Assessor_New_V4 Exam Dumps : Assessor_New_V4 Exam

Hashing is a form of one-way encryption that transforms a data element into a unique fixed-size data element (hash value) without a way to get the original data element from the hash value1. Truncation is a method of rendering the full PAN unreadable by permanently removing a segment of the PAN data2. PCI DSS Requirement 3.4 states that entities must render the PAN unreadable wherever it is stored, using any of the following methods: one-way hashes based on strong cryptography, truncation, index tokens and pads, or strong cryptography with associated key-management processes and procedures3. However, PCI DSS Requirement 3.4e also states that if hashed and truncated versions of the same PAN are present in the environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN3. This is because if an attacker obtains both the hashed and truncated versions of the same PAN, they may be able to use a brute-force or dictionary attack to guess the original PAN by hashing and truncating different PAN values until they find a match4. Therefore, the correct answer is option A.

The other options are not true regarding the presence of both hashed and truncated versions of the same PAN in an environment. Option B is not true because PCI DSS does not require the hashed version of the PAN to be also truncated, although it is a recommended best practice to further reduce the risk of exposing the original PAN5. Option C is not true because PCI DSS does not require the hashed and truncated versions to be correlated, as this would defeat the purpose of rendering the PAN unreadable and increase the risk of exposing the original PAN. Option D is not true because PCI DSS does not prohibit the presence of both hashed and truncated versions of the same PAN in the same environment, as long as additional controls are in place to prevent the reconstruction of the original PAN. References:

• Protect hashed CardHolder Data according to PCI DSS 3.4 - Advantio
• PCI DSS Truncation Rules and Guidelines - Truvantis
• PCI DSS v3.2.1
• Storing Card Numbers using hashed and truncated version of PAN
• pci dss - Credit card data security - hashing, truncation and encryption - Information Security Stack Exchange

PCI DSS Requirement 11.5 states that entities must deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly1. This is to ensure that any unauthorized or malicious changes to the files are detected and reported in a timely manner, and that the integrity and security of the files are maintained. Critical files are those that affect the security of the cardholder data environment (CDE), such as system files, application executables, configuration files, database files, and log files2. Therefore, the correct answer is option A.

The other options are not true regarding the frequency of critical file comparisons for a change-detection mechanism. Option B is not true because PCI DSS does not allow the entity to define the periodicity of the file comparisons, as it specifies a minimum frequency of at least weekly1. Option C is not true because PCI DSS does not limit the file comparisons to only after a valid change is installed, as it requires the file comparisons to be performed at least weekly regardless of the change status1. Option D is not true because PCI DSS does not allow the file comparisons to be performed at least monthly, as it requires a higher frequency of at least weekly1. References:

• PCI DSS v3.2.1
• File Integrity Monitoring Tools For PCI DSS

The PCI DSS requires that access to databases containing cardholder data is restricted to authorized users and applications, and that direct access to such databases is prohibited. According to the PCI DSS Requirement 7.1.2, “Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.” Furthermore, according to the PCI DSS Requirement 8.3.1, “Implement multi-factor authentication for all non-console access into the cardholder data environment for personnel with administrative access.” Therefore, the scenario that meets the PCI DSS requirements for restricting access to databases containing cardholder data is the one where user access to the database is only through programmatic methods, such as through an application interface that enforces authentication, authorization, and encryption. The other scenarios either allow direct access to the database, or do not limit the access to the least privileges necessary, or do not use multi-factor authentication for administrative access. References: [PCI DSS v3.2.1], Card Production Security Assessor - Logical - Credly