
Assessor_New_V4 Question and Answers

Assessor_New_V4

Last Update May 18, 2024
Total Questions : 60


Question 1

An entity accepts e-commerce payment card transactions and stores account data in a database. The database server and the web server are both accessible from the Internet. The database server and the web server are on separate physical servers. What is required for the entity to meet PCI DSS requirements?

Options:

A.  

The web server and the database server should be installed on the same physical server

B.  

The database server should be relocated so that it is not accessible from untrusted networks

C.  

The web server should be moved into the internal network

D.  

The database server should be moved to a separate segment from the web server to allow for more concurrent connections

Question 2

A network firewall has been configured with the latest vendor security patches. What additional configuration is needed to harden the firewall?

Options:

A.  

Remove the default 'Firewall Administrator' account and create a shared account for firewall administrators to use.

B.  

Configure the firewall to permit all traffic until additional rules are defined

C.  

Synchronize the firewall rules with the other firewalls in the environment

D.  

Disable any firewall functions that are not needed in production

Question 3

Which of the following is a requirement for multi-tenant service providers?

Options:

A.  

Ensure that customers cannot access another entity's cardholder data environment

B.  

Provide customers with access to the hosting provider's system configuration files.

C.  

Provide customers with a shared user ID for access to critical system binaries

D.  

Ensure that a customer's log files are available to all hosted entities

Question 4

The intent of assigning a risk ranking to vulnerabilities is to:

Options:

A.  

Ensure all vulnerabilities are addressed within 30 days

B.  

Replace the need for quarterly ASV scans

C.  

Prioritize the highest risk items so they can be addressed more quickly

D.  

Ensure that critical security patches are installed at least quarterly

Question 5

A "Partial Assessment" is a new assessment result. What is a "Partial Assessment"?

Options:

A.  

A ROC that has been completed after using an SAQ to determine which requirements should be tested, as per FAQ 1331 (as long as the entity meets the SAQ's eligibility criteria)

B.  

An interim result before the final ROC has been completed

C.  

A term used by payment brands and acquirers to describe entities that have multiple payment channels with each channel having its own assessment

D.  

An assessment with at least one requirement marked as "Not Tested"

Question 6

Which statement is true regarding the use of intrusion detection techniques, such as intrusion detection systems and/or intrusion prevention systems (IDS/IPS)?

Options:

A.  

Intrusion detection techniques are required on all system components

B.  

Intrusion detection techniques are required to alert personnel of suspected compromises

C.  

Intrusion detection techniques are required to isolate systems in the cardholder data environment from all other systems

D.  

Intrusion detection techniques are required to identify all instances of cardholder data

Question 7

Which of the following meets the definition of 'quarterly' as indicated in the description of timeframes used in PCI DSS requirements?

Options:

A.  

Occurring at some point in each quarter of a year

B.  

At least once every 95-97 days.

C.  

On the 15th of each third month

D.  

On the 1st of each fourth month

Question 8

Which of the following is true regarding compensating controls?

Options:

A.  

A compensating control is not necessary if all other PCI DSS requirements are in place

B.  

A compensating control must address the risk associated with not adhering to the PCI DSS requirement

C.  

An existing PCI DSS requirement can be used as a compensating control if it is already implemented

D.  

A compensating control worksheet is not required if the acquirer approves the compensating control

Question 9

Which of the following describes the intent of installing one primary function per server?

Options:

A.  

To allow functions with different security levels to be implemented on the same server

B.  

To prevent server functions with a lower security level from introducing security weaknesses to higher-security functions on the same server

C.  

To allow higher-security functions to protect lower-security functions installed on the same server

D.  

To reduce the security level of functions with higher-security needs to meet the needs of lower-security functions

Question 10

Which of the following statements is true regarding track equivalent data on the chip of a payment card?

Options:

A.  

It is allowed to be stored by merchants after authorization if encrypted

B.  

It is sensitive authentication data

C.  

It is out of scope for PCI DSS

D.  

It is not applicable for PCI DSS Requirement 3.2

Question 11

What process is required by PCI DSS for protecting card-reading devices at the point-of-sale?

Options:

A.  

Devices are periodically inspected to detect unauthorized card skimmers.

B.  

The serial number of each device is periodically verified with the device manufacturer

C.  

Device identifiers and security labels are periodically replaced

D.  

Devices are physically destroyed if there is suspicion of compromise

Question 12

What would be an appropriate strength for the key-encrypting key (KEK) used to protect an AES 128-bit data-encrypting key (DEK)?

Options:

A.  

DES256

B.  

RSA512

C.  

AES 128

D.  

ROT 13

Question 13

Passwords for default accounts and default administrative accounts should be?

Options:

A.  

Changed within 30 days after installing a system on the network.

B.  

Reset to the default password before installing a system on the network

C.  

Changed before installing a system on the network

D.  

Configured to expire in 30 days

Question 14

In the ROC Reporting Template, which of the following is the best approach for a response where the requirement was "In Place"?

Options:

A.  

Details of the entity's project plan for implementing the requirement

B.  

Details of how the assessor observed the entity's systems were compliant with the requirement

C.  

Details of the entity's reason for not implementing the requirement

D.  

Details of how the assessor observed the entity's systems were not compliant with the requirement

Question 15

Which of the following describes "stateful responses" to communication initiated by a trusted network?

Options:

A.  

Administrative access to respond to requests to change the firewall is limited to one individual at a time

B.  

Active network connections are tracked so that invalid "response" traffic can be identified.

C.  

A current baseline of application configurations is maintained and any mis-configuration is responded to promptly

D.  

Logs of user activity on the firewall are correlated to identify and respond to suspicious behavior

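Option B is the textbook description of stateful inspection. As an added example (my own illustration, not code from the exam or from any firewall product), the following Go program models the state table such a control keeps: a packet leaving the trusted network creates an entry keyed on its 5-tuple, and an inbound packet is admitted only when it matches the reverse of an existing entry, so a forged "response" from the wrong host or to the wrong port, or an unsolicited inbound SYN, is dropped. The hosts, ports and packet sequence are constructed for the example.

```go
package main

import "fmt"

// FiveTuple identifies a flow the way a stateful firewall keys its table.
type FiveTuple struct {
	Proto            string
	SrcIP, DstIP     string
	SrcPort, DstPort int
}

// Packet is a deliberately minimal model: the 5-tuple plus the two TCP flags
// needed to tell a connection attempt from a reply.
type Packet struct {
	FiveTuple
	SYN, ACK bool
}

// reverse swaps the endpoints so an inbound reply can be matched against the
// outbound request that created the state entry.
func reverse(t FiveTuple) FiveTuple {
	return FiveTuple{Proto: t.Proto, SrcIP: t.DstIP, DstIP: t.SrcIP, SrcPort: t.DstPort, DstPort: t.SrcPort}
}

// StatefulFilter sits between a trusted (internal) network and an untrusted
// one. Inbound traffic is admitted only as a response to a flow the trusted
// side opened.
type StatefulFilter struct {
	trusted map[string]bool    // hosts inside the trusted network
	state   map[FiveTuple]bool // tracked outbound flows (request direction)
}

func NewStatefulFilter(trustedHosts ...string) *StatefulFilter {
	f := &StatefulFilter{trusted: map[string]bool{}, state: map[FiveTuple]bool{}}
	for _, h := range trustedHosts {
		f.trusted[h] = true
	}
	return f
}

// Filter returns "allow" or "drop" and updates the state table per packet.
func (f *StatefulFilter) Filter(p Packet) string {
	if f.trusted[p.SrcIP] && !f.trusted[p.DstIP] {
		// Outbound: a TCP flow is recorded on its SYN; UDP has no handshake,
		// so the first outbound datagram creates state.
		if p.Proto != "tcp" || (p.SYN && !p.ACK) {
			f.state[p.FiveTuple] = true
		}
		if f.state[p.FiveTuple] {
			return "allow"
		}
		return "drop" // outbound packet for a flow we never saw start
	}
	// Inbound: must be the reverse of a tracked outbound flow ...
	if !f.state[reverse(p.FiveTuple)] {
		return "drop"
	}
	// ... and a bare SYN is a new connection attempt, never a response.
	if p.Proto == "tcp" && p.SYN && !p.ACK {
		return "drop"
	}
	return "allow"
}

// Decide runs a packet sequence through the filter and returns each verdict.
func Decide(f *StatefulFilter, pkts []Packet) []string {
	out := make([]string, 0, len(pkts))
	for _, p := range pkts {
		out = append(out, f.Filter(p))
	}
	return out
}

// SamplePackets is a constructed trace, not captured traffic.
func SamplePackets() []Packet {
	req := FiveTuple{"tcp", "10.0.0.5", "203.0.113.10", 51000, 443}
	return []Packet{
		{req, true, false},                                                      // 1 trusted host opens HTTPS: allow, state created
		{reverse(req), true, true},                                              // 2 SYN/ACK from the server: allow
		{FiveTuple{"tcp", "198.51.100.7", "10.0.0.5", 443, 51000}, false, true}, // 3 "response" from a different host: drop
		{FiveTuple{"tcp", "203.0.113.10", "10.0.0.5", 443, 51001}, false, true}, // 4 right server, wrong client port: drop
		{FiveTuple{"tcp", "203.0.113.10", "10.0.0.5", 4444, 22}, true, false},   // 5 unsolicited inbound SSH SYN: drop
		{FiveTuple{"udp", "10.0.0.5", "203.0.113.53", 40000, 53}, false, false}, // 6 outbound DNS query: allow, state created
		{FiveTuple{"udp", "203.0.113.53", "10.0.0.5", 53, 40000}, false, false}, // 7 DNS reply: allow
	}
}

func main() {
	for i, d := range Decide(NewStatefulFilter("10.0.0.5"), SamplePackets()) {
		fmt.Printf("packet %d: %s\n", i+1, d)
	}
}
```

A real control also ages entries out and tears state down on FIN/RST; those are omitted here so the matching logic, which is what the question is about, stays visible.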
Question 16

Which systems must have anti-malware solutions?

Options:

A.  

All CDE systems, connected systems, NSCs, and security-providing systems

B.  

All portable electronic storage

C.  

All systems that store PAN

D.  

Any in-scope system except for those identified as not at risk from malware

Question 17

Which statement about the Attestation of Compliance (AOC) is correct?

Options:

A.  

There are different AOC templates for service providers and merchants

B.  

The AOC must be signed by both the merchant/service provider and by PCI SSC

C.  

The same AOC template is used for ROCs and SAQs

D.  

The AOC must be signed by either the merchant/service provider or the QSA/ISA

Question 18

Which of the following parties is responsible for completion of the Controls Matrix for the Customized Approach?

Options:

A.  

Only a Qualified Security Assessor (QSA)

B.  

Either a QSA, AQSA, or PCIP.

C.  

Entity being assessed

D.  

Card brands or acquirer
