PCI SSC QSA_New_V4 Qualified Security Assessor V4 Exam Exam Practice Test

Requirement 5.2.1.1clarifies thatanti-malware solutions are requiredonall in-scope systems,unlessthe system is evaluated asnot at risk for malware(e.g., Linux-based appliances with no Internet access). These risk evaluations must be documented and justified (5.2.3.1).

Option A:❌Incorrect. PCI DSS allows exceptions for systems not at risk.

Option B:❌Incorrect. Anti-malware applies to systems, not portable media per se.

Option C:❌Incorrect. Anti-malware scope is broader than just PAN-storing systems.

Option D:✅Correct. Systems not at risk can be excluded if justified and documented.

According toRequirement 8.2.1, PCI DSS mandates that all users be assigned aunique IDbefore accessing system components or cardholder data. This ensuresaccountability, enabling identification of actions taken by each user.

Option A:❌Incorrect. Password strength is addressed underRequirement 8.3, not unique ID.

Option B:❌Incorrect. Shared accounts areprohibitedregardless of admin status.

Option C:✅Correct. Unique IDs ensure thateach user's actions can be traced.

Option D:❌Incorrect. Group accounts are discouraged in favour of individual accountability.

Requirement 4.2.1.1states that PAN must beprotected with strong cryptographywhenever transmitted overopen or public networks, includingprivate wirelesswhere security is not assured. While not allprivate wired networksrequire encryption,wirelessis generally considered untrusted.

Option A:✅Correct. PAN must be encrypted overprivate wireless networksdue to potential interception risks.

Option B:❌Incorrect. Privatewirednetworks typically don’t require encryption unless they’re untrusted.

Option C & D:❌Incorrect. PANalways requires protectionover public networks.

PCI DSS Requirement 12.7 mandates that organizations perform background checks on personnel who have access to the cardholder data environment (CDE) to ensure that individuals with malicious intent do not gain access to sensitive cardholder data.​

Option A:Incorrect. While conducting background checks on all personnel is a good security practice, PCI DSS specifically requires checks for those with access to the CDE.​

Option B:Correct. Background checks are required for personnel with access to the CDE to mitigate the risk of insider threats.​

Option C:Incorrect. Visitors are not typically subjected to background checks but should be escorted and monitored while in sensitive areas.

Track equivalent data— whether from a magnetic stripe or embedded chip — falls underSensitive Authentication Data (SAD)and mustnot be stored after authorisation, even if encrypted. This is covered underRequirement 3.3.1and Table 3 in PCI DSS v4.0.1.

Option A:❌Incorrect. SADmust not be stored after authorisation, regardless of encryption.

Option B:✅Correct. Track equivalent data is explicitly defined asSAD.

Option C:❌Incorrect. SAD is fullyin-scopefor PCI DSS.

Option D:❌Incorrect. Requirement 3.2 and 3.3 specifically address SAD.

According toSection 7 – Description of Timeframes Used in PCI DSS Requirements, the PCI DSS defines "quarterly" as:

“An activity performed once per calendar quarter (i.e., one time in each three-month period), or as close as reasonably possible to the calendar quarter.”

Option A:✅Correct. This aligns precisely with PCI DSS’s definition —once in each three-month calendar quarter.

Option B:❌Incorrect. PCI DSS doesnotdefine quarterly by a fixed number of days.

Option C & D:❌Incorrect. Specific dates or months are not prescribed.

 Scope of Change-Detection Mechanisms

PCI DSS v4.0 requires the implementation of a change-detection mechanism (e.g., file-integrity monitoring) to monitor unauthorized changes to critical files.

Critical files include system configuration and parameter files, application executable files, and scripts used in administrative functions​​.

 Intent of Monitoring System Files

These files often control security settings and operational parameters of systems within the Cardholder Data Environment (CDE). Unauthorized changes could compromise system security.

 Exclusions

Documents like application vendor manuals and security policies do not qualify as files requiring integrity monitoring since they do not directly impact the security posture or operational functions of systems in the CDE.

PCI DSS allows for theuse of truncation and hashingfor protecting PAN, butRequirement 3.4.1and its guidance warn againstcombining hashed and truncated PANsin such a way that the original PAN could be reconstructed. If both formats exist,controls must ensurethey can't be used together to reverse-engineer the PAN.

Option A:✅Correct. Controls must ensure PAN cannot be reconstructed using both versions.

Option B:❌Incorrect. A hashed PAN does not need truncation — hashing is a separate mechanism.

Option C:❌Incorrect. PCI DSS aims to prevent correlation, not encourage it.

Option D:❌Incorrect. They can coexist, but must be secured so that PAN cannot be derived.

 Firewall Hardening:

Requirement 1.2 mandates that firewalls should be configured with only the necessary functionality to reduce attack surfaces. Disabling unused functions eliminates potential vulnerabilities​.

 Explanation of Other Options:

A:Shared accounts violate Requirement 8.1.5, which prohibits shared or generic accounts.

B:Allowing all traffic initially violates Requirement 1.2.1, which requires a restrictive firewall policy.

C:Synchronization of rules may not always be necessary, especially for firewalls with different scopes or roles.

According toRequirement 12.10.1, an effectiveincident response plan (IRP)must include steps to detect, respond to, and contain incidents such asunauthorised wireless access points. PCI DSS11.2.1also mandates quarterly rogue AP detection.

Option A:❌Incorrect. Notification to PCI SSC is not required; notification goes toacquirers/payment brands.

Option B:✅Correct. The IRP must includeresponse to unauthorised wireless access detection.

Option C:❌Incorrect. Records must beretained, not deleted.

Option D:❌Incorrect. Retaliatory or offensive actions arenot allowed or recommended.

 Attestation of Compliance (AOC):

The AOC is a document that confirms an entity’s compliance with PCI DSS requirements. It is signed by the entity (merchant or service provider) and the Qualified Security Assessor (QSA) if a QSA is involved.

 Different AOC Templates:

PCI DSS provides distinct templates for service providers and merchants, tailored to their respective roles and responsibilities within the cardholder data environment (CDE)​​.

 Invalid Options:

B:PCI SSC does not sign AOCs; they are signed by the merchant/service provider and the QSA.

C:AOCs differ between ROCs and SAQs, so the same template is not universally used.

D:Both the merchant/service provider and the QSA/ISA (Internal Security Assessor) must sign the AOC when applicable.

PerRequirement 7.2.5and8.2.2, PCI DSS recommends thatonly application-layer accessbe allowed to databases storing cardholder data, preventing users from issuing direct SQL queries or accessing the database via administrative tools.

Option A:✅Correct. Restricting database access toprogrammatic (application-layer) methodsis strongly preferred and aligns with PCI DSS guidance.

Option B:❌Incorrect. Admins should not have unrestricted access unless justified and monitored.

Option C:❌Incorrect. Application IDs must not be used interactively by individuals (Requirement 8.6.1).

Option D:❌Incorrect. Shared accounts are disallowed (Requirement 8.2.1).

Requirement 10.5.1.1requires thataudit logs be protected from unauthorised viewing and modification, and access should berestricted to individuals with a job-related need to view them. This principle aligns with least privilege and ensures accountability.

Option A:❌Incorrect. The person who performed the action may not need to view logs.

Option B:❌Incorrect. Read/write access istoo permissive.

Option C:❌Incorrect. Not all administrators need access to logs.

Option D:✅Correct. Access should bebased on job function.

TheSoftware Security Framework (SSF)is intended to support entities usingbespoke and custom softwarewithin the Cardholder Data Environment (CDE). If the software is developed and maintained in accordance with theSecure Software Lifecycle (SLC) Standard, it can help demonstrate secure software development practices and potentially reduce the number of applicable PCI DSS requirements.

Option A:Incorrect. Not all payment software qualifies unless developed under SSF standards.

Option B:Incorrect. PCI PTS devices follow different hardware security standards.

Option C:Incorrect. PA-DSS has been retired; those applications are now listed as “Acceptable Only for Pre-Existing Deployments”.

Option D:Correct. Software developed under the Secure SLC Standard may help an entity meet some requirements in PCI DSS Requirement 6.

 Scope of Anti-Malware Requirements

PCI DSS Requirement 5 mandates the use of anti-malware solutions on all in-scope systems unless the system is specifically documented as not being at risk from malware.

Examples of systems not at risk include those using operating systems that do not support anti-malware tools, provided proper justifications and alternative controls are implemented​​.

 Assessment Considerations

QSAs must verify and document why a system is considered "not at risk."

Systems storing, processing, or transmitting cardholder data or that could impact the CDE are generally in-scope for anti-malware​​.

 Incorrect Options

Option A: While CDE systems and connected systems require protection, the requirement applies specifically to systems at risk from malware.

Option B: Portable electronic storage is not explicitly called out for universal anti-malware but must be controlled in line with overall security policies.

Option C: Systems storing PAN are only a subset of in-scope systems.

Requirement 6.4.3.1clarifies that if live PANs are to be used in testing, the test environment mustmeet all applicable PCI DSS controls. Thus,testing with live PAN is only allowed if the test environment is within the CDEand fully secured.

Option A:❌Incorrect. Testing should not happen in production.

Option B:❌Incorrect. It must be within the CDE if live PAN is involved.

Option C:✅Correct. Live PANs can be used inpre-production environments within the CDE.

Option D:❌Incorrect. There’s no requirement to test only within QSA environments.

As perRequirement 2.2.1, the purpose of limiting each server to one primary function is toreduce the risk of functions with lower security needs compromising more critical functions.

Option A:❌Incorrect. PCI DSS discourages combining different security-level functions.

Option B:✅Correct. This is the intent: toprevent lower-security processes from weakening high-security environments.

Option C:❌Incorrect. Functions shouldn’t depend on one another for security.

Option D:❌Incorrect. PCI DSS encourages raising security, not lowering it.

True segmentation, as defined inPCI DSS Scope Guidance, requiresenforcing isolationsuch thatno network traffic is allowed between the CDE and out-of-scope systems, unless explicitly permitted and secured. This is the only way toreduce assessment scopereliably.

Option A:❌Incorrect. Monitoring alone does not restrict or prevent access.

Option B:❌Incorrect. Logging without restriction doesnot isolatethe CDE.

Option C:❌Incorrect. VLANs may be part of segmentation, but routing traffic alone doesn't reduce scope.

Option D:✅Correct. This describesproper segmentation: no uncontrolled traffic into the CDE.

 Customized Approach Overview:

Under PCI DSS v4.0, entities can use a Customized Approach to meet requirements by implementing controls tailored to their environment. This allows flexibility while still achieving the intent of the security requirement.

 Role of Assessors:

Assessors (QSAs) are responsible for evaluating both the implementation of customized controls and ensuring these controls fulfill the security objectives of the PCI DSS requirements​​.

QSAs must document the evaluation, evidence reviewed, and results in the Report on Compliance (ROC).

 Controls Matrix and Targeted Risk Analysis (TRA):

The Controls Matrix and TRA are key components of the Customized Approach. QSAs assist in verifying the accuracy and completeness of these tools during assessments​​.

 Documenting in the ROC:

The ROC must include a narrative explaining the assessor’s findings regarding the customized control, validation methods, and any evidence collected​.

 Relevant PCI DSS v4.0 Guidance:

Appendix D and E of the PCI DSS v4.0 ROC Template emphasize that QSAs can evaluate and confirm adherence to the Customized Approach provided this is documented comprehensively in the ROC​.

Internal vulnerability scanning is addressed underRequirement 11.3.1. According to PCI DSS, internal vulnerability scansmust be conducted at least once every three monthsandafter any significant changein the environment, such as new system components, changes in network topology, firewall rule changes, or product upgrades.

Option A:Correct. Scans must be performed after significant changes.

Option B:Incorrect. Internal scansdo not require an ASV. ASVs are required for external vulnerability scans (Requirement 11.3.2).

Option C:Incorrect. A QSA is not required to perform internal scans. They can be performed by qualified internal staff or third-party providers.

Option D:Incorrect. Internal scans arerequired quarterly, not annually.

PCI DSS allows an entity touse both Defined and Customized Approaches, including for different sub-requirements of the same primary requirement,as long as they are eligible and justified. Entities might use the Defined Approach for standard controls and the Customized Approach where flexibility is needed.

Option A:Incorrect. PCI DSS explicitly allows mixed use per Requirement 8 guidance.

Option B:Incorrect. Compensating controls are separate from the Customized Approach.

Option C:Incorrect. Eligibility is not based solely on the absence of compensating controls.

Option D:Correct. Mixed approaches are allowed if eligibility requirements are met.

UnderAppendix D – Customized Approach, it is clearly stated that theentity is responsiblefor completing theControls Matrixand theTargeted Risk Analysis (TRA). The assessor may assist in completion, but accountability for content lies with the entity.

Option A:Incorrect. QSAs may assist but are not solely responsible.

Option B:Incorrect. This overstates who is responsible; only the entity is ultimately accountable.

Option C:Correct. The entity being assessed is responsible for completing the Controls Matrix and TRA.

Option D:Incorrect. Card brands or acquirers are not involved in document creation.