PCI Exam QSA_New_V4 Topic 4 Question 9 Discussion

Actual exam question for PCI's QSA_New_V4 exam

Question #: 9
Topic #: 4

What should the assessor verify when testing that cardholder data Is protected whenever It Is sent over open public networks?

AThe security protocol Is configured to accept all digital certificates.

BA proprietary security protocol is used.

CThe security protocol accepts only trusted keys.

DThe security protocol accepts connections from systems with lower encryption strength than required by the protocol.

Show Suggested Answer

Suggested Answer: C

Requirement for Secure Transmission:

PCI DSS Requirement 4.1 mandates that cardholder data sent over open public networks must be protected with strong cryptographic protocols. Accepting only trusted keys ensures data integrity and prevents unauthorized access.

Key Validation Practices:

Trusted keys and certificates are verified to ensure authenticity. Using untrusted keys compromises the security of the encrypted communication.

Prohibited Practices:

A/D: Configuring protocols to accept all certificates or lower encryption strength violates PCI DSS encryption guidelines.

B: Proprietary protocols are not inherently compliant unless they meet strong cryptographic standards.

Testing and Verification:

Assessors verify the implementation of trusted keys by examining encryption settings, reviewing certificate chains, and conducting tests to confirm only trusted connections are accepted.

by Xuan at Apr 07, 2025, 09:05 PM

Limited Time Offer

25%

Off

Get Premium QSA_New_V4 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Ernie

27 days ago

C is the way to go. The assessor needs to make sure the protocol is configured to only trust the right keys, not just anything that comes along.

upvoted 0 times

...

Ena

29 days ago

I don't know, maybe the assessor should just throw a dice to decide. That seems as reliable as some of these answer choices!

upvoted 0 times

...

Adelaide

1 months ago

I disagree. I think the security protocol should accept connections from systems with lower encryption strength than required by the protocol to ensure compatibility with all systems.

upvoted 0 times

...

Virgilio

1 months ago

I agree with Almeta. Using trusted keys ensures that only authorized parties can access the cardholder data.

upvoted 0 times

...

Lettie

1 months ago

D sounds like a terrible idea! Accepting lower encryption strength? That's just asking for trouble. The security protocol should be rock-solid.

upvoted 0 times

Shawna

16 days ago

B) A proprietary security protocol is used.

upvoted 0 times

...

Annmarie

21 days ago

A) The security protocol Is configured to accept all digital certificates.

upvoted 0 times

...

Almeta

1 months ago

I think the assessor should verify that the security protocol accepts only trusted keys.

upvoted 0 times

...

Albina

2 months ago

B sounds interesting, but I'm not sure a proprietary protocol is really the best option in this case. Open standards are usually more secure and reliable.

upvoted 0 times

Juan

21 days ago

User 2: Yeah, I think C) is the best option, accepting only trusted keys.

upvoted 0 times

...

Bernardine

28 days ago

User 1: I agree, open standards are usually more secure.

upvoted 0 times

...

Noel

2 months ago

C seems like the obvious choice here. The assessor needs to verify that the security protocol only accepts trusted keys, not any random certificate or lower encryption strength.

upvoted 0 times