QSA_New_V4 Exam Dumps - PCI SSC PCI Qualified Professionals Questions and Answers

Requirement 1.3.7andRequirement 3.3.1emphasise thatdatabases storing cardholder data must not be directly accessible from the Internet or untrusted networks. The database must be behind firewalls and accessible only via controlled, authorised connections.

Option A:❌Incorrect. Combining servers may violate the one-function-per-server rule (Requirement 2.2.1).

Option B:✅Correct. The database must be protected fromdirect public access.

Option C:❌Incorrect. Web servers often reside in the DMZ; moving them internally could increase risk.

Option D:❌Incorrect. Network performance is not a PCI DSS concern —security isolation is.

According toRequirement 9.3.1and9.4.1.2, physical access control mechanisms — including badge readers — must beprotected against tampering or disablingto prevent unauthorized access and maintain the integrity of access logs.

Option A:Correct. Physical access control systems must be protected from tampering.

Option B:Incorrect. Video cameras are requiredonly where appropriate; badge access may suffice.

Option C:Incorrect. Access logs must beretained for at least three months, not deleted monthly (see 9.4.1.3).

Option D:Incorrect. Motion sensors are not specifically required.

 Scope of Anti-Malware Requirements

PCI DSS Requirement 5 mandates the use of anti-malware solutions on all in-scope systems unless the system is specifically documented as not being at risk from malware.

Examples of systems not at risk include those using operating systems that do not support anti-malware tools, provided proper justifications and alternative controls are implemented​​.

 Assessment Considerations

QSAs must verify and document why a system is considered "not at risk."

Systems storing, processing, or transmitting cardholder data or that could impact the CDE are generally in-scope for anti-malware​​.

 Incorrect Options

Option A: While CDE systems and connected systems require protection, the requirement applies specifically to systems at risk from malware.

Option B: Portable electronic storage is not explicitly called out for universal anti-malware but must be controlled in line with overall security policies.

Option C: Systems storing PAN are only a subset of in-scope systems.

Requirement 8.4.2defines multi-factor authentication (MFA) asauthentication that requires at least two of the following:

Something you know (password/PIN)

Something you have (smart card/token)

Something you are (biometric)

Option A:❌Incorrect. Presenting the same token twice is stillsingle-factor.

Option B:❌Incorrect. Two passwords arestill one factor— “something you know”.

Option C:✅Correct. Password (something you know) + smart card (something you have) =MFA.

Option D:❌Incorrect. Fingerprint and thumbprint are bothbiometrics, so one factor.

PCI DSS clearly states inRequirement 11.4.5and in theScoping Guidancethat if segmentation is used, the assessor must verify thesegmentation is effective— meaning it must be technically and operationally validated to ensure that it properly isolates the Cardholder Data Environment (CDE) from out-of-scope networks.

Option A:Too narrow. While allowing only necessary traffic is important, the verification involves more than that.

Option B:Incorrect. Payment brands do not “approve” segmentation.

Option C:Incorrect. PCI DSS focuses on effectiveness, not brand-specific device use.

Option D:Correct. Assessor must ensure that segmentation controls areproperly configured and function as intended.

PCI DSSRequirement 12.8.4mandates that an entitymonitor the compliance status of third-party service providers (TPSPs) at least annually, especially when those TPSPs store, process, or transmit account data on the entity’s behalf.

Option A:Incorrect. Entities are not responsible for conducting ASV scans on TPSPs.

Option B:Incorrect. There is no quarterly risk assessment requirement for TPSPs.

Option C:Incorrect. Incident response testing for TPSPs is not a direct responsibility of the entity.

Option D:Correct. Annual monitoring of TPSP compliance is explicitly required.

Compensating controls are alternative measures implemented when an entity cannot meet a specific PCI DSS requirement due to legitimate technical or business constraints. These controls must sufficiently mitigate the associated risk and be commensurate with the intent of the original PCI DSS requirement.​

Option A:Incorrect. Even if all other PCI DSS requirements are met, a compensating control is necessary when a specific requirement cannot be directly satisfied.​

Option B:Correct. A compensating control must effectively address and mitigate the risk associated with the inability to meet a particular PCI DSS requirement.​

Option C:Incorrect. While existing controls can support a compensating control, they must collectively address the risk of the unmet requirement and cannot merely be another existing PCI DSS requirement.​

Option D:Incorrect. A compensating control worksheet is mandatory to document the rationale, assessment, and validation of the compensating control, regardless of acquirer approval.​

For detailed guidance on compensating controls, refer toAppendix B: Compensating Controlsin thePCI DSS v4.0.1document.​

PCI DSSRequirement 8.4.2requiresmulti-factor authentication (MFA)to consist of two or moreindependent authentication factors. MFA must alsonot involve shared credentials, so each certificate must be tied to a specific individual.

Option A:❌Incorrect. MFA must apply toall applicable users, not just admins.

Option B:✅Correct. This meets PCI DSS: unique credentials per user and non-shared certificates.

Option C:❌Incorrect. Retaining certificates post-employment is a risk, not a compliance action.

Option D:❌Incorrect. PCI DSS doesn’t mandate 90-day certificate rotation; rather, secure usage and revocation are key.

PerRequirement 10.6.1, PCI DSS mandates that time-synchronization technology be used, andsystems must be synchronized to a central time serverthat itself receives time from an approved external source. This ensures logs can be accurately correlated.

Option A:Incorrect. Time inconsistency arises if each system operates independently.

Option B:Incorrect. Time configuration must berestricted to authorised personnel only.

Option C:Correct. Time should be sourced from a centralised server which is in sync with reliable external sources.

Option D:Incorrect. Each system peering independently can cause inconsistencies.

UnderAppendix D – Customized Approach, it is clearly stated that theentity is responsiblefor completing theControls Matrixand theTargeted Risk Analysis (TRA). The assessor may assist in completion, but accountability for content lies with the entity.

Option A:Incorrect. QSAs may assist but are not solely responsible.

Option B:Incorrect. This overstates who is responsible; only the entity is ultimately accountable.

Option C:Correct. The entity being assessed is responsible for completing the Controls Matrix and TRA.

Option D:Incorrect. Card brands or acquirers are not involved in document creation.