Assessor_New_V4 Exam Dumps : Assessor_New_V4 Exam

 One of the best practices for hardening a firewall is to disable any firewall functions that are not needed in production, such as unused services, ports, protocols, or features. This reduces the attack surface and minimizes the potential for exploitation. According to the PCI Card Production Logical Security Requirements, section 3.2.1, “The firewall must be configured to deny all traffic by default and allow only traffic that is explicitly required for the card production environment.” Furthermore, section 3.2.2 states, “The firewall must be configured to block all unnecessary services, ports, protocols, and IP addresses.” References: PCI Card Production Logical Security Requirements, Card Production Security Assessor - Logical - Credly

PCI DSS Requirement 9.1.1 requires entities to use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment (CDE)1. A badge access-control system is one example of such a control, as it can identify who entered and exited the server room and when. However, this control is only effective if it is protected from tampering or disabling by unauthorized persons, as PCI DSS Requirement 9.1.2 states1. Otherwise, the access-control system could be bypassed or compromised, allowing unauthorized access to the systems that store encrypted PAN data. Therefore, the badge access-control system must be protected from tampering or disabling, as stated in option A.

The other options are not true regarding PCI DSS physical security requirements for a server room. Option B is not true because PCI DSS does not mandate the use of video cameras in addition to the existing access-control system, although it is a recommended best practice2. Option C is not true because PCI DSS does not specify a data retention period for the access-control system, although it requires entities to retain audit trail history for at least one year, with a minimum of three months immediately available for analysis3. Option D is not true because PCI DSS does not require the use of motion-sensing alarms in addition to the existing access-control system, although it is another recommended best practice2. References:

• PCI DSS v3.2.1
• PCI DSS Requirement 9: Upping Your Physical Security
• PCI DSS Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

Hashing is a form of one-way encryption that transforms a data element into a unique fixed-size data element (hash value) without a way to get the original data element from the hash value1. Truncation is a method of rendering the full PAN unreadable by permanently removing a segment of the PAN data2. PCI DSS Requirement 3.4 states that entities must render the PAN unreadable wherever it is stored, using any of the following methods: one-way hashes based on strong cryptography, truncation, index tokens and pads, or strong cryptography with associated key-management processes and procedures3. However, PCI DSS Requirement 3.4e also states that if hashed and truncated versions of the same PAN are present in the environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN3. This is because if an attacker obtains both the hashed and truncated versions of the same PAN, they may be able to use a brute-force or dictionary attack to guess the original PAN by hashing and truncating different PAN values until they find a match4. Therefore, the correct answer is option A.

The other options are not true regarding the presence of both hashed and truncated versions of the same PAN in an environment. Option B is not true because PCI DSS does not require the hashed version of the PAN to be also truncated, although it is a recommended best practice to further reduce the risk of exposing the original PAN5. Option C is not true because PCI DSS does not require the hashed and truncated versions to be correlated, as this would defeat the purpose of rendering the PAN unreadable and increase the risk of exposing the original PAN. Option D is not true because PCI DSS does not prohibit the presence of both hashed and truncated versions of the same PAN in the same environment, as long as additional controls are in place to prevent the reconstruction of the original PAN. References:

• Protect hashed CardHolder Data according to PCI DSS 3.4 - Advantio
• PCI DSS Truncation Rules and Guidelines - Truvantis
• PCI DSS v3.2.1
• Storing Card Numbers using hashed and truncated version of PAN
• pci dss - Credit card data security - hashing, truncation and encryption - Information Security Stack Exchange