先試後買

A. Discover vulnerabilities and rank them.

B. Control network traffic between two or more logical or physical network segments.

C. Encrypt PAN when stored.

D. Manage anti-malware throughout the CDE.

A. Central time servers receive time signals from specific, approved external sources.

B. Each internal system peers directly with an external source to ensure accuracy of time updates.

C. Access to time configuration settings is available to all users of the system.

D. Each internal system is configured to be its own time server.

A. Pre-production (test) environments only it located outside the CDE.

B. Pre-production environments that are located within the CDE.

C. Production (live) environments only.

D. Testing with live PANs must only be performed in the OSA Company environment.

A. They must be performed by an Approved Scanning Vendor (ASV).

B. They must be performed after a significant change.

C. They must be performed at least annually.

D. They must be performed by QSA personnel.

A. Changed within 30 days after installing a system on the network.

B. Changed before installing a system on the network.

C. Reset to the default password before installing a system on the network.

D. Configured to expire in 30 days.

A. At least 3 months, with the most recent month immediately available.

B. At least 2 years, with the most recent 3 months immediately available.

C. At least 1 year, with the most recent 3 months immediately available.

D. At least 2 years, with the most recent month immediately available.

A. Software developed by the entity in accordance with the Secure SLC Standard.

B. Any payment software in the CDE.

C. Validated Payment Applications that are listed by PCI SSC and have undergone a PA-DSS assessment.

D. Only software which runs on PCI PTS devices.

A. A compensating control must address the risk associated with not adhering to the PCI DSS requirement.

B. An existing PCI DSS requirement can be used as a compensating control if it is already implemented.

C. A compensating control is not necessary if all other PCI DSS requirements are in place.

D. A compensating control worksheet is not required if the acquirer approves the compensating control.