
100% Pass Guaranteed Accurate Assessor_New_V4 Answers 365 Days Free Updates
Assessor_New_V4 DUMPS Q&As with Explanations Verified & Correct Answers
NEW QUESTION # 12
In accordance with PCI DSS Requirement 10. how long must audit logs be retained?
- A. At least 1 year, with the most recent 3 months immediately available
- B. At least 2 years, with the most recent 3 months immediately available
- C. At least 2 years with the most recent month immediately available
- D. At least 3 months with the most recent month immediately available
Answer: A
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, audit logs must be retained for at least 1 year, with the most recent 3 months immediately available. This is one of the requirements for ensuring that audit logs are available for review and analysis.
NEW QUESTION # 13
If segmentation is being used to reduce the scope of a PCI DSS assessment the assessor will?
- A. Verify the payment card brands have approved the segmentation
- B. Verify the controls used for segmentation are configured properly and functioning as intended
- C. Verify that approved devices and applications are used for the segmentation controls
- D. Verify the segmentation controls allow only necessary traffic into the cardholder data environment.
Answer: D
Explanation:
Explanation
According to requirement 3.1.2, if segmentation is being used to reduce the scope of a PCI DSS assessment, the assessor will verify that the segmentation controls allow only necessary traffic into the cardholder data environment, which means they should not allow any traffic until additional rules are defined. This is one of the requirements for ensuring that network firewalls are not exposed to unnecessary or unwanted traffic.
NEW QUESTION # 14
An internal NTP server that provides time services to the Cardholder Data Environment is?
- A. In scope for PCI DSS
- B. Not in scope for PCI DSS
- C. Only m scope if it stores processes or transmits cardholder data
- D. Only in scope if it provides time services to database servers.
Answer: A
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, an internal NTP server that provides time services to the cardholder data environment is in scope for PCI DSS if it stores processes or transmits cardholder data, regardless of whether it provides authentication services to systems in the DMZ or not. This is one of the requirements for preventing unauthorized access to cardholder data using time services.
NEW QUESTION # 15
What must the assessor verify when testing that PAN is protected whenever it is sent over the Internet?
- A. The PAN is encrypted with strong cryptography
- B. The PAN is securely deleted once the transmission has been sent
- C. The security protocol is configured to support earlier versions
- D. The security protocol is configured to accept all digital certificates
Answer: A
Explanation:
Explanation
when PAN is sent over the Internet, PAN must be encrypted with strong cryptography, which means it should use encryption techniques such as WEP, WPA, WPA2, or TLS/SSL to prevent unauthorized access or interception. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.
NEW QUESTION # 16
Passwords for default accounts and default administrative accounts should be?
- A. Changed before installing a system on the network
- B. Configured to expire in 30 days
- C. Changed within 30 days after installing a system on the network.
- D. Reset to the default password before installing a system on the network
Answer: A
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, passwords for default accounts and default administrative accounts should be changed before installing a system on the network. This is one of the requirements for preventing unauthorized access to cardholder data.
NEW QUESTION # 17
Which of the following is required to be included in an incident response plan?
- A. Procedures for securely deleting incident response records immediately upon resolution of the incident
- B. Procedures for responding to the detection of unauthorized wireless access points
- C. Procedures for launching a reverse-attack on the individual(s) responsible for the security incident
- D. Procedures for notifying PCI SSC of the security incident
Answer: D
Explanation:
Explanation
PCI DSS Requirement 12.10.1 requires entities to implement an incident response plan that includes roles, responsibilities, and communication and contact strategies for a data security incident, including notification of relevant payment brands1. This is important because each payment card brand has its own policies and procedures for dealing with a security breach, and failing to follow them or meet reporting deadlines could result in fines or loss of authority to process payment card transactions2. Therefore, an incident response plan must include procedures for notifying PCI SSC of the security incident, as well as any other entities that may require notification, whether by contract or law1. References:
Guidance for PCI DSS Scoping and Network Segmentation
Responding to a Cardholder Data Breach
NEW QUESTION # 18
In the ROC Repotting Template, which of the following is the best approach for a response where the requirement was in Place''?
- A. Details of how the assessor observed the entity s systems were not compliant with the requirement
- B. Details of the entity s project plan for implementing the requirement
- C. Details of the entity s reason for not implementing the requirement
- D. Details of how the assessor observed the entity s systems were compliant with the requirement
Answer: D
Explanation:
Explanation
when a cryptographic key is retired and replaced with a new key, the assessor will verify that the assessor observed the entity's systems were compliant with the requirement, which means they should have implemented compensating controls to address any weaknesses or gaps in the customized control. This is one of the requirements for ensuring that an entity can use both approaches when appropriate.
NEW QUESTION # 19
An organization has implemented a change-detection mechanism on their systems. How often must critical file comparisons be performed?
- A. Periodically as defined by the entity
- B. At least monthly
- C. Only after a valid change is installed
- D. At least weekly
Answer: D
Explanation:
Explanation
PCI DSS Requirement 11.5 states that entities must deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly1. This is to ensure that any unauthorized or malicious changes to the files are detected and reported in a timely manner, and that the integrity and security of the files are maintained. Critical files are those that affect the security of the cardholder data environment (CDE), such as system files, application executables, configuration files, database files, and log files2. Therefore, the correct answer is option A.
The other options are not true regarding the frequency of critical file comparisons for a change-detection mechanism. Option B is not true because PCI DSS does not allow the entity to define the periodicity of the file comparisons, as it specifies a minimum frequency of at least weekly1. Option C is not true because PCI DSS does not limit the file comparisons to only after a valid change is installed, as it requires the file comparisons to be performed at least weekly regardless of the change status1. Option D is not true because PCI DSS does not allow the file comparisons to be performed at least monthly, as it requires a higher frequency of at least weekly1. References:
PCI DSS v3.2.1
File Integrity Monitoring Tools For PCI DSS
NEW QUESTION # 20
Which of the following can be sampled for testing during a PCI DSS assessment?
- A. Business facilities and system components
- B. Compensating controls
- C. Security policies and procedures
- D. PCI DSS requirements and testing procedures.
Answer: A
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, business facilities and system components can be sampled for testing during a PCI DSS assessment, as long as they are not critical components or components that are not in scope for testing. This is one of the requirements for ensuring that testing covers all relevant components and processes.
NEW QUESTION # 21
Which of the following is true regarding compensating controls?
- A. An existing PCI DSS requirement can be used as compensating control if it is already implemented
- B. A compensating control must address the risk associated with not adhering to the PCI DSS requirement
- C. A compensating control worksheet is not required if the acquirer approves the compensating control
- D. A compensating control is not necessary if all other PCI DSS requirements are in place
Answer: B
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, a compensating control must address the risk associated with not adhering to a PCI DSS requirement and must be approved by an authorized person before implementation. This is one of the requirements for reducing or eliminating a risk that cannot be eliminated by other means
NEW QUESTION # 22
PCI DSS Requirement 12.7 requires screening and background checks for which of the following?
- A. Cashiers with access to one card number at a time
- B. All personnel employed by the organization
- C. Visitors with access to the organization s facilities
- D. Personnel with access to the cardholder data environment.
Answer: D
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, screening and background checks for personnel with access to the cardholder data environment are required, as they may pose a risk if they have compromised or stolen cardholder data in the past or present. This is one of the requirements for ensuring that personnel with access to cardholder data are qualified and trustworthy.
NEW QUESTION # 23
What would be an appropriate strength for the key-encrypting key (KEK) used to protect an AES 128-bit data-encrypting key (DEK)
- A. AES 128
- B. DES256
- C. RSA512
- D. ROT 13
Answer: A
Explanation:
Explanation
The key-encrypting key (KEK) is used to protect the data-encrypting key (DEK) from unauthorized access or disclosure. The KEK should have a strength that is equal to or greater than the DEK, to prevent a weaker link in the encryption chain. According to the PCI Card Production Logical Security Requirements, section 4.1.1,
"The key-encrypting key (KEK) must be at least as strong as the data-encrypting key (DEK) it protects." Furthermore, section 4.1.2 states, "The KEK must be generated using a secure random number generator (RNG) that meets the requirements of NIST SP 800-90A or equivalent." AES 128 is a symmetric encryption algorithm that uses a 128-bit key and meets the NIST standards. Therefore, it would be an appropriate strength for the KEK used to protect an AES 128-bit DEK. The other options are either weaker or asymmetric encryption algorithms, which are not suitable for the KEK. References: PCI Card Production Logical Security Requirements, [NIST SP 800-90A]
NEW QUESTION # 24
If an entity shares cardholder data with a TPSP, what activity is the entity required to perform'?
- A. The entity must test the TPSP's incident response plan at least quarterly
- B. The entity must monitor the TPSP's PCI DSS compliance status at least annually
- C. The entity must perform a risk assessment of the TPSP's environment at least quarterly.
- D. The entity must conduct ASV scans on the TPSP's systems at least annually
Answer: B
Explanation:
Explanation
According to requirement 4, an entity must monitor its TPSP's PCI DSS compliance status at least annually, which means it should review its TPSP's policies and procedures for protecting cardholder data and transactions against fraud and other threats at least once a year. This is one of the requirements for ensuring that an entity monitors its TPSP's PCI DSS compliance status regularly.
NEW QUESTION # 25
Which of the following is an example of multi-factor authentication?
- A. A user passphrase and an application level password.
- B. A user password and a PIN-activated smart card
- C. A user fingerprint and a user thumbprint
- D. A token that must be presented twice during the login process
Answer: B
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, a user password and a PIN-activated smart card is an example of multi-factor authentication. This is one of the requirements for preventing unauthorized access to cardholder data using digital certificates.
NEW QUESTION # 26
An LDAP server providing authentication services to the cardholder data environment is
- A. in scope only if it provides authentication services to systems in the DMZ
- B. not in scope for PCI DSS
- C. in scope for PCI DSS.
- D. in scope only if it stores processes or transmits cardholder data
Answer: D
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, an LDAP server providing authentication services to the cardholder data environment is in scope only if it provides authentication services to systems in the DMZ. This is one of the requirements for preventing unauthorized access to cardholder data.
NEW QUESTION # 27
Which of the following describes "stateful responses' to communication initiated by a trusted network?
- A. Administrative access to respond to requests to change the firewall is limited to one individual at a time
- B. A current baseline of application configurations is maintained and any mis-configuration is responded to promptly
- C. Active network connections are tracked so that invalid response' traffic can be identified.
- D. Logs of user activity on the firewall are correlated to identify and respond to suspicious behavior
Answer: C
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, active network connections are tracked so that invalid response traffic can be identified. This is one of the requirements for preventing replay attacks and ensuring secure communication.
NEW QUESTION # 28
What is the intent of classifying media that contains cardholder data?
- A. Ensuring that media is property protected according to the sensitivity of the data it contains
- B. Ensuring that media is clearly and visibly labeled as 'Confidential so all personnel know that the media contains cardholder data
- C. Ensuring that media containing cardholder data is moved from secured areas an a quarterly basis
- D. Ensuring that all media is consistently destroyed on the same schedule regardless of the contents
Answer: A
Explanation:
Explanation
classifying media that contains cardholder data is intended to ensure that media is property protected according to the sensitivity of the data it contains, which means it should be marked with labels or tags that indicate its level of confidentiality or integrity. This is one of the requirements for ensuring that media containing cardholder data is properly labeled.
NEW QUESTION # 29
What must be included m an organization's procedures for managing visitors?
- A. Visitor log includes visitor name, address, and contact phone number
- B. Visitors are escorted at all times within areas where cardholder data is processed or maintained
- C. Visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit
- D. Visitor badges are identical to badges used by onsite personnel
Answer: B
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, visitors are escorted at all times within areas where cardholder data is processed or maintained, visitor badges are identical to badges used by onsite personnel, visitor log includes visitor name, address, and contact phone number, visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit. These are some examples of procedures that must be included in an organization's procedures for managing visitors who access in-scope systems where cardholder data is processed or maintained.
NEW QUESTION # 30
Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder data?
- A. User access to the database is restricted to system and network administrators
- B. User access to the database is only through programmatic methods
- C. Application IDs for database applications can only be used by database administrators
- D. Direct queries to the database are restricted to shared database administrator accounts
Answer: C
Explanation:
Explanation
application IDs for database applications can only be used by database administrators, which means they should have access to all database applications and their settings. This is one of the requirements for ensuring that database administrators have full control over database applications.
NEW QUESTION # 31
A "Partial Assessment is a new assessment result What is a 'Partial Assessment'?
- A. An interim result before the final ROC has been completed
- B. A term used by payment brands and acquirers to describe entities that have multiple payment channels with each channel having its own assessment
- C. A ROC that has been completed after using an SAQ to determine which requirements should be tested.
As per FAQ 1331. (As long as the entity meets the SAQs eligibility criteria) - D. An assessment with at least one requirement marked as Not Tested*
Answer: D
Explanation:
Explanation
According to requirement 3.1.2, an assessment with at least one requirement marked as Not Tested is considered a partial assessment, which means it does not meet all the requirements and controls defined in Appendix E of the PCI DSS v3.2.1 Quick Reference Guide1. This is one of the requirements for ensuring that assessments are conducted in accordance with PCI DSS.
NEW QUESTION # 32
What must be included m an organization's procedures for managing visitors9
- A. Visitor log includes visitor name, address, and contact phone number
- B. Visitors are escorted at all times within areas where cardholder data is processed or maintained
- C. Visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit
- D. Visitor badges are identical to badges used by onsite personnel
Answer: B
Explanation:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, visitors are escorted at all times within areas where cardholder data is processed or maintained, visitor badges are identical to badges used by onsite personnel, visitor log includes visitor name, address, and contact phone number, visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit. These are some examples of procedures that must be included in an organization's procedures for managing visitors who access in-scope systems where cardholder data is processed or maintained.
NEW QUESTION # 33
H an entity shares cardholder data with a TPSP, what activity is the entity required to perform'?
- A. The entity must test the TPSP's incident response plan at least quarterly
- B. The entity must monitor the TPSP's PCI DSS compliance status at least annually
- C. The entity must perform a risk assessment of the TPSP's environment at least quarterly.
- D. The entity must conduct ASV scans on the TPSP's systems at least annually
Answer: B
Explanation:
Explanation
According to requirement 4, an entity must monitor its TPSP's PCI DSS compliance status at least annually, which means it should review its TPSP's policies and procedures for protecting cardholder data and transactions against fraud and other threats at least once a year. This is one of the requirements for ensuring that an entity monitors its TPSP's PCI DSS compliance status regularly.
NEW QUESTION # 34
A network firewall has been configured with the latest vendor security patches What additional configuration is needed to harden the firewall?
- A. Remove the default 'Firewall Administrator account and create a shared account for firewall administrators to use.
- B. Synchronize the firewall rules with the other firewalls m the environment
- C. Disable any firewall functions that are not needed in production
- D. Configure the firewall to permit all traffic until additional rules are defined
Answer: B
Explanation:
Explanation
According to requirement 3.1.2, a network firewall should be configured to permit only traffic that is necessary for its operation and security, which means it should not allow any traffic until additional rules are defined. This is one of the requirements for ensuring that network firewalls are not exposed to unnecessary or unwanted traffic.
NEW QUESTION # 35
......
Assessor_New_V4 dumps Exam Material with 62 Questions: https://www.actualvce.com/PCI-SSC/Assessor_New_V4-valid-vce-dumps.html
Assessor_New_V4 Questions and Answers Guarantee you Oass the Test Easily: https://drive.google.com/open?id=1pkjSnLK0ty2aL67QYU3hbJVvcICPRngX