PCI SSC PCI SSC Certification Assessor_New_V4 New Questions

According to the PCI DSS v3.2.1 Quick Reference Guide1, any in-scope system except for those identified as not at risk from malware must have anti-malware solutions installed and configured according to best practices. This is one of the requirements for preventing malware infections that could compromise cardholder data.

According to requirement 1, network security controls are intended to control network traffic between two or more logical or physical network segments, which means they should prevent unauthorized access, modification, or disclosure of cardholder data or transactions over the network. This is one of the requirements for ensuring that network security controls are implemented and maintained in accordance with PCI DSS.

According to the PCI DSS v3.2.1 Quick Reference Guide1, system configuration and parameter files must be monitored by a change-detection mechanism (for example, a file-integrity monitoring tool). This is one of the requirements for ensuring that changes to system configuration and parameter files are detected and verified.

An LDAP server is a type of directory service that provides authentication and authorization data to the cardholder data environment (CDE)1. According to the PCI DSS scoping and segmentation guidance2, any system that provides a security service to the CDE, such as authentication, is considered a connected or security-impacting system (Category 2) and is in scope for PCI DSS. This is because such systems can affect the security and controls of the CDE and the cardholder data (CHD) or sensitive authentication data (SAD) that it contains. Therefore, an LDAP server providing authentication services to the CDE is in scope for PCI DSS, regardless of whether it stores, processes, or transmits CHD or SAD, or whether it provides authentication services to systems in the DMZ or not. References:

• Guidance for PCI DSS Scoping and Network Segmentation
• What Are the Effects of Using Active Directory as a Shared Service on PCI Compliance?
• The Ultimate Guide To PCI DSS Scoping and Segmentation
• LDAP - PCI Security Standards Council