
ExamsBrite Dumps

Qualified Security Assessor V4 Exam Question and Answers

Qualified Security Assessor V4 Exam

Last Update Nov 30, 2025
Total Questions : 75

We offer free QSA_New_V4 PCI SSC exam questions. Sign up, enter your details, and practice with the free QSA_New_V4 questions before moving on to the complete pool of Qualified Security Assessor V4 Exam test questions.

Questions 1

What does the PCI PTS standard cover?

Options:

A.  

Point-of-interaction devices used to protect account data.

B.  

Secure coding practices for commercial payment applications.

C.  

Development of strong cryptographic algorithms.

D.  

End-to-end encryption solutions for transmission of account data.

Questions 2

If an entity shares cardholder data with a TPSP, what activity is the entity required to perform?

Options:

A.  

The entity must conduct ASV scans on the TPSP’s systems at least annually.

B.  

The entity must perform a risk assessment of the TPSP's environment at least quarterly.

C.  

The entity must test the TPSP's incident response plan at least quarterly.

D.  

The entity must monitor the TPSP’s PCI DSS compliance status at least annually.

Questions 3

What is the intent of classifying media that contains cardholder data?

Options:

A.  

Ensuring that media is properly protected according to the sensitivity of the data it contains.

B.  

Ensuring that media containing cardholder data is moved from secured areas on a quarterly basis.

C.  

Ensuring that media is clearly and visibly labeled as "Confidential" so all personnel know that the media contains cardholder data.

D.  

Ensuring that all media is consistently destroyed on the same schedule, regardless of the contents.

Questions 4

Which statement about the Attestation of Compliance (AOC) is correct?

Options:

A.  

There are different AOC templates for service providers and merchants.

B.  

The AOC must be signed by both the merchant/service provider and by PCI SSC.

C.  

The same AOC template is used for ROCs and SAQs.

D.  

The AOC must be signed by either the merchant/service provider or the QSA/ISA.

Questions 5

Which of the following meets the definition of “quarterly” as indicated in the description of timeframes used in PCI DSS requirements?

Options:

A.  

Occurring at some point in each quarter of a year.

B.  

At least once every 95–97 days.

C.  

On the 15th of each third month.

D.  

On the 1st of each fourth month.

Questions 6

Which statement about PAN is true?

Options:

A.  

It must be protected with strong cryptography for transmission over private wireless networks.

B.  

It must be protected with strong cryptography for transmission over private wired networks.

C.  

It does not require protection for transmission over public wireless networks.

D.  

It does not require protection for transmission over public wired networks.

Questions 7

What must the assessor verify when testing that PAN is protected whenever it is sent over the Internet?

Options:

A.  

The security protocol is configured to support earlier versions.

B.  

The PAN is encrypted with strong cryptography.

C.  

The security protocol is configured to accept all digital certificates.

D.  

The PAN is securely deleted once the transmission has been sent.

Questions 8

Which statement is true regarding the presence of both hashed and truncated versions of the same PAN in an environment?

Options:

A.  

Controls are needed to prevent the original PAN being exposed by the hashed and truncated versions.

B.  

The hashed version of the PAN must also be truncated per PCI DSS requirements for strong cryptography.

C.  

The hashed and truncated versions must be correlated so the source PAN can be identified.

D.  

Hashed and truncated versions of a PAN must not exist in same environment.

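Why the hashed-plus-truncated combination needs extra controls, shown with an added Python example (this is not code from the page or from PCI SSC): PCI-style truncation leaves the first six and last four digits visible, so only six digits of a 16-digit PAN are unknown. Given an unkeyed SHA-256 of the same PAN, an attacker simply enumerates the million candidates, discards those that fail the Luhn check, and hashes the rest until one matches the stored digest. The PAN below is a constructed Luhn-valid test value, not a real card number, and the HMAC key is an assumed placeholder.

```python
import hashlib
import hmac
from typing import Optional

# Constructed Luhn-valid test PAN (not a real card number).
SAMPLE_PAN = "4111111111111111"
# Assumed placeholder key; in production it lives in an HSM or key manager.
HASH_KEY = b"placeholder-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """PCI-style truncation: keep the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: the weak form this example attacks."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 of the PAN; without the key an attacker cannot test candidates."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str) -> Optional[str]:
    """Enumerate the hidden digits, keep Luhn-valid candidates, match the digest.

    Succeeds against an unkeyed SHA-256. Against an HMAC digest it returns
    None, because no candidate's plain SHA-256 equals the keyed value.
    """
    first6, last4 = truncated[:6], truncated[-4:]
    hidden = len(truncated) - 10
    for n in range(10 ** hidden):
        candidate = f"{first6}{n:0{hidden}d}{last4}"
        if not luhn_valid(candidate):
            continue
        if hmac.compare_digest(unkeyed_hash(candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    trunc = truncate_pan(SAMPLE_PAN)
    print("truncated:", trunc)
    print("recovered from unkeyed hash:", recover_pan(trunc, unkeyed_hash(SAMPLE_PAN)))
    print("recovered from keyed hash:  ", recover_pan(trunc, keyed_hash(SAMPLE_PAN, HASH_KEY)))
```

The search space is small enough that the unkeyed case completes in seconds on a laptop. Replacing the plain hash with a keyed hash (HMAC under a secret key, which PCI DSS v4.0 Requirement 3.5.1.1 calls for when hashing is used to render PAN unreadable) removes the attacker's ability to compute candidate digests at all, and keeping the key out of the environment that holds the truncated values is the control an assessor should look for.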
Questions 9

What must be included in an organization's procedures for managing visitors?

Options:

A.  

Visitors are escorted at all times within areas where cardholder data is processed or maintained.

B.  

Visitor badges are identical to badges used by onsite personnel.

C.  

Visitor log includes visitor name, address, and contact phone number.

D.  

Visitors retain their identification (for example, a visitor badge) for 30 days after completion of the visit.

Questions 10

Which of the following is true regarding compensating controls?

Options:

A.  

A compensating control is not necessary if all other PCI DSS requirements are in place.

B.  

A compensating control must address the risk associated with not adhering to the PCI DSS requirement.

C.  

An existing PCI DSS requirement can be used as compensating control if it is already implemented.

D.  

A compensating control worksheet is not required if the acquirer approves the compensating control.

Questions 11

Which of the following can be sampled for testing during a PCI DSS assessment?

Options:

A.  

PCI DSS requirements and testing procedures.

B.  

Compensating controls.

C.  

Business facilities and system components.

D.  

Security policies and procedures.

Questions 12

An organization has implemented a change-detection mechanism on their systems. How often must critical file comparisons be performed?

Options:

A.  

At least weekly

B.  

Periodically as defined by the entity

C.  

Only after a valid change is installed

D.  

At least monthly

Questions 13

Which statement about the Attestation of Compliance (AOC) is correct?

Options:

A.  

There are different AOC templates for service providers and merchants.

B.  

The AOC must be signed by both the merchant/service provider and by PCI SSC.

C.  

The same AOC template is used for ROCs and SAQs.

D.  

The AOC must be signed by either the merchant/service provider or the QSA/ISA.

Questions 14

Where can live PANs be used for testing?

Options:

A.  

Production (live) environments only.

B.  

Pre-production (test) environments only if located outside the CDE.

C.  

Pre-production environments that are located within the CDE.

D.  

Testing with live PANs must only be performed in the QSA Company environment.

Questions 15

Assigning a unique ID to each person is intended to ensure which of the following?

Options:

A.  

Strong passwords are used for each user account.

B.  

Shared accounts are only used by administrators.

C.  

Individual users are accountable for their own actions.

D.  

Access is assigned to group accounts based on need-to-know.

Questions 16

Which statement is true regarding the PCI DSS Report on Compliance (ROC)?

Options:

A.  

The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs.

B.  

The assessor may use either their own template or the ROC Reporting Template provided by PCI SSC.

C.  

The assessor must create their own ROC template for each assessment report.

D.  

The ROC Reporting Template provided by PCI SSC is only required for service provider assessments.

Questions 17

In the ROC Reporting Template, which of the following is the best approach for a response where the requirement was "In Place"?

Options:

A.  

Details of the entity's project plan for implementing the requirement.

B.  

Details of how the assessor observed the entity's systems were compliant with the requirement.

C.  

Details of the entity's reason for not implementing the requirement.

D.  

Details of how the assessor observed the entity's systems were not compliant with the requirement.

Questions 18

What does the PCI PTS standard cover?

Options:

A.  

Point-of-Interaction devices used to protect account data.

B.  

Secure coding practices for commercial payment applications.

C.  

Development of strong cryptographic algorithms.

D.  

End-to-end encryption solutions for transmission of account data.

Questions 19

A sample of business facilities is reviewed during the PCI DSS assessment. What is the assessor required to validate about the sample?

Options:

A.  

It includes a consistent set of facilities that are reviewed for all assessments.

B.  

The number of facilities in the sample is at least 10 percent of the total number of facilities.

C.  

Every facility where cardholder data is stored is reviewed.

D.  

All types and locations of facilities are represented.

Questions 20

PCI DSS Requirement 12.7 requires screening and background checks for which of the following?

Options:

A.  

All personnel employed by the organization.

B.  

Personnel with access to the cardholder data environment.

C.  

Visitors with access to the organization’s facilities.

D.  

Cashiers with access to one card number at a time.

Questions 21

Which of the following is a requirement for multi-tenant service providers?

Options:

A.  

Ensure that customers cannot access another entity’s cardholder data environment.

B.  

Provide customers with access to the hosting provider's system configuration files.

C.  

Provide customers with a shared user ID for access to critical system binaries.

D.  

Ensure that a customer’s log files are available to all hosted entities.

Questions 22

According to the glossary, "bespoke and custom software" describes which type of software?

Options:

A.  

Any software developed by a third party.

B.  

Any software developed by a third party that can be customized by an entity.

C.  

Software developed by an entity for the entity’s own use.

D.  

Virtual payment terminals.
