QSA_New_V4 Qualified Security Assessor V4 Exam Questions and Answers

Thesettlement phaseis when:

Themerchant’s acquiring bank pays the merchant, and

Theissuing bank bills the cardholder.

This occursafter authorization and clearinghave already taken place.

Option A:❌Incorrect. Authorization verifies the card and funds but doesn’t trigger payment.

Option B:❌Incorrect. Clearing exchanges transaction details between banks but doesn’t finalise funds.

Option C:✅Correct. Settlement is whenfunds are actually transferred.

Option D:❌Incorrect. Chargebacks reverse transactions, not settle them.

True segmentation, as defined inPCI DSS Scope Guidance, requiresenforcing isolationsuch thatno network traffic is allowed between the CDE and out-of-scope systems, unless explicitly permitted and secured. This is the only way toreduce assessment scopereliably.

Option A:❌Incorrect. Monitoring alone does not restrict or prevent access.

Option B:❌Incorrect. Logging without restriction doesnot isolatethe CDE.

Option C:❌Incorrect. VLANs may be part of segmentation, but routing traffic alone doesn't reduce scope.

Option D:✅Correct. This describesproper segmentation: no uncontrolled traffic into the CDE.

 Requirement Context:

PCI DSS Requirement 12.5 mandates that security policies and operational procedures are not only documented but also distributed to relevant parties to ensure clarity and compliance.

 Importance of Distribution and Awareness:

All affected parties, including employees, contractors, and third parties with access to the cardholder data environment (CDE), must receive and understand the policies. This ensures they adhere to the security measures​​.

 Review and Updates:

Security policies must be kept up to date and reviewed at least annually or after significant changes in the environment. While other options such as encryption or restricted access are important for security, the critical focus is on distribution and awareness to ensure operational effectiveness​​.

 Testing and Validation:

During assessments, QSAs validate the implementation by examining training records, communication logs, and acknowledgment forms signed by affected parties​​.

 Relevant PCI DSS v4.0 Guidance:

Section 12.5.1 of PCI DSS v4.0 outlines that the dissemination of policies must ensure that all personnel understand their roles in securing the environment​​.

 Visitor Management Requirements:

PCI DSS Requirement 9.3 specifies that visitors must be escorted at all times in areas where cardholder data is present to prevent unauthorized access or breaches​​.

 Invalid Options:

B:Visitor badges must be distinguishable from employee badges.

C:Visitor logs are necessary but do not need detailed personal information like addresses.

D:Retaining visitor identification for 30 days is not a requirement.

Formulti-tenant service providers,isolation and segmentationare critical. As perRequirement 12.10.3, each customer’s environment must besegregated and protectedsuch that no tenant can access another’s data or systems.

Option A:✅Correct. This is the foundational control —isolation of customer environments.

Option B:❌Incorrect. Exposing system config files is a security risk.

Option C:❌Incorrect. Shared user IDs areexplicitly prohibitedby Requirement 8.2.1.

Option D:❌Incorrect. Customers should only access their own logs.

PCI DSS Requirement 12.7 mandates that organizations perform background checks on personnel who have access to the cardholder data environment (CDE) to ensure that individuals with malicious intent do not gain access to sensitive cardholder data.​

Option A:Incorrect. While conducting background checks on all personnel is a good security practice, PCI DSS specifically requires checks for those with access to the CDE.​

Option B:Correct. Background checks are required for personnel with access to the CDE to mitigate the risk of insider threats.​

Option C:Incorrect. Visitors are not typically subjected to background checks but should be escorted and monitored while in sensitive areas.

As perRequirement 2.2.1, the purpose of limiting each server to one primary function is toreduce the risk of functions with lower security needs compromising more critical functions.

Option A:❌Incorrect. PCI DSS discourages combining different security-level functions.

Option B:✅Correct. This is the intent: toprevent lower-security processes from weakening high-security environments.

Option C:❌Incorrect. Functions shouldn’t depend on one another for security.

Option D:❌Incorrect. PCI DSS encourages raising security, not lowering it.

Track equivalent data— whether from a magnetic stripe or embedded chip — falls underSensitive Authentication Data (SAD)and mustnot be stored after authorisation, even if encrypted. This is covered underRequirement 3.3.1and Table 3 in PCI DSS v4.0.1.

Option A:❌Incorrect. SADmust not be stored after authorisation, regardless of encryption.

Option B:✅Correct. Track equivalent data is explicitly defined asSAD.

Option C:❌Incorrect. SAD is fullyin-scopefor PCI DSS.

Option D:❌Incorrect. Requirement 3.2 and 3.3 specifically address SAD.

Requirement10.2.2mandates that all access to audit trails must be logged. This ensures that any tampering, viewing, or deletion of audit data is traceable. It supports the broader goal of maintaining audit trail integrity and accountability.

Option A:Incorrect. PCI DSS does not require logging use of end-user messaging.

Option B:Incorrect. There’s no explicit requirement to log access to external websites.

Option C:Correct. PCI DSS mandates loggingall access to audit trailsto detect and respond to unauthorised attempts.

Option D:Incorrect. Logging all network transmissions is not feasible and not required.

PCI DSSRequirement 6.3.1requires entities toassign a risk rankingto vulnerabilities (e.g., high, medium, low) to ensure thatremediation efforts are prioritised. This risk-based approach helps organisations focus resources where they are most needed.

Option A:❌Incorrect. Timeframes depend on the severity and internal policy, not always 30 days.

Option B:❌Incorrect. Risk ranking supports remediation but doesn’t replace scanning.

Option C:✅Correct. The purpose is toprioritise higher-risk itemsfor faster action.

Option D:❌Incorrect. Patch frequency is addressed elsewhere (Requirement 6.3.3).

Requirement 8.4.2defines multi-factor authentication (MFA) asauthentication that requires at least two of the following:

Something you know (password/PIN)

Something you have (smart card/token)

Something you are (biometric)

Option A:❌Incorrect. Presenting the same token twice is stillsingle-factor.

Option B:❌Incorrect. Two passwords arestill one factor— “something you know”.

Option C:✅Correct. Password (something you know) + smart card (something you have) =MFA.

Option D:❌Incorrect. Fingerprint and thumbprint are bothbiometrics, so one factor.

PerRequirement 2.2.5, allinsecure and unnecessary services, protocols, daemons, or functionsmust be disabled. This includes unnecessary features on firewalls and other devices. Disabling unneeded functions reduces the attack surface and aligns with secure configuration principles.

Option A:❌Incorrect. Shared accounts violateRequirement 8.2.1, which mandatesunique IDs.

Option B:❌Incorrect. Allowing all traffic is a violation ofRequirement 1.2.1, which requires "deny all unless explicitly allowed".

Option C:❌Incorrect. Synchronizing rules may be useful but does not directly relate to hardening.

Option D:✅Correct. Disabling unused firewall features aligns with secure configuration.

Scope definition in PCI DSS v4.0.1 (Section 4)includesany system that can impact the security of the CDE. Time synchronization servers such asNTParecritical to log integrity(Requirement 10.6), and if they provide services to CDE systems,they are in scopeeven if they do not directly process cardholder data.

Option A:❌Incorrect. Scope is broader than just databases.

Option B:❌Incorrect. Time serversimpact log security, so they are in scope.

Option C:❌Incorrect. PCI DSS scope includes systems thataffect the securityof CDE, not just those storing card data.

Option D:✅Correct. Internal NTP servers providing services to the CDE arein scope.

Requirement 6.4.3.1clarifies that if live PANs are to be used in testing, the test environment mustmeet all applicable PCI DSS controls. Thus,testing with live PAN is only allowed if the test environment is within the CDEand fully secured.

Option A:❌Incorrect. Testing should not happen in production.

Option B:❌Incorrect. It must be within the CDE if live PAN is involved.

Option C:✅Correct. Live PANs can be used inpre-production environments within the CDE.

Option D:❌Incorrect. There’s no requirement to test only within QSA environments.

PerRequirement 7.2.5and8.2.2, PCI DSS recommends thatonly application-layer accessbe allowed to databases storing cardholder data, preventing users from issuing direct SQL queries or accessing the database via administrative tools.

Option A:✅Correct. Restricting database access toprogrammatic (application-layer) methodsis strongly preferred and aligns with PCI DSS guidance.

Option B:❌Incorrect. Admins should not have unrestricted access unless justified and monitored.

Option C:❌Incorrect. Application IDs must not be used interactively by individuals (Requirement 8.6.1).

Option D:❌Incorrect. Shared accounts are disallowed (Requirement 8.2.1).

 Mandatory ROC Template

PCI DSS v4.0 mandates the use of the PCI SSC-provided ROC Template for all Reports on Compliance​​.

This ensures standardization, completeness, and accuracy in documenting compliance assessments.

 Sections of the ROC Template

The ROC includes mandatory sections:

Assessment Overview:General details, scope validation, and assessment findings.

Findings and Observations:Detailed compliance status per requirement.

 Prohibited Practices

Assessors cannot use self-created ROC templates. Deviation from the PCI SSC-approved template may result in rejection of the report​​.

 Key Changes in v4.0

Enhanced focus on the integrity of reporting and inclusion of specific findings to ensure alignment with PCI DSS objectives.

Added support for the customized approach within the ROC structure​​.

TheROC Reporting Templaterequires assessors todocument how the requirement was verifiedas “In Place”. This includesmethods used, evidence reviewed, and how compliance was determined.

Option A:❌Incorrect. Project plans are relevant for “In Progress”, not “In Place”.

Option B:✅Correct. “In Place” requires an explanation ofassessor observations and validation.

Option C:❌Incorrect. This applies to “Not in Place”.

Option D:❌Incorrect. This applies to non-compliance scenarios.

PerSection 11 and 12of PCI DSS v4.0.1, assessors arerequired to use the official PCI SSC ROC Reporting Template. This ensures uniformity and completeness across all assessments. The same requirement applies to bothmerchants and service providersundergoing afull assessment (ROC).

Option A:✅Correct. PCI SSC mandates use of its official ROC template.

Option B:❌Incorrect. Custom assessor templates arenot permitted.

Option C:❌Incorrect. Assessorsmust notcreate their own templates.

Option D:❌Incorrect. The ROC template is used forbothmerchants and service providers, where applicable.

 Scope of Anti-Malware Requirements

PCI DSS Requirement 5 mandates the use of anti-malware solutions on all in-scope systems unless the system is specifically documented as not being at risk from malware.

Examples of systems not at risk include those using operating systems that do not support anti-malware tools, provided proper justifications and alternative controls are implemented​​.

 Assessment Considerations

QSAs must verify and document why a system is considered "not at risk."

Systems storing, processing, or transmitting cardholder data or that could impact the CDE are generally in-scope for anti-malware​​.

 Incorrect Options

Option A: While CDE systems and connected systems require protection, the requirement applies specifically to systems at risk from malware.

Option B: Portable electronic storage is not explicitly called out for universal anti-malware but must be controlled in line with overall security policies.

Option C: Systems storing PAN are only a subset of in-scope systems.