Which statement is true regarding the PCI DSS Report on Compliance (ROC)?
Correct Answer: A
Explanation: According to the PCI DSS v3.2.1 Quick Reference Guide [1], the assessor may use either their own template or the ROC Reporting Template provided by PCI SSC. This is one of the requirements for ensuring consistency and accuracy in ROCs.
Question 2
Which of the following statements is true whenever a cryptographic key is retired and replaced with a new key?
Correct Answer: A
Explanation: PCI DSS Requirement 3.6.4 states that entities must retire or replace keys when the keys have reached the end of their cryptoperiod, which is the time span during which a specific key can be used for cryptographic operations [1]. The retired key must not be used for encryption operations, as it may have been compromised or weakened by cryptanalysis, and may not provide adequate protection for the data. The retired key may still be used for decryption operations, if needed, to access historical data that was encrypted under the retired key [2]. Therefore, the correct answer is option A. The other options are not true regarding cryptographic key retirement and replacement. Option B is not true because PCI DSS does not specify a retention period for the cryptographic key components from the retired key, although it requires entities to securely delete cryptographic material when it is no longer needed for business or legal reasons [1]. Option C is not true because PCI DSS does not require a new key custodian to be assigned, although it requires entities to define and document the roles, responsibilities, and accountability of all key custodians [1]. Option D is not true because PCI DSS does not require all data encrypted under the retired key to be securely destroyed, although it requires entities to render cardholder data unreadable when it is no longer needed for business or legal reasons [1]. References: PCI DSS v3.2.1; Cryptographic Key Blocks - PCI Security Standards Council
Question 3
An entity wants to know if the Software Security Framework can be leveraged during their assessment. Which of the following software types would this apply to?
Correct Answer: D
Explanation: According to requirement 12.3.2, software developed by an entity in accordance with the Secure SLC Standard must be validated by a Qualified Security Assessor (QSA) before it can be used by an entity in its CDE. This is one of the requirements for ensuring that software developed by an entity in accordance with the Secure SLC Standard meets all the security standards and controls defined in Appendix E of the PCI DSS v3.2.1 Quick Reference Guide [1].
Question 4
An entity wants to know if the Software Security Framework can be leveraged during their assessment. Which of the following software types would this apply to?
Correct Answer: A
Explanation: The Software Security Framework (SSF) is a collection of standards and programs for the secure design and development of payment software [1]. The SSF replaces the Payment Application Data Security Standard (PA-DSS) with modern requirements that support a broader array of payment software types, technologies, and development methodologies [2]. The SSF applies to any payment software that is part of the cardholder data environment (CDE), which is the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data [3]. Therefore, the correct answer is option A. The other options are not true regarding the applicability of the SSF to different software types. Option B is not true because the SSF is not limited to software that runs on PCI PTS devices, which are hardware devices that accept payment card data at the point of interaction. The SSF covers software that runs on various platforms and devices, such as web servers, mobile devices, cloud services, and embedded systems. Option C is not true because the SSF is not limited to validated payment applications that are listed by PCI SSC and have undergone a PA-DSS assessment, which are payment applications that have been validated by PA-DSS assessors and meet the PA-DSS requirements. The SSF covers payment software that may not be eligible for PA-DSS validation, such as software that is developed by merchants or service providers for their own use, or software that is not sold, distributed, or licensed to a third party. Option D is not true because the SSF is not limited to software that is developed by the entity in accordance with the Secure SLC Standard, which is one of the two standards that are part of the SSF and provides security requirements and assessment procedures for software vendors to integrate into their software development lifecycles. The SSF covers payment software that is developed by any entity, whether it is a software vendor, a merchant, a service provider, or a third party, as long as it meets the security requirements and validation procedures of the Secure Software Standard, which is the other standard that is part of the SSF and provides security requirements and assessment procedures for payment software products. References: Understanding the PCI Software Security Framework: New Educational Resources; PCI Software Security Framework Provides a Modern Approach to Payment Software Security; PCI DSS v3.2.1; [PCI PTS POI Security Requirements]; [Software Security Framework Secure Software Standard]; [Payment Application Data Security Standard]; [Software Security Framework Secure Software Life Cycle (Secure SLC) Standard]; [PCI DSS v4.0: Is the Customized Approach Right For Your Organization?]
Question 5
A retail merchant has a server room containing systems that store encrypted PAN data. The merchant has implemented a badge access-control system that identifies who entered and exited the room on what date and at what time. There are no video cameras located in the server room. Based on this information, which statement is true regarding PCI DSS physical security requirements?
Correct Answer: A
Explanation: PCI DSS Requirement 9.1.1 requires entities to use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment (CDE) [1]. A badge access-control system is one example of such a control, as it can identify who entered and exited the server room and when. However, this control is only effective if it is protected from tampering or disabling by unauthorized persons, as PCI DSS Requirement 9.1.2 states [1]. Otherwise, the access-control system could be bypassed or compromised, allowing unauthorized access to the systems that store encrypted PAN data. Therefore, the badge access-control system must be protected from tampering or disabling, as stated in option A. The other options are not true regarding PCI DSS physical security requirements for a server room. Option B is not true because PCI DSS does not mandate the use of video cameras in addition to the existing access-control system, although it is a recommended best practice [2]. Option C is not true because PCI DSS does not specify a data retention period for the access-control system, although it requires entities to retain audit trail history for at least one year, with a minimum of three months immediately available for analysis [3]. Option D is not true because PCI DSS does not require the use of motion-sensing alarms in addition to the existing access-control system, although it is another recommended best practice [2]. References: PCI DSS v3.2.1; PCI DSS Requirement 9: Upping Your Physical Security; PCI DSS Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data