ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A payment gateway is being deployed on an e-commerce web server that must comply with PCI DSS 4.0 requirements for protecting cardholder data in transit. The solution has to provide strong encryption, mutual authentication, and forward secrecy while requiring no additional software on customer devices. Which server configuration BEST meets these objectives?
SSL 3.0 using the 3DES_EDE_CBC_SHA cipher suite
TLS 1.0 configured to use RC4_128_MD5
IPsec tunnel mode with a static pre-shared key between client and server
TLS 1.2 configured to prefer the cipher suite ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Under PCI DSS 4.0, SSL 3.0 and early TLS versions such as 1.0 must not be used, and cipher suites that rely on outdated algorithms such as 3DES or RC4 are considered weak. TLS 1.2 (or higher) with a suite that uses ephemeral elliptic-curve Diffie-Hellman (ECDHE) provides perfect forward secrecy, because each session's keys are derived from per-connection ephemeral values rather than from the server's long-term key, and AES-GCM supplies confidentiality and built-in integrity protection; SHA-256 in the suite name refers to the hash used in TLS's pseudorandom function and handshake, not to a MAC on application data. TLS 1.2 with this suite also supports optional client-certificate authentication, which satisfies the mutual-authentication requirement without extra client software because modern browsers already implement TLS 1.2. By contrast, SSL 3.0 with 3DES and TLS 1.0 with RC4 are explicitly disallowed, and an IPsec tunnel with a static pre-shared key is not a standard mechanism for browser-based payments and does not guarantee forward secrecy. Therefore, preferring TLS 1.2 with the ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite is the most appropriate choice.
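As an added illustration (not part of the practice question), the checker below applies the same criteria the explanation uses to the three SSL/TLS options, numbered by their order on the page; the policy sets it encodes are assumptions for this example, not the text of PCI DSS 4.0.

```python
# Added illustration: checks a protocol/cipher-suite pair against the criteria
# the explanation uses. The policy sets below are assumptions, not PCI DSS text.
PROHIBITED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHERS = {"3DES", "DES", "RC4", "RC2", "NULL"}
FORWARD_SECRET_KX = {"ECDHE", "DHE"}      # ephemeral (EC)DH: fresh keys per session
AEAD_MODES = {"GCM", "CCM", "CHACHA20"}   # confidentiality and integrity together
WEAK_MACS = {"MD5", "SHA"}                # bare "SHA" in a suite name is SHA-1

def parse_suite(name):
    """Split e.g. ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 into key exchange, cipher,
    mode and hash. Names without WITH (3DES_EDE_CBC_SHA) are cipher-only."""
    tokens = [t for t in name.upper().split("_") if t != "TLS"]
    cut = tokens.index("WITH") if "WITH" in tokens else -1
    kx_part, cipher_part = tokens[:max(cut, 0)], tokens[cut + 1:]
    return {
        "kx": kx_part[0] if kx_part else None,
        "cipher": cipher_part[0],
        "mode": next((t for t in cipher_part if t in AEAD_MODES | {"CBC"}), None),
        "hash": cipher_part[-1],
    }

def evaluate(protocol, suite):
    """Return policy findings; an empty list means every criterion is met."""
    p = parse_suite(suite)
    findings = []
    if protocol in PROHIBITED_PROTOCOLS:
        findings.append(f"{protocol} is a prohibited protocol version")
    if p["kx"] not in FORWARD_SECRET_KX:
        findings.append("key exchange is not ephemeral: no forward secrecy")
    if p["cipher"] in WEAK_CIPHERS:
        findings.append(f"{p['cipher']} is a weak cipher")
    if p["mode"] not in AEAD_MODES:
        findings.append("non-AEAD mode: integrity depends on a separate MAC")
        # Only in a non-AEAD suite does the trailing hash name the MAC; in an
        # AEAD suite it names the PRF hash, as the explanation points out.
        if p["hash"] in WEAK_MACS:
            findings.append(f"{p['hash']} MAC is weak")
    return findings

# The three SSL/TLS options from the question, numbered by order on the page;
# the IPsec option has no suite name to parse, so it is not modelled here.
CANDIDATES = {
    "option1": ("SSLv3", "3DES_EDE_CBC_SHA"),
    "option2": ("TLSv1.0", "RC4_128_MD5"),
    "option4": ("TLSv1.2", "ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
}

def compliant_options():
    """Keys of the candidates that produce no findings."""
    return [k for k, (proto, suite) in CANDIDATES.items() if not evaluate(proto, suite)]
```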