Which statement accurately describes handling of insecure protocols in documentation?


Multiple Choice

Which statement accurately describes handling of insecure protocols in documentation?

Explanation:

When you have insecure protocols in use, the important practice is to identify them, justify why they’re needed, and specify what security controls are protecting cardholder data as compensating measures. This shows you’re actively managing risk rather than ignoring it, and it provides auditors with clear evidence of due diligence and a plan for remediation.

Providing documentation along with a business justification and describing the security features implemented is the best approach because it acknowledges the risk and demonstrates that you’ve put in place concrete measures to mitigate it. It also aligns with the PCI mindset that any exception to preferred secure protocols should be documented, justified by business needs, and accompanied by compensating controls such as encryption in transit, strong access controls, monitoring, and network segmentation.

The other ideas fall short because they either ignore the risk (relying on encryption elsewhere or assuming removal isn’t necessary) or skip the required justification. Immediate removal is ideal but not always feasible; documentation with justification and controls provides a practical path that still protects cardholder data while planning for remediation.
