
The PCI SSC Assessor_New_V4 Questions & Practice Test are Available On-Demand
NEW QUESTION # 19
An LDAP server providing authentication services to the cardholder data environment is
- A. not in scope for PCI DSS
- B. in scope only if it stores, processes, or transmits cardholder data
- C. in scope for PCI DSS.
- D. in scope only if it provides authentication services to systems in the DMZ
Answer: C
Explanation:
An LDAP server is a type of directory service that provides authentication and authorization data to the cardholder data environment (CDE) [1]. According to the PCI DSS scoping and segmentation guidance [2], any system that provides a security service to the CDE, such as authentication, is considered a connected or security-impacting system (Category 2) and is in scope for PCI DSS. This is because such systems can affect the security and controls of the CDE and the cardholder data (CHD) or sensitive authentication data (SAD) it contains. Therefore, an LDAP server providing authentication services to the CDE is in scope for PCI DSS, regardless of whether it stores, processes, or transmits CHD or SAD, and regardless of whether it provides authentication services to systems in the DMZ. References:
Guidance for PCI DSS Scoping and Network Segmentation
What Are the Effects of Using Active Directory as a Shared Service on PCI Compliance?
The Ultimate Guide To PCI DSS Scoping and Segmentation
LDAP - PCI Security Standards Council
NEW QUESTION # 20
An entity wants to use the Customized Approach. They are unsure how to complete the Controls Matrix or TRA. During the assessment, you spend time completing the Controls Matrix and the TRA, while also ensuring that the customized control is implemented securely. Which of the following statements is true?
- A. You can assess the customized control but another assessor must verify that you completed the TRA correctly.
- B. You can assess the customized control and verify that the customized approach was correctly followed but you must document this in the ROC.
- C. Assessors are not allowed to assist an entity with the completion of the Controls Matrix or the TRA.
- D. You must document the work on the customized control in the ROC but you can not assess the control or the documentation.
Answer: B
Explanation:
The customized approach is a new option in PCI DSS v4.0 that allows entities to use alternate security controls or new technologies that meet the PCI DSS Customized Approach Objective for a requirement [1]. The customized approach requires the entity to complete and document a Controls Matrix and a Targeted Risk Analysis (TRA) for each customized control, and to provide this documentation to the assessor [2]. The assessor's role is to review the documentation, assess the customized control, and verify that the customized approach was correctly followed [3]. The assessor must also document the assessment of the customized control in the Report on Compliance (ROC), using the ROC Template provided by PCI SSC [4]. Therefore, the correct answer is option B.
The other options are not true regarding the role of the assessor in the customized approach. Option A is not true because the assessor does not need another assessor to verify the TRA, as the assessor is responsible for reviewing and validating the TRA as part of the assessment process [3]. Option C is not true because the assessor can and must assess the control and the documentation, as well as document the work on the customized control in the ROC [3][4]. Option D is not true because the assessor is allowed to assist the entity with the completion of the Controls Matrix or the TRA, as long as the assessor does not design, develop, or implement the customized control for the entity [5]. References:
PCI DSS v4.0: Is the Customized Approach Right For Your Organization?
PCI DSS v4.0: Roles and Responsibilities for the Customized Approach
PCI DSS v4.0 Report on Compliance Template
PCI DSS v4.0
PCI DSS v4.0: Customized Approach Explained
NEW QUESTION # 21
What is the intent of classifying media that contains cardholder data?
- A. Ensuring that all media is consistently destroyed on the same schedule regardless of the contents
- B. Ensuring that media is properly protected according to the sensitivity of the data it contains
- C. Ensuring that media is clearly and visibly labeled as 'Confidential' so all personnel know that the media contains cardholder data
- D. Ensuring that media containing cardholder data is moved from secured areas on a quarterly basis
Answer: B
Explanation:
Classifying media that contains cardholder data is intended to ensure that media is properly protected according to the sensitivity of the data it contains, which means it should be marked with labels or tags that indicate its level of confidentiality or integrity. This is one of the requirements for ensuring that media containing cardholder data is properly labeled.
NEW QUESTION # 22
Which of the following is required to be included in an incident response plan?
- A. Procedures for notifying PCI SSC of the security incident
- B. Procedures for responding to the detection of unauthorized wireless access points
- C. Procedures for launching a reverse-attack on the individual(s) responsible for the security incident
- D. Procedures for securely deleting incident response records immediately upon resolution of the incident
Answer: D
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide [1], procedures for securely deleting incident response records immediately upon resolution of the incident must be included in an incident response plan. This is one of the requirements for ensuring that incident response records are not retained indefinitely.
NEW QUESTION # 23
An organization wishes to implement multi-factor authentication for remote access, using the user's individual password and a digital certificate. Which of the following scenarios would meet PCI DSS requirements for multi-factor authentication?
- A. Certificates are assigned only to administrative groups and not to regular users
- B. Change control processes are in place to ensure certificates are changed every 90 days
- C. Certificates are logged so they can be retrieved when the employee leaves the company
- D. A different certificate is assigned to each individual user account, and certificates are not shared
Answer: D
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide [1], a different certificate is assigned to each individual user account, and certificates are not shared. This is one of the requirements for preventing unauthorized access to cardholder data using digital certificates.
NEW QUESTION # 24
What process is required by PCI DSS for protecting card-reading devices at the point-of-sale?
- A. Device identifiers and security labels are periodically replaced
- B. The serial number of each device is periodically verified with the device manufacturer
- C. Devices are physically destroyed if there is suspicion of compromise
- D. Devices are periodically inspected to detect unauthorized card skimmers.
Answer: D
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide [1], devices are periodically inspected to detect unauthorized card skimmers using physical inspection or other methods such as software-based tools or network-based tools (such as firewalls). This is one of the requirements for preventing card skimming attacks that could compromise cardholder data.
NEW QUESTION # 25
Which scenario describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope?
- A. A network configuration that prevents all network traffic between the CDE and out-of-scope networks
- B. Routers that monitor network traffic flows between the CDE and out-of-scope networks
- C. Firewalls that log all network traffic flows between the CDE and out-of-scope networks
- D. Virtual LANs that route network traffic between the CDE and out-of-scope networks
Answer: A
Explanation:
According to requirement 3.1.2, a network configuration that prevents all network traffic between the cardholder data environment and out-of-scope networks can be used as a segmentation approach for reducing PCI DSS scope, which means it should isolate each customer's cardholder data from other customers' cardholder data and prevent unauthorized access or disclosure. This is one of the requirements for ensuring that network firewalls are not exposed to unnecessary or unwanted traffic.
NEW QUESTION # 26
The intent of assigning a risk ranking to vulnerabilities is to?
- A. Prioritize the highest risk items so they can be addressed more quickly
- B. Ensure all vulnerabilities are addressed within 30 days
- C. Ensure that critical security patches are installed at least quarterly
- D. Replace the need for quarterly ASV scans
Answer: A
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide [1], the intent of assigning a risk ranking to vulnerabilities is to prioritize the highest risk items so they can be addressed more quickly, rather than ensuring all vulnerabilities are addressed within 30 days, replacing the need for quarterly ASV scans, or ensuring that critical security patches are installed at least quarterly. This is one of the requirements for ensuring that vulnerabilities are identified and mitigated as soon as possible.
NEW QUESTION # 27
A sample of business facilities is reviewed during the PCI DSS assessment. What is the assessor required to validate about the sample?
- A. The number of facilities in the sample is at least 10 percent of the total number of facilities
- B. Every facility where cardholder data is stored is reviewed
- C. It includes a consistent set of facilities that are reviewed for all assessments.
- D. All types and locations of facilities are represented
Answer: D
Explanation:
The PCI DSS requires that the assessor validates that the sample of business facilities is representative of the entire population of facilities that are in scope for the assessment. According to PCI DSS Requirement 12.8.5, "Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity." Furthermore, according to PCI DSS Requirement 12.9.1, "For service providers, provide the written agreement/acknowledgment to their customers as specified at Requirement 12.8.2." Therefore, the scenario that meets the PCI DSS requirements for validating the sample of business facilities is the one where all types and locations of facilities are represented, to ensure that the assessment covers the diversity and complexity of the card production environment. The other scenarios either do not account for the variability of the facilities, or do not follow the sampling methodology defined by the PCI DSS. References: PCI DSS v3.2.1, Card Production Security Assessor - Physical - Credly
NEW QUESTION # 28
Which of the following parties is responsible for completion of the Controls Matrix for the Customized Approach?
- A. Either a QSA, AQSA, or PCIP.
- B. Card brands or acquirer
- C. Only a Qualified Security Assessor (QSA)
- D. Entity being assessed
Answer: D
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide [1], assigning a unique ID to each person is intended to ensure that individual users are accountable for their own actions, rather than relying on shared accounts or group accounts based on need-to-know. This is one of the requirements for ensuring that user accounts are properly managed and controlled.
NEW QUESTION # 29
An organization has implemented a change-detection mechanism on their systems. How often must critical file comparisons be performed?
- A. Only after a valid change is installed
- B. At least monthly
- C. At least weekly
- D. Periodically as defined by the entity
Answer: C
Explanation:
PCI DSS Requirement 11.5 states that entities must deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and configure the software to perform critical file comparisons at least weekly [1]. This is to ensure that any unauthorized or malicious changes to the files are detected and reported in a timely manner, and that the integrity and security of the files are maintained. Critical files are those that affect the security of the cardholder data environment (CDE), such as system files, application executables, configuration files, database files, and log files [2]. Therefore, the correct answer is option A.
The other options are not true regarding the frequency of critical file comparisons for a change-detection mechanism. Option B is not true because PCI DSS does not allow the entity to define the periodicity of the file comparisons, as it specifies a minimum frequency of at least weekly [1]. Option C is not true because PCI DSS does not limit the file comparisons to only after a valid change is installed, as it requires the file comparisons to be performed at least weekly regardless of the change status [1]. Option D is not true because PCI DSS does not allow the file comparisons to be performed only monthly, as it requires a higher frequency of at least weekly [1]. References:
PCI DSS v3.2.1
File Integrity Monitoring Tools For PCI DSS
NEW QUESTION # 30
In the ROC Reporting Template, which of the following is the best approach for a response where the requirement was 'In Place'?
- A. Details of how the assessor observed the entity's systems were compliant with the requirement
- B. Details of how the assessor observed the entity's systems were not compliant with the requirement
- C. Details of the entity's reason for not implementing the requirement
- D. Details of the entity's project plan for implementing the requirement
Answer: A
Explanation:
When a cryptographic key is retired and replaced with a new key, the assessor will verify that the assessor observed the entity's systems were compliant with the requirement, which means they should have implemented compensating controls to address any weaknesses or gaps in the customized control. This is one of the requirements for ensuring that an entity can use both approaches when appropriate.
NEW QUESTION # 31
Which statement is true regarding the presence of both hashed and truncated versions of the same PAN in an environment?
- A. Controls are needed to prevent the original PAN being exposed by the hashed and truncated versions
- B. The hashed and truncated versions must be correlated so the source PAN can be identified
- C. The hashed version of the PAN must also be truncated per PCI DSS requirements for strong cryptography.
- D. Hashed and truncated versions of a PAN must not exist in the same environment
Answer: D
Explanation:
According to requirement 4, when a cryptographic key is retired and replaced with a new key, the hashed and truncated versions of the same PAN must not exist in the same environment, which means they should not be stored or transmitted together. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.
NEW QUESTION # 32
An entity under assessment is using the customized approach. Which of the following steps is the responsibility of the assessor?
- A. Derive testing procedures and document them in Appendix E of the ROC.
- B. Perform the targeted risk analysis as per PCI DSS requirement 12.3.2
- C. Document and maintain evidence about each customized control as defined in Appendix E of PCI DSS
- D. Monitor the control.
Answer: A
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide [1], the assessor must derive testing procedures and document them in Appendix E of the ROC. This is one of the requirements for ensuring that testing procedures are defined and documented.
NEW QUESTION # 33
Which of the following describes the intent of installing one primary function per server?
- A. To reduce the security level of functions with higher-security needs to meet the needs of lower-security functions
- B. To allow higher-security functions to protect lower-security functions installed on the same server
- C. To prevent server functions with a lower security level from introducing security weaknesses to higher-security functions on the same server
- D. To allow functions with different security levels to be implemented on the same server
Answer: C
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide [1], installing one primary function per server is intended to prevent server functions with a lower security level from introducing security weaknesses to higher-security functions on the same server. This is one of the requirements for ensuring that server functions are isolated from each other.
NEW QUESTION # 34
An internal NTP server that provides time services to the Cardholder Data Environment is:
- A. In scope for PCI DSS
- B. Only in scope if it provides time services to database servers.
- C. Only in scope if it stores, processes, or transmits cardholder data
- D. Not in scope for PCI DSS
Answer: A
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide [1], an internal NTP server that provides time services to the cardholder data environment is in scope for PCI DSS if it stores, processes, or transmits cardholder data, regardless of whether it provides authentication services to systems in the DMZ. This is one of the requirements for preventing unauthorized access to cardholder data using time services.
NEW QUESTION # 35
A network firewall has been configured with the latest vendor security patches. What additional configuration is needed to harden the firewall?
- A. Configure the firewall to permit all traffic until additional rules are defined
- B. Disable any firewall functions that are not needed in production
- C. Synchronize the firewall rules with the other firewalls in the environment
- D. Remove the default 'Firewall Administrator' account and create a shared account for firewall administrators to use.
Answer: B
Explanation:
One of the best practices for hardening a firewall is to disable any firewall functions that are not needed in production, such as unused services, ports, protocols, or features. This reduces the attack surface and minimizes the potential for exploitation. According to the PCI Card Production Logical Security Requirements, section 3.2.1, "The firewall must be configured to deny all traffic by default and allow only traffic that is explicitly required for the card production environment." Furthermore, section 3.2.2 states, "The firewall must be configured to block all unnecessary services, ports, protocols, and IP addresses." References: PCI Card Production Logical Security Requirements, Card Production Security Assessor - Logical - Credly
NEW QUESTION # 36
At which step in the payment transaction process does the merchant's bank pay the merchant for the purchase and the cardholder's bank bill the cardholder?
- A. Clearing
- B. Authorization
- C. Settlement
- D. Chargeback
Answer: C
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide [1], settlement occurs when a merchant receives payment from a card issuer for a completed transaction and delivers goods or services to a customer or another party as agreed upon in advance by both parties, subject to any conditions imposed by either party upon delivery or payment, including but not limited to acceptance, rejection, return, exchange, refund, cancellation, modification, suspension, termination or revocation by either party upon delivery or payment, or any other conditions imposed by either party upon delivery or payment.
NEW QUESTION # 37
Which of the following is true regarding compensating controls?
- A. A compensating control is not necessary if all other PCI DSS requirements are in place
- B. A compensating control must address the risk associated with not adhering to the PCI DSS requirement
- C. An existing PCI DSS requirement can be used as compensating control if it is already implemented
- D. A compensating control worksheet is not required if the acquirer approves the compensating control
Answer: B
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide [1], a compensating control must address the risk associated with not adhering to a PCI DSS requirement and must be approved by an authorized person before implementation. This is one of the requirements for reducing or eliminating a risk that cannot be eliminated by other means.
NEW QUESTION # 38
An entity wants to know if the Software Security Framework can be leveraged during their assessment. Which of the following software types would this apply to?
- A. Only software which runs on PCI PTS devices
- B. Any payment software in the CDE
- C. Validated Payment Applications that are listed by PCI SSC and have undergone a PA-DSS assessment
- D. Software developed by the entity in accordance with the Secure SLC Standard
Answer: D
Explanation:
According to requirement 12.3.2, software developed by an entity in accordance with the Secure SLC Standard must be validated by a Qualified Security Assessor (QSA) before it can be used by an entity in its CDE. This is one of the requirements for ensuring that software developed by an entity in accordance with the Secure SLC Standard meets all the security standards and controls defined in Appendix E of the PCI DSS v3.2.1 Quick Reference Guide [1].
NEW QUESTION # 39
Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder data?
- A. User access to the database is restricted to system and network administrators
- B. User access to the database is only through programmatic methods
- C. Direct queries to the database are restricted to shared database administrator accounts
- D. Application IDs for database applications can only be used by database administrators
Answer: B
Explanation:
The PCI DSS requires that access to databases containing cardholder data is restricted to authorized users and applications, and that direct access to such databases is prohibited. According to PCI DSS Requirement 7.1.2, "Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities." Furthermore, according to PCI DSS Requirement 8.3.1, "Implement multi-factor authentication for all non-console access into the cardholder data environment for personnel with administrative access." Therefore, the scenario that meets the PCI DSS requirements for restricting access to databases containing cardholder data is the one where user access to the database is only through programmatic methods, such as through an application interface that enforces authentication, authorization, and encryption. The other scenarios either allow direct access to the database, do not limit the access to the least privileges necessary, or do not use multi-factor authentication for administrative access. References: [PCI DSS v3.2.1], Card Production Security Assessor - Logical - Credly
NEW QUESTION # 40
What process is required by PCI DSS for protecting card-reading devices at the point-of-sale?
- A. Device identifiers and security labels are periodically replaced
- B. The serial number of each device is periodically verified with the device manufacturer
- C. Devices are physically destroyed if there is suspicion of compromise
- D. Devices are periodically inspected to detect unauthorized card skimmers.
Answer: D
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide [1], devices are periodically inspected to detect unauthorized card skimmers using physical inspection or other methods such as software-based tools or network-based tools (such as firewalls). This is one of the requirements for preventing card skimming attacks that could compromise cardholder data.
NEW QUESTION # 41