Question 1

After the 31 of the March 2025, how frequent must you review the system and application account privileges?

Options :

A : At every quarter.

B : There are no requirements for system accounts, so they should never.

C : Biannually

D : Periodically. The frequency is defined in the TRA (targeted risk analysis) of the entity-s .

Answer: D

Question 2

Which scenario describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope?

Options :

A : Routers that monitor network traffic flows between the CDE and out-of-scope networks

B : Firewalls that log all network traffic flows between the CDE and out-of-scope networks

C : Virtual LANs that route network traffic between the CDE and out-of-scope networks

D : A network configuration that prevents all network traffic between the CDE and out-of-scope network

Answer: D

Question 3

When should penetration testing be performed?

Options :

A : At least quarterly, and after any change to user access or file access permission

B : At least annually, and after any change to user access permission

C : At least quarterly, and after any significant changes to the network

D : At least annually, and after any significant changes to infrastructure or applications

Answer: D

Question 4

After the 31 March 2025, what is considered to be the minimum acceptable length of the password used to authenticate a user account?

Options :

A : 9 characters

B : 6 characters

C : 8 characters

D : 7 characters

Answer: C

Question 5

Which of the following types of events is required to be logged?

Options :

A : All use of end-user messaging technologies

B : All access to external websites

C : All access to all audit trails

D : All network transmissions

Answer: C