
The Best Practice Test Preparation for the Assessor_New_V4 Certification Exam
NEW QUESTION # 18
An LDAP server providing authentication services to the cardholder data environment is
- A. in scope only if it provides authentication services to systems in the DMZ
- B. not in scope for PCI DSS
- C. in scope for PCI DSS.
- D. in scope only if it stores processes or transmits cardholder data
Answer: D
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, an LDAP server providing authentication services to the cardholder data environment is in scope only if it provides authentication services to systems in the DMZ. This is one of the requirements for preventing unauthorized access to cardholder data.
NEW QUESTION # 19
Which statement is true regarding the presence of both hashed and truncated versions of the same PAN in an environment?
- A. The hashed and truncated versions must be correlated so the source PAN can be identified
- B. Controls are needed to prevent the original PAN being exposed by the hashed and truncated versions
- C. Hashed and truncated versions of a PAN must not exist in same environment
- D. The hashed version of the PAN must also be truncated per PCI DSS requirements for strong cryptography.
Answer: C
Explanation:
According to requirement 4, when a cryptographic key is retired and replaced with a new key, the hashed and truncated versions of the same PAN must not exist in the same environment, which means they should not be stored or transmitted together. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.
NEW QUESTION # 20
What must the assessor verify when testing that PAN is protected whenever it is sent over the Internet?
- A. The security protocol is configured to accept all digital certificates
- B. The PAN is securely deleted once the transmission has been sent
- C. The security protocol is configured to support earlier versions
- D. The PAN is encrypted with strong cryptography
Answer: D
Explanation:
When PAN is sent over the Internet, PAN must be encrypted with strong cryptography, which means it should use encryption techniques such as WEP, WPA, WPA2, or TLS/SSL to prevent unauthorized access or interception. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.
NEW QUESTION # 21
Which of the following is true regarding internal vulnerability scans?
- A. They must be performed by QSA personnel
- B. They must be performed at least annually
- C. They must be performed after a significant change
- D. They must be performed by an Approved Scanning Vendor (ASV)
Answer: C
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, internal vulnerability scans must be performed after a significant change in any component or configuration that affects cardholder data or payment processing systems. This is one of the requirements for identifying and mitigating vulnerabilities that could compromise cardholder data.
NEW QUESTION # 22
Which systems must have anti-malware solutions?
- A. All portable electronic storage
- B. Any in-scope system except for those identified as not at risk from malware
- C. All systems that store PAN
- D. All CDE systems, connected systems, NSCs, and security-providing systems
Answer: B
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, any in-scope system except for those identified as not at risk from malware must have anti-malware solutions installed and configured according to best practices. This is one of the requirements for preventing malware infections that could compromise cardholder data.
NEW QUESTION # 23
Which statement is true regarding the PCI DSS Report on Compliance (ROC)?
- A. The assessor may use either their own template or the ROC Reporting Template provided by PCI SSC
- B. The assessor must create their own ROC template for each assessment report
- C. The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs.
- D. The ROC Reporting Template provided by PCI SSC is only required for service provider assessments
Answer: C
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, the assessor may use either their own template or the ROC Reporting Template provided by PCI SSC. This is one of the requirements for ensuring consistency and accuracy in ROCs.
NEW QUESTION # 24
What should the assessor verify when testing that cardholder data is protected whenever it is sent over open public networks?
- A. The security protocol accepts connections from systems with lower encryption strength than required by the protocol
- B. The security protocol accepts only trusted keys
- C. The security protocol is configured to accept all digital certificates
- D. A proprietary security protocol is used
Answer: B
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, the security protocol accepts only trusted keys. This is one of the requirements for ensuring secure encryption and authentication.
NEW QUESTION # 25
Which statement about PAN is true?
- A. It does not require protection for transmission over public wired networks
- B. It must be protected with strong cryptography for transmission over private wireless networks
- C. It does not require protection for transmission over public wireless networks
- D. It must be protected with strong cryptography for transmission over private wired networks
Answer: B
Explanation:
According to requirement 4, PAN must be protected with strong cryptography for transmission over private wireless networks, which means it should use encryption techniques such as WEP, WPA, WPA2, or TLS/SSL to prevent unauthorized access or interception of cardholder data over wireless networks. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.
NEW QUESTION # 26
In the ROC Reporting Template, which of the following is the best approach for a response where the requirement was 'In Place'?
- A. Details of the entity's reason for not implementing the requirement
- B. Details of how the assessor observed the entity's systems were not compliant with the requirement
- C. Details of the entity's project plan for implementing the requirement
- D. Details of how the assessor observed the entity's systems were compliant with the requirement
Answer: D
Explanation:
When a cryptographic key is retired and replaced with a new key, the assessor will verify that the assessor observed the entity's systems were compliant with the requirement, which means they should have implemented compensating controls to address any weaknesses or gaps in the customized control. This is one of the requirements for ensuring that an entity can use both approaches when appropriate.
NEW QUESTION # 27
In accordance with PCI DSS Requirement 10, how long must audit logs be retained?
- A. At least 2 years, with the most recent 3 months immediately available
- B. At least 2 years with the most recent month immediately available
- C. At least 1 year, with the most recent 3 months immediately available
- D. At least 3 months with the most recent month immediately available
Answer: C
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, audit logs must be retained for at least 1 year, with the most recent 3 months immediately available. This is one of the requirements for ensuring that audit logs are available for review and analysis.
NEW QUESTION # 28
An entity wants to know if the Software Security Framework can be leveraged during their assessment. Which of the following software types would this apply to?
- A. Software developed by the entity in accordance with the Secure SLC Standard
- B. Any payment software in the CDE
- C. Only software which runs on PCI PTS devices
- D. Validated Payment Applications that are listed by PCI SSC and have undergone a PA-DSS assessment
Answer: A
Explanation:
According to requirement 12.3.2, software developed by an entity in accordance with the Secure SLC Standard must be validated by a Qualified Security Assessor (QSA) before it can be used by an entity in its CDE. This is one of the requirements for ensuring that software developed by an entity in accordance with the Secure SLC Standard meets all the security standards and controls defined in Appendix E of the PCI DSS v3.2.1 Quick Reference Guide.
NEW QUESTION # 29
If an entity under assessment is using the customized approach, which of the following steps is the responsibility of the assessor?
- A. Monitor the control.
- B. Document and maintain evidence about each customized control as defined in Appendix E of PCI DSS
- C. Derive testing procedures and document them in Appendix E of the ROC.
- D. Perform the targeted risk analysis as per PCI DSS requirement 12.3.2
Answer: C
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, the assessor must derive testing procedures and document them in Appendix E of the ROC. This is one of the requirements for ensuring that testing procedures are defined and documented.
NEW QUESTION # 30
What must be included in an organization's procedures for managing visitors?
- A. Visitor badges are identical to badges used by onsite personnel
- B. Visitors are escorted at all times within areas where cardholder data is processed or maintained
- C. Visitor log includes visitor name, address, and contact phone number
- D. Visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit
Answer: B
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, visitors are escorted at all times within areas where cardholder data is processed or maintained; visitor badges are identical to badges used by onsite personnel; the visitor log includes visitor name, address, and contact phone number; and visitors retain their identification (for example, a visitor badge) for 30 days after completion of the visit. These are some examples of procedures that must be included in an organization's procedures for managing visitors who access in-scope systems where cardholder data is processed or maintained.
NEW QUESTION # 31
An entity wants to use the Customized Approach. They are unsure how to complete the Controls Matrix or TRA. During the assessment, you spend time completing the Controls Matrix and the TRA, while also ensuring that the customized control is implemented securely. Which of the following statements is true?
- A. You can assess the customized control but another assessor must verify that you completed the TRA correctly
- B. You must document the work on the customized control in the ROC but you can not assess the control or the documentation
- C. Assessors are not allowed to assist an entity with the completion of the Controls Matrix or the TRA
- D. You can assess the customized control and verify that the customized approach was correctly followed but you must document this in the ROC
Answer: B
Explanation:
According to requirement 1, assessing a customized control means verifying that it meets all the requirements and controls defined in Appendix E of the PCI DSS v3.2.1 Quick Reference Guide, which includes documenting and maintaining evidence about each customized control as defined in Appendix E. This is one of the requirements for ensuring that assessing a customized control is done correctly and consistently.
NEW QUESTION # 32
What would be an appropriate strength for the key-encrypting key (KEK) used to protect an AES 128-bit data-encrypting key (DEK)?
- A. ROT 13
- B. DES256
- C. RSA512
- D. AES 128
Answer: B
Explanation:
When a cryptographic key is retired and replaced with a new key, the new key must have an appropriate strength for its intended use, which means it should have a sufficient length and complexity to resist brute-force attacks. This is one of the requirements for ensuring that cryptographic keys are secure and effective.
NEW QUESTION # 33
Viewing of audit log files should be limited to?
- A. Individuals who performed the logged activity
- B. Individuals with a job-related need
- C. Individuals with read/write access
- D. Individuals with administrator privileges
Answer: B
Explanation:
According to requirement 4, viewing of audit log files should be limited to individuals with a job-related need, which means they should only access the audit log files for legitimate purposes related to their job functions. This is one of the requirements for ensuring that audit log files are not accessed by unauthorized or unnecessary personnel.
NEW QUESTION # 34
A retail merchant has a server room containing systems that store encrypted PAN data. The merchant has implemented a badge access-control system that identifies who entered and exited the room, on what date and at what time. There are no video cameras located in the server room. Based on this information, which statement is true regarding PCI DSS physical security requirements?
- A. The merchant must install motion-sensing alarms in addition to the existing access-control system
- B. Data from the access-control system must be securely deleted on a monthly basis
- C. The badge access-control system must be protected from tampering or disabling
- D. The merchant must install video cameras in addition to the existing access-control system
Answer: D
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, the merchant must install video cameras in addition to the existing access-control system, because there are no video cameras located in the server room.
NEW QUESTION # 35
If disk encryption is used to protect account data, what requirement should be met for the disk encryption solution?
- A. The decryption keys must be associated with the local user account database
- B. Access to the disk encryption must be managed independently of the operating system access control mechanisms
- C. The disk encryption system must use the same user account authenticator as the operating system
- D. The decryption keys must be stored within the local user account database
Answer: B
Explanation:
When disk encryption is used to protect account data, access to the disk encryption must be managed independently of the operating system access control mechanisms, which means it should not be affected by changes in the operating system settings or permissions. This is one of the requirements for ensuring that disk encryption is secure and effective.
NEW QUESTION # 36
Which of the following describes "stateful responses" to communication initiated by a trusted network?
- A. A current baseline of application configurations is maintained and any mis-configuration is responded to promptly
- B. Logs of user activity on the firewall are correlated to identify and respond to suspicious behavior
- C. Administrative access to respond to requests to change the firewall is limited to one individual at a time
- D. Active network connections are tracked so that invalid "response" traffic can be identified.
Answer: D
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, active network connections are tracked so that invalid response traffic can be identified. This is one of the requirements for preventing replay attacks and ensuring secure communication.
NEW QUESTION # 37
A network firewall has been configured with the latest vendor security patches. What additional configuration is needed to harden the firewall?
- A. Synchronize the firewall rules with the other firewalls in the environment
- B. Configure the firewall to permit all traffic until additional rules are defined
- C. Disable any firewall functions that are not needed in production
- D. Remove the default 'Firewall Administrator' account and create a shared account for firewall administrators to use.
Answer: A
Explanation:
According to requirement 3.1.2, a network firewall should be configured to permit only traffic that is necessary for its operation and security, which means it should not allow any traffic until additional rules are defined. This is one of the requirements for ensuring that network firewalls are not exposed to unnecessary or unwanted traffic.
NEW QUESTION # 38
Which statement about the Attestation of Compliance (AOC) is correct?
- A. There are different AOC templates for service providers and merchants
- B. The same AOC template is used for ROCs and SAQs
- C. The AOC must be signed by both the merchant/service provider and by PCI SSC
- D. The AOC must be signed by either the merchant/service provider or the QSA/ISA
Answer: B
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, the same AOC template is used for ROCs and SAQs. This is one of the requirements for ensuring consistency and accuracy in ROCs and SAQs.
NEW QUESTION # 39
What process is required by PCI DSS for protecting card-reading devices at the point-of-sale?
- A. Devices are physically destroyed if there is suspicion of compromise
- B. Devices are periodically inspected to detect unauthorized card skimmers
- C. Device identifiers and security labels are periodically replaced
- D. The serial number of each device is periodically verified with the device manufacturer
Answer: B
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, devices are periodically inspected to detect unauthorized card skimmers using physical inspection or other methods such as software-based tools or network-based tools (such as firewalls). This is one of the requirements for preventing card skimming attacks that could compromise cardholder data.
NEW QUESTION # 40
Which of the following is required to be included in an incident response plan?
- A. Procedures for responding to the detection of unauthorized wireless access points
- B. Procedures for notifying PCI SSC of the security incident
- C. Procedures for securely deleting incident response records immediately upon resolution of the incident
- D. Procedures for launching a reverse-attack on the individual(s) responsible for the security incident
Answer: C
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, procedures for securely deleting incident response records immediately upon resolution of the incident must be included in an incident response plan. This is one of the requirements for ensuring that incident response records are not retained indefinitely.
NEW QUESTION # 41
If segmentation is being used to reduce the scope of a PCI DSS assessment, the assessor will:
- A. Verify that approved devices and applications are used for the segmentation controls
- B. Verify the segmentation controls allow only necessary traffic into the cardholder data environment.
- C. Verify the controls used for segmentation are configured properly and functioning as intended
- D. Verify the payment card brands have approved the segmentation
Answer: B
Explanation:
According to requirement 3.1.2, if segmentation is being used to reduce the scope of a PCI DSS assessment, the assessor will verify that the segmentation controls allow only necessary traffic into the cardholder data environment, which means they should not allow any traffic until additional rules are defined. This is one of the requirements for ensuring that network firewalls are not exposed to unnecessary or unwanted traffic.
NEW QUESTION # 42
Where can live PANs be used for testing?
- A. Pre-production environments that are located within the CDE
- B. Production (live) environments only
- C. Pre-production (test) environments only if located outside the CDE.
- D. Testing with live PANs must only be performed in the QSA Company environment
Answer: A
Explanation:
According to the PCI DSS v3.2.1 Quick Reference Guide, pre-production environments that are located within the cardholder data environment can be used for testing, as long as they are not accessible from untrusted networks and are monitored for any changes or vulnerabilities. This is one of the requirements for ensuring that testing environments are isolated from production environments.
NEW QUESTION # 43