Fast2test Assessor_New_V4問題集でリアル試験問題でテストエンジン問題集でトレーニング [Q21-Q45]

Share

Fast2test Assessor_New_V4問題集でリアル試験問題でテストエンジン問題集でトレーニング

PCI SSC Assessor_New_V4テスト問題集とオンライン試験エンジン

質問 # 21
What is the intent of classifying media that contains cardholder data?

  • A. Ensuring that media is property protected according to the sensitivity of the data it contains
  • B. Ensuring that media containing cardholder data is moved from secured areas an a quarterly basis
  • C. Ensuring that all media is consistently destroyed on the same schedule regardless of the contents
  • D. Ensuring that media is clearly and visibly labeled as 'Confidential so all personnel know that the media contains cardholder data

正解:A

解説:
Explanation
classifying media that contains cardholder data is intended to ensure that media is property protected according to the sensitivity of the data it contains, which means it should be marked with labels or tags that indicate its level of confidentiality or integrity. This is one of the requirements for ensuring that media containing cardholder data is properly labeled.


質問 # 22
An entity wants to know if the Software Security Framework can be leveraged during their assessment Which of the following software types would this apply to?

  • A. Software developed by the entity in accordance with the Secure SLC Standard
  • B. Only software which runs on PCI PTS devices
  • C. Any payment software in the CDE
  • D. Validated Payment Applications that are listed by PCI SSC and have undergone a PA-DSS assessment

正解:C

解説:
Explanation
The Software Security Framework (SSF) is a collection of standards and programs for the secure design and development of payment software1. The SSF replaces the Payment Application Data Security Standard (PA-DSS) with modern requirements that support a broader array of payment software types, technologies, and development methodologies2. The SSF applies to any payment software that is part of the cardholder data environment (CDE), which is the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data3. Therefore, the correct answer is option A.
The other options are not true regarding the applicability of the SSF to different software types. Option B is not true because the SSF is not limited to software that runs on PCI PTS devices, which are hardware devices that accept payment card data at the point of interaction. The SSF covers software that runs on various platforms and devices, such as web servers, mobile devices, cloud services, and embedded systems. Option C is not true because the SSF is not limited to validated payment applications that are listed by PCI SSC and have undergone a PA-DSS assessment, which are payment applications that have been validated by PA-DSS assessors and meet the PA-DSS requirements. The SSF covers payment software that may not be eligible for PA-DSS validation, such as software that is developed by merchants or service providers for their own use, or software that is not sold, distributed, or licensed to a third party. Option D is not true because the SSF is not limited to software that is developed by the entity in accordance with the Secure SLC Standard, which is one of the two standards that are part of the SSF and provides security requirements and assessment procedures for software vendors to integrate into their software development lifecycles. The SSF covers payment software that is developed by any entity, whether it is a software vendor, a merchant, a service provider, or a third party, as long as it meets the security requirements and validation procedures of the Secure Software Standard, which is the other standardthat is part of the SSF and provides security requirements and assessment procedures for payment software products. References:
Understanding the PCI Software Security Framework: New Educational Resources PCI Software Security Framework Provides a Modern Approach to Payment Software Security PCI DSS v3.2.1
[PCI PTS POI Security Requirements]
[Software Security Framework Secure Software Standard]
[Payment Application Data Security Standard]
[Software Security Framework Secure Software Life Cycle (Secure SLC) Standard]
[PCI DSS v4.0: Is the Customized Approach Right For Your Organization?]


質問 # 23
An organization wishes to implement multi-factor authentication for remote access, using the user's individual password and a digital certificate. Which of the following scenarios would meet PCI DSS requirements for multi-factor authentication?

  • A. A different certificate is assigned to each individual user account, and certificates are not shared
  • B. Certificates are logged so they can be retrieved when the employee leaves the company
  • C. Certificates are assigned only to administrative groups and not to regular users
  • D. Change control processes are in place to ensue certificates are changed every 90 days

正解:A

解説:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, a different certificate is assigned to each individual user account, and certificates are not shared. This is one of the requirements for preventing unauthorized access to cardholder data using digital certificates.


質問 # 24
An LDAP server providing authentication services to the cardholder data environment is

  • A. in scope for PCI DSS.
  • B. in scope only if it stores processes or transmits cardholder data
  • C. not in scope for PCI DSS
  • D. in scope only if it provides authentication services to systems in the DMZ

正解:B

解説:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, an LDAP server providing authentication services to the cardholder data environment is in scope only if it provides authentication services to systems in the DMZ. This is one of the requirements for preventing unauthorized access to cardholder data.


質問 # 25
In the ROC Repotting Template, which of the following is the best approach for a response where the requirement was in Place''?

  • A. Details of the entity s project plan for implementing the requirement
  • B. Details of the entity s reason for not implementing the requirement
  • C. Details of how the assessor observed the entity s systems were compliant with the requirement
  • D. Details of how the assessor observed the entity s systems were not compliant with the requirement

正解:C

解説:
Explanation
when a cryptographic key is retired and replaced with a new key, the assessor will verify that the assessor observed the entity's systems were compliant with the requirement, which means they should have implemented compensating controls to address any weaknesses or gaps in the customized control. This is one of the requirements for ensuring that an entity can use both approaches when appropriate.


質問 # 26
An entity wants to use the Customized Approach. They are unsure how to complete the Controls Matrix or TRA. During the assessment, you spend time completing the Controls Matrix and the TRA. while also ensuing that the customized control is implemented securely. Which of the following statements is true?

  • A. You must document the work on the customized control in the ROC but you can not assess the control or the documentation.
  • B. You can assess the customized control and verify that the customized approach was correctly followed but you must document this in the ROC.
  • C. You can assess the customized control but another assessor must verify that you completed the TRA correctly.
  • D. Assessors are not allowed to assist an entity with the completion of the Controls Matrix or the TRA.

正解:B

解説:
Explanation
The customized approach is a new option in PCI DSS v4.0 that allows entities to use alternate security controls or new technologies that meet the PCI DSS Customized Approach Objective for a requirement1. The customized approach requires the entity to complete and document a Controls Matrix and a Targeted Risk Analysis (TRA) for each customized control, and to provide this documentation to the assessor2. The assessor's role is to review the documentation, assess the customized control, and verify that the customized approach was correctly followed3. The assessor must also document the assessment of the customized control in the Report on Compliance (ROC), using the ROC Template provided by PCI SSC4. Therefore, the correct answer is option B.
The other options are not true regarding the role of the assessor in the customized approach. Option A is not true because the assessor does not need another assessor to verify the TRA, as the assessor is responsible for reviewing and validating the TRA as part of the assessment process3. Option C is not true because the assessor can and must assess the control and the documentation, as well as document the work on the customized control in the ROC34. Option D is not true because the assessor is allowed to assist the entity with the completion of the Controls Matrix or the TRA, as long as the assessor does not design, develop, or implement the customized control for the entity5. References:
PCI DSS v4.0: Is the Customized Approach Right For Your Organization?
PCI DSS v4.0: Roles and Responsibilities for the Customized Approach
PCI DSS v4.0 Report on Compliance Template
PCI DSS v4.0
PCI DSS v4.0: Customized Approach Explained


質問 # 27
What must be included m an organization's procedures for managing visitors9

  • A. Visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit
  • B. Visitor log includes visitor name, address, and contact phone number
  • C. Visitors are escorted at all times within areas where cardholder data is processed or maintained
  • D. Visitor badges are identical to badges used by onsite personnel

正解:C

解説:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, visitors are escorted at all times within areas where cardholder data is processed or maintained, visitor badges are identical to badges used by onsite personnel, visitor log includes visitor name, address, and contact phone number, visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit. These are some examples of procedures that must be included in an organization's procedures for managing visitors who access in-scope systems where cardholder data is processed or maintained.


質問 # 28
A sample of business facilities is reviewed during the PCI DSS assessment What is the assessor required to validate about the sample?

  • A. It includes a consistent set of facilities that are reviewed for all assessments.
  • B. Every facility where cardholder data is stored is reviewed
  • C. The number of facilities in the sample is at least 10 percent of the total number of facilities
  • D. All types and locations of facilities are represented

正解:D

解説:
Explanation
The PCI DSS requires that the assessor validates that the sample of business facilities is representative of the entire population of facilities that are in scope for the assessment. According to the PCI DSS Requirement
12.8.5, "Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity." Furthermore, according to the PCI DSS Requirement 12.9.1, "For service providers, provide the written agreement/acknowledgment to their customers as specified at Requirement
12.8.2." Therefore, the scenario that meets the PCI DSS requirements for validating the sample of business facilities is theone where all types and locations of facilities are represented, to ensure that the assessment covers the diversity and complexity of the card production environment. The other scenarios either do not account for the variability of the facilities, or do not follow the sampling methodology defined by the PCI DSS. References: PCI DSS v3.2.1, Card Production Security Assessor - Physical - Credly


質問 # 29
An entity is using custom software in their CDE. The custom software was developed using processes that were assessed by a Secure Software Lifecycle assessor and found to be fully compliant with the Secure SLC standard. What impact will this have on the entity's PCI DSS assessment?

  • A. There is no impact to the entity
  • B. It may help the entity to meet several requirements in Requirement 6.
  • C. It automatically makes an entity PCI DSS compliant
  • D. The custom software can be excluded from the PCI DSS assessment

正解:B

解説:
Explanation
The Secure SLC standard is one of the two standards that are part of the PCI Software Security Framework (SSF), which provides security requirements and assessment procedures for software vendors to integrate into their software development lifecycles and to validate that secure lifecycle management practices are in place12. The Secure SLC standard is designed to offer a more flexible approach to how the security and integrity of payment software is tested, and to address the evolving threat landscape and changes in software development practices3.
The PCI DSS Requirement 6 states that entities must develop and maintain secure systems and applications, and it includes several sub-requirements that cover variousaspects of software security, such as change control, secure coding, vulnerability management, and patching4. By using custom software that is compliant with the Secure SLC standard, an entity may be able to meet some or all of these sub-requirements, as the Secure SLC standard covers similar topics and ensures that the software is developed and maintained in a secure manner throughout its entire lifecycle1. However, this does not automatically make the entity PCI DSS compliant, as there are other requirements and controls that the entity must implement and validate, such as network security, access control, monitoring, and incident response4. Therefore, the correct answer is option B.
The other options are not true regarding the impact of using custom software that is compliant with the Secure SLC standard on the PCI DSS assessment. Option A is not true because, as explained above, the entity still has to comply with other PCI DSS requirements and controls that are not covered by the Secure SLC standard.
Option C is not true because there is a positive impact to the entity, as it may help the entity to meet several requirements in Requirement 6 and to demonstrate that the custom software is secure and reliable. Option D is not true because the custom software cannot be excluded from the PCI DSS assessment, as it is part of the cardholder data environment (CDE) and it may store, process, or transmit cardholder data or sensitive authentication data. The entity must ensure that the custom software meets the PCI DSS requirements and controls that are applicable to it, and that the assessor validates its compliance4. References:
Software Security Framework Secure Software Life Cycle (Secure SLC) Standard PCI Security Standards Council Publishes Version 1.1 of Secure Software Lifecycle (SLC) Standard and Program PCI Security Standards Council Publishes Version 1.1 of Secure Software Standard and Program PCI DSS v3.2.1


質問 # 30
If segmentation is being used to reduce the scope of a PCI DSS assessment the assessor will?

  • A. Verify the segmentation controls allow only necessary traffic into the cardholder data environment.
  • B. Verify the payment card brands have approved the segmentation
  • C. Verify the controls used for segmentation are configured properly and functioning as intended
  • D. Verify that approved devices and applications are used for the segmentation controls

正解:A

解説:
Explanation
According to requirement 3.1.2, if segmentation is being used to reduce the scope of a PCI DSS assessment, the assessor will verify that the segmentation controls allow only necessary traffic into the cardholder data environment, which means they should not allow any traffic until additional rules are defined. This is one of the requirements for ensuring that network firewalls are not exposed to unnecessary or unwanted traffic.


質問 # 31
Which systems must have anti-malware solutions'

  • A. Any in-scope system except for those identified as not at risk from malware
  • B. All portable electronic storage
  • C. All CDE systems, connected systems. NSCs. and security-providing systems
  • D. All systems that store PAN

正解:A

解説:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, any in-scope system except for those identified as not at risk from malware must have anti-malware solutions installed and configured according to best practices. This is one of the requirements for preventing malware infections that could compromise cardholder data.


質問 # 32
If an entity shares cardholder data with a TPSP, what activity is the entity required to perform'?

  • A. The entity must conduct ASV scans on the TPSP's systems at least annually
  • B. The entity must monitor the TPSP's PCI DSS compliance status at least annually
  • C. The entity must test the TPSP's incident response plan at least quarterly
  • D. The entity must perform a risk assessment of the TPSP's environment at least quarterly.

正解:B

解説:
Explanation
According to requirement 4, an entity must monitor its TPSP's PCI DSS compliance status at least annually, which means it should review its TPSP's policies and procedures for protecting cardholder data and transactions against fraud and other threats at least once a year. This is one of the requirements for ensuring that an entity monitors its TPSP's PCI DSS compliance status regularly.


質問 # 33
An organization wishes to implement multi-factor authentication for remote access, using the user's individual password and a digital certificate. Which of the following scenarios would meet PCI DSS requirements for multi-factor authentication?

  • A. A different certificate is assigned to each individual user account, and certificates are not shared
  • B. Certificates are logged so they can be retrieved when the employee leaves the company
  • C. Certificates are assigned only to administrative groups and not to regular users
  • D. Change control processes are in place to ensue certificates are changed every 90 days

正解:A

解説:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, a different certificate is assigned to each individual user account, and certificates are not shared. This is one of the requirements for preventing unauthorized access to cardholder data using digital certificates.


質問 # 34
The intent of assigning a risk ranking to vulnerabilities is to?

  • A. Replace the need toquarterly ASV scans
  • B. Ensure all vulnerabilities are addressed within 30 days
  • C. Prioritize the highest risk items so they can be addressed more quickly
  • D. Ensure that critical security patches are installed at least quarterly

正解:C

解説:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, the intent of assigning a risk ranking to vulnerabilities is to prioritize the highest risk items so they can be addressed more quickly, rather than ensuring all vulnerabilities are addressed within 30 days or replacing the need to quarterly ASV scans or ensuring that critical security patches are installed at least quarterly. This is one of the requirements for ensuring that vulnerabilities are identified and mitigated as soon as possible.


質問 # 35
Which of the following is true regarding internal vulnerability scans?

  • A. They must be performed by an Approved Scanning Vendor (ASV)
  • B. They must be performed after a significant change
  • C. They must be performed at least annually
  • D. They must be performed by QSA personnel

正解:B

解説:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, internal vulnerability scans must be performed after a significant change in any component or configuration that affects cardholder data or payment processing systems. This is one of the requirements for identifying and mitigating vulnerabilities that could compromise cardholder data.


質問 # 36
Which scenario describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope?

  • A. Virtual LANs that route network traffic between the CDE and out-of-scope networks
  • B. Routers that monitor network traffic flows between the CDE and out-of-scope networks
  • C. A network configuration that prevents all network traffic between the CDE and out-of-scope networks
  • D. Firewalls that log all network traffic flows between the CDE and out of-scope networks

正解:A

解説:
Explanation
Segmentation is a method of isolating system components that store, process, or transmit cardholder data from systems that do not, by using security controls such as firewalls, routers, switches, or other devices1. Segmentation can reduce the scope of the cardholder data environment (CDE) and thus reduce the scope of the PCI DSS assessment, as only the systems and networks within the CDE or connected to the CDE are subject to PCI DSS requirements2. Virtual LANs (VLANs) are one example of such a security control, as they can create logical subnetworks that separate different types of traffic and restrict access between them3.
Therefore, the correct answer is option C.
The other options are not true regarding the scenario that describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope. Option A is not true because routers that monitor network traffic flows between the CDE and out-of-scope networks are not sufficient to isolate the CDE, as they do not prevent or limit the traffic flows. Option B is not true because firewalls that log all network traffic flows between the CDE and out-of-scope networks are not sufficient to isolate the CDE, as they do not block or filter the traffic flows. Option D is not true because a network configuration that prevents all network traffic between the CDE and out-of-scope networks is not realistic or feasible, as some traffic may be necessary for business or legal reasons, such as payment processing, reporting, or auditing. References:
Network Segmentation - PCI Security Standards Council
Guidance for PCI DSS Scoping and Network Segmentation
VLANs and PCI Compliance: What You Need to Know


質問 # 37
At which step in the payment transaction process does the merchants bank pay the merchant for the purchase and the cardholder s bank bill the cardholder?

  • A. Chargeback
  • B. Authorization
  • C. Settlement
  • D. Clearing

正解:C

解説:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, settlement occurs when a merchant receives payment from a card issuer for a completed transaction and delivers goods or services to a customer or another party as agreed upon in advance by both parties, subject to any conditions imposed by either party upon delivery or payment, including but not limited to acceptance, rejection, return, exchange, refund, cancellation, modification, suspension, termination or revocation by either party upon delivery or payment; or any other conditions imposed by either party upon delivery or payment; or any other conditions imposed by either party upon delivery or payment; or any other conditions imposed by either party upon delivery or payment;


質問 # 38
Which of the following is a requirement for multi-tenant service providers?

  • A. Ensure that customers cannot access another entity s cardholder data environment
  • B. Provide customers with access to the hosting provider s system configuration files.
  • C. Ensure that a customer's log files are available to all hosted entities
  • D. Provide customers with a shared user ID for access to critical system binaries

正解:A

解説:
Explanation
According to requirement 3.1.2, multi-tenant service providers must ensure that customers cannot access another entity's cardholder data environment, which means they should isolate each customer's cardholder data from other customers' cardholder data and prevent unauthorized access or disclosure. This is one of the requirements for ensuring that multi-tenant service providers protect each customer's cardholder data.


質問 # 39
Which of the following meets the definition of 'quarterly' as indicated in the description of timeframes used in PCI DSS requirements?

  • A. On the 15th of each third month
  • B. At least once every 95 97 days.
  • C. On the 1st of each fourth month
  • D. Occurring at some point in each quarter of a year

正解:A

解説:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, quarterly means occurring at some point in each quarter of a year, not at least once every 95 or 97 days. This is one of the requirements for ensuring that PCI DSS assessments are conducted on a regular basis.


質問 # 40
A retail merchant has a server room containing systems that store encrypted PAN data. The merchant has implemented a badge access-control system that identities who entered and exited the room onwhat date and at what time There are no video cameras located in the server room Based on this information, which statement is true regarding PCI DSS physical security requirements?

  • A. The merchant must install motion-sensing alarms in addition to the existing access-control system
  • B. The merchant must install video cameras in addition to the existing access-control system
  • C. Data from the access-control system must be securely deleted on a monthly basis
  • D. The badge access-control system must be protected from tampering or disabling

正解:B

解説:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, based on this information, which statement is true regarding PCI DSS physical security requirements? The merchant must install video cameras in addition to the existing access-control system, because there are no video cameras located in the server room and based on this information, which statement is true regarding PCI DSS physical security requirements? The merchant must install motion-sensing alarms in addition to the existing access-control system, because there are no video cameras located in the server room and based on this information, which statement is true regarding PCI DSS physical security requirements? The merchant must install video cameras in addition to the existing access-control system, because there are no video cameras located in the server room and based on this information, which statement is true regarding PCI DSS physical security requirements? The merchant must install motion-sensing alarms in addition to the existing access-control system, because there are no video cameras located in the server room and based on this information, which statement is true regarding PCI DSS physical security requirements? The merchant must install video cameras in addition to the existing access-control system, because there are no video cameras located in


質問 # 41
If an entity shares cardholder data with a TPSP, what activity is the entity required to perform'?

  • A. The entity must conduct ASV scans on the TPSP's systems at least annually
  • B. The entity must monitor the TPSP's PCI DSS compliance status at least annually
  • C. The entity must test the TPSP's incident response plan at least quarterly
  • D. The entity must perform a risk assessment of the TPSP's environment at least quarterly.

正解:B

解説:
Explanation
According to requirement 4, an entity must monitor its TPSP's PCI DSS compliance status at least annually, which means it should review its TPSP's policies and procedures for protecting cardholder data and transactions against fraud and other threats at least once a year. This is one of the requirements for ensuring that an entity monitors its TPSP's PCI DSS compliance status regularly.


質問 # 42
What process is requited by PCI DSS (or protecting card-reading devices at the point-of-sale?

  • A. The serial number of each device is periodically verified with the device manufacturer
  • B. Devices are periodically inspected to detect unauthorized card stammers.
  • C. Devices are physically destroyed if there is suspicion of compromise
  • D. Device identifiers and security labels are periodically replaced

正解:B

解説:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, devices are periodically inspected to detect unauthorized card stammers using physical inspection or other methods such as software-based tools or network-based tools (such as firewalls). This is one of the requirements for preventing card skimming attacks that could compromise cardholder data.


質問 # 43
Which of the following parties is responsible for completion of the Controls Matrix for the Customized Approach?

  • A. Card brands or acquirer
  • B. Entity being assessed
  • C. Only a Qualified Security Assessor (QSA)
  • D. Either a QSA, AQSA, or PClP.

正解:B

解説:
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide1, assigning a unique ID to each person is intended to ensure individual users are accountable for their own actions, rather than shared accounts or group accounts based on need-to-know. This is one of the requirements for ensuring that user accounts are properly managed and controlled.


質問 # 44
A retail merchant has a server room containing systems that store encrypted PAN data. The merchant has implemented a badge access-control system that identities who entered and exited the room on what date and at what time There are no video cameras located in the server room Based on this information, which statement is true regarding PCI DSS physical security requirements?

  • A. The merchant must install motion-sensing alarms in addition to the existing access-control system
  • B. Data from the access-control system must be securely deleted on a monthly basis
  • C. The badge access-control system must be protected from tampering or disabling
  • D. The merchant must install video cameras in addition to the existing access-control system

正解:C

解説:
Explanation
PCI DSS Requirement 9.1.1 requires entities to use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment (CDE)1. A badge access-control system is one example of such a control, as it can identify who entered and exited the server room and when. However, this control is only effective if it is protected from tampering or disabling by unauthorized persons, as PCI DSS Requirement 9.1.2 states1. Otherwise, the access-control system could be bypassed or compromised, allowing unauthorized access to the systems that store encrypted PAN data. Therefore, the badge access-control system must be protected from tampering or disabling, as stated in option A.
The other options are not true regarding PCI DSS physical security requirements for a server room. Option B is not true because PCI DSS does not mandate the use of video cameras in addition to the existing access-control system, although it is a recommended best practice2. Option C is not true because PCI DSS does not specify a data retention period for the access-control system, although it requires entities to retain audit trail history for at least one year, with a minimum of three months immediately available for analysis3. Option D is not true because PCI DSS does not require the use of motion-sensing alarms in addition to the existing access-control system, although it is another recommended best practice2. References:
PCI DSS v3.2.1
PCI DSS Requirement 9: Upping Your Physical Security
PCI DSS Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data


質問 # 45
......

PCI SSC Assessor_New_V4問題を提供していますPCI Qualified Professionals問題集と完璧な解答付き:https://jp.fast2test.com/Assessor_New_V4-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어