QSA_New_V4 Qualified Security Assessor V4 Exam Questions and Answers

 Definition of Quarterly:

PCI DSS defines "quarterly" as occurring once within each calendar quarter. This means the activity must happen at least once in Q1, Q2, Q3, and Q4, with no rigid restrictions on specific days​​.

 Clarification on Other Options:

B:While 95–97 days approximates a quarter, it is not mandated as a rigid timeframe.

C/D:Fixed dates (e.g., 15th or 1st of specific months) are not prescribed in PCI DSS.

Formulti-tenant service providers,isolation and segmentationare critical. As perRequirement 12.10.3, each customer’s environment must besegregated and protectedsuch that no tenant can access another’s data or systems.

Option A:✅Correct. This is the foundational control —isolation of customer environments.

Option B:❌Incorrect. Exposing system config files is a security risk.

Option C:❌Incorrect. Shared user IDs areexplicitly prohibitedby Requirement 8.2.1.

Option D:❌Incorrect. Customers should only access their own logs.

 Purpose of Classifying Media

PCI DSS v4.0 emphasizes the need to classify media based on the sensitivity of the data it contains. Media classification ensures appropriate handling, storage, and destruction processes​​.

 Media Protection Requirements

Media containing cardholder data must be securely stored, transferred, and destroyed when no longer needed.

Classification informs the level of protection required, such as encryption, physical security, or controlled access​​.

 Incorrect Options

Option B: Moving media quarterly is not a requirement.

Option C: Labeling as "Confidential" is insufficient without a comprehensive protection strategy.

Option D: Destruction schedules should depend on retention requirements and data sensitivity, not a universal timeline.

According toRequirement 1.2.1of PCI DSS v4.0.1, network security controls (NSCs), such as firewalls and segmentation controls, are used torestrict and control trafficbetween trusted and untrusted networks. This includes logical or physical network segmentation.

Option A:Incorrect. Anti-malware is addressed in Requirement 5.

Option B:Correct. NSCs control and restrict inbound and outbound traffic between logical and physical network segments.

Option C:Incorrect. Vulnerability management is under Requirement 6.

Option D:Incorrect. PAN encryption is covered in Requirement 3.5.

 Customized Approach Overview:

Under PCI DSS v4.0, entities can use a Customized Approach to meet requirements by implementing controls tailored to their environment. This allows flexibility while still achieving the intent of the security requirement.

 Role of Assessors:

Assessors (QSAs) are responsible for evaluating both the implementation of customized controls and ensuring these controls fulfill the security objectives of the PCI DSS requirements​​.

QSAs must document the evaluation, evidence reviewed, and results in the Report on Compliance (ROC).

 Controls Matrix and Targeted Risk Analysis (TRA):

The Controls Matrix and TRA are key components of the Customized Approach. QSAs assist in verifying the accuracy and completeness of these tools during assessments​​.

 Documenting in the ROC:

The ROC must include a narrative explaining the assessor’s findings regarding the customized control, validation methods, and any evidence collected​.

 Relevant PCI DSS v4.0 Guidance:

Appendix D and E of the PCI DSS v4.0 ROC Template emphasize that QSAs can evaluate and confirm adherence to the Customized Approach provided this is documented comprehensively in the ROC​.

 PCI PIN Transaction Security (PTS) Standard:

The PCI PTS standard focuses on securing Point-of-Interaction (POI) devices, such as payment terminals, that process payment card transactions and protect account data during capture​​.

 Clarifications on Covered Areas:

This standard includes specifications for physical and logical security controls to prevent unauthorized access to sensitive cardholder data on POI devices.

 Invalid Options:

B:Secure coding practices are addressed by PCI PA-DSS (Payment Application Data Security Standard).

C:Cryptographic algorithm development is not specific to PCI PTS.

D:End-to-end encryption solutions are not covered under PCI PTS.

Requirement 10.5.1.1requires thataudit logs be protected from unauthorised viewing and modification, and access should berestricted to individuals with a job-related need to view them. This principle aligns with least privilege and ensures accountability.

Option A:❌Incorrect. The person who performed the action may not need to view logs.

Option B:❌Incorrect. Read/write access istoo permissive.

Option C:❌Incorrect. Not all administrators need access to logs.

Option D:✅Correct. Access should bebased on job function.

UnderAppendix D – Customized Approach, it is clearly stated that theentity is responsiblefor completing theControls Matrixand theTargeted Risk Analysis (TRA). The assessor may assist in completion, but accountability for content lies with the entity.

Option A:Incorrect. QSAs may assist but are not solely responsible.

Option B:Incorrect. This overstates who is responsible; only the entity is ultimately accountable.

Option C:Correct. The entity being assessed is responsible for completing the Controls Matrix and TRA.

Option D:Incorrect. Card brands or acquirers are not involved in document creation.

Thesettlement phaseis when:

Themerchant’s acquiring bank pays the merchant, and

Theissuing bank bills the cardholder.

This occursafter authorization and clearinghave already taken place.

Option A:❌Incorrect. Authorization verifies the card and funds but doesn’t trigger payment.

Option B:❌Incorrect. Clearing exchanges transaction details between banks but doesn’t finalise funds.

Option C:✅Correct. Settlement is whenfunds are actually transferred.

Option D:❌Incorrect. Chargebacks reverse transactions, not settle them.

According toRequirement 3.5.1.2, whendisk-level encryptionis used (e.g., full disk encryption), access control must beseparate from the operating systemto prevent unauthorised users from bypassing controls by booting the system.

Option A:✅Correct. Disk encryption must useindependent authentication mechanisms.

Option B:❌Incorrect. Sharing authentication with the OSviolates independence.

Option C:❌Incorrect. Association with local accounts may not ensure separate access control.

Option D:❌Incorrect. Key storage within user accounts is not secure or compliant.

 Stateful Inspection

PCI DSS Requirement 1.2 specifies the need for stateful inspection to track the state of active connections. This ensures that only valid responses to communication initiated by trusted networks are allowed.

Invalid or unsolicited response traffic is blocked to prevent exploitation of vulnerabilities​​.

 Key Functionality of Stateful Firewalls

Stateful firewalls maintain session information and only allow traffic that matches an existing session or expected response.

 Incorrect Options

Option A: Administrative access restrictions are important but unrelated to stateful responses.

Option C: Baseline configurations are a different security control.

Option D: Logging and correlation are for threat detection, not stateful response.

TheSoftware Security Framework (SSF)is intended to support entities usingbespoke and custom softwarewithin the Cardholder Data Environment (CDE). If the software is developed and maintained in accordance with theSecure Software Lifecycle (SLC) Standard, it can help demonstrate secure software development practices and potentially reduce the number of applicable PCI DSS requirements.

Option A:Incorrect. Not all payment software qualifies unless developed under SSF standards.

Option B:Incorrect. PCI PTS devices follow different hardware security standards.

Option C:Incorrect. PA-DSS has been retired; those applications are now listed as “Acceptable Only for Pre-Existing Deployments”.

Option D:Correct. Software developed under the Secure SLC Standard may help an entity meet some requirements in PCI DSS Requirement 6.

Stateful inspection (or stateful packet filtering)tracks the state of active connections and determines which packets are part of a valid session.Requirement 1.4.2references the use of network security controls (NSCs) withstateful filteringcapability to allow legitimate trafficonly in response to trusted requests.

Option A:❌Incorrect. Firewall admin procedures are not what “stateful” refers to.

Option B:✅Correct. “Stateful responses” mean tracking existing connections toblock unauthorised or spoofed responses.

Option C:❌Incorrect. That describes configuration management, not stateful filtering.

Option D:❌Incorrect. Logging is important but not part of stateful inspection.

PerSection 11 and 12of PCI DSS v4.0.1, assessors arerequired to use the official PCI SSC ROC Reporting Template. This ensures uniformity and completeness across all assessments. The same requirement applies to bothmerchants and service providersundergoing afull assessment (ROC).

Option A:✅Correct. PCI SSC mandates use of its official ROC template.

Option B:❌Incorrect. Custom assessor templates arenot permitted.

Option C:❌Incorrect. Assessorsmust notcreate their own templates.

Option D:❌Incorrect. The ROC template is used forbothmerchants and service providers, where applicable.

Track equivalent data— whether from a magnetic stripe or embedded chip — falls underSensitive Authentication Data (SAD)and mustnot be stored after authorisation, even if encrypted. This is covered underRequirement 3.3.1and Table 3 in PCI DSS v4.0.1.

Option A:❌Incorrect. SADmust not be stored after authorisation, regardless of encryption.

Option B:✅Correct. Track equivalent data is explicitly defined asSAD.

Option C:❌Incorrect. SAD is fullyin-scopefor PCI DSS.

Option D:❌Incorrect. Requirement 3.2 and 3.3 specifically address SAD.

PCI DSS clearly states inRequirement 11.4.5and in theScoping Guidancethat if segmentation is used, the assessor must verify thesegmentation is effective— meaning it must be technically and operationally validated to ensure that it properly isolates the Cardholder Data Environment (CDE) from out-of-scope networks.

Option A:Too narrow. While allowing only necessary traffic is important, the verification involves more than that.

Option B:Incorrect. Payment brands do not “approve” segmentation.

Option C:Incorrect. PCI DSS focuses on effectiveness, not brand-specific device use.

Option D:Correct. Assessor must ensure that segmentation controls areproperly configured and function as intended.

According toRequirement 9.4.2.2, visitors must beescorted at all timesin areas where cardholder data is stored or processed. This is a key component of physical access control and is intended to prevent unauthorised access or tampering.

Option A:✅Correct. Escorts aremandatoryfor visitors in sensitive areas.

Option B:❌Incorrect. Visitor badgesmust be distinguishablefrom employee badges.

Option C:❌Incorrect. PCI DSS requires name and firm represented, butnot full address or phone.

Option D:❌Incorrect. Visitor badges must besurrendered or deactivatedimmediately after the visit ends.

According toSection 12.2.3.3 of PCI DSS v4.0.1, aPartial Assessmentis defined as a result whereat least one PCI DSS requirement is marked as “Not Tested.”This is typically seen duringgap assessments or pre-validation efforts, not official compliance validation.

Option A:❌Incorrect. SAQs are self-assessments; Partial Assessment is a different concept.

Option B:❌Incorrect. Interim drafts are not labeled as “Partial”.

Option C:❌Incorrect. That is a misinterpretation of segmentation by payment channel.

Option D:✅Correct. "Not Tested" = Partial Assessment.

PCI DSSRequirement 12.8.4mandates that an entitymonitor the compliance status of third-party service providers (TPSPs) at least annually, especially when those TPSPs store, process, or transmit account data on the entity’s behalf.

Option A:Incorrect. Entities are not responsible for conducting ASV scans on TPSPs.

Option B:Incorrect. There is no quarterly risk assessment requirement for TPSPs.

Option C:Incorrect. Incident response testing for TPSPs is not a direct responsibility of the entity.

Option D:Correct. Annual monitoring of TPSP compliance is explicitly required.