Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium PCI SSC QSA_New_V4 Dumps Questions Answers

Page: 1 / 6
Total 75 questions

Qualified Security Assessor V4 Exam Questions and Answers

Question 1

What should the assessor verify when testing that cardholder data Is protected whenever It Is sent over open public networks?

Options:

A.

The security protocol Is configured to accept all digital certificates.

B.

A proprietary security protocol is used.

C.

The security protocol accepts only trusted keys.

D.

The security protocol accepts connections from systems with lower encryption strength than required by the protocol.

Buy Now
Question 2

Which statement about the Attestation of Compliance (AOC) is correct?

Options:

A.

There are different AOC templates for service providers and merchants.

B.

The AOC must be signed by both the merchant/service provider and by PCI SSC.

C.

The same AOC template is used W ROCs and SAQs.

D.

The AOC must be signed by either the merchant/service provider or the QSA/ISA.

Question 3

An entity wants to know if the Software Security Framework can be leveraged during their assessment. Which of the following software types would this apply to?

Options:

A.

Any payment software in the CDE.

B.

Only software which runs on PCI PTS devices.

C.

Validated Payment Applications that are listed by PCI SSC and have undergone a PA-DSS assessment.

D.

Software developed by the entity in accordance with the Secure SLC Standard.

Question 4

At which step in the payment transaction process does the merchant's bank pay the merchant for the purchase, and the cardholder's bank bill the cardholder?

Options:

A.

Authorization

B.

Clearing

C.

Settlement

D.

Chargeback

Question 5

What does the PCI PTS standard cover?

Options:

A.

Point-of-Interaction devices used to protect account data.

B.

Secure coding practices for commercial payment applications.

C.

Development of strong cryptographic algorithms.

D.

End-lo-end encryption solutions for transmission of account data.

Question 6

Which statement is true regarding the use of intrusion detection techniques, such as intrusion detection systems and/or intrusion protection systems (IDS/IPS)?

Options:

A.

Intrusion detection techniques are required on all system components.

B.

Intrusion detection techniques are required to alert personnel of suspected compromises.

C.

Intrusion detection techniques are required to isolate systems in the cardholder data environment from all other systems.

D.

Intrusion detection techniques are required to identify all instances of cardholder data.

Question 7

Assigning a unique ID to each person is intended to ensure?

Options:

A.

Strong passwords are used for each user account.

B.

Shared accounts are only used by administrators.

C.

Individual users are accountable for their own actions.

D.

Access is assigned to group accounts based on need-to-know.

Question 8

Which statement about PAN is true?

Options:

A.

It must be protected with strong cryptography for transmission over private wireless networks.

B.

It must be protected with strong cryptography for transmission over private wired networks.

C.

It does not require protection for transmission over public wireless networks.

D.

It does not require protection for transmission over public wired networks.

Question 9

Viewing of audit log files should be limited to?

Options:

A.

Individuals who performed the logged activity.

B.

Individuals with read/write access.

C.

Individuals with administrator privileges.

D.

Individuals with a job-related need.

Question 10

An organization has implemented a change-detection mechanism on their systems. How often must critical file comparisons be performed?

Options:

A.

At least weekly

B.

Periodically as defined by the entity

C.

Only after a valid change is installed

D.

At least monthly

Question 11

Which of the following is a requirement for multi-tenant service providers?

Options:

A.

Ensure that customers cannot access another entity’s cardholder data environment.

B.

Provide customers with access to the hosting provider's system configuration files.

C.

Provide customers with a shared user ID for access to critical system binaries.

D.

Ensure that a customer’s log files are available to all hosted entities.

Question 12

According to Requirement 1, what is the purpose of “Network Security Controls"?

Options:

A.

Manage anti-malware throughout the CDE.

B.

Control network traffic between two or more logical or physical network segments.

C.

Discover vulnerabilities and rank them.

D.

Encrypt PAN when stored.

Question 13

Which statement about the Attestation of Compliance (AOC) is correct?

Options:

A.

There are different AOC templates for service providers and merchants.

B.

The AOC must be signed by both the merchant/service provider and by PCI SSC.

C.

The same AOC template is used for ROCs and SAQs.

D.

The AOC must be signed by either the merchant/service provider or the QSA/ISA.

Question 14

Where can live PANs be used for testing?

Options:

A.

Production (live) environments only.

B.

Pre-production (test) environments only it located outside the CDE.

C.

Pre-production environments that are located within the CDE.

D.

Testing with live PANs must only be performed in the OSA Company environment.

Question 15

Which of the following parties is responsible for completion of the Controls Matrix for the Customized Approach?

Options:

A.

Only a Qualified Security Assessor (QSA).

B.

Either a QSA, AQSA, or PCIP.

C.

Entity being assessed.

D.

Card brands or acquirer.

Question 16

Which of the following describes “stateful responses” to communication initiated by a trusted network?

Options:

A.

Administrative access to respond to requests to change the firewall is limited to one individual at a time.

B.

Active network connections are tracked so that invalid “response” traffic can be identified.

C.

A current baseline of application configurations is maintained and any misconfiguration is responded to promptly.

D.

Logs of user activity on the firewall are correlated to identify and respond to suspicious behavior.

Question 17

Which of the following file types must be monitored by a change-detection mechanism (e.g., a file-integrity monitoring tool)?

Options:

A.

Application vendor manuals

B.

Files that regularly change

C.

Security policy and procedure documents

D.

System configuration and parameter files

Question 18

A retail merchant has a server room containing systems that store encrypted PAN data. The merchant has implemented a badge access-control system that identifies who entered and exited the room, on what date, and at what time. There are no video cameras located in the server room. Based on this information, which statement is true regarding PCI DSS physical security requirements?

Options:

A.

The badge access-control system must be protected from tampering or disabling.

B.

The merchant must install video cameras in addition to the existing access-control system.

C.

Data from the access-control system must be securely deleted on a monthly basis.

D.

The merchant must install motion-sensing alarms in addition to the existing access-control system.

Question 19

Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder data?

Options:

A.

User access to the database is only through programmatic methods.

B.

User access to the database is restricted to system and network administrators.

C.

Application IDs for database applications can only be used by database administrators.

D.

Direct queries to the database are restricted to shared database administrator accounts.

Question 20

Which of the following meets the definition of "quarterly" as Indicated In the description of timeframes used In PCI DSS requirements?

Options:

A.

Occurring at some point in each quarter of a year.

B.

At least once every 95-97 days

C.

On the 15th of each third month.

D.

On the 1st of each fourth month.

Question 21

Which scenario meets PCI DSS requirements for critical systems to have correct and consistent time?

Options:

A.

Each internal system is configured to be its own time server.

B.

Access to time configuration settings is available to all users of the system.

C.

Central time servers receive time signals from specific, approved external sources.

D.

Each internal system peers directly with an external source to ensure accuracy of time updates.

Question 22

Where an entity under assessment is using the customized approach, which of the following steps is the responsibility of the assessor?

Options:

A.

Monitor the control.

B.

Derive testing procedures and document them in Appendix E of the ROC.

C.

Document and maintain evidence about each customized control as defined in Appendix E of PCI DSS.

D.

Perform the targeted risk analysis as per PCI DSS requirement 12.3.2.

Page: 1 / 6
Total 75 questions