
PCI SSC QSA_New_V4 Qualified Security Assessor V4 Exam Exam Practice Test

Page: 1 / 8
Total 75 questions

Qualified Security Assessor V4 Exam Questions and Answers

Question 1

An internal NTP server that provides time services to the Cardholder Data Environment is?

Options:

A.

Only in scope if it provides time services to database servers.

B.

Not in scope for PCI DSS.

C.

Only in scope if it stores, processes or transmits cardholder data.

D.

In scope for PCI DSS.

Question 2

Which statement about the Attestation of Compliance (AOC) is correct?

Options:

A.

There are different AOC templates for service providers and merchants.

B.

The AOC must be signed by both the merchant/service provider and by PCI SSC.

C.

The same AOC template is used for ROCs and SAQs.

D.

The AOC must be signed by either the merchant/service provider or the QSA/ISA.

Question 3

Passwords for default accounts and default administrative accounts should be?

Options:

A.

Changed within 30 days after installing a system on the network.

B.

Reset to the default password before installing a system on the network.

C.

Changed before installing a system on the network.

D.

Configured to expire in 30 days.

Question 4

A network firewall has been configured with the latest vendor security patches. What additional configuration is needed to harden the firewall?

Options:

A.

Remove the default “Firewall Administrator” account and create a shared account for firewall administrators to use.

B.

Configure the firewall to permit all traffic until additional rules are defined.

C.

Synchronize the firewall rules with the other firewalls in the environment.

D.

Disable any firewall functions that are not needed in production.

Question 5

The intent of assigning a risk ranking to vulnerabilities is to?

Options:

A.

Ensure all vulnerabilities are addressed within 30 days.

B.

Replace the need for quarterly ASV scans.

C.

Prioritize the highest risk items so they can be addressed more quickly.

D.

Ensure that critical security patches are installed at least quarterly.

Question 6

In the ROC Reporting Template, which of the following is the best approach for a response where the requirement was "In Place"?

Options:

A.

Details of the entity's project plan for implementing the requirement.

B.

Details of how the assessor observed the entity's systems were compliant with the requirement.

C.

Details of the entity's reason for not implementing the requirement.

D.

Details of how the assessor observed the entity's systems were not compliant with the requirement.

Question 7

A retail merchant has a server room containing systems that store encrypted PAN data. The merchant has implemented a badge access-control system that identifies who entered and exited the room, on what date, and at what time. There are no video cameras located in the server room. Based on this information, which statement is true regarding PCI DSS physical security requirements?

Options:

A.

The badge access-control system must be protected from tampering or disabling.

B.

The merchant must install video cameras in addition to the existing access-control system.

C.

Data from the access-control system must be securely deleted on a monthly basis.

D.

The merchant must install motion-sensing alarms in addition to the existing access-control system.

Question 8

Which of the following is a requirement for multi-tenant service providers?

Options:

A.

Ensure that customers cannot access another entity’s cardholder data environment.

B.

Provide customers with access to the hosting provider's system configuration files.

C.

Provide customers with a shared user ID for access to critical system binaries.

D.

Ensure that a customer’s log files are available to all hosted entities.

Question 9

Which statement is true regarding the PCI DSS Report on Compliance (ROC)?

Options:

A.

The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs.

B.

The assessor may use either their own template or the ROC Reporting Template provided by PCI SSC.

C.

The assessor must create their own ROC template for each assessment report.

D.

The ROC Reporting Template provided by PCI SSC is only required for service provider assessments.

Question 10

Security policies and operational procedures should be?

Options:

A.

Encrypted with strong cryptography.

B.

Stored securely so that only management has access.

C.

Reviewed and updated at least quarterly.

D.

Distributed to and understood by all affected parties.

Question 11

Security policies and operational procedures should be?

Options:

A.

Encrypted with strong cryptography.

B.

Stored securely so that only management has access.

C.

Reviewed and updated at least quarterly.

D.

Distributed to and understood by all affected parties.

Question 12

If disk encryption is used to protect account data, what requirement should be met for the disk encryption solution?

Options:

A.

Access to the disk encryption must be managed independently of the operating system access control mechanisms.

B.

The disk encryption system must use the same user account authenticator as the operating system.

C.

The decryption keys must be associated with the local user account database.

D.

The decryption keys must be stored within the local user account database.

Question 13

Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder data?

Options:

A.

User access to the database is only through programmatic methods.

B.

User access to the database is restricted to system and network administrators.

C.

Application IDs for database applications can only be used by database administrators.

D.

Direct queries to the database are restricted to shared database administrator accounts.

Question 14

In accordance with PCI DSS Requirement 10, how long must audit logs be retained?

Options:

A.

At least 1 year, with the most recent 3 months immediately available.

B.

At least 2 years, with the most recent 3 months immediately available.

C.

At least 2 years, with the most recent month immediately available.

D.

At least 3 months, with the most recent month immediately available.

Question 15

Which of the following can be sampled for testing during a PCI DSS assessment?

Options:

A.

PCI DSS requirements and testing procedures.

B.

Compensating controls.

C.

Business facilities and system components.

D.

Security policies and procedures.

Question 16

Where can live PANs be used for testing?

Options:

A.

Production (live) environments only.

B.

Pre-production (test) environments only if located outside the CDE.

C.

Pre-production environments that are located within the CDE.

D.

Testing with live PANs must only be performed in the QSA Company environment.

Question 17

Viewing of audit log files should be limited to?

Options:

A.

Individuals who performed the logged activity.

B.

Individuals with read/write access.

C.

Individuals with administrator privileges.

D.

Individuals with a job-related need.

Question 18

Where can live PANs be used for testing?

Options:

A.

Production (live) environments only.

B.

Pre-production (test) environments only if located outside the CDE.

C.

Pre-production environments that are located within the CDE.

D.

Testing with live PANs must only be performed in the QSA Company environment.

Question 19

Which of the following statements is true regarding track equivalent data on the chip of a payment card?

Options:

A.

It is allowed to be stored by merchants after authorization, if encrypted.

B.

It is sensitive authentication data.

C.

It is out of scope for PCI DSS.

D.

It is not applicable for PCI DSS Requirement 3.2.

Question 20

Which of the following parties is responsible for completion of the Controls Matrix for the Customized Approach?

Options:

A.

Only a Qualified Security Assessor (QSA).

B.

Either a QSA, AQSA, or PCIP.

C.

Entity being assessed.

D.

Card brands or acquirer.

Question 21

Which systems must have anti-malware solutions?

Options:

A.

All CDE systems, connected systems, NSCs, and security-providing systems.

B.

All portable electronic storage.

C.

All systems that store PAN.

D.

Any in-scope system except for those identified as 'not at risk' from malware.

Question 22

Which of the following is an example of multi-factor authentication?

Options:

A.

A token that must be presented twice during the login process.

B.

A user passphrase and an application-level password.

C.

A user password and a PIN-activated smart card.

D.

A user fingerprint and a user thumbprint.
