Assessor_New_V4 Exam Questions Tutorials

an entity can use both the Customized Approach and the Defined Approach to meet the same requirement, as long as it uses compensating controls to address any weaknesses or gaps inthe customized control. This is one of the requirements for ensuring that an entity can use both approaches when appropriate.

PCI DSS Requirement 9.1.1 requires entities to use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment (CDE)1. A badge access-control system is one example of such a control, as it can identify who entered and exited the server room and when. However, this control is only effective if it is protected from tampering or disabling by unauthorized persons, as PCI DSS Requirement 9.1.2 states1. Otherwise, the access-control system could be bypassed or compromised, allowing unauthorized access to the systems that store encrypted PAN data. Therefore, the badge access-control system must be protected from tampering or disabling, as stated in option A.

The other options are not true regarding PCI DSS physical security requirements for a server room. Option B is not true because PCI DSS does not mandate the use of video cameras in addition to the existing access-control system, although it is a recommended best practice2. Option C is not true because PCI DSS does not specify a data retention period for the access-control system, although it requires entities to retain audit trail history for at least one year, with a minimum of three months immediately available for analysis3. Option D is not true because PCI DSS does not require the use of motion-sensing alarms in addition to the existing access-control system, although it is another recommended best practice2. References:

• PCI DSS v3.2.1
• PCI DSS Requirement 9: Upping Your Physical Security
• PCI DSS Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

According to the PCI DSS v3.2.1 Quick Reference Guide1, installing one primary function per server is intended to prevent server functions with a lower security level from introducingsecurity weaknesses to higher-security functions on the same server. This is one of the requirements for ensuring that server functions are isolated from each other.

According to the PCI DSS v3.2.1 Quick Reference Guide1, track equivalent data on the chip of a payment card is sensitive authentication data, which means it can be used to authenticate a cardholder or a transaction, but it should not be stored or transmitted by merchants after authorization if encrypted. This is one of the requirements for preventing unauthorized access to sensitive authentication data.