - ANS Electronic media is physically destroyed to ensure the data cannot be
reconstructed
2 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
, Which scenario meets the intent of PCI DSS requirements for assigning users access to
cardholder data?
- Access is assigned to all users based on the access needs of the least-privileged user
- Access is assigned to individual users based on the highest privilege available
- Access is assigned to an individual users based on the privileges needed to perform their job
- Access is assigned to a group of users based on the privileges of the most senior user in the
group - ANS Access is assigned to an individual users based on the privileges needed to
perform their job
Which of the following is an example of a system-level object?
- A log file
- An application executable or configuration file
- A document containing cardholder data
- Transaction data in a point-of-sale device - ANS An application executable or configuration
file
Which scenario would support a smaller sample size being used for a PCI DSS assessment of an
entity with multiple facilities located in different regions?
- Security policies and procedures are independently defined by each facility
- Security policies and procedures are standardized for each region
- Security policies are centralized, and procedures consistently implemented across all regions
- Security policies are centrally defined, and each facility defines their own procedures for
implementing the policies - ANS Security policies and procedures are standardized for each
region
Which of the following statements is correct regarding track equivalent data on the chip of a
payment card?
- It is allowed to be stored by merchants after authorization, if encrypted
- It is sensitive authentication data
- It is out of scope for PCI DSS
3 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED.
