PCI ISA Exam Question And Answers 2023

QSAs must retain work papers for a minimum of _ years. It is a recommendation for ISAs to do the same.
3

According to PCI DSS requirement 1, Firewall and router rule sets need to be reviewed every _ months.
6

At least __ and prior to the annual assessment the assessed entity:

  • Identifies all locations and flows of cardholder data to verify they are included in the CDE
  • Confirms the accuracy of their PCI DSS scope
  • Retains their scoping documentation for assessor reference
annually

scope includes
people, process, technology

Evidence Retention
It is recommended that the ISA secure and maintain digital and/or hard copies of case logs, audit results and work papers, notes, and any technical information that was created and/or obtained during the PCI Data Security Assessment for a minimum of __ or as applicable to company data retention policies
three (3) years

A (time) __ process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements.
quarterly

Do not store SAD after __ (even if encrypted). (track data / cvc / pin)
authorization

manual clear-text key-management procedures specify processes for the use of the following
Split knowledge. Dual control.

Dual control
At least two people are required to perform any key-management operations and no one person has access to the authentication materials (for example, passwords or keys) of another

Split knowledge
Key components are under the control of at least two people who only have knowledge of their own key components

PAN is rendered unreadable in which ways
hash
mask
encrypt
pad

Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within _ of release.
one month

Installation of all applicable vendor-supplied security patches within an _______
appropriate time frame (for example, within three months)

makes sure change control has these 4 things
impact
testing (PCI review)
backout
approval

Train developers at least __ in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
annually

Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least _______

or

automated technical solution that detects and prevents web-based attacks active _
annually and after any changes

all the time

Observe user accounts to verify that any inactive accounts over __ are either removed or disabled.
90 days old

For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than _ invalid logon attempts.
6

once a user account is locked out, it remains locked for a minimum of _ or __
30 mins or until a system administrator resets the account

idle time out features have been set to __
15 mins or less

For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords at least once every __.
90 days

new passwords/passphrases cannot be the same as the __ previously used passwords/passphrases
4

Verify that data from video cameras and/or access control mechanisms is reviewed, and that data is stored for __
at least three months.

visitor log is
retained for 3 months
name,
firm,
escort

Verify that the storage location security is reviewed at least _ to confirm that backup media storage is secure.
annually

Review media inventory logs to verify that logs are maintained and media inventories are performed at least _
annually

reviewing the following at least __, either manually or via log tools:

All security events
Logs of all system components that store, process, or transmit CHD and/or SAD
Logs of all critical system components
Logs of all servers and system components that perform security functions
daily

reviewing logs of all other system components _—either manually or via log tools—based on the organization’s policies and risk management strategy.
periodically

retaining audit logs for at least __, with a minimum of __ immediately available online
one year

3 months

Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a ___ basis
quarterly

Run internal and external network vulnerability scans at least _ and __________ in the network
quarterly and after any significant change

verify that _ internal/(external ASV) scans occurred in the most recent
four quarterly

12-month period

penetration testing when?

how about service providers on seg controls??
quarterly and after sig changes

6 months and sig changes

IDS/IPS where?
at perimeter of CDE and at crit points in CDE

perform critical file comparisons at least _
weekly

information security policy reviewed when?
annually and sig changes

entities monitor its service providers’ PCI DSS compliance status at least __
annually

incident response plan tested when?
annually

service providers only: Perform reviews at least _ to confirm personnel are following security policies and operational procedures.
quarterly

Where POS POI terminals (and the SSL/TLS termination points to which they connect) use SSL and/or early TLS, the entity must either:
Confirm the devices are not susceptible to any known exploits for those protocols, or
Have a formal Risk Mitigation and Migration Plan in place

DESV User accounts and access privileges are reviewed at least every _
six months

PCI DSS requirements are applicable wherever ___ is stored, processed, or transmitted
PAN or SAD

Contains all fields of both Track 1 and Track 2
track 1 (Length up to 79 characters)

track 2 contains?
Provides shorter processing time for older dial-up transmissions
Length up to 40 characters

If you find a potential card number, you can use a __ check to see if it is a valid card number
mod 10 (luhn)

Examine documented results of scope reviews and interview personnel to verify that the reviews are performed:
At least quarterly
After significant changes to the in-scope environment

processes are defined and implemented to review hardware and software technologies when?
annually
