QSA_New_V4 Practice Questions

A.  

Public keys must be encrypted with a key-encrypting key.

B.  

Data-encrypting keys must be stronger than the key-encrypting key that protects it.

C.  

Private or secret keys must be encrypted, stored within an SCD, or stored as key components.

D.  

Key-encrypting keys and data-encrypting keys must be assigned to the same key custodian.

A.  

Production (live) environments only.

B.  

Pre-production (test) environments only it located outside the CD

E.  

C.  

Pre-production environments that are located within the CD

E.  

D.  

Testing with live PANs must only be performed in the OSA Company environment.

A.  

Production (live) environments only.

B.  

Pre-production (test) environments only if located outside the CD

E.  

C.  

Pre-production environments that are located within the CD

E.  

D.  

Testing with live PANs must only be performed in the QSA Company environment.

A.  

Details of the entity’s project plan for implementing the requirement.

B.  

Details of how the assessor observed the entity's systems were compliant with the requirement.

C.  

Details of the entity's reason for not implementing the requirement.

D.  

Details of how the assessor observed the entity's systems were not compliant with the requirement.

A.  

Controls are needed to prevent the original PAN being exposed by the hashed and truncated versions.

B.  

The hashed version of the PAN must also be truncated per PCI DSS requirements for strong cryptography.

C.  

The hashed and truncated versions must be correlated so the source PAN can be identified.

D.  

Hashed and truncated versions of a PAN must not exist in same environment.

A.  

There are different AOC templates for service providers and merchants.

B.  

The AOC must be signed by both the merchant/service provider and by PCI SS

C.  

C.  

The same AOC template is used W ROCs and SAQs.

D.  

The AOC must be signed by either the merchant/service provider or the QSA/IS

A.  

A.  

You can assess the customized control, but another assessor must verify that you completed the TRA correctly.

B.  

You can assess the customized control and verify that the customized approach was correctly followed, but you must document this in the RO

C.  

C.  

You must document the work on the customized control in the ROC, but you can not assess the control or the documentation.

D.  

Assessors are not allowed to assist an entity with the completion of the Controls Matrix or the TR

A.  

A.  

A token that must be presented twice during the login process.

B.  

A user passphrase and an application-level password.

C.  

A user password and a PIN-activated smart card.

D.  

A user fingerprint and a user thumbprint.

A.  

Monitor the control.

B.  

Derive testing procedures and document them in Appendix E of the RO

C.  

C.  

Document and maintain evidence about each customized control as defined in Appendix E of PCI DSS.

D.  

Perform the targeted risk analysis as per PCI DSS requirement 12.3.2.

A.  

The retired key must not be used for encryption operations.

B.  

Cryptographic key components from the retired key must be retained for 3 months before disposal.

C.  

A new key custodian must be assigned.

D.  

All data encrypted under the retired key must be securely destroyed.