PCI SSC QSA_New_V4 Qualified Security Assessor V4 Exam Practice Test

Page: 1 / 8
Total 75 questions

Qualified Security Assessor V4 Exam Questions and Answers

Question 1

What does the PCI PTS standard cover?

Options:

A. Point-of-Interaction devices used to protect account data.
B. Secure coding practices for commercial payment applications.
C. Development of strong cryptographic algorithms.
D. End-to-end encryption solutions for transmission of account data.

Question 2

A network firewall has been configured with the latest vendor security patches. What additional configuration is needed to harden the firewall?

Options:

A. Remove the default “Firewall Administrator” account and create a shared account for firewall administrators to use.
B. Configure the firewall to permit all traffic until additional rules are defined.
C. Synchronize the firewall rules with the other firewalls in the environment.
D. Disable any firewall functions that are not needed in production.

Question 3

What should the assessor verify when testing that cardholder data is protected whenever it is sent over open public networks?

Options:

A. The security protocol is configured to accept all digital certificates.
B. A proprietary security protocol is used.
C. The security protocol accepts only trusted keys.
D. The security protocol accepts connections from systems with lower encryption strength than required by the protocol.

Question 4

An LDAP server providing authentication services to the cardholder data environment is?

Options:

A. In scope for PCI DSS.
B. Not in scope for PCI DSS.
C. In scope only if it stores, processes or transmits cardholder data.
D. In scope only if it provides authentication services to systems in the DMZ.

Question 5

What must the assessor verify when testing that PAN is protected whenever it is sent over the Internet?

Options:

A. The security protocol is configured to support earlier versions.
B. The PAN is encrypted with strong cryptography.
C. The security protocol is configured to accept all digital certificates.
D. The PAN is securely deleted once the transmission has been sent.

Question 6

If segmentation is being used to reduce the scope of a PCI DSS assessment, the assessor will?

Options:

A. Verify the segmentation controls allow only necessary traffic into the cardholder data environment.
B. Verify the payment card brands have approved the segmentation.
C. Verify that approved devices and applications are used for the segmentation controls.
D. Verify the controls used for segmentation are configured properly and functioning as intended.

Question 7

An entity accepts e-commerce payment card transactions and stores account data in a database. The database server and the web server are both accessible from the Internet. The database server and the web server are on separate physical servers. What is required for the entity to meet PCI DSS requirements?

Options:

A. The web server and the database server should be installed on the same physical server.
B. The database server should be relocated so that it is not accessible from untrusted networks.
C. The web server should be moved into the internal network.
D. The database server should be moved to a separate segment from the web server to allow for more concurrent connections.

Question 8

A retail merchant has a server room containing systems that store encrypted PAN data. The merchant has implemented a badge access-control system that identifies who entered and exited the room, on what date, and at what time. There are no video cameras located in the server room. Based on this information, which statement is true regarding PCI DSS physical security requirements?

Options:

A. The badge access-control system must be protected from tampering or disabling.
B. The merchant must install video cameras in addition to the existing access-control system.
C. Data from the access-control system must be securely deleted on a monthly basis.
D. The merchant must install motion-sensing alarms in addition to the existing access-control system.

Question 9

A “Partial Assessment” is a new assessment result. What is a “Partial Assessment”?

Options:

A. A ROC that has been completed after using an SAQ to determine which requirements should be tested, as per FAQ 1331.
B. An interim result before the final ROC has been completed.
C. A term used by payment brands and acquirers to describe entities that have multiple payment channels, with each channel having its own assessment.
D. An assessment with at least one requirement marked as “Not Tested”.

Question 10

Which of the following describes “stateful responses” to communication initiated by a trusted network?

Options:

A. Administrative access to respond to requests to change the firewall is limited to one individual at a time.
B. Active network connections are tracked so that invalid “response” traffic can be identified.
C. A current baseline of application configurations is maintained and any misconfiguration is responded to promptly.
D. Logs of user activity on the firewall are correlated to identify and respond to suspicious behavior.

Question 11

Which of the following is true regarding internal vulnerability scans?

Options:

A. They must be performed after a significant change.
B. They must be performed by an Approved Scanning Vendor (ASV).
C. They must be performed by QSA personnel.
D. They must be performed at least annually.

Question 12

Which statement about PAN is true?

Options:

A. It must be protected with strong cryptography for transmission over private wireless networks.
B. It must be protected with strong cryptography for transmission over private wired networks.
C. It does not require protection for transmission over public wireless networks.
D. It does not require protection for transmission over public wired networks.

Question 13

Which of the following file types must be monitored by a change-detection mechanism (e.g., a file-integrity monitoring tool)?

Options:

A. Application vendor manuals
B. Files that regularly change
C. Security policy and procedure documents
D. System configuration and parameter files

Question 14

An entity wants to use the Customized Approach. They are unsure how to complete the Controls Matrix or TRA. During the assessment, you spend time completing the Controls Matrix and the TRA, while also ensuring that the customized control is implemented securely. Which of the following statements is true?

Options:

A. You can assess the customized control, but another assessor must verify that you completed the TRA correctly.
B. You can assess the customized control and verify that the customized approach was correctly followed, but you must document this in the ROC.
C. You must document the work on the customized control in the ROC, but you cannot assess the control or the documentation.
D. Assessors are not allowed to assist an entity with the completion of the Controls Matrix or the TRA.

Question 15

Which of the following types of events is required to be logged?

Options:

A. All use of end-user messaging technologies.
B. All access to external web sites.
C. All access to all audit trails.
D. All network transmissions.

Question 16

Which of the following is true regarding compensating controls?

Options:

A. A compensating control is not necessary if all other PCI DSS requirements are in place.
B. A compensating control must address the risk associated with not adhering to the PCI DSS requirement.
C. An existing PCI DSS requirement can be used as a compensating control if it is already implemented.
D. A compensating control worksheet is not required if the acquirer approves the compensating control.

Question 17

If disk encryption is used to protect account data, what requirement should be met for the disk encryption solution?

Options:

A. Access to the disk encryption must be managed independently of the operating system access control mechanisms.
B. The disk encryption system must use the same user account authenticator as the operating system.
C. The decryption keys must be associated with the local user account database.
D. The decryption keys must be stored within the local user account database.

Question 18

A sample of business facilities is reviewed during the PCI DSS assessment. What is the assessor required to validate about the sample?

Options:

A. It includes a consistent set of facilities that are reviewed for all assessments.
B. The number of facilities in the sample is at least 10 percent of the total number of facilities.
C. Every facility where cardholder data is stored is reviewed.
D. All types and locations of facilities are represented.

Question 19

Which of the following is a requirement for multi-tenant service providers?

Options:

A. Ensure that customers cannot access another entity’s cardholder data environment.
B. Provide customers with access to the hosting provider's system configuration files.
C. Provide customers with a shared user ID for access to critical system binaries.
D. Ensure that a customer’s log files are available to all hosted entities.

Question 20

Which statement about the Attestation of Compliance (AOC) is correct?

Options:

A. There are different AOC templates for service providers and merchants.
B. The AOC must be signed by both the merchant/service provider and by PCI SSC.
C. The same AOC template is used for ROCs and SAQs.
D. The AOC must be signed by either the merchant/service provider or the QSA/ISA.

Question 21

Where can live PANs be used for testing?

Options:

A. Production (live) environments only.
B. Pre-production (test) environments only if located outside the CDE.
C. Pre-production environments that are located within the CDE.
D. Testing with live PANs must only be performed in the QSA Company environment.

Question 22

An organization has implemented a change-detection mechanism on their systems. How often must critical file comparisons be performed?

Options:

A. At least weekly
B. Periodically as defined by the entity
C. Only after a valid change is installed
D. At least monthly
