QSA_New_V4 PCI SSC Qualified Security Assessor V4 Exam Free Practice Exam Questions (2025 Updated)

Requirement9.9.2of PCI DSS v4.0.1 mandates that entitiesregularly inspect POS devicesto detect signs of tampering or skimming. This includes physical inspections to identify unexpected additions, unauthorized stickers, broken seals, etc.

Option A:Correct. Regular inspection for skimming/tampering is required.

Option B:Incorrect. There is no mandate for manufacturer serial number verification.

Option C:Incorrect. PCI DSS does not require routine replacement of device identifiers or labels.

Option D:Incorrect. Devices may be investigated if compromised, but not necessarily destroyed.

PerSection 11 and 12of PCI DSS v4.0.1, assessors arerequired to use the official PCI SSC ROC Reporting Template. This ensures uniformity and completeness across all assessments. The same requirement applies to bothmerchants and service providersundergoing afull assessment (ROC).

Option A:✅Correct. PCI SSC mandates use of its official ROC template.

Option B:❌Incorrect. Custom assessor templates arenot permitted.

Option C:❌Incorrect. Assessorsmust notcreate their own templates.

Option D:❌Incorrect. The ROC template is used forbothmerchants and service providers, where applicable.

The strength of a key-encrypting key (KEK) should be at least equivalent to the strength of the data-encrypting key (DEK) it protects to ensure the overall security of the cryptographic system.​

Option A:Incorrect. DES (Data Encryption Standard) with a 256-bit key length is not a standard configuration, as traditional DES uses a 56-bit key, which is considered weak by modern standards.​

Option B:Incorrect. RSA with a 512-bit key length is considered weak and does not provide sufficient security for protecting AES 128-bit keys.​

Option C:Correct. Using an AES 128-bit key as the KEK to protect an AES 128-bit DEK ensures that both keys have equivalent strength, maintaining the integrity of the encryption system.​

Option D:Incorrect. ROT13 is a simple substitution cipher and does not provide adequate security for encrypting cryptographic keys.​

For detailed guidelines on cryptographic key management, refer toRequirement 3: Protect Stored Account Datain thePCI DSS v4.0.1document.​

TheSoftware Security Framework (SSF)is intended to support entities usingbespoke and custom softwarewithin the Cardholder Data Environment (CDE). If the software is developed and maintained in accordance with theSecure Software Lifecycle (SLC) Standard, it can help demonstrate secure software development practices and potentially reduce the number of applicable PCI DSS requirements.

Option A:Incorrect. Not all payment software qualifies unless developed under SSF standards.

Option B:Incorrect. PCI PTS devices follow different hardware security standards.

Option C:Incorrect. PA-DSS has been retired; those applications are now listed as “Acceptable Only for Pre-Existing Deployments”.

Option D:Correct. Software developed under the Secure SLC Standard may help an entity meet some requirements in PCI DSS Requirement 6.

According toPCI DSS Scope Definitions (Section 4.2.1), any system thatcan impact the security of the CDEisin scope, even if it doesn’t store cardholder data. An LDAP server providing authentication to systems in the CDEdirectly affects access control, so it'sin scope.

Option A:✅Correct. Systems providingauthentication services to the CDEarein scope.

Option B:❌Incorrect. LDAP does not need to store card data to be in scope.

Option C:❌Incorrect. Influence over access security makes it in scope regardless of data processing.

Option D:❌Incorrect. Scope isn’t limited to DMZ-linked systems.

PCI DSSRequirement 6.3.1requires entities toassign a risk rankingto vulnerabilities (e.g., high, medium, low) to ensure thatremediation efforts are prioritised. This risk-based approach helps organisations focus resources where they are most needed.

Option A:❌Incorrect. Timeframes depend on the severity and internal policy, not always 30 days.

Option B:❌Incorrect. Risk ranking supports remediation but doesn’t replace scanning.

Option C:✅Correct. The purpose is toprioritise higher-risk itemsfor faster action.

Option D:❌Incorrect. Patch frequency is addressed elsewhere (Requirement 6.3.3).

PerRequirement 10.5.1.2, audit logs must be retained forat least one year, and the mostrecent three months must be readily availablefor analysis. This ensures traceability of security events over both short and longer-term periods.

Option A:✅Correct. Matches both duration and availability criteria.

Option B:❌Incorrect. Two years is not required.

Option C:❌Incorrect. The retention period is misstated.

Option D:❌Incorrect. One month is insufficient for immediate access.

 Mandatory ROC Template

PCI DSS v4.0 mandates the use of the PCI SSC-provided ROC Template for all Reports on Compliance​​.

This ensures standardization, completeness, and accuracy in documenting compliance assessments.

 Sections of the ROC Template

The ROC includes mandatory sections:

Assessment Overview:General details, scope validation, and assessment findings.

Findings and Observations:Detailed compliance status per requirement.

 Prohibited Practices

Assessors cannot use self-created ROC templates. Deviation from the PCI SSC-approved template may result in rejection of the report​​.

 Key Changes in v4.0

Enhanced focus on the integrity of reporting and inclusion of specific findings to ensure alignment with PCI DSS objectives.

Added support for the customized approach within the ROC structure​​.

 Testing with Live PANs

PCI DSS Requirement 6.4.3 requires that live PANs (Primary Account Numbers) only be used in secure and controlled environments within the CDE.

Pre-production environments located within the CDE must adhere to all PCI DSS requirements for security and monitoring​​.

 Prohibited Uses

Testing with live PANs in environments outside the CDE violates PCI DSS. Only simulated data should be used in less secure testing environments.

 Incorrect Options

Option A: Production environments are for real transactions, not testing.

Option B: Test environments outside the CDE are insecure for live PANs.

Option D: The QSA environment is irrelevant to the organization’s CDE testing controls.

PerRequirement 10.6.1, PCI DSS mandates that time-synchronization technology be used, andsystems must be synchronized to a central time serverthat itself receives time from an approved external source. This ensures logs can be accurately correlated.

Option A:Incorrect. Time inconsistency arises if each system operates independently.

Option B:Incorrect. Time configuration must berestricted to authorised personnel only.

Option C:Correct. Time should be sourced from a centralised server which is in sync with reliable external sources.

Option D:Incorrect. Each system peering independently can cause inconsistencies.

According toRequirement 9.4.2.2, visitors must beescorted at all timesin areas where cardholder data is stored or processed. This is a key component of physical access control and is intended to prevent unauthorised access or tampering.

Option A:✅Correct. Escorts aremandatoryfor visitors in sensitive areas.

Option B:❌Incorrect. Visitor badgesmust be distinguishablefrom employee badges.

Option C:❌Incorrect. PCI DSS requires name and firm represented, butnot full address or phone.

Option D:❌Incorrect. Visitor badges must besurrendered or deactivatedimmediately after the visit ends.

Requirement 5.2.1.1clarifies thatanti-malware solutions are requiredonall in-scope systems,unlessthe system is evaluated asnot at risk for malware(e.g., Linux-based appliances with no Internet access). These risk evaluations must be documented and justified (5.2.3.1).

Option A:❌Incorrect. PCI DSS allows exceptions for systems not at risk.

Option B:❌Incorrect. Anti-malware applies to systems, not portable media per se.

Option C:❌Incorrect. Anti-malware scope is broader than just PAN-storing systems.

Option D:✅Correct. Systems not at risk can be excluded if justified and documented.

 PCI PIN Transaction Security (PTS) Standard:

The PCI PTS standard focuses on securing Point-of-Interaction (POI) devices, such as payment terminals, that process payment card transactions and protect account data during capture​​.

 Clarifications on Covered Areas:

This standard includes specifications for physical and logical security controls to prevent unauthorized access to sensitive cardholder data on POI devices.

 Invalid Options:

B:Secure coding practices are addressed by PCI PA-DSS (Payment Application Data Security Standard).

C:Cryptographic algorithm development is not specific to PCI PTS.

D:End-to-end encryption solutions are not covered under PCI PTS.

When a cryptographic key is retired and replaced, it is essential to ensure that the retired key is no longer used for encryption purposes to maintain the security of the cryptographic system.​

Option A:Correct. Retired keys must not be used for encryption operations to prevent potential security vulnerabilities. However, they may be retained for decryption purposes if necessary, such as decrypting existing data encrypted under the retired key.​

Option B:Incorrect. PCI DSS does not specify a mandatory retention period for retired cryptographic key components before disposal. Retention periods should align with the entity's data retention policies and legal requirements.​

Option C:Incorrect. Assigning a new key custodian is not a mandatory requirement upon key retirement and replacement, though proper key management practices should ensure that custodianship is clearly defined and documented.​

Option D:Incorrect. While data encrypted under a retired key should be re-encrypted with the new key or securely managed, PCI DSS does not mandate the destruction of such data solely due to key retirement.​

For more information on cryptographic key management practices, refer toRequirement 3: Protect Stored Account Datain thePCI DSS v4.0.1document.​Wikipedia

Requirement 6.4.3.1clarifies that if live PANs are to be used in testing, the test environment mustmeet all applicable PCI DSS controls. Thus,testing with live PAN is only allowed if the test environment is within the CDEand fully secured.

Option A:❌Incorrect. Testing should not happen in production.

Option B:❌Incorrect. It must be within the CDE if live PAN is involved.

Option C:✅Correct. Live PANs can be used inpre-production environments within the CDE.

Option D:❌Incorrect. There’s no requirement to test only within QSA environments.

UnderRequirement 4.2.1.1, PAN (Primary Account Number) must be protected usingstrong cryptographywhenever it is transmitted overopen, public networks, including the Internet. Assessors are expected to verify that the cryptographic protocols (e.g., TLS 1.2 or higher) are properly implemented and that weak protocols (e.g., SSL, early TLS) are disabled.

Option A:❌Incorrect. Supporting earlier protocol versions (e.g., SSL, TLS 1.0) isnon-compliant.

Option B:✅Correct. Strong encryption (e.g., AES over TLS 1.2 or higher) must be verified.

Option C:❌Incorrect. Acceptingall certificatescould allowMITM (Man-in-the-Middle)attacks.

Option D:❌Incorrect. Deleting PAN after transmission is not a substitute for protecting it during transmission.

According toRequirement 12.10.1, an effectiveincident response plan (IRP)must include steps to detect, respond to, and contain incidents such asunauthorised wireless access points. PCI DSS11.2.1also mandates quarterly rogue AP detection.

Option A:❌Incorrect. Notification to PCI SSC is not required; notification goes toacquirers/payment brands.

Option B:✅Correct. The IRP must includeresponse to unauthorised wireless access detection.

Option C:❌Incorrect. Records must beretained, not deleted.

Option D:❌Incorrect. Retaliatory or offensive actions arenot allowed or recommended.

 Compensating Controls Definition and Purpose

A compensating control is an alternate measure that satisfies the intent of a specific PCI DSS requirement and provides an equivalent level of security.

The rationale and risk mitigation must be explicitly documented using the Compensating Control Worksheet (CCW).

 Mandatory Documentation

PCI DSS v4.0 mandates the use of a CCW when implementing compensating controls. This applies regardless of acquirer approvals​​.

The CCW requires detailed documentation including:

Constraints preventing the original requirement from being implemented.

Justification for the compensating control.

Description of the control and evidence of its effectiveness.

 Using Existing Requirements

If an existing PCI DSS requirement (e.g., Requirement 5 for antivirus) is already implemented and can mitigate the risks of not meeting another requirement, it may qualify as a compensating control​​.

 Approval and Review Process

QSAs must validate the implementation, effectiveness, and appropriateness of compensating controls during the assessment process​

 Firewall Hardening:

Requirement 1.2 mandates that firewalls should be configured with only the necessary functionality to reduce attack surfaces. Disabling unused functions eliminates potential vulnerabilities​.

 Explanation of Other Options:

A:Shared accounts violate Requirement 8.1.5, which prohibits shared or generic accounts.

B:Allowing all traffic initially violates Requirement 1.2.1, which requires a restrictive firewall policy.

C:Synchronization of rules may not always be necessary, especially for firewalls with different scopes or roles.