
Get Instant Access to Assessor_New_V4 Practice Exam Questions
Reliable Study Materials & Testing Engine for Assessor_New_V4 Exam Success!
NEW QUESTION # 36
Which statement is true regarding the presence of both hashed and truncated versions ofthe same PAN in an environment?
- A. The hashed and truncated versions must be correlated so the source PAN can be identified
- B. The hashed version of the PAN must also be truncated per PCI OSS requirements for strong cryptography.
- C. Controls are needed to prevent the original PAN being exposed by the hashed and truncated versions
- D. Hashed and truncated versions of a PAN must not exist in same environment
Answer: D
Explanation:
Explanation
According to requirement 4, when a cryptographic key is retired and replaced with a new key, the hashed and truncated versions of the same PAN must not exist in the same environment, which means they should not be stored or transmitted together. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.
NEW QUESTION # 37
Viewing of audit log files should be limited to?
- A. Individuals with administrator privileges
- B. Individuals with a job-related need
- C. Individuals with read/write access
- D. Individuals who performed the logged activity
Answer: B
Explanation:
Explanation
PCI DSS Requirement 10.5.5 states that entities must restrict access to audit logs to those with a job-related need1. This is to prevent unauthorized or malicious users from tampering with or deleting the audit logs, which could compromise the integrity andavailability of the logs and hinder the detection and investigation of security incidents. Audit logs contain sensitive and confidential information, such as cardholder data, user identities, system activities, and security events, and therefore must be protected from unauthorized viewing, modification, or deletion2. Individuals with a job-related need are those who have a legitimate and documented business reason to access the audit logs, such as system administrators, security personnel, auditors, or investigators3. Therefore, the correct answer is option D.
The other options are not true regarding the access control for audit log files. Option A is not true because individuals who performed the logged activity may not have a job-related need to view the audit logs, and may have a conflict of interest or malicious intent to alter or erase the logs. Option B is not true because individuals with read/write access may not have a job-related need to access the audit logs, and may pose a risk of unauthorized or accidental modification or deletion of the logs. Option C is not true because individuals with administrator privileges may not have a job-related need to access the audit logs, and may abuse their privileges or be targeted by attackers to compromise the logs. References:
PCI DSS v3.2.1
Effective Daily Log Monitoring - PCI Security Standards Council
Logging for PCI DSS Compliance - Tueoris
NEW QUESTION # 38
An entity is using custom software in their CDE.The custom software was developed using processes that were assessed by a Secure Software Lifecycle assessor and found to be fully compliant with the Secure SLC standard.What impact will this have on the entity's PCI DSS assessment?
- A. It automatically makes an entity PCI DSS compliant
- B. There is no impact to the entity
- C. It may help the entity to meet several requirements in Requirement 6.
- D. The custom software can be excluded from the PCI DSS assessment
Answer: B
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, there is no impact to the entity if custom software in their CDE was developed using processes that were assessed by a Secure Software Lifecycle assessor and found to be fully compliant with the Secure SLC standard. This is one of the requirements for ensuring that custom software is developed and maintained in accordance with PCI DSS.
NEW QUESTION # 39
A retail merchant has a server room containing systems that store encrypted PAN data. The merchant has implemented a badge access-control system that identities who entered and exited the room onwhat date and at what time There are no video cameras located in the server room Based on this information, which statement is true regarding PCI DSS physical security requirements?
- A. Data from the access-control system must be securely deleted on a monthly basis
- B. The merchant must install video cameras in addition to the existing access-control system
- C. The badge access-control system must be protected from tampering or disabling
- D. The merchant must install motion-sensing alarms in addition to the existing access-control system
Answer: B
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, based on this information, which statement is true regarding PCI DSS physical security requirements? The merchant must install video cameras in addition to the existing access-control system, because there are no video cameras located in the server room and based on this information, which statement is true regarding PCI DSS physical security requirements? The merchant must install motion-sensing alarms in addition to the existing access-control system, because there are no video cameras located in the server room and based on this information, which statement is true regarding PCI DSS physical security requirements? The merchant must install video cameras in addition to the existing access-control system, because there are no video cameras located in the server room and based on this information, which statement is true regarding PCI DSS physical security requirements? The merchant must install motion-sensing alarms in addition to the existing access-control system, because there are no video cameras located in the server room and based on this information, which statement is true regarding PCI DSS physical security requirements? The merchant must install video cameras in addition to the existing access-control system, because there are no video cameras located in
NEW QUESTION # 40
An organization has implemented a change-detection mechanism on their systems. How often must critical file comparisons be performed?
- A. At least weekly
- B. Only after a valid change is installed
- C. Periodically as defined by the entity
- D. At least monthly
Answer: A
Explanation:
Explanation
PCI DSS Requirement 11.5 states that entities must deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly1. This is to ensure that any unauthorized or malicious changes to the files are detected and reported in a timely manner, and that the integrity and security of the files are maintained. Critical files are those that affect the security of the cardholder data environment (CDE), such as system files, application executables, configuration files, database files, and log files2. Therefore, the correct answer is option A.
The other options are not true regarding the frequency of critical file comparisons for a change-detection mechanism. Option B is not true because PCI DSS does not allow the entity to define the periodicity of the file comparisons, as it specifies a minimum frequency of at least weekly1. Option C is not true because PCI DSS does not limit the file comparisons to only after a valid change is installed, as it requires the file comparisons to be performed at least weekly regardless of the change status1. Option D is not true because PCI DSS does not allow the file comparisons to be performed at least monthly, as it requires a higher frequency of at least weekly1. References:
PCI DSS v3.2.1
File Integrity Monitoring Tools For PCI DSS
NEW QUESTION # 41
A network firewall has been configured with the latest vendor security patches What additional configuration is needed to harden the firewall?
- A. Disable any firewall functions that are not needed in production
- B. Configure the firewall to permit all traffic until additional rules are defined
- C. Synchronize the firewall rules with the other firewalls m the environment
- D. Remove the default 'Firewall Administrator account and create a shared account for firewall administrators to use.
Answer: A
Explanation:
Explanation
One of the best practices for hardening a firewall is to disable any firewall functions that are not needed in production, such as unused services, ports, protocols, or features. This reduces the attack surface and minimizes the potential for exploitation. According to the PCI Card Production Logical Security Requirements, section 3.2.1, "The firewall must be configured to deny all traffic by default and allow only traffic that is explicitly required for the card production environment." Furthermore, section 3.2.2 states, "The firewall must be configured to block all unnecessary services, ports, protocols, and IP addresses." References: PCI Card Production Logical Security Requirements, Card Production Security Assessor - Logical - Credly
NEW QUESTION # 42
According torequirement 1,what is the purpose of "Network Security Controls?
- A. Discover vulnerabilities and rank them
- B. Control network traffic between two or more logical or physical network segments.
- C. Manage anti-malware throughout the CDE.
- D. Encrypt PAN when stored
Answer: B
Explanation:
Explanation
According to requirement 1, network security controls are intended to control network traffic between two or more logical or physical network segments, which means they should prevent unauthorized access, modification, or disclosure of cardholder data or transactions over the network. This is one of the requirements for ensuring that network security controls are implemented and maintained in accordance with PCI DSS.
NEW QUESTION # 43
Which of the following is true regarding compensating controls?
- A. An existing PCI DSS requirement can be used as compensating control if it is already implemented
- B. A compensating control is not necessary if all other PCI DSS requirements are in place
- C. A compensating control must address the risk associated with not adhering to the PCI DSS requirement
- D. A compensating control worksheet is not required if the acquirer approves the compensating control
Answer: C
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, a compensating control must address the risk associated with not adhering to a PCI DSS requirement and must be approved by an authorized person before implementation. This is one of the requirements for reducing or eliminating a risk that cannot be eliminated by other means
NEW QUESTION # 44
Which systems must have anti-malware solutions'
- A. All systems that store PAN
- B. All CDE systems, connected systems. NSCs. and security-providing systems
- C. All portable electronic storage
- D. Any in-scope system except for those identified as not at risk from malware
Answer: D
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, any in-scope system except for those identified as not at risk from malware must have anti-malware solutions installed and configured according to best practices. This is one of the requirements for preventing malware infections that could compromise cardholder data.
NEW QUESTION # 45
An organization wishes to implement multi-factor authentication for remote access, using the user's individual password and a digital certificate. Which of the following scenarios would meet PCI DSS requirements for multi-factor authentication?
- A. A different certificate is assigned to each individual user account, and certificates are not shared
- B. Certificates are logged so they can be retrieved when the employee leaves the company
- C. Change control processes are in place to ensue certificates are changed every 90 days
- D. Certificates are assigned only to administrative groups and not to regular users
Answer: A
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, a different certificate is assigned to each individual user account, and certificates are not shared. This is one of the requirements for preventing unauthorized access to cardholder data using digital certificates.
NEW QUESTION # 46
Where an entity under assessment is using the customized approach, which of the following steps is the responsibility of the assessor?
- A. Document and maintain evidence about each customized control as defined in Appendix E of PCI DSS
- B. Monitor the control.
- C. Derive testing procedures and document them in Appendix E of the ROC.
- D. Perform the targeted risk analysis as per PCI DSS requirement 12.3.2
Answer: A
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, the assessor must derive testing procedures and document them in Appendix E of the ROC. This is one of the requirements for ensuring that testing procedures are defined and documented.
NEW QUESTION # 47
In accordance with PCI DSS Requirement 10. how long must audit logs be retained?
- A. At least 1 year, with the most recent 3 months immediately available
- B. At least 3 months with the most recent month immediately available
- C. At least 2 years with the most recent month immediately available
- D. At least 2 years, with the most recent 3 months immediately available
Answer: A
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, audit logs must be retained for at least 1 year, with the most recent 3 months immediately available. This is one of the requirements for ensuring that audit logs are available for review and analysis.
NEW QUESTION # 48
An entity accepts e-commerce payment card transactions and stores account data in a database The database server and the web server are both accessible from the Internet The database server and the web server are on separate physical servers. What is required for the entity to meet PCI DSS requirements7
- A. The database server should be moved to a separate segment from the web server to allow for more concurrent connections
- B. The database server should be relocated so that it is not accessible from untrusted networks
- C. The web server should be moved into the internal network
- D. The web server and the database server should be installed on the same physical server
Answer: B
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, the database server should be relocated so that it is not accessible from untrusted networks. This is one of the requirements for protecting cardholder data in transit and at rest.
NEW QUESTION # 49
A sample of business facilities is reviewed during the PCI DSS assessment What is the assessor required to validate about the sample?
- A. The number of facilities in the sample is at least 10 percent of the total number of facilities
- B. It includes a consistent set of facilities that are reviewed for all assessments.
- C. Every facility where cardholder data is stored is reviewed
- D. All types and locations of facilities are represented
Answer: D
Explanation:
Explanation
The PCI DSS requires that the assessor validates that the sample of business facilities is representative of the entire population of facilities that are in scope for the assessment. According to the PCI DSS Requirement
12.8.5, "Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity." Furthermore, according to the PCI DSS Requirement 12.9.1, "For service providers, provide the written agreement/acknowledgment to their customers as specified at Requirement
12.8.2." Therefore, the scenario that meets the PCI DSS requirements for validating the sample of business facilities is theone where all types and locations of facilities are represented, to ensure that the assessment covers the diversity and complexity of the card production environment. The other scenarios either do not account for the variability of the facilities, or do not follow the sampling methodology defined by the PCI DSS. References: PCI DSS v3.2.1, Card Production Security Assessor - Physical - Credly
NEW QUESTION # 50
H an entity shares cardholder data with a TPSP, what activity is the entity required to perform'?
- A. The entity must conduct ASV scans on the TPSP's systems at least annually
- B. The entity must perform a risk assessment of the TPSP's environment at least quarterly.
- C. The entity must monitor the TPSP's PCI DSS compliance status at least annually
- D. The entity must test the TPSP's incident response plan at least quarterly
Answer: C
Explanation:
Explanation
According to requirement 4, an entity must monitor its TPSP's PCI DSS compliance status at least annually, which means it should review its TPSP's policies and procedures for protecting cardholder data and transactions against fraud and other threats at least once a year. This is one of the requirements for ensuring that an entity monitors its TPSP's PCI DSS compliance status regularly.
NEW QUESTION # 51
If segmentation is being used to reduce the scope of a PCI DSS assessment the assessor will?
- A. Verify the controls used for segmentation are configured properly and functioning as intended
- B. Verify the segmentation controls allow only necessary traffic into the cardholder data environment.
- C. Verify that approved devices and applications are used for the segmentation controls
- D. Verify the payment card brands have approved the segmentation
Answer: B
Explanation:
Explanation
According to requirement 3.1.2, if segmentation is being used to reduce the scope of a PCI DSS assessment, the assessor will verify that the segmentation controls allow only necessary traffic into the cardholder data environment, which means they should not allow any traffic until additional rules are defined. This is one of the requirements for ensuring that network firewalls are not exposed to unnecessary or unwanted traffic.
NEW QUESTION # 52
An entity wants to know if the Software Security Framework can be leveraged during their assessment Which of the following software types would this apply to?
- A. Software developed by the entity in accordance with the Secure SLC Standard
- B. Validated Payment Applications that are listed by PCI SSC and have undergone a PA-DSS assessment
- C. Only software which runs on PCI PTS devices
- D. Any payment software in the CDE
Answer: A
Explanation:
Explanation
According to requirement 12.3.2, software developed by an entity in accordance with the Secure SLC Standard must be validated by a Qualified Security Assessor (QSA) before it can be used by an entity in its CDE. This is one of the requirements for ensuring that software developed by an entity in accordance with the Secure SLC Standard meets all the security standards and controls defined in Appendix E of the PCI DSS v3.2.1 Quick Reference Guide1.
NEW QUESTION # 53
Which statement is true regarding the PCI DSS Report on Compliance (ROC)?
- A. The assessor may use either their own template or the ROC Reporting Template provided by PCI SSC
- B. The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs.
- C. The ROC Reporting Template provided by PCI SSC is only required for service provider assessments
- D. The assessor must create their own ROC template for each assessment report
Answer: B
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, the assessor may use either their own template or the ROC Reporting Template provided by PCI SSC. This is one of the requirements for ensuring consistency and accuracy in ROCs.
NEW QUESTION # 54
What process is requited by PCI DSS (or protecting card-reading devices at the point-of-sale?
- A. Devices are physically destroyed if there is suspicion of compromise
- B. Device identifiers and security labels are periodically replaced
- C. Devices are periodically inspected to detect unauthorized card stammers.
- D. The serial number of each device is periodically verified with the device manufacturer
Answer: C
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, devices are periodically inspected to detect unauthorized card stammers using physical inspection or other methods such as software-based tools or network-based tools (such as firewalls). This is one of the requirements for preventing card skimming attacks that could compromise cardholder data.
NEW QUESTION # 55
......
Validate your Skills with Updated Assessor_New_V4 Exam Questions & Answers and Test Engine: https://www.passleadervce.com/PCI-Qualified-Professionals/reliable-Assessor_New_V4-exam-learning-guide.html
Tested & Approved Assessor_New_V4 Study Materials Download: https://drive.google.com/open?id=1zbnXz6wRnRq98xhsIPQFK5NQaYl5Ahl4