PCI SSC Assessor_New_V4 Exam With Confidence Using Practice Dumps

PCI DSS Requirement 12.10.1 requires entities to implement an incident response plan that includes roles, responsibilities, and communication and contact strategies for a data security incident, including notification of relevant payment brands1. This is important because each payment card brand has its own policies and procedures for dealing with a security breach, and failing to follow them or meet reporting deadlines could result in fines or loss of authority to process payment card transactions2. Therefore, an incident response plan must include procedures for notifying PCI SSC of the security incident, as well as any other entities that may require notification, whether by contract or law1. References:

• Guidance for PCI DSS Scoping and Network Segmentation
• Responding to a Cardholder Data Breach

PCI DSS Requirement 11.5 states that entities must deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly1. This is to ensure that any unauthorized or malicious changes to the files are detected and reported in a timely manner, and that the integrity and security of the files are maintained. Critical files are those that affect the security of the cardholder data environment (CDE), such as system files, application executables, configuration files, database files, and log files2. Therefore, the correct answer is option A.

The other options are not true regarding the frequency of critical file comparisons for a change-detection mechanism. Option B is not true because PCI DSS does not allow the entity to define the periodicity of the file comparisons, as it specifies a minimum frequency of at least weekly1. Option C is not true because PCI DSS does not limit the file comparisons to only after a valid change is installed, as it requires the file comparisons to be performed at least weekly regardless of the change status1. Option D is not true because PCI DSS does not allow the file comparisons to be performed at least monthly, as it requires a higher frequency of at least weekly1. References:

• PCI DSS v3.2.1
• File Integrity Monitoring Tools For PCI DSS

PCI DSS Requirement 9.1.1 requires entities to use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment (CDE)1. A badge access-control system is one example of such a control, as it can identify who entered and exited the server room and when. However, this control is only effective if it is protected from tampering or disabling by unauthorized persons, as PCI DSS Requirement 9.1.2 states1. Otherwise, the access-control system could be bypassed or compromised, allowing unauthorized access to the systems that store encrypted PAN data. Therefore, the badge access-control system must be protected from tampering or disabling, as stated in option A.

The other options are not true regarding PCI DSS physical security requirements for a server room. Option B is not true because PCI DSS does not mandate the use of video cameras in addition to the existing access-control system, although it is a recommended best practice2. Option C is not true because PCI DSS does not specify a data retention period for the access-control system, although it requires entities to retain audit trail history for at least one year, with a minimum of three months immediately available for analysis3. Option D is not true because PCI DSS does not require the use of motion-sensing alarms in addition to the existing access-control system, although it is another recommended best practice2. References:

• PCI DSS v3.2.1
• PCI DSS Requirement 9: Upping Your Physical Security
• PCI DSS Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data