PCI SSC Assessor_New_V4 Assessor_New_V4 Exam Exam Practice Test

The PCI DSS requires that the assessor validates that the sample of business facilities is representative of the entire population of facilities that are in scope for the assessment. According to the PCI DSS Requirement 12.8.5, “Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.” Furthermore, according to the PCI DSS Requirement 12.9.1, “For service providers, provide the written agreement/acknowledgment to their customers as specified at Requirement 12.8.2.” Therefore, the scenario that meets the PCI DSS requirements for validating the sample of business facilities is theone where all types and locations of facilities are represented, to ensure that the assessment covers the diversity and complexity of the card production environment. The other scenarios either do not account for the variability of the facilities, or do not follow the sampling methodology defined by the PCI DSS. References: PCI DSS v3.2.1, Card Production Security Assessor - Physical - Credly

According to requirement 1, network security controls are intended to control network traffic between two or more logical or physical network segments, which means they should prevent unauthorized access, modification, or disclosure of cardholder data or transactions over the network. This is one of the requirements for ensuring that network security controls are implemented and maintained in accordance with PCI DSS.

critical systems must have correct and consistent time, which means they should use a reliable time source and synchronize their clocks with other systems. This is one of the requirements for ensuring that critical systems have accurate time.

Segmentation is a method of isolating system components that store, process, or transmit cardholder data from systems that do not, by using security controls such as firewalls, routers, switches, or other devices1. Segmentation can reduce the scope of the cardholder data environment (CDE) and thus reduce the scope of the PCI DSS assessment, as only the systems and networks within the CDE or connected to the CDE are subject to PCI DSS requirements2. However, segmentation is not mandatory for PCI DSS compliance, and it is the responsibility of the entity to define and document the scope of their CDE and the segmentation controls they use2.

The assessor’s role is to verify the scope of the CDE and the effectiveness of the segmentation controls, as specified in PCI DSS Requirement 11.3.43. The assessor must verify that the segmentation controls are configured properly and functioning as intended, and that they allow only necessary traffic into the CDE. The assessor must also perform penetration testing on the segmentation controls at least annually and after anychanges to the segmentation methods, to confirm that there are no exploitable vulnerabilities that could allow an attacker to access the CDE from out-of-scope systems3. Therefore, the correct answer is option D.

The other options are not true regarding the role of the assessor in verifying segmentation for PCI DSS. Option A is not true because the assessor must verify not only that the segmentation controls allow only necessary traffic into the CDE, but also that they are configured properly and functioning as intended, as stated in option D. Option B is not true because the assessor does not need to verify that the payment card brands have approved the segmentation, as PCI DSS does not require such approval, although the payment card brands may have their own policies and procedures for segmentation that the entity must follow2. Option C is not true because the assessor does not need to verify that approved devices and applications are used for the segmentation controls, as PCI DSS does not mandate the use of specific devices or applications for segmentation, although it requires the entity to use industry-accepted and strong methods for segmentation2. References:

• Network Segmentation - PCI Security Standards Council
• Guidance for PCI DSS Scoping and Network Segmentation
• PCI DSS v3.2.1

According to the PCI DSS v3.2.1 Quick Reference Guide1, any in-scope system except for those identified as not at risk from malware must have anti-malware solutions installed and configured according to best practices. This is one of the requirements for preventing malware infections that could compromise cardholder data.

According to the PCI DSS v3.2.1 Quick Reference Guide1, the assessor must derive testing procedures and document them in Appendix E of the ROC. This is one of the requirements for ensuring that testing procedures are defined and documented.

According to the PCI DSS v3.2.1 Quick Reference Guide1, the intent of assigning a risk ranking to vulnerabilities is to prioritize the highest risk items so they can be addressed more quickly, rather than ensuring all vulnerabilities are addressed within 30 days or replacing the need to quarterly ASV scans or ensuring that critical security patches are installed at least quarterly. This is one of the requirements for ensuring that vulnerabilities are identified and mitigated as soon as possible.

According to the PCI PTS standard2, point-of-interaction devices used to protect account data are point-of-interaction devices (POI), which are devices that are used to authenticate, authorize, or verify cardholder data or transactions. This is one of the requirements for ensuring that POI devices are used in accordance with PCI DSS.

According to the PCI DSS v3.2.1 Quick Reference Guide1, internal vulnerability scans must be performed after a significant change in any component or configuration that affects cardholder data or payment processing systems. This is one of the requirements for identifying and mitigating vulnerabilities that could compromise cardholder data.

According to the PCI DSS v3.2.1 Quick Reference Guide1, active network connections are tracked so that invalid response traffic can be identified. This is one of the requirements for preventing replay attacks and ensuring secure communication.

The key-encrypting key (KEK) is used to protect the data-encrypting key (DEK) from unauthorized access or disclosure. The KEK should have a strength that is equal to or greater than the DEK, to prevent a weaker link in the encryption chain. According to the PCI Card Production Logical Security Requirements, section 4.1.1, “The key-encrypting key (KEK) must be at least as strong as the data-encrypting key (DEK) it protects.” Furthermore, section 4.1.2 states, “The KEK must be generated using a secure random number generator (RNG) that meets the requirements of NIST SP 800-90A or equivalent.” AES 128 is a symmetric encryption algorithm that uses a 128-bit key and meets the NIST standards. Therefore, it would be an appropriate strength for the KEK used to protect an AES 128-bit DEK. The other options are either weaker or asymmetric encryption algorithms, which are not suitable for the KEK. References: PCI Card Production Logical Security Requirements, [NIST SP 800-90A]

The customized approach is a new option in PCI DSS v4.0 that allows entities to use alternate security controls or new technologies that meet the PCI DSS Customized Approach Objective for a requirement1. The customized approach requires the entity to complete and document a Controls Matrix and a Targeted Risk Analysis (TRA) for each customized control, and to provide this documentation to the assessor2. The assessor’s role is to review the documentation, assess the customized control, and verify that the customized approach was correctly followed3. The assessor must also document the assessment of the customized control in the Report on Compliance (ROC), using the ROC Template provided by PCI SSC4. Therefore, the correct answer is option B.

The other options are not true regarding the role of the assessor in the customized approach. Option A is not true because the assessor does not need another assessor to verify the TRA, as the assessor is responsible for reviewing and validating the TRA as part of the assessment process3. Option C is not true because the assessor can and must assess the control and the documentation, as well as document the work on the customized control in the ROC34. Option D is not true because the assessor is allowed to assist the entity with the completion of the Controls Matrix or the TRA, as long as the assessor does not design, develop, or implement the customized control for the entity5. References:

• PCI DSS v4.0: Is the Customized Approach Right For Your Organization?
• PCI DSS v4.0: Roles and Responsibilities for the Customized Approach
• PCI DSS v4.0 Report on Compliance Template
• PCI DSS v4.0
• PCI DSS v4.0: Customized Approach Explained

The PCI DSS requires that access to databases containing cardholder data is restricted to authorized users and applications, and that direct access to such databases is prohibited. According to the PCI DSS Requirement 7.1.2, “Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.” Furthermore, according to the PCI DSS Requirement 8.3.1, “Implement multi-factor authentication for all non-console access into the cardholder data environment for personnel with administrative access.” Therefore, the scenario that meets the PCI DSS requirements for restricting access to databases containing cardholder data is the one where user access to the database is only through programmatic methods, such as through an application interface that enforces authentication, authorization, and encryption. The other scenarios either allow direct access to the database, or do not limit the access to the least privileges necessary, or do not use multi-factor authentication for administrative access. References: [PCI DSS v3.2.1], Card Production Security Assessor - Logical - Credly

According to the PCI DSS v3.2.1 Quick Reference Guide1, intrusion detection techniques are required to alert personnel of suspected compromises that could compromise cardholder data or payment processing systems. This is one of the requirements for identifying and mitigating vulnerabilities that could compromise cardholder data.

classifying media that contains cardholder data is intended to ensure that media is property protected according to the sensitivity of the data it contains, which means it should be markedwith labels or tags that indicate its level of confidentiality or integrity. This is one of the requirements for ensuring that media containing cardholder data is properly labeled.

According to the PCI DSS v3.2.1 Quick Reference Guide1, a user password and a PIN-activated smart card is an example of multi-factor authentication. This is one of the requirements for preventing unauthorized access to cardholder data using digital certificates.

According to the PCI DSS v3.2.1 Quick Reference Guide1, system configuration and parameter files must be monitored by a change-detection mechanism (for example, a file-integrity monitoring tool). This is one of the requirements for ensuring that changes to system configuration and parameter files are detected and verified.

According to the PCI DSS v3.2.1 Quick Reference Guide1, the database server should be relocated so that it is not accessible from untrusted networks. This is one of the requirements for protecting cardholder data in transit and at rest.