Assessor_New_V4 Assessor_New_V4 Exam Question and Answers

According to the PCI DSS v3.2.1 Quick Reference Guide1, the database server should be relocated so that it is not accessible from untrusted networks. This is one of the requirements for protecting cardholder data in transit and at rest.

when PAN is sent over the Internet, PAN must be encrypted with strong cryptography, which means it should use encryption techniques such as WEP, WPA, WPA2, or TLS/SSL to prevent unauthorized access or interception. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.

According to the PCI DSS v3.2.1 Quick Reference Guide1, the assessor may use either their own template or the ROC Reporting Template provided by PCI SSC. This is one of the requirements for ensuring consistency and accuracy in ROCs.

According to the PCI DSS v3.2.1 Quick Reference Guide1, passwords for default accounts and default administrative accounts should be changed before installing a system on the network. This is one of the requirements for preventing unauthorized access to cardholder data.

Segmentation is a method of isolating system components that store, process, or transmit cardholder data from systems that do not, by using security controls such as firewalls, routers, switches, or other devices1. Segmentation can reduce the scope of the cardholder data environment (CDE) and thus reduce the scope of the PCI DSS assessment, as only the systems and networks within the CDE or connected to the CDE are subject to PCI DSS requirements2. Virtual LANs (VLANs) are one example of such a security control, as they can create logical subnetworks that separate different types of traffic and restrict access between them3. Therefore, the correct answer is option C.

The other options are not true regarding the scenario that describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope. Option A is not true because routers that monitor network traffic flows between the CDE and out-of-scope networks are not sufficient to isolate the CDE, as they do not prevent or limit the traffic flows. Option B is not true because firewalls that log all network traffic flows between the CDE and out-of-scope networks are not sufficient to isolate the CDE, as they do not block or filter the traffic flows. Option D is not true because a network configuration that prevents all network traffic between the CDE and out-of-scope networks is not realistic or feasible, as some traffic may be necessary for business or legal reasons, such as payment processing, reporting, or auditing. References:

• Network Segmentation - PCI Security Standards Council
• Guidance for PCI DSS Scoping and Network Segmentation
• VLANs and PCI Compliance: What You Need to Know

An LDAP server is a type of directory service that provides authentication and authorization data to the cardholder data environment (CDE)1. According to the PCI DSS scoping and segmentation guidance2, any system that provides a security service to the CDE, such as authentication, is considered a connected or security-impacting system (Category 2) and is in scope for PCI DSS. This is because such systems can affect the security and controls of the CDE and the cardholder data (CHD) or sensitive authentication data (SAD) that it contains. Therefore, an LDAP server providing authentication services to the CDE is in scope for PCI DSS, regardless of whether it stores, processes, or transmits CHD or SAD, or whether it provides authentication services to systems in the DMZ or not. References:

• Guidance for PCI DSS Scoping and Network Segmentation
• What Are the Effects of Using Active Directory as a Shared Service on PCI Compliance?
• The Ultimate Guide To PCI DSS Scoping and Segmentation
• LDAP - PCI Security Standards Council

all network transmissions must be logged by an entity’s security information and event management (SIEM) system or equivalent tool, which means they should record all network events and activities related to cardholder data processing and transmission. This is one of the requirements for ensuring that network transmissions are monitored and audited.

According to the PCI DSS v3.2.1 Quick Reference Guide1, a compensating control must address the risk associated with not adhering to a PCI DSS requirement and must be approved by an authorized person before implementation. This is one of the requirements for reducing or eliminating a risk that cannot be eliminated by other means

According to the PCI DSS v3.2.1 Quick Reference Guide1, pre-production environments that are located within the cardholder data environment can be used for testing, as long as they are not accessible from untrusted networks and are monitored for any changes or vulnerabilities. This is one of the requirements for ensuring that testing environments are isolated from production environments.

According to the PCI DSS v3.2.1 Quick Reference Guide1, assigning a unique ID to each person is intended to ensure individual users are accountable for their own actions, rather than shared accounts or group accounts based on need-to-know. This is one of the requirements for ensuring that user accounts are properly managed and controlled.

According to the PCI DSS v3.2.1 Quick Reference Guide1, settlement occurs when a merchant receives payment from a card issuer for a completed transaction and delivers goods or services to a customer or another party as agreed upon in advance by both parties, subject to any conditions imposed by either party upon delivery or payment, including but not limited to acceptance, rejection, return, exchange, refund, cancellation, modification, suspension, termination or revocation by either party upon delivery or payment; or any other conditions imposed by either party upon delivery or payment; or any other conditions imposed by either party upon delivery or payment; or any other conditions imposed by either party upon delivery or payment;

According to requirement 3.1.2, an assessment with at least one requirement marked as Not Tested is considered a partial assessment, which means it does not meet all the requirements and controls defined in Appendix E of the PCI DSS v3.2.1 Quick Reference Guide1. This is one of the requirements for ensuring that assessments are conducted in accordance with PCI DSS.

According to the PCI DSS v3.2.1 Quick Reference Guide1, any in-scope system except for those identified as not at risk from malware must have anti-malware solutions installed and configured according to best practices. This is one of the requirements for preventing malware infections that could compromise cardholder data.

According to the PCI DSS v3.2.1 Quick Reference Guide1, private or secret keys must be encrypted, stored within an SCD or stored as key components. This is one of the requirements for ensuring secure encryption and authentication.

According to the PCI DSS v3.2.1 Quick Reference Guide1, screening and background checks for personnel with access to the cardholder data environment are required, as they may pose a risk if they have compromised or stolen cardholder data in the past or present. This is one of the requirements for ensuring that personnel with access to cardholder data are qualified and trustworthy.