QSA_New_V4 Practice Exam Questions and Answers

A.  

Visitors are escorted at all times within areas where cardholder data is processed or maintained.

B.  

Visitor badges are identical to badges used by onsite personnel.

C.  

Visitor log includes visitor name, address, and contact phone number.

D.  

Visitors retain their identification (for example, a visitor badge) for 30 days after completion of the visit.

A.  

There are different AOC templates for service providers and merchants.

B.  

The AOC must be signed by both the merchant/service provider and by PCI SS

C.  

C.  

The same AOC template is used W ROCs and SAQs.

D.  

The AOC must be signed by either the merchant/service provider or the QSA/IS

A.  

A.  

No,because a single approach must be selected.

B.  

No,because only compensating controls can be used with the Defined Approach.

C.  

Yes, if the entity uses no compensating controls.

D.  

Yes, if the entity is eligible to use both approaches.

A.  

Production (live) environments only.

B.  

Pre-production (test) environments only it located outside the CD

E.  

C.  

Pre-production environments thatare located within the CD

E.  

D.  

Testing with live PANs must only be performed in the OSA Company environment.

A.  

User access to the database Is only through programmatic methods.

B.  

User access to the database Is restricted to system and network administrators.

C.  

Application IDs for database applications can only be used by database administrators.

D.  

Direct queries to the database are restricted to shared database administrator accounts.

A.  

The badge access-control system must be protected from tampering or disabling.

B.  

The merchant must Install video cameras in addition to the existing access-control system.

C.  

Data from the access-control system must be securely deleted on a monthly basis.

D.  

The merchant must install motion-sensing alarms In addition to the existing access-control system.

A.  

Any payment software In the CD

E.  

B.  

Only software which runs on PCI PTS devices.

C.  

Validated Payment Applications that are listed by PCI SSC and have undergone a PA-DSS assessment.

D.  

Software developed by the entity in accordance with the Secure SLC Standard.

A.  

Ensure all vulnerabilities are addressed within 30 days.

B.  

Replace the need for quarterly ASV scans.

C.  

Prioritize the highest risk items so they can be addressed more quickly.

D.  

Ensure that critical security patches are installed at least quarterly

A.  

Certificates are assigned only to administrative groups, and not to regular users.

B.  

A different certificate is assigned to each individual user account, and certificates are not shared.

C.  

Certificates are logged so they can be retrieved when the employee leaves the company.

D.  

Change control processes are In place to ensure certificates are changed every 90 days.

A.  

Application vendor manuals

B.  

Files that regularly change

C.  

Security policy and procedure documents

D.  

System configuration and parameter files