A retail merchant has a server room containing systems that store encrypted PAN dat
a. The merchant has Implemented a badge access-control system that Identifies who entered and exited the room, on what date, and at what time. There are no video cameras located in the server room. Based on this information, which statement is true regarding PCI DSS physical security requirements?
Answer : A
Physical Security Requirements:
PCI DSS Requirement 9.1.1 mandates that physical access control systems (like badge readers) must be protected against tampering or disabling to ensure continuous security.
Current Implementation:
The merchant's badge access-control system provides essential logging of access events but must also be protected against tampering to comply with PCI DSS.
Invalid Options:
B: Video cameras are recommended but not explicitly required if access controls effectively ensure security.
C: Secure deletion of access-control logs is not a PCI DSS requirement; logs must be retained as per retention policies.
D: Motion-sensing alarms are not mandatory under PCI DSS physical security requirements.
A network firewall has been configured with the latest vendor security patches. What additional configuration Is needed to harden the firewall?
Answer : D
Firewall Hardening:
Requirement 1.2 mandates that firewalls should be configured with only the necessary functionality to reduce attack surfaces. Disabling unused functions eliminates potential vulnerabilities.
Explanation of Other Options:
A: Shared accounts violate Requirement 8.1.5, which prohibits shared or generic accounts.
B: Allowing all traffic initially violates Requirement 1.2.1, which requires a restrictive firewall policy.
C: Synchronization of rules may not always be necessary, especially for firewalls with different scopes or roles.
In the ROC Reporting Template, which of the following Is the best approach for a response where the requirement was "In Place'?
Answer : B
PCI DSS Reporting Expectations:
When documenting that a requirement is 'In Place,' the ROC must clearly describe how compliance was validated by the assessor. This involves detailing the evidence observed, such as system configurations, documentation, and personnel interviews.
ROC Documentation Guidelines:
The ROC Reporting Template specifies that each 'In Place' response must include evidence demonstrating compliance with the requirement, such as testing observations and validation of implemented controls.
Eliminating Incorrect Options:
A: Project plans are not sufficient to demonstrate current compliance.
C/D: Responses discussing non-implementation or non-compliance are irrelevant when the requirement is 'In Place.'
PCI DSS v4.0 ROC Template Guidance:
Appendix sections in the ROC provide specific instructions for assessors to document the testing performed, evidence reviewed, and results.
In accordance with PCI DSS Requirement 10, how long must audit logs be retained?
Answer : A
Audit Log Retention Requirements
PCI DSS Requirement 10.7 specifies audit logs must be retained for a minimum of one year. The most recent three months must be immediately accessible for incident analysis and reporting.
Purpose of Log Retention
Retaining logs aids in forensic investigations, regulatory compliance, and operational oversight.
Incorrect Options
Options B, C, and D specify durations that are not consistent with PCI DSS requirements.
Security policies and operational procedures should be?
Answer : D
Requirement Context:
PCI DSS Requirement 12.5 mandates that security policies and operational procedures are not only documented but also distributed to relevant parties to ensure clarity and compliance.
Importance of Distribution and Awareness:
All affected parties, including employees, contractors, and third parties with access to the cardholder data environment (CDE), must receive and understand the policies. This ensures they adhere to the security measures.
Review and Updates:
Security policies must be kept up to date and reviewed at least annually or after significant changes in the environment. While other options such as encryption or restricted access are important for security, the critical focus is on distribution and awareness to ensure operational effectiveness.
Testing and Validation:
During assessments, QSAs validate the implementation by examining training records, communication logs, and acknowledgment forms signed by affected parties.
Relevant PCI DSS v4.0 Guidance:
Section 12.5.1 of PCI DSS v4.0 outlines that the dissemination of policies must ensure that all personnel understand their roles in securing the environment.
Which of the following statements Is true whenever a cryptographic key Is retired and replaced with a new key?
Answer : A
Key Management Requirements:
PCI DSS Requirement 3.6.5 specifies that when a cryptographic key is retired, it must no longer be used for encryption operations but may still be retained for decryption purposes as needed (e.g., to decrypt historical data until it is re-encrypted with the new key).
Secure Key Retirement:
Retired keys should be securely stored or destroyed based on the organization's key management policy to prevent unauthorized access or misuse.
Reference in PCI DSS Documentation:
Section 3.6.5 emphasizes that retired keys must be rendered inactive for further encryption while allowing use for decryption, ensuring data continuity and compliance.
An entity accepts e-commerce payment card transactions and stores account data in a database. The database server and the web server are both accessible from the Internet. The database server and the web server are on separate physical servers. What is required for the entity to meet PCI DSS requirements?
Answer : B
Protecting the Database Server
PCI DSS v4.0 requires that systems storing cardholder data, such as database servers, must not be directly accessible from untrusted networks (Requirement 1.3).
The database server should be behind network security controls like firewalls and placed in a segmented network isolated from untrusted networks.
Segmentation Best Practices
The web server, which interfaces with external users, can remain accessible from the Internet but should reside in a DMZ to prevent direct access to the internal network.
This separation protects the database server from external threats while maintaining system functionality.
Incorrect Options
Option A: Combining the web and database servers increases the attack surface and violates best practices.
Option C: Moving the web server to the internal network exposes the internal environment.
Option D: Segmentation is critical, but the reason is not solely to allow more concurrent connections.