
QSA_New_V4 Questions and Answers

Question # 6

Security policies and operational procedures should be?

A. Encrypted with strong cryptography.

B. Stored securely so that only management has access.

C. Reviewed and updated at least quarterly.

D. Distributed to and understood by all affected parties.

Question # 7

According to the glossary, "bespoke and custom software" describes which type of software?

A. Any software developed by a third party.

B. Any software developed by a third party that can be customized by an entity.

C. Software developed by an entity for the entity’s own use.

D. Virtual payment terminals.

Question # 8

Which of the following file types must be monitored by a change-detection mechanism (e.g., a file-integrity monitoring tool)?

A. Application vendor manuals

B. Files that regularly change

C. Security policy and procedure documents

D. System configuration and parameter files

Question # 9

An LDAP server providing authentication services to the cardholder data environment is?

A. In scope for PCI DSS.

B. Not in scope for PCI DSS.

C. In scope only if it stores, processes or transmits cardholder data.

D. In scope only if it provides authentication services to systems in the DMZ.

Question # 10

Which of the following is true regarding compensating controls?

A. A compensating control is not necessary if all other PCI DSS requirements are in place.

B. A compensating control must address the risk associated with not adhering to the PCI DSS requirement.

C. An existing PCI DSS requirement can be used as a compensating control if it is already implemented.

D. A compensating control worksheet is not required if the acquirer approves the compensating control.

Question # 11

Which statement about the Attestation of Compliance (AOC) is correct?

A. There are different AOC templates for service providers and merchants.

B. The AOC must be signed by both the merchant/service provider and by PCI SSC.

C. The same AOC template is used for ROCs and SAQs.

D. The AOC must be signed by either the merchant/service provider or the QSA/ISA.

Question # 12

An entity wants to use the Customized Approach. They are unsure how to complete the Controls Matrix or TRA. During the assessment, you spend time completing the Controls Matrix and the TRA, while also ensuring that the customized control is implemented securely. Which of the following statements is true?

A. You can assess the customized control, but another assessor must verify that you completed the TRA correctly.

B. You can assess the customized control and verify that the customized approach was correctly followed, but you must document this in the ROC.

C. You must document the work on the customized control in the ROC, but you cannot assess the control or the documentation.

D. Assessors are not allowed to assist an entity with the completion of the Controls Matrix or the TRA.

Question # 13

Which of the following describes the intent of installing one primary function per server?

A. To allow functions with different security levels to be implemented on the same server.

B. To prevent server functions with a lower security level from introducing security weaknesses to higher-security functions on the same server.

C. To allow higher-security functions to protect lower-security functions installed on the same server.

D. To reduce the security level of functions with higher-security needs to meet the needs of lower-security functions.

Question # 14

Which statement is true regarding the PCI DSS Report on Compliance (ROC)?

A. The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs.

B. The assessor may use either their own template or the ROC Reporting Template provided by PCI SSC.

C. The assessor must create their own ROC template for each assessment report.

D. The ROC Reporting Template provided by PCI SSC is only required for service provider assessments.

Question # 15

Which of the following types of events is required to be logged?

A. All use of end-user messaging technologies.

B. All access to external web sites.

C. All access to all audit trails.

D. All network transmissions.

Question # 16

Assigning a unique ID to each person is intended to ensure?

A. Strong passwords are used for each user account.

B. Shared accounts are only used by administrators.

C. Individual users are accountable for their own actions.

D. Access is assigned to group accounts based on need-to-know.

Question # 17

An entity wants to know if the Software Security Framework can be leveraged during their assessment. Which of the following software types would this apply to?

A. Any payment software in the CDE.

B. Only software which runs on PCI PTS devices.

C. Validated Payment Applications that are listed by PCI SSC and have undergone a PA-DSS assessment.

D. Software developed by the entity in accordance with the Secure SLC Standard.

Question # 18

At which step in the payment transaction process does the merchant's bank pay the merchant for the purchase, and the cardholder's bank bill the cardholder?

A. Authorization

B. Clearing

C. Settlement

D. Chargeback

Question # 19

Which statement about the Attestation of Compliance (AOC) is correct?

A. There are different AOC templates for service providers and merchants.

B. The AOC must be signed by both the merchant/service provider and by PCI SSC.

C. The same AOC template is used for ROCs and SAQs.

D. The AOC must be signed by either the merchant/service provider or the QSA/ISA.

Question # 20

An entity is using custom software in their CDE. The custom software was developed using processes that were assessed by a Secure Software Lifecycle assessor and found to be fully compliant with the Secure SLC standard. What impact will this have on the entity’s PCI DSS assessment?

A. It automatically makes an entity PCI DSS compliant.

B. It may help the entity to meet several requirements in Requirement 6.

C. There is no impact to the entity.

D. The custom software can be excluded from the PCI DSS assessment.

Question # 21

Which statement is true regarding the use of intrusion detection techniques, such as intrusion detection systems and/or intrusion protection systems (IDS/IPS)?

A. Intrusion detection techniques are required on all system components.

B. Intrusion detection techniques are required to alert personnel of suspected compromises.

C. Intrusion detection techniques are required to isolate systems in the cardholder data environment from all other systems.

D. Intrusion detection techniques are required to identify all instances of cardholder data.

Question # 22

An internal NTP server that provides time services to the Cardholder Data Environment is?

A. Only in scope if it provides time services to database servers.

B. Not in scope for PCI DSS.

C. Only in scope if it stores, processes or transmits cardholder data.

D. In scope for PCI DSS.
