PCI - ISA Exam Study Questions 2023/2024 Answered 100%
5 views 0 purchase
Course
PCI - ISA
Institution
PCI - ISA
What makes up SAD? - ANSWER-Track Data/ (CAV2/CVC2/CVV2/CID) / PINs & PIN Blocks
Track 1 vs Track 2 - ANSWER-Track 1: contains all fields of both Track 1 and Track 2, up to 79 characters long
11.2 Internal Scans - Frequency and performed by who? - ANSWER-Quarterly and after significant change...
PCI - ISA Exam Study Questions
2023/2024 Answered 100%
What makes up SAD? - ANSWER-Track Data/ (CAV2/CVC2/CVV2/CID) / PINs & PIN
Blocks
Track 1 vs Track 2 - ANSWER-Track 1: contains all fields of both Track 1 and Track 2,
up to 79 characters long
11.2 Internal Scans - Frequency and performed by who? - ANSWER-Quarterly and after
significant changes in the network - Performed by qualified internal or qualified external
resource
11.3 Penetration Tests (SERVICE PROVIDERS) - Frequency and performed by who? -
ANSWER-Every 6 months; qualified internal or external resource
11.2 External Scans - Frequency and performed by who? - ANSWER-Quarterly and
after significant changes in the network - Performed by PCI SSC Approved Scanning
Vendor (ASV)
11.3 Penetration Tests - Frequency and performed by who? - ANSWER-At least
annually and after significant changes in the network - Performed by qualified internal or
qualified external resource
11.2 Review scan reports and verify scan process includes rescans until: - ANSWER--
External scans: no vulnerabilities exists that scored 4.0 or higher by the CVSS
- Internal scans: all high-risk vulnerabilities as defined in PCI DSS requirement 6.1 are
resolved
Who decides if a ROC or SAQ is required? - ANSWER-payment brands / acquirers
10.2 Implement audit trails for all system components to reconstruct the following
events: - ANSWER-- Individual accesses to CHD
- Actions taken by any invidivudal with root or admin privileges
- Access to all audit trails
- Invalid logical access attempts
- Use of identification and authentication mechanisms
- Initialization of the audit logs
- Creation and deleting of system-level objects
How long must QSA's retain work papers? - ANSWER-3 years, recommend the same
for ISAs
1 / 2
Firewall and router rule sets must be reviewed every _ months - ANSWER-every 6
months
Things to consider when assessing: - ANSWER-People, processes, technology
How often should an entity undergo a process to securely delete stored CHD that
exceeds defined retention requirements? - ANSWER-at least quarterly
3.6 Key-management operations - ANSWER-Dual Control: at least two people are
required to perform any key-management operations and no one person has access to
the authentication materials (for example, passwords or keys) of another
Split Knowledge: key components are under the control of at least two people who only
have knowledge of their own key components
3.4 Pan is rendered unreadable in which ways? - ANSWER-hash, truncation, encrypt,
index token and pads
6.2 Critical Security patches should be installed within _ of release. - ANSWER-one
month
6.2 Installation of applicable vendor-supplied security patches (non-critical) should be
installed: - ANSWER-within an appropriate time frame (e.g., 3 months)
6.4.5 Change control procedures must include the following - ANSWER--
Documentation of impact
- Documented change approval by authorized parties
- Functionality testing to verify change does not adversely impact security of the system
- Back-out procedures
6.5 Developers must be trained at least _ in up-to-date secure coding techniques. -
ANSWER-annually
6.6 For public-facing web applications, address new threats and vulnerabilities on an
ongoing basis and ensure these applications are protected against known attacks by
either of the following methods - ANSWER-- At least annually, and after any changes,
review via manual or automated application vulnerability assessment tools/methods
- Automated technical solution that detects and prevents web-based attacks
continuously
1.3.2 Examine firewall and router configurations to verify inbound traffic is: - ANSWER-
limited to IP addresses within the DMZ
7.1.4 Select sample of user IDs and compare with documented approvals to verify: -
ANSWER-Documented approval exists for the assigned privileges
Approval by authorized parties
Specified privileges match the role of the user IDPowered by TCPDF (www.tcpdf.org)
2 / 2
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller CLOUND. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $11.49. You're not tied to anything after your purchase.
