QSA_New_V4 無料問題集「PCI SSC Qualified Security Assessor V4」

（A）Details of how the assessor observed the entity's systems were compliant with the requirement.

（B）Details of how the assessor observed the entity's systems were not compliant with the requirement.

（C）Details of the entity's reason for not implementing the requirement.

（D）Details of the entity's project plan for implementing the requirement.

（A）At least 1 year, with the most recent 3 months immediately available.

（B）At least 2 years, with the most recent 3 months immediately available.

（C）At least 2 years, with the most recent month immediately available.

（D）At least 3 months, with the most recent month immediately available.

（A）You must document the work on the customized control in the ROC, but you can not assess the control or the documentation.

（B）Assessors are not allowed to assist an entity with the completion of the Controls Matrix or the TRA.

（C）You can assess the customized control, but another assessor must verify that you completed the TRA correctly.

（D）You can assess the customized control and verify that the customized approach was correctly followed, but you must document this in the ROC.

（A）A compensating control must address the risk associated with not adhering to the PCI DSS requirement.

（B）An existing PCI DSS requirement can be used as a compensating control if it is already implemented.

（C）A compensating control is not necessary if all other PCI DSS requirements are in place.

（D）A compensating control worksheet is not required if the acquirer approves the compensating control.

（A）An interim result before the final ROC has been completed.

（B）A ROC that has been completed after using an SAQ to determine which requirements should be tested, as per FAQ 1331.

（C）An assessment with at least one requirement marked as "Not Tested".

（D）A term used by payment brands and acquirers to describe entities that have multiple payment channels, with each channel having its own assessment.

（A）Ensure that customers cannot access another entity's cardholder data environment.

（B）Ensure that a customer's log files are available to all hosted entities.

（C）Provide customers with access to the hosting provider's system configuration files.

（D）Provide customers with a shared user ID for access to critical system binaries.

（A）The serial number of each device is periodically verified with the device manufacturer.

（B）Devices are physically destroyed if there is suspicion of compromise.

（C）Device identifiers and security labels are periodically replaced.

（D）Devices are periodically inspected to detect unauthorized card skimmers.