Which baseline setting should an access control system enforce by default to protect cardholder data?


Multiple Choice


Explanation:
The correct choice is a default "deny-all" setting. Starting from a deny-by-default posture is the safest way to control access to cardholder data: nothing is permitted unless a specific, reviewed authorization grants it, so accidental or malicious access cannot slip through a gap that nobody wrote a rule for. This is the principle of least privilege: people and systems get only the access they need to do their job, and nothing more. PCI DSS Requirement 7 makes this explicit by restricting access to system components and cardholder data by business need to know and requiring the access control system to default to "deny all"; the access that is granted must be tied to authenticated, authorized identities and must be auditable. If access were allowed by default, or if internal requests were trusted more than external ones without an explicit control, the attack surface would be far larger and harder to manage. Granting access to all system components likewise contradicts least privilege and significantly increases risk. Granting access only through explicit, justified rules keeps controls tight and makes permissions easy to review, revoke, and monitor.
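As an added illustration (not part of the exam material or of any PCI DSS text), the Python sketch below shows what the explanation above looks like in code: a policy that holds only explicit, justified allow rules, falls through to a configurable default for anything unmatched, ignores the request's network source when deciding, records every decision for audit, and revokes access simply by deleting a rule. The roles, resource names and the "CHG-…" justification format are assumptions made for the example; running it with `default_decision="allow"` shows how the allow-by-default anti-pattern lets unmatched internal requests through.

```python
"""Deny-by-default access control evaluator.

Added illustration for the explanation above; it is not PCI DSS text or any
vendor's product. Roles, resource names and the justification format are
assumptions made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rule:
    """One explicit, justified allow rule. There are no deny rules: anything
    not matched by an allow rule is decided by the policy's default."""
    role: str
    resource: str        # exact name, or a prefix ending in '*'
    action: str          # e.g. "read", "write"
    justification: str   # approval/ticket reference (assumed format: "CHG-1234")

    def matches(self, role: str, resource: str, action: str) -> bool:
        if self.role != role or self.action != action:
            return False
        if self.resource.endswith("*"):
            return resource.startswith(self.resource[:-1])
        return resource == self.resource


@dataclass
class AccessRequest:
    principal: str
    role: str
    resource: str
    action: str
    source: str = "internal"   # recorded for the audit trail, never used to decide


@dataclass
class Policy:
    default_decision: str = "deny"      # the PCI DSS baseline; "allow" is the anti-pattern
    rules: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        # Every allow rule must carry a reviewable justification.
        if not rule.justification.strip():
            raise ValueError("allow rules require a justification reference")
        self.rules.append(rule)

    def revoke(self, role: str, resource: str, action: str) -> int:
        """Remove matching rules; returns how many were revoked. Because the
        default is deny, revocation needs no compensating deny rule."""
        keep = [r for r in self.rules
                if not (r.role == role and r.resource == resource and r.action == action)]
        revoked = len(self.rules) - len(keep)
        self.rules = keep
        return revoked

    def evaluate(self, req: AccessRequest) -> bool:
        """Return True if access is granted. Only an explicit rule can grant;
        an unmatched request falls through to default_decision."""
        rule = next((r for r in self.rules
                     if r.matches(req.role, req.resource, req.action)), None)
        allowed = rule is not None or self.default_decision == "allow"
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "principal": req.principal,
            "role": req.role,
            "resource": req.resource,
            "action": req.action,
            "source": req.source,
            "decision": "ALLOW" if allowed else "DENY",
            "matched_rule": rule.justification if rule else None,
        })
        return allowed


def demo(default_decision: str = "deny") -> dict:
    """Constructed scenario; returns the decisions so they can be checked."""
    policy = Policy(default_decision=default_decision)
    policy.add_rule(Rule("cashier", "pos/transactions", "write", "CHG-1001"))
    policy.add_rule(Rule("fraud-analyst", "cde/cardholder-db/*", "read", "CHG-1002"))

    results = {
        # explicitly allowed by a justified rule
        "cashier_write_pos": policy.evaluate(
            AccessRequest("alice", "cashier", "pos/transactions", "write")),
        # same role, different resource and action: no rule, so the default decides
        "cashier_read_cde": policy.evaluate(
            AccessRequest("alice", "cashier", "cde/cardholder-db/pan", "read")),
        # the internal network earns no implicit trust: no rule, the default decides
        "dba_internal_read_cde": policy.evaluate(
            AccessRequest("bob", "dba", "cde/cardholder-db/pan", "read", source="internal")),
        # the prefix rule covers the analyst's read
        "analyst_read_cde": policy.evaluate(
            AccessRequest("carol", "fraud-analyst", "cde/cardholder-db/pan", "read")),
    }
    # Revoking the analyst's rule is enough to close that path again.
    results["revoked"] = policy.revoke("fraud-analyst", "cde/cardholder-db/*", "read")
    results["analyst_read_cde_after_revoke"] = policy.evaluate(
        AccessRequest("carol", "fraud-analyst", "cde/cardholder-db/pan", "read"))
    results["audit_entries"] = len(policy.audit)
    return results


if __name__ == "__main__":
    for default in ("deny", "allow"):
        print(f"default={default}: {demo(default)}")
```

With the default left at "deny", the DBA's request from the internal network and the cashier's read of the cardholder database are both refused because no rule names them, and removing the analyst's rule is all that is needed to revoke that access. Switching the default to "allow" reverses every one of those unmatched decisions, which is exactly the enlarged, hard-to-review attack surface the explanation warns about.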

