pci qsa-new-v4 practice test

Exam Title: Qualified Security Assessor V4 Exam

Last update: Nov 27, 2025
Question 1

Which of the following file types must be monitored by a change-detection mechanism (for example,
a file-integrity monitoring tool)?

  • A. Application vendor manuals
  • B. Files that regularly change
  • C. Security policy and procedure documents
  • D. System configuration and parameter files
Answer:

D


Explanation:
Scope of Change-Detection Mechanisms
PCI DSS v4.0 Requirement 11.5.2 requires a change-detection mechanism (for example, file-integrity
monitoring) that alerts personnel to unauthorized modification of critical files and performs
critical-file comparisons at least once weekly.
Critical files include system configuration and parameter files, application executables and
libraries, and scripts used in administrative functions. The mechanism has to be told which files to
watch; files that legitimately change all the time (logs, caches, transaction data) cannot be covered
without burying analysts in alerts that mean nothing.
Intent of Monitoring System Files
These files control the security settings and operational parameters of systems in the Cardholder
Data Environment (CDE). An unauthorized change (a relaxed access rule, an altered authentication
module, a modified start-up script) can silently compromise the system, which is why Requirement
12.10.5 requires alerts from change-detection mechanisms to be covered by the incident response plan.
Exclusions
Option B is wrong because files that change regularly produce constant, non-actionable alerts and are
excluded or handled by other controls. Application vendor manuals and security policy documents
(Options A and C) are not system files; they do not affect the security posture or operation of
systems in the CDE, so they do not require integrity monitoring.
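The mechanism this question tests, shown as an added example that is not part of the practice test and not the code of any particular file-integrity monitoring product: a small Python baseline-and-compare tool that hashes the critical file types named above (configuration files and administrative scripts), ignores files that change as part of normal operation (logs), and reports what was added, removed, or modified. The directory tree, file names and contents are constructed for the demo, and the suffix-based policy for deciding what is "critical" is an assumption; real tools use explicit, per-platform include lists.

```python
# Added example (not from the exam page): a minimal change-detection mechanism
# of the kind Requirement 11.5.2 describes. Paths, contents and the suffix policy
# below are constructed for illustration.
import hashlib
import tempfile
from pathlib import Path

# Assumed policy: which file types are critical, and which change routinely
MONITORED_SUFFIXES = {".conf", ".cfg", ".ini", ".sh", ".py"}
EXCLUDED_SUFFIXES = {".log", ".pid", ".tmp"}


def is_critical(path) -> bool:
    """True for files the change-detection mechanism should watch."""
    path = Path(path)
    if path.suffix in EXCLUDED_SUFFIXES:
        return False
    return path.suffix in MONITORED_SUFFIXES


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of relative path -> {sha256, mode, size} for every critical file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_critical(p):
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "mode": st.st_mode & 0o7777,  # permission bits are part of the integrity state
                "size": st.st_size,
            }
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """Re-scan root and diff against the stored baseline (the periodic comparison of 11.5.2)."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario: one config edited, one log appended to, one new script dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "etc" / "sshd.conf").write_text("PermitRootLogin no\n")
        (root / "etc" / "rotate.sh").write_text("#!/bin/sh\nlogrotate /etc/logrotate.conf\n")
        (root / "var" / "log" / "auth.log").write_text("baseline line\n")
        baseline = build_baseline(root)

        # Changes made after the baseline was taken
        (root / "etc" / "sshd.conf").write_text("PermitRootLogin yes\n")            # security setting relaxed
        (root / "var" / "log" / "auth.log").write_text("baseline line\nlogin ok\n")  # normal log growth, not reported
        (root / "etc" / "new_admin.sh").write_text("#!/bin/sh\nuseradd -m helper\n")  # new administrative script
        return compare(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The relaxed sshd setting and the new script are reported; the growing log is not, which is the point of Option B being wrong: a mechanism that watched every file would alert on every log write. A production deployment would store the baseline outside the monitored host (or sign it), because an attacker who can edit the configuration can also edit a baseline kept beside it.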

Question 2

Which scenario describes segmentation of the cardholder data environment (CDE) for the purposes
of reducing PCI DSS scope?

  • A. Routers that monitor network traffic flows between the CDE and out-of-scope networks.
  • B. Firewalls that log all network traffic flows between the CDE and out-of-scope networks.
  • C. Virtual LANs that route network traffic between the CDE and out-of-scope networks.
  • D. A network configuration that prevents all network traffic between the CDE and out-of-scope networks.
Answer:

D


Explanation:
Segmentation Defined
PCI DSS v4.0 describes network segmentation as isolating the CDE from the rest of the entity's
network so that out-of-scope systems cannot affect the security of the CDE. Segmentation is not itself
a PCI DSS requirement, but it is the mechanism that lets an entity reduce the scope of an assessment.
Key Requirements for Segmentation
For a system to be out of scope it must have no connectivity to the CDE and no ability to impact its
security; a network configuration that prevents all traffic between the CDE and out-of-scope networks
(Option D) achieves exactly that. Firewalls, ACLs, and other network security controls (NSCs) can
enforce it, and Requirement 11.4.5 requires penetration testing of the segmentation controls at least
once every 12 months and after changes (every six months for service providers, per 11.4.6) to confirm
the isolation actually holds.
Incorrect Options
Monitoring or logging traffic (Options A and B) observes the traffic but still allows it, so the
networks remain connected and both sides remain in scope.
Virtual LANs that route traffic between the CDE and other networks (Option C) connect the networks
rather than isolate them; VLANs alone separate broadcast domains and are insufficient unless combined
with controls that block the traffic.

Question 3

What is the intent of classifying media that contains cardholder data?

  • A. Ensuring that media is properly protected according to the sensitivity of the data it contains.
  • B. Ensuring that media containing cardholder data is moved from secured areas on a quarterly basis.
  • C. Ensuring that media is clearly and visibly labeled as "Confidential" so all personnel know that the media contains cardholder data.
  • D. Ensuring that all media is consistently destroyed on the same schedule, regardless of the contents.
Answer:

A


Explanation:
Purpose of Classifying Media
PCI DSS v4.0 Requirement 9.4.2 requires that all media with cardholder data be classified in
accordance with the sensitivity of the data. Classification drives the handling, storage, transport,
and destruction procedures applied to each piece of media.
Media Protection Requirements
Media containing cardholder data must be physically secured while stored (9.4.1), secured and approved
by management when sent outside the facility (9.4.3 and 9.4.4), inventoried (9.4.5), and destroyed
when no longer needed for business or legal reasons (9.4.6 and 9.4.7). Classification tells personnel
which of these controls apply to a given item and at what strength (encryption, locked storage, a
tracked courier).
Incorrect Options
Option B: There is no requirement to move media out of secured areas on a schedule; movement outside
the facility is the exception and requires management approval.
Option C: A "Confidential" label is one way to express a classification, but a label on its own
protects nothing; the intent is the protection applied as a result of the classification.
Option D: Destruction is driven by the retention policy of Requirement 3.2.1 and by the sensitivity of
the contents, not by one calendar for all media.

Question 4

Which statement is true regarding the use of intrusion detection techniques, such as intrusion
detection systems and/or intrusion prevention systems (IDS/IPS)?

  • A. Intrusion detection techniques are required on all system components.
  • B. Intrusion detection techniques are required to alert personnel of suspected compromises.
  • C. Intrusion detection techniques are required to isolate systems in the cardholder data environment from all other systems
  • D. Intrusion detection techniques are required to identify all instances of cardholder data.
Answer:

B


Explanation:
PCI DSS Requirement:
Requirement 11.5.1 (Requirement 11.4 in PCI DSS v3.2.1) requires intrusion-detection and/or
intrusion-prevention techniques to detect and/or prevent intrusions into the network, monitoring all
traffic at the perimeter of the CDE and at critical points inside it, with personnel alerted to
suspected compromises and detection engines, baselines, and signatures kept up to date.
Purpose of IDS/IPS:
These systems identify attack traffic and known-bad patterns and raise alerts so that personnel can
respond before a compromise spreads; Requirement 12.10.5 requires that alerts from IDS/IPS be covered
by the incident response plan.
Rationale Behind Correct Answer:
A: Coverage is required at the CDE perimeter and at critical points within it, not a sensor on every
system component.
C: Isolating the CDE from other systems is the role of network segmentation and NSCs (Requirement 1),
not of IDS/IPS.
D: Locating all instances of cardholder data is a data-discovery and scoping activity (Requirement
12.5.2), not an IDS/IPS function; IDS/IPS monitor for and alert on intrusions.

Question 5

Which scenario meets PCI DSS requirements for critical systems to have correct and consistent time?

  • A. Each internal system is configured to be its own time server.
  • B. Access to time configuration settings is available to all users of the system.
  • C. Central time servers receive time signals from specific, approved external sources.
  • D. Each internal system peers directly with an external source to ensure accuracy of time updates.
Answer:

C


Explanation:
Time Synchronization Standards:
PCI DSS v4.0 Requirement 10.6 (Requirement 10.4 in v3.2.1) requires time-synchronization technology
on all systems (10.6.1) and a specific hierarchy (10.6.2): one or more designated time servers are in
use; only the designated central time server(s) receive time from external sources; that external time
is based on International Atomic Time or UTC; designated time servers peer with one another to keep
accurate time; and internal systems receive time only from the designated central time server(s).
Requirement 10.6.3 restricts access to time data to personnel with a business need and requires
changes to time settings on critical systems to be logged, monitored, and reviewed.
Correctness and Consistency of Time:
A single trusted time hierarchy gives every log a comparable timestamp, which is what makes log
correlation across systems, forensic reconstruction of an incident, and the log reviews of Requirement
10.4 possible.
Invalid Options:
A: Each system acting as its own time source drifts independently, so timestamps cannot be reliably
correlated.
B: Allowing all users to change time settings violates 10.6.3 and lets an attacker backdate or
scramble evidence.
D: Each internal system peering directly with external sources violates 10.6.2, which permits only the
designated central time servers to receive external time.

Question 6

A network firewall has been configured with the latest vendor security patches. What additional
configuration is needed to harden the firewall?

  • A. Remove the default "Firewall Administrator" account and create a shared account for firewall administrators to use.
  • B. Configure the firewall to permit all traffic until additional rules are defined.
  • C. Synchronize the firewall rules with the other firewalls in the environment.
  • D. Disable any firewall functions that are not needed in production.
Answer:

D


Explanation:
Firewall Hardening:
Patching closes known vulnerabilities but does not reduce the attack surface. Requirement 2.2 requires
system components, including network security controls (NSCs) such as firewalls, to be configured
according to documented hardening standards, and Requirement 2.2.4 specifically requires that only
necessary services, protocols, daemons, and functions are enabled and that all unnecessary
functionality is removed or disabled. Disabling functions the firewall does not need in production
(unused management interfaces, protocols, or features) removes code paths an attacker could otherwise
reach.
Explanation of Other Options:
A: Removing the default account is sound, but replacing it with a shared account violates Requirement
8.2.2, which permits shared or generic accounts only on an exception basis with documented
justification, management approval, and attribution of every action to an individual; a standing
shared administrator account provides none of that, and Requirement 8.2.1 requires a unique ID per user.
B: Permitting all traffic until rules are defined violates Requirements 1.3.1 and 1.3.2, which require
that inbound and outbound traffic to and from the CDE be restricted to what is necessary and that all
other traffic be specifically denied; an NSC starts from deny-all.
C: Consistent rules across firewalls can be useful operationally, but firewalls protecting different
segments legitimately carry different rulesets; synchronization is neither a requirement nor a
hardening step.

Question 7

What must be included in an organization's procedures for managing visitors?

  • A. Visitors are escorted at all times within areas where cardholder data is processed or maintained.
  • B. Visitor badges are identical to badges used by onsite personnel.
  • C. Visitor log includes visitor name, address, and contact phone number.
  • D. Visitors retain their identification (for example, a visitor badge) for 30 days after completion of the visit.
Answer:

A


Explanation:
Visitor Management Requirements:
PCI DSS v4.0 Requirement 9.3.2 requires procedures for authorizing and managing visitor access to the
CDE under which visitors are authorized before entering, escorted at all times, and clearly identified
with a badge or other identification that expires and visibly distinguishes them from personnel.
Escorting (Option A) is the control that stops an authorized visitor from wandering into areas where
cardholder data is processed or stored.
Invalid Options:
B: Visitor badges must visibly distinguish visitors from onsite personnel (9.3.2); identical badges
defeat the control.
C: The visitor log required by 9.3.4 records the visitor's name, the company represented, the date and
time of the visit, and the name of the personnel who authorized access, and is retained for at least
three months; a home address and phone number are not required.
D: Requirement 9.3.3 requires visitor badges or identification to be surrendered or deactivated before
the visitor leaves the facility or at the date of expiration, not kept for 30 days.

Question 8

Which of the following meets the definition of "quarterly" as indicated in the description of
timeframes used in PCI DSS requirements?

  • A. Occurring at some point in each quarter of a year.
  • B. At least once every 95-97 days
  • C. On the 15th of each third month.
  • D. On the 1st of each fourth month.
Answer:

A


Explanation:
Definition of Quarterly:
Section 7 of PCI DSS v4.0 ("Description of Timeframes Used in PCI DSS Requirements") explains that a
timeframe such as "quarterly" (written "every three months" in most v4.0 requirements) sets the
minimum frequency of a control, and defines it as at least once every 90 to 92 days, or on the nth day
of each quarter. Option A is the only option that fits: the activity occurs in every quarter of the
year, and the interval between occurrences stays within roughly a quarter. An assessor checks both
points, for example by lining up the dates of the internal and external vulnerability scans required
by 11.3.1 and 11.3.2 and looking for a quarter with no scan or a gap longer than the window.
Clarification on Other Options:
B: A 95 to 97 day interval exceeds the 90 to 92 day window and would allow a quarter to pass with no
occurrence.
C/D: PCI DSS does not prescribe fixed calendar dates. Option D (the 1st of every fourth month) would
also leave about 120 days between occurrences, which is three times a year, not quarterly.

Question 9

Which systems must have anti-malware solutions?

  • A. All CDE systems, connected systems, NSCs, and security-providing systems.
  • B. All portable electronic storage.
  • C. All systems that store PAN.
  • D. Any in-scope system except for those identified as 'not at risk' from malware.
Answer:

D


Explanation:
Scope of Anti-Malware Requirements
PCI DSS v4.0 Requirement 5.2.1 requires an anti-malware solution to be deployed on all system
components, except those specifically identified as not at risk from malware under Requirement 5.2.3.
5.2.3 requires that such components be evaluated periodically, with a documented list of the
components and an assessment of whether they remain not at risk (5.2.3.1 requires the frequency of
that evaluation to be set by a targeted risk analysis). Option D captures both halves: in-scope systems
get anti-malware unless documented as not at risk.
Assessment Considerations
A QSA checks the documented list of "not at risk" systems, the rationale for each (for example, a
platform with no known malware threats and no available anti-malware product), and evidence that the
periodic re-evaluation actually happens; an undocumented exclusion is a finding. Any in-scope system
component (systems that store, process, or transmit account data, connected-to systems, and systems
that can impact the security of the CDE) is a candidate for anti-malware.
Incorrect Options
Option A: This describes the in-scope system population but omits the 5.2.3 exclusion; the requirement
is framed around risk from malware, not around system category.
Option B: Removable electronic media is addressed by Requirement 5.3.3, which requires the anti-malware
solution to scan such media when it is inserted or to perform continuous behavioral analysis; the
media itself is not where anti-malware is installed.
Option C: Systems that store PAN are only a subset of the in-scope components that need anti-malware.

Question 10

Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder
data?

  • A. User access to the database is only through programmatic methods.
  • B. User access to the database is restricted to system and network administrators.
  • C. Application IDs for database applications can only be used by database administrators.
  • D. Direct queries to the database are restricted to shared database administrator accounts.
Answer:

A


Explanation:
Restricting Database Access
PCI DSS v4.0 Requirement 7.2.6 requires that all user access to query repositories of stored
cardholder data be restricted as follows: via applications or other programmatic methods, with access
and allowed actions based on user roles and least privileges, and with only the responsible
administrator(s) able to directly access or query the repositories. Option A is the scenario that
matches the first condition.
Eliminating Direct Access
Routing users through an application means the application enforces which rows, columns, and
operations each role can reach, and the individual user behind each query is logged (Requirement
10.2.1.1 requires audit logs of all individual user access to cardholder data). Direct, ad hoc queries
bypass that layer and are therefore reserved for the responsible database administrators, who must use
individual accounts.
Incorrect Options
Option B: System and network administrators have no business need for direct database access; 7.2.6
limits direct access to the administrators responsible for the database, and all other users go
through applications.
Option C: Application IDs exist for the application to authenticate to the database; Requirement 8.6.1
requires that any interactive use of an application or system account be managed by exception, with
documented justification, management approval, and attribution to an individual user. Letting DBAs log
in with the application ID destroys accountability.
Option D: Shared administrator accounts violate Requirement 8.2.2; each administrator must use an
individual account so that every query is attributable to a person.

Page 1 out of 3
Viewing questions 1-10 out of 40