PCIP EXAM 2023-2024 ACTUAL EXAM 300 QUESTIONS AND CORRECT DETAILED ANSWERS WITH RATIONALES (VERIFIED ANSWERS) |AGRADE


When planning for an assessment, what 4 activities should be included during planning? - ANSWER-
*List of people to be interviewed, system components used, documentation (training, payment logs), facilities (physical security)
*Ensure assessor is familiar with technologies in assessment
*If sampling, verify sample selection and size is representative of the entire population
*Identify the roles and the individuals within each role to be interviewed as part of the assessment

What pre-assessment activities should an assessor consider when preparing for an assessment? - ANSWER-
*Ensure assessor(s) has competent knowledge of the technologies being assessed
*Identify types of system components and locations of facilities to be reviewed
*Consider size and complexity of the environment to be assessed.

When does authorization occur? - ANSWER- At time of purchase

When does clearing occur? - ANSWER- Usually within one day

When does settlement occur? - ANSWER- Usually within 2 days


Where does an assessor document their sampling methodology? - ANSWER- Report on Compliance (ROC)

Manual clear-text key-management procedures specify processes for the use of the following - ANSWER- Split knowledge & Dual Control

What is dual control? - ANSWER- At least people are required to perform any key-management operations, and no one person has access to the authentication materials (for example, passwords or keys) of another.

What is split knowledge? - ANSWER- Key components are under the control of at least 2 people who only have knowledge of their own key components.

True or False: Encryption key management is an optional PA-DSS requirement to be used only if the customer requests encryption requirements above and beyond PCI. - ANSWER- False- must use encryption key management

When should keys be retired or replaced? - ANSWER- When keys are deemed weakened, are no longer needed, are suspected of being compromised and/or are compromised, or a key custodian no longer works for the company.

Archived cryptographic keys are only used for what purpose? - ANSWER- Decryption/verification purposes.


What is masking? - ANSWER- Applies to displaying of information and implies that data can be accessed behind the scenes.

What is truncation? - ANSWER- Applies to storage and implies the permanent and irrecoverable transformation of the original data.

What is hashing? - ANSWER- Applies to storage; uses a special cryptographic method that takes a block of data (PAN) and passes it through a one-way process to produce a block of encrypted data. It cannot be reversed to recover the original data. It eliminates the risks involved in managing and keeping keys secure.

How often should unnecessary stored data be purged? - ANSWER- At least quarterly

A user is locked out after _____ wrong attempts - ANSWER- 6

If a session has been idle for _____ minutes, a user must re-authenticate to re-activate the terminal or session - ANSWER- 15 mins

Once a user account is locked out, it remains locked out for a minimum of _____ or _____ - ANSWER- 30 mins or until a system administrator resets the account.


Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least ____ or ____ - ANSWER- Annually and after any changes, or all the time

What are "shared services"? - ANSWER- Common system components that provide services to many system components across an organization, such as domain name service and network time protocol

What is NTP and is it in scope? - ANSWER- Network Time Protocol sets all system computers to the same time. Yes, this server has access into the cardholder data environment to provide the set time and date

Active Directory, NTP, DNS, Patches, and SMTP are examples of ____ - ANSWER- Shared Services that are in scope for PCI

Verify that storage location security is reviewed at least _____ to confirm that backup media storage is secure - ANSWER- Annually

Review media inventory logs to verify that logs are maintained and media inventories are performed at least - ANSWER- Annually

Data (media) from video cameras and access controls to sensitive areas is stored for at least ______ - ANSWER- 3 months

Software should be configured to perform critical file comparisons at least - ANSWER- Weekly

