PCI QSA_New_V4 Exam Practice Test Instant Access

Question 1

Which statement is true regarding the presence of both hashed and truncated versions of the same PAN in an environment?

AControls are needed to prevent the original PAN being exposed by the hashed and truncated versions.

BThe hashed version of the PAN must also be truncated per PCI DSS requirements for strong cryptography.

CThe hashed and truncated versions must be correlated so the source PAN can be identified.

DHashed and truncated versions of a PAN must not exist in same environment.

Answer : A

Hashing and Truncation

PCI DSS Requirement 3.4 mandates protecting stored PAN using methods like hashing and truncation. If both versions coexist, controls must ensure they cannot be combined to reconstruct the original PAN.

Incorrect Options

Option B: Truncation is unrelated to hashed PANs.

Option C: Correlation of hashed and truncated versions to identify the PAN violates PCI DSS principles.

Option D: Coexistence of hashed and truncated PANs is permissible if proper controls are in place.

Question 2

A sample of business facilities is reviewed during the PCI DSS assessment. What is the assessor required to validate about the sample?

AIt includes a consistent set of facilities that are reviewed for all assessments.

BThe number of facilities in the sample is at least 10 percent of the total number of facilities.

CEvery facility where cardholder data is stored is reviewed.

DAll types and locations of facilities are represented.

Answer : D

Sampling in Assessments

PCI DSS v4.0 requires assessors to ensure that sampled business facilities represent all types and locations to provide comprehensive coverage of the entity's operations.

Sampling Considerations

Assessors must include facilities storing or processing cardholder data and validate controls across diverse locations.

Incorrect Options

Option A: Consistency does not ensure comprehensive representation.

Option B: PCI DSS does not mandate a 10% sample size.

Option C: It is not mandatory to review every facility storing cardholder data.

Question 3

Which statement about PAN is true?

AIt must be protected with strong cryptography for transmission over private wireless networks.

BIt must be protected with strong cryptography tor transmission over private wired networks.

CIt does not require protection for transmission over public wireless networks.

DIt does not require protection for transmission over public wired networks.

Answer : A

PAN Transmission Protection

PCI DSS Requirement 4.1 mandates strong cryptography for PAN during transmission over both public and private wireless networks to prevent unauthorized interception.

Incorrect Options

Options B and D: PAN protection is not required for private wired networks.

Option C: PAN must be protected during transmission over public wireless networks.

Question 4

In accordance with PCI DSS Requirement 10, how long must audit logs be retained?

AAt least 1 year, with the most recent 3 months immediately available.

BAt least 2 years, with the most recent 3 months immediately available.

CAt least 2 years, with the most recent month immediately available.

DAt least 3 months, with the most recent month immediately available.

Answer : A

Audit Log Retention Requirements

PCI DSS Requirement 10.7 specifies audit logs must be retained for a minimum of one year. The most recent three months must be immediately accessible for incident analysis and reporting.

Purpose of Log Retention

Retaining logs aids in forensic investigations, regulatory compliance, and operational oversight.

Incorrect Options

Options B, C, and D specify durations that are not consistent with PCI DSS requirements.

Question 5

An organization wishes to implement multi-factor authentication for remote access, using the user's Individual password and a digital certificate. Which of the following scenarios would meet PCI DSS requirements for multi-factor authentication?

ACertificates are assigned only to administrative groups, and not to regular users.

BA different certificate is assigned to each individual user account, and certificates are not shared.

CCertificates are logged so they can be retrieved when the employee leaves the company.

DChange control processes are In place to ensure certificates are changed every 90 days.

Answer : B

Multi-Factor Authentication (MFA)

MFA requires at least two factors from different categories: something you know (password), something you have (digital certificate), or something you are (biometric).

PCI DSS Requirement 8 mandates that credentials like certificates must be unique to each user.

Secure Certificate Use

Certificates must not be shared and should be assigned individually to ensure accountability and prevent unauthorized access.

Incorrect Options

Option A: Limiting certificates to administrative groups does not fulfill PCI DSS for all users.

Option C: Logging certificates for retrieval is unrelated to security requirements.

Option D: Certificates do not have a mandatory 90-day change requirement.

Question 6

If segmentation is being used to reduce the scope of a PCI DSS assessment, the assessor will?

AVerify the segmentation controls allow only necessary traffic Into the cardholder data environment.

BVerify the payment card brands have approved the segmentation.

CVerify that approved devices and applications are used for the segmentation controls.

DVerify the controls used for segmentation are configured properly and functioning as intended

Answer : D

Role of the Assessor in Verifying Segmentation

PCI DSS v4.0 requires assessors to confirm that segmentation controls (firewalls, ACLs, etc.) effectively isolate the CDE from out-of-scope networks.

Proper configuration and functionality testing ensure that only authorized traffic can access the CDE.

Testing Requirements

Methods include network scans, configuration reviews, and traffic analysis to verify the segmentation is functioning as intended.

Incorrect Options

Option A: Verifying traffic flow is part of the task but not the primary goal.

Option B: Payment brands do not approve segmentation controls.

Option C: Use of specific devices is not mandated for segmentation.

Question 7

What do PCI DSS requirements for protecting cryptographic keys include?

APublic keys must be encrypted with a key-encrypting key.

BData-encrypting keys must be stronger than the key-encrypting key that protects it.

CPrivate or secret keys must be encrypted, stored within an SCD, or stored as key components.

DKey-encrypting keys and data-encrypting keys must be assigned to the same key custodian.

Answer : C

Key Management Requirements:

PCI DSS Requirement 3.5 specifies the protection of cryptographic keys, including encryption, storage in secure cryptographic devices (SCDs), or as key components to ensure security and prevent unauthorized access.

Clarifications on Cryptographic Key Protection:

A/B: Public keys and key strength requirements are not specified in this context.

D: Separation of duties mandates that key-encrypting and data-encrypting keys must not be assigned to the same custodian.

Testing and Validation:

QSAs verify compliance by examining key management practices, storage mechanisms, and access controls for cryptographic keys during the assessment.

PCI QSA_New_V4 Qualified Security Assessor V4 Exam Practice Test