
[Jun 02, 2024] Assessor_New_V4 Questions Truly Valid For Your PCI SSC Exam!
Assessor_New_V4 Actual Questions - Instant Download Tests Free Updated Today!
NEW QUESTION # 28
H an entity shares cardholder data with a TPSP, what activity is the entity required to perform'?
- A. The entity must perform a risk assessment of the TPSP's environment at least quarterly.
- B. The entity must monitor the TPSP's PCI DSS compliance status at least annually
- C. The entity must conduct ASV scans on the TPSP's systems at least annually
- D. The entity must test the TPSP's incident response plan at least quarterly
Answer: B
Explanation:
Explanation
According to requirement 4, an entity must monitor its TPSP's PCI DSS compliance status at least annually, which means it should review its TPSP's policies and procedures for protecting cardholder data and transactions against fraud and other threats at least once a year. This is one of the requirements for ensuring that an entity monitors its TPSP's PCI DSS compliance status regularly.
NEW QUESTION # 29
An organization has implemented a change-detection mechanism on their systems. How often must critical file comparisons be performed?
- A. Periodically as defined by the entity
- B. Only after a valid change is installed
- C. At least weekly
- D. At least monthly
Answer: C
Explanation:
Explanation
PCI DSS Requirement 11.5 states that entities must deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly1. This is to ensure that any unauthorized or malicious changes to the files are detected and reported in a timely manner, and that the integrity and security of the files are maintained. Critical files are those that affect the security of the cardholder data environment (CDE), such as system files, application executables, configuration files, database files, and log files2. Therefore, the correct answer is option A.
The other options are not true regarding the frequency of critical file comparisons for a change-detection mechanism. Option B is not true because PCI DSS does not allow the entity to define the periodicity of the file comparisons, as it specifies a minimum frequency of at least weekly1. Option C is not true because PCI DSS does not limit the file comparisons to only after a valid change is installed, as it requires the file comparisons to be performed at least weekly regardless of the change status1. Option D is not true because PCI DSS does not allow the file comparisons to be performed at least monthly, as it requires a higher frequency of at least weekly1. References:
PCI DSS v3.2.1
File Integrity Monitoring Tools For PCI DSS
NEW QUESTION # 30
An LDAP server providing authentication services to the cardholder data environment is
- A. in scope only if it provides authentication services to systems in the DMZ
- B. in scope for PCI DSS.
- C. not in scope for PCI DSS
- D. in scope only if it stores processes or transmits cardholder data
Answer: B
Explanation:
Explanation
An LDAP server is a type of directory service that provides authentication and authorization data to the cardholder data environment (CDE)1. According to the PCI DSS scoping and segmentation guidance2, any system that provides a security service to the CDE, such as authentication, is considered a connected or security-impacting system (Category 2) and is in scope for PCI DSS. This is because such systems can affect the security and controls of the CDE and the cardholder data (CHD) or sensitive authentication data (SAD) that it contains. Therefore, an LDAP server providing authentication services to the CDE is in scope for PCI DSS, regardless of whether it stores, processes, or transmits CHD or SAD, or whether it provides authentication services to systems in the DMZ or not. References:
Guidance for PCI DSS Scoping and Network Segmentation
What Are the Effects of Using Active Directory as a Shared Service on PCI Compliance?
The Ultimate Guide To PCI DSS Scoping and Segmentation
LDAP - PCI Security Standards Council
NEW QUESTION # 31
What would be an appropriate strength for the key-encrypting key (KEK) used to protect an AES 128-bit data-encrypting key (DEK)
- A. ROT 13
- B. RSA512
- C. AES 128
- D. DES256
Answer: C
Explanation:
Explanation
The key-encrypting key (KEK) is used to protect the data-encrypting key (DEK) from unauthorized access or disclosure. The KEK should have a strength that is equal to or greater than the DEK, to prevent a weaker link in the encryption chain. According to the PCI Card Production Logical Security Requirements, section 4.1.1,
"The key-encrypting key (KEK) must be at least as strong as the data-encrypting key (DEK) it protects." Furthermore, section 4.1.2 states, "The KEK must be generated using a secure random number generator (RNG) that meets the requirements of NIST SP 800-90A or equivalent." AES 128 is a symmetric encryption algorithm that uses a 128-bit key and meets the NIST standards. Therefore, it would be an appropriate strength for the KEK used to protect an AES 128-bit DEK. The other options are either weaker or asymmetric encryption algorithms, which are not suitable for the KEK. References: PCI Card Production Logical Security Requirements, [NIST SP 800-90A]
NEW QUESTION # 32
Which statement is true regarding the use of intrusion detection techniques, such as intrusion detection systems and/or intrusion protection systems (IDS'IPS)?
- A. Intrusion detection techniques are required to identify all instances of cardholder data
- B. Intrusion detection techniques are required on all system components
- C. Intrusion detection techniques are required to alert personnel of suspected compromises
- D. Intrusion detection techniques are required to isolate systems in the cardholder data environment from all other systems
Answer: C
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, intrusion detection techniques are required to alert personnel of suspected compromises that could compromise cardholder data or payment processing systems.
This is one of the requirements for identifying and mitigating vulnerabilities that could compromise cardholder data.
NEW QUESTION # 33
Which of the following is true regarding internal vulnerability scans?
- A. They must be performed by an Approved Scanning Vendor (ASV)
- B. They must be performed after a significant change
- C. They must be performed by QSA personnel
- D. They must be performed at least annually
Answer: B
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, internal vulnerability scans must be performed after a significant change in any component or configuration that affects cardholder data or payment processing systems. This is one of the requirements for identifying and mitigating vulnerabilities that could compromise cardholder data.
NEW QUESTION # 34
Which of the following is an example of multi-factor authentication?
- A. A user password and a PIN-activated smart card
- B. A user fingerprint and a user thumbprint
- C. A token that must be presented twice during the login process
- D. A user passphrase and an application level password.
Answer: A
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, a user password and a PIN-activated smart card is an example of multi-factor authentication. This is one of the requirements for preventing unauthorized access to cardholder data using digital certificates.
NEW QUESTION # 35
Passwords for default accounts and default administrative accounts should be?
- A. Changed before installing a system on the network
- B. Configured to expire in 30 days
- C. Reset to the default password before installing a system on the network
- D. Changed within 30 days after installing a system on the network.
Answer: A
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, passwords for default accounts and default administrative accounts should be changed before installing a system on the network. This is one of the requirements for preventing unauthorized access to cardholder data.
NEW QUESTION # 36
Security policies and operational procedures should be?
- A. Distributed to and understood by all affected parties
- B. Stored securely so that only management has access
- C. Reviewed and updated at least quarterly
- D. Encrypted with strong cryptography
Answer: A
NEW QUESTION # 37
What is the intent of classifying media that contains cardholder data?
- A. Ensuring that media containing cardholder data is moved from secured areas an a quarterly basis
- B. Ensuring that media is property protected according to the sensitivity of the data it contains
- C. Ensuring that all media is consistently destroyed on the same schedule regardless of the contents
- D. Ensuring that media is clearly and visibly labeled as 'Confidential so all personnel know that the media contains cardholder data
Answer: B
Explanation:
Explanation
classifying media that contains cardholder data is intended to ensure that media is property protected according to the sensitivity of the data it contains, which means it should be marked with labels or tags that indicate its level of confidentiality or integrity. This is one of the requirements for ensuring that media containing cardholder data is properly labeled.
NEW QUESTION # 38
Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder data?
- A. Application IDs for database applications can only be used by database administrators
- B. User access to the database is only through programmatic methods
- C. Direct queries to the database are restricted to shared database administrator accounts
- D. User access to the database is restricted to system and network administrators
Answer: A
Explanation:
Explanation
application IDs for database applications can only be used by database administrators, which means they should have access to all database applications and their settings. This is one of the requirements for ensuring that database administrators have full control over database applications.
NEW QUESTION # 39
Which of the following meets the definition of 'quarterly' as indicated in the description of timeframes used in PCI DSS requirements?
- A. On the 1st of each fourth month
- B. At least once every 95 97 days.
- C. On the 15th of each third month
- D. Occurring at some point in each quarter of a year
Answer: C
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, quarterly means occurring at some point in each quarter of a year, not at least once every 95 or 97 days. This is one of the requirements for ensuring that PCI DSS assessments are conducted on a regular basis.
NEW QUESTION # 40
What do PCI DSS requirements for protecting cryptographic keys include?
- A. Data-encrypting keys must be stronger than the key-encrypting key that protects it.
- B. Private or secret keys must be encrypted, stored within an SCD or stored as key components
- C. Key-encrypting keys and data-encrypting keys must be assigned to the same key custodian
- D. Public keys must be encrypted with a key-encrypting key.
Answer: B
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, private or secret keys must be encrypted, stored within an SCD or stored as key components. This is one of the requirements for ensuring secure encryption and authentication.
NEW QUESTION # 41
A sample of business facilities is reviewed during the PCI DSS assessment What is the assessor required to validate about the sample?
- A. It includes a consistent set of facilities that are reviewed for all assessments.
- B. Every facility where cardholder data is stored is reviewed
- C. The number of facilities in the sample is at least 10 percent of the total number of facilities
- D. All types and locations of facilities are represented
Answer: A
Explanation:
Explanation
when a sample of business facilities is reviewed during a PCI DSS assessment, the assessor will verify that it includes a consistent set of facilities that are reviewed for all assessments, which means it should cover all types and locations of facilities where cardholder data is stored. This is one of the requirements for ensuring that all facilities are reviewed.
NEW QUESTION # 42
What must the assessor verify when testing that PAN is protected whenever it is sent over the Internet?
- A. The security protocol is configured to support earlier versions
- B. The PAN is securely deleted once the transmission has been sent
- C. The PAN is encrypted with strong cryptography
- D. The security protocol is configured to accept all digital certificates
Answer: C
Explanation:
Explanation
when PAN is sent over the Internet, PAN must be encrypted with strong cryptography, which means it should use encryption techniques such as WEP, WPA, WPA2, or TLS/SSL to prevent unauthorized access or interception. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.
NEW QUESTION # 43
......
Get instant access of 100% real exam questions with verified answers: https://www.actual4dump.com/PCI-SSC/Assessor_New_V4-actualtests-dumps.html
Exam Dumps for the Preparation of Latest Assessor_New_V4 Exam Questions: https://drive.google.com/open?id=1rlDmB-hWmPNBhmZ9mFjWLn6z0KSsq0o5