Assessor_New_V4 Assessor_New_V4 Exam Questions and Answers

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , any in-scope system except for those identified as not at risk from malware must have anti-malware solutions installed and configured according to best practices. This is one of the requirements for preventing malware infections that could compromise cardholder data.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , pre-production environments that are located within the cardholder data environment can be used for testing, as long as they are not accessible from untrusted networks and are monitored for any changes or vulnerabilities. This is one of the requirements for ensuring that testing environments are isolated from production environments.

The PCI DSS requires that access to databases containing cardholder data is restricted to authorized users and applications, and that direct access to such databases is prohibited. According to the PCI DSS Requirement 7.1.2, “Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.” Furthermore, according to the PCI DSS Requirement 8.3.1, “Implement multi-factor authentication for all non-console access into the cardholder data environment for personnel with administrative access.” Therefore, the scenario that meets the PCI DSS requirements for restricting access to databases containing cardholder data is the one where user access to the database is only through programmatic methods, such as through an application interface that enforces authentication, authorization, and encryption. The other scenarios either allow direct access to the database, or do not limit the access to the least privileges necessary, or do not use multi-factor authentication for administrative access.  References : [PCI DSS v3.2.1],  Card Production Security Assessor - Logical - Credly

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , the database server should be relocated so that it is not accessible from untrusted networks. This is one of the requirements for protecting cardholder data in transit and at rest.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , the intent of assigning a risk ranking to vulnerabilities is to prioritize the highest risk items so they can be addressed more quickly, rather than ensuring all vulnerabilities are addressed within 30 days or replacing the need to quarterly ASV scans or ensuring that critical security patches are installed at least quarterly. This is one of the requirements for ensuring that vulnerabilities are identified and mitigated as soon as possible.

when PAN is sent over the Internet, PAN must be encrypted with strong cryptography, which means it should use encryption techniques such as WEP, WPA, WPA2, or TLS/SSL to prevent unauthorized access or interception. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , the security protocol accepts only trusted keys. This is one of the requirements for ensuring secure encryption and authentication.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , active network connections are tracked so that invalid response traffic can be identified. This is one of the requirements for preventing replay attacks and ensuring secure communication.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , assigning a unique ID to each person is intended to ensure individual users are accountable for their own actions, rather than shared accounts or group accounts based on need-to-know. This is one of the requirements for ensuring that user accounts are properly managed and controlled.

Hashing is a form of one-way encryption that transforms a data element into a unique fixed-size data element (hash value) without a way to get the original data element from the hash value 1 .  Truncation is a method of rendering the full PAN unreadable by permanently removing a segment of the PAN data 2 .  PCI DSS Requirement 3.4 states that entities must render the PAN unreadable wherever it is stored, using any of the following methods: one-way hashes based on strong cryptography, truncation, index tokens and pads, or strong cryptography with associated key-management processes and procedures 3 .  However, PCI DSS Requirement 3.4e also states that if hashed and truncated versions of the same PAN are present in the environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN 3 .  This is because if an attacker obtains both the hashed and truncated versions of the same PAN, they may be able to use a brute-force or dictionary attack to guess the original PAN by hashing and truncating different PAN values until they find a match 4 . Therefore, the correct answer is option A.

The other options are not true regarding the presence of both hashed and truncated versions of the same PAN in an environment.  Option B is not true because PCI DSS does not require the hashed version of the PAN to be also truncated, although it is a recommended best practice to further reduce the risk of exposing the original PAN 5 . Option C is not true because PCI DSS does not require the hashed and truncated versions to be correlated, as this would defeat the purpose of rendering the PAN unreadable and increase the risk of exposing the original PAN. Option D is not true because PCI DSS does not prohibit the presence of both hashed and truncated versions of the same PAN in the same environment, as long as additional controls are in place to prevent the reconstruction of the original PAN.  References :

Protect hashed CardHolder Data according to PCI DSS 3.4 - Advantio

PCI DSS Truncation Rules and Guidelines - Truvantis

PCI DSS v3.2.1

Storing Card Numbers using hashed and truncated version of PAN

pci dss - Credit card data security - hashing, truncation and encryption - Information Security Stack Exchange

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , passwords for default accounts and default administrative accounts should be changed before installing a system on the network. This is one of the requirements for preventing unauthorized access to cardholder data.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , screening and background checks for personnel with access to the cardholder data environment are required, as they may pose a risk if they have compromised or stolen cardholder data in the past or present. This is one of the requirements for ensuring that personnel with access to cardholder data are qualified and trustworthy.

all network transmissions must be logged by an entity’s security information and event management (SIEM) system or equivalent tool, which means they should record all network events and activities related to cardholder data processing and transmission. This is one of the requirements for ensuring that network transmissions are monitored and audited.

An LDAP server is a type of directory service that provides authentication and authorization data to the cardholder data environment (CDE) 1 .  According to the PCI DSS scoping and segmentation guidance 2 , any system that provides a security service to the CDE, such as authentication, is considered a connected or security-impacting system (Category 2) and is in scope for PCI DSS. This is because such systems can affect the security and controls of the CDE and the cardholder data (CHD) or sensitive authentication data (SAD) that it contains. Therefore, an LDAP server providing authentication services to the CDE is in scope for PCI DSS, regardless of whether it stores, processes, or transmits CHD or SAD, or whether it provides authentication services to systems in the DMZ or not.  References :

Guidance for PCI DSS Scoping and Network Segmentation

What Are the Effects of Using Active Directory as a Shared Service on PCI Compliance?

The Ultimate Guide To PCI DSS Scoping and Segmentation

LDAP - PCI Security Standards Council

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , a different certificate is assigned to each individual user account, and certificates are not shared. This is one of the requirements for preventing unauthorized access to cardholder data using digital certificates.