[Q19-Q43] Get Special Discount Offer on QSA_New_V4 Dumps PDF [UPDATED Jan-2025]

NO.19 An organization wishes to implement multi-factor authentication for remote access, using the user’s Individual password and a digital certificate. Which of the following scenarios would meet PCI DSS requirements for multi-factor authentication?

Certificates are assigned only to administrative groups, and not to regular users.

A different certificate is assigned to each individual user account, and certificates are not shared.

Certificates are logged so they can be retrieved when the employee leaves the company.

Change control processes are In place to ensure certificates are changed every 90 days.

NO.20 Which of the following file types must be monitored by a change-detection mechanism (for example, a file- integrity monitoring tool)?

Application vendor manuals

Files that regularly change

Security policy and procedure documents

System configuration and parameter files

NO.21 Which of the following statements Is true whenever a cryptographic key Is retired and replaced with a new key?

Anew key custodian must be assigned.

All data encrypted under the retired key must be securely destroyed.

Cryptographic key components from the retired key must be retained for 3 months before disposal.

The retired key must not be used for encryption operations.

NO.22 Which scenario meets PCI DSS requirements for critical systems to have correct and consistent time?

Each Internal system Is configured to be Its own time server.

Access to time configuration settings is available to all users of the system.

Central time servers receive time signals from specific, approved external sources.

Each internal system peers directly with an external source to ensure accuracy of time updates.

NO.23 Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder data?

User access to the database Is only through programmatic methods.

User access to the database Is restricted to system and network administrators.

Application IDs for database applications can only be used by database administrators.

Direct queries to the database are restricted to shared database administrator accounts.

NO.24 Which scenario describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope?

Routers that monitor network traffic flows between the CDE and out-of-scope networks.

Firewalls that log all network traffic flows between the CDE and out-of-scope networks.

Virtual LANs that route network traffic between the CDE and out-of-scope networks.

A network configuration that prevents all network traffic between the CDE and out-of-scope networks.

NO.25 Security policies and operational procedures should be?

Encrypted with strong cryptography.

Stored securely so that only management has access.

Reviewed and updated at least quarterly.

Distributed to and understood by ail affected parties.

NO.26 Which of the following describes “stateful responses” to communication Initiated by a trusted network?

Administrative access to respond to requests to change the firewall Is limited to one individual at a time.

Active network connections are tracked so that invalid “response” traffic can be identified.

A current baseline of application configurations is maintained and any mis-configuration is responded to promptly.

Logs of user activity on the firewall are correlated to identify and respond to suspicious behavior.

NO.27 Which statement is true regarding the PCI DSS Report on Compliance (ROC)?

The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs.

The assessor may use either their own template or the ROC Reporting Template provided by PCI SSC.

The assessor must create their own ROC template tor each assessment report.

The ROC Reporting Template provided by PCI SSC is only required for service provider assessments.

NO.28 What do PCI DSS requirements for protecting cryptographic keys include?

Public keys must be encrypted with a key-encrypting key.

Data-encrypting keys must be stronger than the key-encrypting key that protects it.

Private or secret keys must be encrypted, stored within an SCD, or stored as key components.

Key-encrypting keys and data-encrypting keys must be assigned to the same key custodian.

NO.29 An LDAP server providing authentication services to the cardholder data environment is_____________?

in scope for PCI DSS.

not In scope for PCI DSS.

in scope only if it stores, processes or transmits cardholder data.

in scope only if itprovides authentication services to systems in the DMZ.

NO.30 Which statement about PAN is true?

It must be protected with strong cryptography for transmission over private wireless networks.

It must be protected with strong cryptography tor transmission over private wired networks.

It does not require protection for transmission over public wireless networks.

It does not require protection for transmission over public wired networks.

NO.31 Viewing of audit log files should be limited to?

Individuals who performed the logged activity.

Individuals with read/write access.

Individuals with administrator privileges.

Individuals with a job-related need.

NO.32 What should the assessor verify when testing that cardholder data Is protected whenever It Is sent over open public networks?

The security protocol Is configured to accept all digital certificates.

A proprietary security protocol is used.

The security protocol accepts only trusted keys.

The security protocol accepts connections from systems with lower encryption strength than required by the protocol.

NO.33 Which statement is true regarding the use of intrusion detection techniques, such as intrusion detection systems and/or Intrusion protection systems (IDS/IPS)?

Intrusion detection techniques are required on all system components.

Intrusion detection techniques are required to alert personnel of suspected compromises.

Intrusion detection techniques are required to isolate systems in the cardholder data environment from all other systems

Intrusion detection techniques are required to identify all instances of cardholder data.

NO.34 Which statement about the Attestation of Compliance (AOC) is correct?

The same AOC template is used W ROCs and SAQs.

The AOC must be signed by either the merchant/service provider or the QSA/ISA.

The AOC must be signed by both the merchant/service provider and by PCI SSC.

There are different AOC templates for service providers and merchants.

NO.35 An organization has implemented a change-detection mechanism on their systems. How often must critical file comparisons be performed?

At least weekly

Periodically as defined by the entity