Test your understanding of requirements 12.3 and 12.4

A targeted risk analysis must be completed for the requirements that provide flexibility for how frequently its performed only when the entity can’t meet the suggested frequency *

True

False

Each targeted risk analysis must identify the assets being protected *

True

False

Entities must use the TRA template provided by the PCI SSC *

True

False

TRA’s must be reviewed at least every *

Month

Quarter

12 months

6 Months

TRA’s are required for every instance where the entity is using a customized control *

True

False

Beginning March 31, 2025, cryptographic suites and protocols must be documented and reviewed every 12 months *

True

False

Entities must have a(n) ___________ to respond to anticipated changes in cryptographic vulnerabilities *

Unwritten agreement

Documented strategy

Budget

Allocated resources

Hardware and software technologies are part of a continuous PCI scope management process *

True

False

End of life technologies must have a plan for remediation that’s been approved by *

Change management

Security operations

Senior management

The vendor

Requirements 12.4.1 and 12.4.2 are for all merchants and service providers *

True

False

Service providers must have a(n) __________________ for a PCI DSS Compliance Program *

Charter

Idea

Party

Memo

Review are performed at least once every ________________ to confirm that personnel are performing their tasks. *

Day

12 months

3 months

Week

Reviews can be performed by the same person responsible for completing the task *

True

False

Results must be included in the reviews *

True

False

Remediation plans for any gaps noted in the reviews are unnecessary *

True

False

Merchants which haven’t reduced their scope would be wise to adopt requirements 12.4.1 and 12.4.2 *

True

False

Requirement 12: An overview of the Information Security Policy and Supporting Security Policies and Programs

Test your understanding of requirements 12.3 and 12.4