Free Access to PCISSC.Assessor_New_V4.v2024-04-13.q29 with Valid Practice Test (Page 5)

Question 16

Which statement is true regarding the presence of both hashed and truncated versions of the same PAN in an environment?

A.Controls are needed to prevent the original PAN being exposed by the hashed and truncated versions
B.The hashed version of the PAN must also be truncated per PCI OSS requirements for strong cryptography.
C.The hashed and truncated versions must be correlated so the source PAN can be identified
D.Hashed and truncated versions of a PAN must not exist in same environment

Correct Answer: A

Explanation
Hashing is a form of one-way encryption that transforms a data element into a unique fixed-size data element (hash value) without a way to get the original data element from the hash value1. Truncation is a method of rendering the full PAN unreadable by permanently removing a segment of the PAN data2. PCI DSS Requirement 3.4 states that entities must render the PAN unreadable wherever it is stored, using any of the following methods: one-way hashes based on strong cryptography, truncation, index tokens and pads, or strong cryptography with associated key-management processes and procedures3. However, PCI DSS Requirement 3.4e also states that if hashed and truncated versions of the same PAN are present in the environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN3. This is because if an attacker obtains both the hashed and truncated versions of the same PAN, they may be able to use a brute-force or dictionary attack to guess the original PAN by hashing and truncating different PAN values until they find a match4. Therefore, the correct answer is option A.
The other options are not true regarding the presence of both hashed and truncated versions of the same PAN in an environment. Option B is not true because PCI DSS does not require the hashed version of the PAN to be also truncated, although it is a recommended best practice to further reduce the risk of exposing the original PAN5. Option C is not true because PCI DSS does not require the hashed and truncated versions to be correlated, as this would defeat the purpose of rendering the PAN unreadable and increase the risk of exposing the original PAN. Option D is not true because PCI DSS does not prohibit the presence of both hashed and truncated versions of the same PAN in the same environment, as long as additional controls are in place to prevent the reconstruction of the original PAN. References:
Protect hashed CardHolder Data according to PCI DSS 3.4 - Advantio
PCI DSS Truncation Rules and Guidelines - Truvantis
PCI DSS v3.2.1
Storing Card Numbers using hashed and truncated version of PAN
pci dss - Credit card data security - hashing, truncation and encryption - Information Security Stack Exchange

Question 17

Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder data?

A.User access to the database is only through programmatic methods
B.User access to the database is restricted to system and network administrators
C.Application IDs for database applications can only be used by database administrators
D.Direct queries to the database are restricted to shared database administrator accounts

Question 18

Passwords for default accounts and default administrative accounts should be?

A.Changed within 30 days after installing a system on the network.
B.Reset to the default password before installing a system on the network
C.Changed before installing a system on the network
D.Configured to expire in 30 days

Question 19

A retail merchant has a server room containing systems that store encrypted PAN data. The merchant has implemented a badge access-control system that identities who entered and exited the room onwhat date and at what time There are no video cameras located in the server room Based on this information, which statement is true regarding PCI DSS physical security requirements?

A.The badge access-control system must be protected from tampering or disabling
B.The merchant must install video cameras in addition to the existing access-control system
C.Data from the access-control system must be securely deleted on a monthly basis
D.The merchant must install motion-sensing alarms in addition to the existing access-control system

Question 20

What would be an appropriate strength for the key-encrypting key (KEK) used to protect an AES 128 bit data-encrypting key (DEK)

A.DES256
B.RSA512
C.AES 128
D.ROT 13

Question 16

Question 17

Question 18

Question 19

Question 20

Download PDF File