Special Summer Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > PCI SSC > PCI Qualified Professionals > QSA_New_V4

QSA_New_V4 Qualified Security Assessor V4 Exam Question and Answers

Question # 4

Which statement about the Attestation of Compliance (AOC) is correct?

A.

There are different AOC templates for service providers and merchants.

B.

The AOC must be signed by both the merchant/service provider and by PCI SSC.

C.

The same AOC template is used W ROCs and SAQs.

D.

The AOC must be signed by either the merchant/service provider or the QSA/ISA.

Full Access
Question # 5

What would be an appropriate strength for the key-encrypting key (KEK) used to protect an AES 128-bit data-encrypting key (DEK)?

A.

DES 256

B.

RSA 512

C.

AES 128

D.

ROT 13

Full Access
Question # 6

An entity accepts e-commerce payment card transactions and stores account data in a database. The database server and the web server are both accessible from the Internet. The database server and the web server are on separate physical servers. What is required for the entity to meet PCI DSS requirements?

A.

The web server and the database server should be installed on the same physical server.

B.

The database server should be relocated so that it is not accessible from untrusted networks.

C.

The web server should be moved into the internal network.

D.

The database server should be moved to a separate segment from the web server to allow for more concurrent connections.

Full Access
Question # 7

Where can live PANs be used for testing?

A.

Production (live) environments only.

B.

Pre-production (test) environments only if located outside the CDE.

C.

Pre-production environments that are located within the CDE.

D.

Testing with live PANs must only be performed in the QSA Company environment.

Full Access
Question # 8

Which of the following is true regarding compensating controls?

A.

A compensating control is not necessary if all other PCI DSS requirements are in place.

B.

A compensating control must address the risk associated with not adhering to the PCI DSS requirement.

C.

An existing PCI DSS requirement can be used as compensating control if it is already implemented.

D.

A compensating control worksheet is not required if the acquirer approves the compensating control.

Full Access
Question # 9

Which of the following is required to be included in an incident response plan?

A.

Procedures for notifying PCI SSC of the security incident.

B.

Procedures for responding to the detection of unauthorized wireless access points.

C.

Procedures for securely deleting incident response records immediately upon resolution of the incident.

D.

Procedures for launching a reverse-attack on the individual(s) responsible for the security incident.

Full Access
Question # 10

If an entity shares cardholder data with a TPSP, what activity is the entity required to perform?

A.

The entity must conduct ASV scans on the TPSP’s systems at least annually.

B.

The entity must perform a risk assessment of the TPSP's environment at least quarterly.

C.

The entity must test the TPSP's incident response plan at least quarterly.

D.

The entity must monitor the TPSP’s PCI DSS compliance status at least annually.

Full Access
Question # 11

Viewing of audit log files should be limited to?

A.

Individuals who performed the logged activity.

B.

Individuals with read/write access.

C.

Individuals with administrator privileges.

D.

Individuals with a job-related need.

Full Access
Question # 12

Which of the following file types must be monitored by a change-detection mechanism (e.g., a file-integrity monitoring tool)?

A.

Application vendor manuals

B.

Files that regularly change

C.

Security policy and procedure documents

D.

System configuration and parameter files

Full Access
Question # 13

Security policies and operational procedures should be?

A.

Encrypted with strong cryptography.

B.

Stored securely so that only management has access.

C.

Reviewed and updated at least quarterly.

D.

Distributed to and understood by all affected parties.

Full Access
Question # 14

Which of the following meets the definition of "quarterly" as Indicated In the description of timeframes used In PCI DSS requirements?

A.

Occurring at some point in each quarter of a year.

B.

At least once every 95-97 days

C.

On the 15th of each third month.

D.

On the 1st of each fourth month.

Full Access
Question # 15

What must be included in an organization's procedures for managing visitors?

A.

Visitors are escorted at all times within areas where cardholder data is processed or maintained.

B.

Visitor badges are identical to badges used by onsite personnel.

C.

Visitor log includes visitor name, address, and contact phone number.

D.

Visitors retain their identification (for example, a visitor badge) for 30 days after completion of the visit.

Full Access
Question # 16

An entity wants to use the Customized Approach. They are unsure how to complete the Controls Matrix or TRA. During the assessment, you spend time completing the Controls Matrix and the TRA, while also ensuring that the customized control is implemented securely. Which of the following statements is true?

A.

You can assess the customized control, but another assessor must verify that you completed the TRA correctly.

B.

You can assess the customized control and verify that the customized approach was correctly followed, but you must document this in the ROC.

C.

You must document the work on the customized control in the ROC, but you can not assess the control or the documentation.

D.

Assessors are not allowed to assist an entity with the completion of the Controls Matrix or the TRA.

Full Access
Question # 17

What does the PCI PTS standard cover?

A.

Point-of-Interaction devices used to protect account data.

B.

Secure coding practices for commercial payment applications.

C.

Development of strong cryptographic algorithms.

D.

End-lo-end encryption solutions for transmission of account data.

Full Access
Question # 18

Which of the following parties is responsible for completion of the Controls Matrix for the Customized Approach?

A.

Only a Qualified Security Assessor (QSA).

B.

Either a QSA, AQSA, or PCIP.

C.

Entity being assessed.

D.

Card brands or acquirer.

Full Access
Question # 19

A network firewall has been configured with the latest vendor security patches. What additional configuration is needed to harden the firewall?

A.

Remove the default “Firewall Administrator” account and create a shared account for firewall administrators to use.

B.

Configure the firewall to permit all traffic until additional rules are defined.

C.

Synchronize the firewall rules with the other firewalls in the environment.

D.

Disable any firewall functions that are not needed in production.

Full Access
Question # 20

Which of the following file types must be monitored by a change-detection mechanism (for example, a file-integrity monitoring tool)?

A.

Application vendor manuals

B.

Files that regularly change

C.

Security policy and procedure documents

D.

System configuration and parameter files

Full Access
Question # 21

Which of the following describes the intent of installing one primary function per server?

A.

To allow functions with different security levels to be implemented on the same server.

B.

To prevent server functions with a lower security level from introducing security weaknesses to higher-security functions on the same server.

C.

To allow higher-security functions to protect lower-security functions installed on the same server.

D.

To reduce the security level of functions with higher-security needs to meet the needs of lower-security functions.

Full Access
Question # 22

What process is required by PCI DSS for protecting card-reading devices at the point-of-sale?

A.

Devices are periodically inspected to detect unauthorized card skimmers.

B.

The serial number of each device is periodically verified with the device manufacturer.

C.

Device identifiers and security labels are periodically replaced.

D.

Devices are physically destroyed if there is suspicion of compromise.

Full Access