Assessor_New_V4 Exam Dumps - PCI SSC Certification Questions and Answers

According to the PCI DSS v3.2.1 Quick Reference Guide1, an internal NTP server that provides time services to the cardholder data environment is in scope for PCI DSS if it stores processes or transmits cardholder data, regardless of whether it provides authentication services to systems in the DMZ or not. This is one of the requirements for preventing unauthorized access to cardholder data using time services.

According to the PCI DSS v3.2.1 Quick Reference Guide1, assigning a unique ID to each person is intended to ensure individual users are accountable for their own actions, rather than shared accounts or group accounts based on need-to-know. This is one of the requirements for ensuring that user accounts are properly managed and controlled.

PCI DSS Requirement 11.5 states that entities must deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly1. This is to ensure that any unauthorized or malicious changes to the files are detected and reported in a timely manner, and that the integrity and security of the files are maintained. Critical files are those that affect the security of the cardholder data environment (CDE), such as system files, application executables, configuration files, database files, and log files2. Therefore, the correct answer is option A.

The other options are not true regarding the frequency of critical file comparisons for a change-detection mechanism. Option B is not true because PCI DSS does not allow the entity to define the periodicity of the file comparisons, as it specifies a minimum frequency of at least weekly1. Option C is not true because PCI DSS does not limit the file comparisons to only after a valid change is installed, as it requires the file comparisons to be performed at least weekly regardless of the change status1. Option D is not true because PCI DSS does not allow the file comparisons to be performed at least monthly, as it requires a higher frequency of at least weekly1. References:

• PCI DSS v3.2.1
• File Integrity Monitoring Tools For PCI DSS

an entity can use both the Customized Approach and the Defined Approach to meet the same requirement, as long as it uses compensating controls to address any weaknesses or gaps inthe customized control. This is one of the requirements for ensuring that an entity can use both approaches when appropriate.