PCI SSC QSA_New_V4 Qualified Security Assessor V4 Exam Exam Practice Test

 PCI PIN Transaction Security (PTS) Standard:

The PCI PTS standard focuses on securing Point-of-Interaction (POI) devices, such as payment terminals, that process payment card transactions and protect account data during capture​​.

 Clarifications on Covered Areas:

This standard includes specifications for physical and logical security controls to prevent unauthorized access to sensitive cardholder data on POI devices.

 Invalid Options:

B:Secure coding practices are addressed by PCI PA-DSS (Payment Application Data Security Standard).

C:Cryptographic algorithm development is not specific to PCI PTS.

D:End-to-end encryption solutions are not covered under PCI PTS.

PerRequirement 2.2.5, allinsecure and unnecessary services, protocols, daemons, or functionsmust be disabled. This includes unnecessary features on firewalls and other devices. Disabling unneeded functions reduces the attack surface and aligns with secure configuration principles.

Option A:❌Incorrect. Shared accounts violateRequirement 8.2.1, which mandatesunique IDs.

Option B:❌Incorrect. Allowing all traffic is a violation ofRequirement 1.2.1, which requires "deny all unless explicitly allowed".

Option C:❌Incorrect. Synchronizing rules may be useful but does not directly relate to hardening.

Option D:✅Correct. Disabling unused firewall features aligns with secure configuration.

 Requirement for Secure Transmission:

PCI DSS Requirement 4.1 mandates that cardholder data sent over open public networks must be protected with strong cryptographic protocols. Accepting only trusted keys ensures data integrity and prevents unauthorized access​​.

 Key Validation Practices:

Trusted keys and certificates are verified to ensure authenticity. Using untrusted keys compromises the security of the encrypted communication.

 Prohibited Practices:

A/D:Configuring protocols to accept all certificates or lower encryption strength violates PCI DSS encryption guidelines.

B:Proprietary protocols are not inherently compliant unless they meet strong cryptographic standards.

 Testing and Verification:

Assessors verify the implementation of trusted keys by examining encryption settings, reviewing certificate chains, and conducting tests to confirm only trusted connections are accepted​​.

According toPCI DSS Scope Definitions (Section 4.2.1), any system thatcan impact the security of the CDEisin scope, even if it doesn’t store cardholder data. An LDAP server providing authentication to systems in the CDEdirectly affects access control, so it'sin scope.

Option A:✅Correct. Systems providingauthentication services to the CDEarein scope.

Option B:❌Incorrect. LDAP does not need to store card data to be in scope.

Option C:❌Incorrect. Influence over access security makes it in scope regardless of data processing.

Option D:❌Incorrect. Scope isn’t limited to DMZ-linked systems.

UnderRequirement 4.2.1.1, PAN (Primary Account Number) must be protected usingstrong cryptographywhenever it is transmitted overopen, public networks, including the Internet. Assessors are expected to verify that the cryptographic protocols (e.g., TLS 1.2 or higher) are properly implemented and that weak protocols (e.g., SSL, early TLS) are disabled.

Option A:❌Incorrect. Supporting earlier protocol versions (e.g., SSL, TLS 1.0) isnon-compliant.

Option B:✅Correct. Strong encryption (e.g., AES over TLS 1.2 or higher) must be verified.

Option C:❌Incorrect. Acceptingall certificatescould allowMITM (Man-in-the-Middle)attacks.

Option D:❌Incorrect. Deleting PAN after transmission is not a substitute for protecting it during transmission.

PCI DSS clearly states inRequirement 11.4.5and in theScoping Guidancethat if segmentation is used, the assessor must verify thesegmentation is effective— meaning it must be technically and operationally validated to ensure that it properly isolates the Cardholder Data Environment (CDE) from out-of-scope networks.

Option A:Too narrow. While allowing only necessary traffic is important, the verification involves more than that.

Option B:Incorrect. Payment brands do not “approve” segmentation.

Option C:Incorrect. PCI DSS focuses on effectiveness, not brand-specific device use.

Option D:Correct. Assessor must ensure that segmentation controls areproperly configured and function as intended.

Requirement 1.3.7andRequirement 3.3.1emphasise thatdatabases storing cardholder data must not be directly accessible from the Internet or untrusted networks. The database must be behind firewalls and accessible only via controlled, authorised connections.

Option A:❌Incorrect. Combining servers may violate the one-function-per-server rule (Requirement 2.2.1).

Option B:✅Correct. The database must be protected fromdirect public access.

Option C:❌Incorrect. Web servers often reside in the DMZ; moving them internally could increase risk.

Option D:❌Incorrect. Network performance is not a PCI DSS concern —security isolation is.

According toRequirement 9.3.1and9.4.1.2, physical access control mechanisms — including badge readers — must beprotected against tampering or disablingto prevent unauthorized access and maintain the integrity of access logs.

Option A:Correct. Physical access control systems must be protected from tampering.

Option B:Incorrect. Video cameras are requiredonly where appropriate; badge access may suffice.

Option C:Incorrect. Access logs must beretained for at least three months, not deleted monthly (see 9.4.1.3).

Option D:Incorrect. Motion sensors are not specifically required.

According toSection 12.2.3.3 of PCI DSS v4.0.1, aPartial Assessmentis defined as a result whereat least one PCI DSS requirement is marked as “Not Tested.”This is typically seen duringgap assessments or pre-validation efforts, not official compliance validation.

Option A:❌Incorrect. SAQs are self-assessments; Partial Assessment is a different concept.

Option B:❌Incorrect. Interim drafts are not labeled as “Partial”.

Option C:❌Incorrect. That is a misinterpretation of segmentation by payment channel.

Option D:✅Correct. "Not Tested" = Partial Assessment.

Stateful inspection (or stateful packet filtering)tracks the state of active connections and determines which packets are part of a valid session.Requirement 1.4.2references the use of network security controls (NSCs) withstateful filteringcapability to allow legitimate trafficonly in response to trusted requests.

Option A:❌Incorrect. Firewall admin procedures are not what “stateful” refers to.

Option B:✅Correct. “Stateful responses” mean tracking existing connections toblock unauthorised or spoofed responses.

Option C:❌Incorrect. That describes configuration management, not stateful filtering.

Option D:❌Incorrect. Logging is important but not part of stateful inspection.

Internal vulnerability scanning is addressed underRequirement 11.3.1. According to PCI DSS, internal vulnerability scansmust be conducted at least once every three monthsandafter any significant changein the environment, such as new system components, changes in network topology, firewall rule changes, or product upgrades.

Option A:Correct. Scans must be performed after significant changes.

Option B:Incorrect. Internal scansdo not require an ASV. ASVs are required for external vulnerability scans (Requirement 11.3.2).

Option C:Incorrect. A QSA is not required to perform internal scans. They can be performed by qualified internal staff or third-party providers.

Option D:Incorrect. Internal scans arerequired quarterly, not annually.

Requirement 4.2.1.1states that PAN must beprotected with strong cryptographywhenever transmitted overopen or public networks, includingprivate wirelesswhere security is not assured. While not allprivate wired networksrequire encryption,wirelessis generally considered untrusted.

Option A:✅Correct. PAN must be encrypted overprivate wireless networksdue to potential interception risks.

Option B:❌Incorrect. Privatewirednetworks typically don’t require encryption unless they’re untrusted.

Option C & D:❌Incorrect. PANalways requires protectionover public networks.

PCI DSSRequirement 11.5.2mandates the use of file-integrity monitoring (FIM) or change-detection tools to monitorcritical filessuch as system binaries, configuration files, and system parameters.

Option A:❌Incorrect. Manuals are not critical system files.

Option B:❌Incorrect. Regularly changing files (e.g., logs or temp files) are typically excluded.

Option C:❌Incorrect. Policies and procedures are reviewed but not subject to FIM.

Option D:✅Correct. System config and parameter files must bemonitored for unauthorised changes.

 Customized Approach Overview:

Under PCI DSS v4.0, entities can use a Customized Approach to meet requirements by implementing controls tailored to their environment. This allows flexibility while still achieving the intent of the security requirement.

 Role of Assessors:

Assessors (QSAs) are responsible for evaluating both the implementation of customized controls and ensuring these controls fulfill the security objectives of the PCI DSS requirements​​.

QSAs must document the evaluation, evidence reviewed, and results in the Report on Compliance (ROC).

 Controls Matrix and Targeted Risk Analysis (TRA):

The Controls Matrix and TRA are key components of the Customized Approach. QSAs assist in verifying the accuracy and completeness of these tools during assessments​​.

 Documenting in the ROC:

The ROC must include a narrative explaining the assessor’s findings regarding the customized control, validation methods, and any evidence collected​.

 Relevant PCI DSS v4.0 Guidance:

Appendix D and E of the PCI DSS v4.0 ROC Template emphasize that QSAs can evaluate and confirm adherence to the Customized Approach provided this is documented comprehensively in the ROC​.

Requirement10.2.2mandates that all access to audit trails must be logged. This ensures that any tampering, viewing, or deletion of audit data is traceable. It supports the broader goal of maintaining audit trail integrity and accountability.

Option A:Incorrect. PCI DSS does not require logging use of end-user messaging.

Option B:Incorrect. There’s no explicit requirement to log access to external websites.

Option C:Correct. PCI DSS mandates loggingall access to audit trailsto detect and respond to unauthorised attempts.

Option D:Incorrect. Logging all network transmissions is not feasible and not required.

Compensating controls are alternative measures implemented when an entity cannot meet a specific PCI DSS requirement due to legitimate technical or business constraints. These controls must sufficiently mitigate the associated risk and be commensurate with the intent of the original PCI DSS requirement.​

Option A:Incorrect. Even if all other PCI DSS requirements are met, a compensating control is necessary when a specific requirement cannot be directly satisfied.​

Option B:Correct. A compensating control must effectively address and mitigate the risk associated with the inability to meet a particular PCI DSS requirement.​

Option C:Incorrect. While existing controls can support a compensating control, they must collectively address the risk of the unmet requirement and cannot merely be another existing PCI DSS requirement.​

Option D:Incorrect. A compensating control worksheet is mandatory to document the rationale, assessment, and validation of the compensating control, regardless of acquirer approval.​

For detailed guidance on compensating controls, refer toAppendix B: Compensating Controlsin thePCI DSS v4.0.1document.​

According toRequirement 3.5.1.2, whendisk-level encryptionis used (e.g., full disk encryption), access control must beseparate from the operating systemto prevent unauthorised users from bypassing controls by booting the system.

Option A:✅Correct. Disk encryption must useindependent authentication mechanisms.

Option B:❌Incorrect. Sharing authentication with the OSviolates independence.

Option C:❌Incorrect. Association with local accounts may not ensure separate access control.

Option D:❌Incorrect. Key storage within user accounts is not secure or compliant.

PerSection 6 – Sampling for PCI DSS Assessments, the assessor must ensure the sample of business facilitiesincludes all types and locations, reflecting different operational environments. The goal is to cover variations that might affect compliance, such as data centers vs. call centers, or regional differences.

Option A:Incorrect. Each assessment may require a different sample depending on the environment.

Option B:Incorrect. There is no fixed 10% requirement for facility sampling.

Option C:Incorrect. A full review of every facility isn't required if representative sampling is used appropriately.

Option D:Correct. The samplingmust include all types and locationsof facilities to be valid.

Formulti-tenant service providers,isolation and segmentationare critical. As perRequirement 12.10.3, each customer’s environment must besegregated and protectedsuch that no tenant can access another’s data or systems.

Option A:✅Correct. This is the foundational control —isolation of customer environments.

Option B:❌Incorrect. Exposing system config files is a security risk.

Option C:❌Incorrect. Shared user IDs areexplicitly prohibitedby Requirement 8.2.1.

Option D:❌Incorrect. Customers should only access their own logs.

There areseparate Attestation of Compliance (AOC) templatesfor different use cases, specifically formerchantsandservice providers, and forSAQsversusROCs. Each template is tailored to match the reporting needs of that assessment type.

Option A:✅Correct. PCI SSC publishes distinct AOC templates depending on whether the entity is a merchant or service provider, and depending on whether they are completing an SAQ or ROC.

Option B:❌Incorrect. The AOC is not signed by PCI SSC. It must be signed by the assessed entity and, where applicable, the QSA or ISA.

Option C:❌Incorrect. ROCs and SAQs use different AOC formats.

Option D:❌Incorrect. Both the entity and the assessor (if applicable)mustsign.

 Testing with Live PANs

PCI DSS Requirement 6.4.3 requires that live PANs (Primary Account Numbers) only be used in secure and controlled environments within the CDE.

Pre-production environments located within the CDE must adhere to all PCI DSS requirements for security and monitoring​​.

 Prohibited Uses

Testing with live PANs in environments outside the CDE violates PCI DSS. Only simulated data should be used in less secure testing environments.

 Incorrect Options

Option A: Production environments are for real transactions, not testing.

Option B: Test environments outside the CDE are insecure for live PANs.

Option D: The QSA environment is irrelevant to the organization’s CDE testing controls.

As specified underRequirement 11.5.2.1, comparisons of critical files (e.g., config files, executables) using change-detection mechanisms (e.g., FIM tools)must occur at least weekly. This ensures timely detection of unauthorized changes or tampering.

Option A:✅Correct. Weekly is theminimum frequencyrequired.

Option B:❌Incorrect. A defined "period" is not sufficient unless it's weekly or more frequent.

Option C:❌Incorrect. Scans should not wait for changes; they should detectunexpectedones.

Option D:❌Incorrect. Monthly is too infrequent for PCI DSS compliance.