Question 1
A "Partial Assessment" is a new assessment result. What is a "Partial Assessment"?
Options:
A.
A ROC that has been completed after using an SAQ to determine which requirements should be tested, as per FAQ 1331 (as long as the entity meets the SAQ's eligibility criteria)
B.
An interim result before the final ROC has been completed
C.
A term used by payment brands and acquirers to describe entities that have multiple payment channels with each channel having its own assessment
D.
An assessment with at least one requirement marked as Not Tested
Answer:
D
Explanation:
According to requirement 3.1.2, an assessment with at least one requirement marked as Not Tested is considered a partial assessment, which means it does not meet all the requirements and controls defined in Appendix E of the PCI DSS v3.2.1 Quick Reference Guide. This is one of the requirements for ensuring that assessments are conducted in accordance with PCI DSS.
Question 2
Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder data?
Options:
A.
User access to the database is only through programmatic methods
B.
User access to the database is restricted to system and network administrators
C.
Application IDs for database applications can only be used by database administrators
D.
Direct queries to the database are restricted to shared database administrator accounts
Answer:
A
Explanation:
The PCI DSS requires that access to databases containing cardholder data is restricted to authorized users and applications, and that direct access to such databases is prohibited. According to the PCI DSS Requirement 7.1.2, “Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.” Furthermore, according to the PCI DSS Requirement 8.3.1, “Implement multi-factor authentication for all non-console access into the cardholder data environment for personnel with administrative access.” Therefore, the scenario that meets the PCI DSS requirements for restricting access to databases containing cardholder data is the one where user access to the database is only through programmatic methods, such as through an application interface that enforces authentication, authorization, and encryption. The other scenarios either allow direct access to the database, or do not limit the access to the least privileges necessary, or do not use multi-factor authentication for administrative access. References: [PCI DSS v3.2.1], Card Production Security Assessor - Logical - Credly
Question 3
Which of the following is true regarding internal vulnerability scans?
Options:
A.
They must be performed after a significant change
B.
They must be performed by an Approved Scanning Vendor (ASV)
C.
They must be performed by QSA personnel
D.
They must be performed at least annually
Answer:
A
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, internal vulnerability scans must be performed after a significant change in any component or configuration that affects cardholder data or payment processing systems. This is one of the requirements for identifying and mitigating vulnerabilities that could compromise cardholder data.