critical systems must have correct and consistent time, which means they should use a reliable time source and synchronize their clocks with other systems. This is one of the requirements for ensuring that critical systems have accurate time.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , the assessor may use either their own template or the ROC Reporting Template provided by PCI SSC. This is one of the requirements for ensuring consistency and accuracy in ROCs.

PCI DSS Requirement 9.1.1 requires entities to use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment (CDE) 1 . A badge access-control system is one example of such a control, as it can identify who entered and exited the server room and when.  However, this control is only effective if it is protected from tampering or disabling by unauthorized persons, as PCI DSS Requirement 9.1.2 states 1 . Otherwise, the access-control system could be bypassed or compromised, allowing unauthorized access to the systems that store encrypted PAN data. Therefore, the badge access-control system must be protected from tampering or disabling, as stated in option A.

The other options are not true regarding PCI DSS physical security requirements for a server room.  Option B is not true because PCI DSS does not mandate the use of video cameras in addition to the existing access-control system, although it is a recommended best practice 2 .  Option C is not true because PCI DSS does not specify a data retention period for the access-control system, although it requires entities to retain audit trail history for at least one year, with a minimum of three months immediately available for analysis 3 .  Option D is not true because PCI DSS does not require the use of motion-sensing alarms in addition to the existing access-control system, although it is another recommended best practice 2 .  References :

PCI DSS v3.2.1

PCI DSS Requirement 9: Upping Your Physical Security

PCI DSS Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , visitors are escorted at all times within areas where cardholder data is processed or maintained, visitor badges are identical to badges used by onsite personnel, visitor log includes visitor name, address, and contact phone number, visitors retain their identification (for example a visitor badge) for 30 days after completion of the visit. These are some examples of procedures that must be included in an organization’s procedures for managing visitors who access in-scope systems where cardholder data is processed or maintained.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , screening and background checks for personnel with access to the cardholder data environment are required, as they may pose a risk if they have compromised or stolen cardholder data in the past or present. This is one of the requirements for ensuring that personnel with access to cardholder data are qualified and trustworthy.

when PAN is sent over the Internet, PAN must be encrypted with strong cryptography, which means it should use encryption techniques such as WEP, WPA, WPA2, or TLS/SSL to prevent unauthorized access or interception. This is one of the requirements for ensuring that PAN is protected from unauthorized access or interception.

PCI DSS Requirement 12.10.1 requires entities to implement an incident response plan that includes roles, responsibilities, and communication and contact strategies for a data security incident, including notification of relevant payment brands 1 .  This is important because each payment card brand has its own policies and procedures for dealing with a security breach, and failing to follow them or meet reporting deadlines could result in fines or loss of authority to process payment card transactions 2 .  Therefore, an incident response plan must include procedures for notifying PCI SSC of the security incident, as well as any other entities that may require notification, whether by contract or law 1 .  References :

Guidance for PCI DSS Scoping and Network Segmentation

Responding to a Cardholder Data Breach