PCI SSC QSA_New_V4 Qualified Security Assessor V4 Exam Exam Practice Test

Scope definition in PCI DSS v4.0.1 (Section 4)includesany system that can impact the security of the CDE. Time synchronization servers such asNTParecritical to log integrity(Requirement 10.6), and if they provide services to CDE systems,they are in scopeeven if they do not directly process cardholder data.

Option A:❌Incorrect. Scope is broader than just databases.

Option B:❌Incorrect. Time serversimpact log security, so they are in scope.

Option C:❌Incorrect. PCI DSS scope includes systems thataffect the securityof CDE, not just those storing card data.

Option D:✅Correct. Internal NTP servers providing services to the CDE arein scope.

 Attestation of Compliance (AOC):

The AOC is a document that confirms an entity’s compliance with PCI DSS requirements. It is signed by the entity (merchant or service provider) and the Qualified Security Assessor (QSA) if a QSA is involved.

 Different AOC Templates:

PCI DSS provides distinct templates for service providers and merchants, tailored to their respective roles and responsibilities within the cardholder data environment (CDE)​​.

 Invalid Options:

B:PCI SSC does not sign AOCs; they are signed by the merchant/service provider and the QSA.

C:AOCs differ between ROCs and SAQs, so the same template is not universally used.

D:Both the merchant/service provider and the QSA/ISA (Internal Security Assessor) must sign the AOC when applicable.

According toRequirement 2.2.6,default passwords must be changed before systems are installed on the network. The use of default credentials (such as "admin/admin") presents a major security risk and is a well-known vector for breaches.

Option A:❌Incorrect. Changing within 30 days is not soon enough per PCI DSS.

Option B:❌Incorrect. Resetting to default would defeat the purpose of secure configuration.

Option C:✅Correct. The requirement is to change default passwordsprior to network connection.

Option D:❌Incorrect. Password expiration policies are a separate topic under Requirement 8.

PerRequirement 2.2.5, allinsecure and unnecessary services, protocols, daemons, or functionsmust be disabled. This includes unnecessary features on firewalls and other devices. Disabling unneeded functions reduces the attack surface and aligns with secure configuration principles.

Option A:❌Incorrect. Shared accounts violateRequirement 8.2.1, which mandatesunique IDs.

Option B:❌Incorrect. Allowing all traffic is a violation ofRequirement 1.2.1, which requires "deny all unless explicitly allowed".

Option C:❌Incorrect. Synchronizing rules may be useful but does not directly relate to hardening.

Option D:✅Correct. Disabling unused firewall features aligns with secure configuration.

PCI DSSRequirement 6.3.1requires entities toassign a risk rankingto vulnerabilities (e.g., high, medium, low) to ensure thatremediation efforts are prioritised. This risk-based approach helps organisations focus resources where they are most needed.

Option A:❌Incorrect. Timeframes depend on the severity and internal policy, not always 30 days.

Option B:❌Incorrect. Risk ranking supports remediation but doesn’t replace scanning.

Option C:✅Correct. The purpose is toprioritise higher-risk itemsfor faster action.

Option D:❌Incorrect. Patch frequency is addressed elsewhere (Requirement 6.3.3).

 PCI DSS Reporting Expectations:

When documenting that a requirement is "In Place," the ROC must clearly describe how compliance was validated by the assessor. This involves detailing the evidence observed, such as system configurations, documentation, and personnel interviews​.

 ROC Documentation Guidelines:

The ROC Reporting Template specifies that each "In Place" response must include evidence demonstrating compliance with the requirement, such as testing observations and validation of implemented controls​.

 Eliminating Incorrect Options:

A:Project plans are not sufficient to demonstrate current compliance.

C/D:Responses discussing non-implementation or non-compliance are irrelevant when the requirement is "In Place."

 PCI DSS v4.0 ROC Template Guidance:

Appendix sections in the ROC provide specific instructions for assessors to document the testing performed, evidence reviewed, and results​.

According toRequirement 9.3.1and9.4.1.2, physical access control mechanisms — including badge readers — must beprotected against tampering or disablingto prevent unauthorized access and maintain the integrity of access logs.

Option A:Correct. Physical access control systems must be protected from tampering.

Option B:Incorrect. Video cameras are requiredonly where appropriate; badge access may suffice.

Option C:Incorrect. Access logs must beretained for at least three months, not deleted monthly (see 9.4.1.3).

Option D:Incorrect. Motion sensors are not specifically required.

Formulti-tenant service providers,isolation and segmentationare critical. As perRequirement 12.10.3, each customer’s environment must besegregated and protectedsuch that no tenant can access another’s data or systems.

Option A:✅Correct. This is the foundational control —isolation of customer environments.

Option B:❌Incorrect. Exposing system config files is a security risk.

Option C:❌Incorrect. Shared user IDs areexplicitly prohibitedby Requirement 8.2.1.

Option D:❌Incorrect. Customers should only access their own logs.

 Mandatory ROC Template

PCI DSS v4.0 mandates the use of the PCI SSC-provided ROC Template for all Reports on Compliance​​.

This ensures standardization, completeness, and accuracy in documenting compliance assessments.

 Sections of the ROC Template

The ROC includes mandatory sections:

Assessment Overview:General details, scope validation, and assessment findings.

Findings and Observations:Detailed compliance status per requirement.

 Prohibited Practices

Assessors cannot use self-created ROC templates. Deviation from the PCI SSC-approved template may result in rejection of the report​​.

 Key Changes in v4.0

Enhanced focus on the integrity of reporting and inclusion of specific findings to ensure alignment with PCI DSS objectives.

Added support for the customized approach within the ROC structure​​.

PCI DSSRequirement 12.1.1requires that security policies and procedures be disseminated to all relevant personnel and that those individualsunderstand and acknowledgethe policies. While review and update frequencies are also part of compliance, the most complete and correct answer is that policies must be shared with affected parties.

Option A:Incorrect. Encryption is not specifically required for policy documents.

Option B:Incorrect. Limiting access to only management contradicts the requirement for distribution.

Option C:Incorrect. The correct review cycle per Requirement 12.1.2 isannually, not quarterly.

Option D:Correct. Policies and procedures must be understood and acknowledged by all affected parties.

 Requirement Context:

PCI DSS Requirement 12.5 mandates that security policies and operational procedures are not only documented but also distributed to relevant parties to ensure clarity and compliance.

 Importance of Distribution and Awareness:

All affected parties, including employees, contractors, and third parties with access to the cardholder data environment (CDE), must receive and understand the policies. This ensures they adhere to the security measures​​.

 Review and Updates:

Security policies must be kept up to date and reviewed at least annually or after significant changes in the environment. While other options such as encryption or restricted access are important for security, the critical focus is on distribution and awareness to ensure operational effectiveness​​.

 Testing and Validation:

During assessments, QSAs validate the implementation by examining training records, communication logs, and acknowledgment forms signed by affected parties​​.

 Relevant PCI DSS v4.0 Guidance:

Section 12.5.1 of PCI DSS v4.0 outlines that the dissemination of policies must ensure that all personnel understand their roles in securing the environment​​.

According toRequirement 3.5.1.2, whendisk-level encryptionis used (e.g., full disk encryption), access control must beseparate from the operating systemto prevent unauthorised users from bypassing controls by booting the system.

Option A:✅Correct. Disk encryption must useindependent authentication mechanisms.

Option B:❌Incorrect. Sharing authentication with the OSviolates independence.

Option C:❌Incorrect. Association with local accounts may not ensure separate access control.

Option D:❌Incorrect. Key storage within user accounts is not secure or compliant.

PerRequirement 7.2.5and8.2.2, PCI DSS recommends thatonly application-layer accessbe allowed to databases storing cardholder data, preventing users from issuing direct SQL queries or accessing the database via administrative tools.

Option A:✅Correct. Restricting database access toprogrammatic (application-layer) methodsis strongly preferred and aligns with PCI DSS guidance.

Option B:❌Incorrect. Admins should not have unrestricted access unless justified and monitored.

Option C:❌Incorrect. Application IDs must not be used interactively by individuals (Requirement 8.6.1).

Option D:❌Incorrect. Shared accounts are disallowed (Requirement 8.2.1).

PerRequirement 10.5.1.2, audit logs must be retained forat least one year, and the mostrecent three months must be readily availablefor analysis. This ensures traceability of security events over both short and longer-term periods.

Option A:✅Correct. Matches both duration and availability criteria.

Option B:❌Incorrect. Two years is not required.

Option C:❌Incorrect. The retention period is misstated.

Option D:❌Incorrect. One month is insufficient for immediate access.

Sampling is a legitimate method under PCI DSS for assessing a representative subset of system components and locations.Section 6 – Sampling for PCI DSS Assessmentsoutlines thatsampling of business facilities and system componentsis allowed, as long as it’s justified, consistent, and documented.

Option A:Incorrect. PCI DSS requirements themselvescannotbe sampled.

Option B:Incorrect.Compensating controls must be assessed in full, not sampled.

Option C:Correct. Sampling may apply tobusiness facilities and system componentsto make the assessment more efficient.

Option D:Incorrect.Policies and proceduresmust be evaluated in full.

 Testing with Live PANs

PCI DSS Requirement 6.4.3 requires that live PANs (Primary Account Numbers) only be used in secure and controlled environments within the CDE.

Pre-production environments located within the CDE must adhere to all PCI DSS requirements for security and monitoring​​.

 Prohibited Uses

Testing with live PANs in environments outside the CDE violates PCI DSS. Only simulated data should be used in less secure testing environments.

 Incorrect Options

Option A: Production environments are for real transactions, not testing.

Option B: Test environments outside the CDE are insecure for live PANs.

Option D: The QSA environment is irrelevant to the organization’s CDE testing controls.

Requirement 10.5.1.1requires thataudit logs be protected from unauthorised viewing and modification, and access should berestricted to individuals with a job-related need to view them. This principle aligns with least privilege and ensures accountability.

Option A:❌Incorrect. The person who performed the action may not need to view logs.

Option B:❌Incorrect. Read/write access istoo permissive.

Option C:❌Incorrect. Not all administrators need access to logs.

Option D:✅Correct. Access should bebased on job function.

Requirement 6.4.3.1clarifies that if live PANs are to be used in testing, the test environment mustmeet all applicable PCI DSS controls. Thus,testing with live PAN is only allowed if the test environment is within the CDEand fully secured.

Option A:❌Incorrect. Testing should not happen in production.

Option B:❌Incorrect. It must be within the CDE if live PAN is involved.

Option C:✅Correct. Live PANs can be used inpre-production environments within the CDE.

Option D:❌Incorrect. There’s no requirement to test only within QSA environments.

Track equivalent data— whether from a magnetic stripe or embedded chip — falls underSensitive Authentication Data (SAD)and mustnot be stored after authorisation, even if encrypted. This is covered underRequirement 3.3.1and Table 3 in PCI DSS v4.0.1.

Option A:❌Incorrect. SADmust not be stored after authorisation, regardless of encryption.

Option B:✅Correct. Track equivalent data is explicitly defined asSAD.

Option C:❌Incorrect. SAD is fullyin-scopefor PCI DSS.

Option D:❌Incorrect. Requirement 3.2 and 3.3 specifically address SAD.

UnderAppendix D – Customized Approach, it is clearly stated that theentity is responsiblefor completing theControls Matrixand theTargeted Risk Analysis (TRA). The assessor may assist in completion, but accountability for content lies with the entity.

Option A:Incorrect. QSAs may assist but are not solely responsible.

Option B:Incorrect. This overstates who is responsible; only the entity is ultimately accountable.

Option C:Correct. The entity being assessed is responsible for completing the Controls Matrix and TRA.

Option D:Incorrect. Card brands or acquirers are not involved in document creation.

 Scope of Anti-Malware Requirements

PCI DSS Requirement 5 mandates the use of anti-malware solutions on all in-scope systems unless the system is specifically documented as not being at risk from malware.

Examples of systems not at risk include those using operating systems that do not support anti-malware tools, provided proper justifications and alternative controls are implemented​​.

 Assessment Considerations

QSAs must verify and document why a system is considered "not at risk."

Systems storing, processing, or transmitting cardholder data or that could impact the CDE are generally in-scope for anti-malware​​.

 Incorrect Options

Option A: While CDE systems and connected systems require protection, the requirement applies specifically to systems at risk from malware.

Option B: Portable electronic storage is not explicitly called out for universal anti-malware but must be controlled in line with overall security policies.

Option C: Systems storing PAN are only a subset of in-scope systems.

Requirement 8.4.2defines multi-factor authentication (MFA) asauthentication that requires at least two of the following:

Something you know (password/PIN)

Something you have (smart card/token)

Something you are (biometric)

Option A:❌Incorrect. Presenting the same token twice is stillsingle-factor.

Option B:❌Incorrect. Two passwords arestill one factor— “something you know”.

Option C:✅Correct. Password (something you know) + smart card (something you have) =MFA.

Option D:❌Incorrect. Fingerprint and thumbprint are bothbiometrics, so one factor.