PCI SSC QSA_New_V4 - Qualified Security Assessor V4 Exam

According toRequirement 9.3.1and9.4.1.2, physical access control mechanisms — including badge readers — must beprotected against tampering or disablingto prevent unauthorized access and maintain the integrity of access logs.

Option A:Correct. Physical access control systems must be protected from tampering.

Option B:Incorrect. Video cameras are requiredonly where appropriate; badge access may suffice.

Option C:Incorrect. Access logs must beretained for at least three months, not deleted monthly (see 9.4.1.3).

Option D:Incorrect. Motion sensors are not specifically required.

Requirement 10.5.1.1requires thataudit logs be protected from unauthorised viewing and modification, and access should berestricted to individuals with a job-related need to view them. This principle aligns with least privilege and ensures accountability.

Option A:❌Incorrect. The person who performed the action may not need to view logs.

Option B:❌Incorrect. Read/write access istoo permissive.

Option C:❌Incorrect. Not all administrators need access to logs.

Option D:✅Correct. Access should bebased on job function.

ï‚· Customized Approach Overview:

Under PCI DSS v4.0, entities can use a Customized Approach to meet requirements by implementing controls tailored to their environment. This allows flexibility while still achieving the intent of the security requirement.

ï‚· Role of Assessors:

Assessors (QSAs) are responsible for evaluating both the implementation of customized controls and ensuring these controls fulfill the security objectives of the PCI DSS requirements​​.

QSAs must document the evaluation, evidence reviewed, and results in the Report on Compliance (ROC).

ï‚· Controls Matrix and Targeted Risk Analysis (TRA):

The Controls Matrix and TRA are key components of the Customized Approach. QSAs assist in verifying the accuracy and completeness of these tools during assessments​​.

ï‚· Documenting in the ROC:

The ROC must include a narrative explaining the assessor’s findings regarding the customized control, validation methods, and any evidence collected​.

ï‚· Relevant PCI DSS v4.0 Guidance:

Appendix D and E of the PCI DSS v4.0 ROC Template emphasize that QSAs can evaluate and confirm adherence to the Customized Approach provided this is documented comprehensively in the ROC​.

TheSoftware Security Framework (SSF)is intended to support entities usingbespoke and custom softwarewithin the Cardholder Data Environment (CDE). If the software is developed and maintained in accordance with theSecure Software Lifecycle (SLC) Standard, it can help demonstrate secure software development practices and potentially reduce the number of applicable PCI DSS requirements.

Option A:Incorrect. Not all payment software qualifies unless developed under SSF standards.

Option B:Incorrect. PCI PTS devices follow different hardware security standards.

Option C:Incorrect. PA-DSS has been retired; those applications are now listed as “Acceptable Only for Pre-Existing Deployments”.

Option D:Correct. Software developed under the Secure SLC Standard may help an entity meet some requirements in PCI DSS Requirement 6.

According toRequirement 8.2.1, PCI DSS mandates that all users be assigned aunique IDbefore accessing system components or cardholder data. This ensuresaccountability, enabling identification of actions taken by each user.

Option A:❌Incorrect. Password strength is addressed underRequirement 8.3, not unique ID.

Option B:❌Incorrect. Shared accounts areprohibitedregardless of admin status.

Option C:✅Correct. Unique IDs ensure thateach user's actions can be traced.

Option D:❌Incorrect. Group accounts are discouraged in favour of individual accountability.

Scope definition in PCI DSS v4.0.1 (Section 4)includesany system that can impact the security of the CDE. Time synchronization servers such asNTParecritical to log integrity(Requirement 10.6), and if they provide services to CDE systems,they are in scopeeven if they do not directly process cardholder data.

Option A:❌Incorrect. Scope is broader than just databases.

Option B:❌Incorrect. Time serversimpact log security, so they are in scope.

Option C:❌Incorrect. PCI DSS scope includes systems thataffect the securityof CDE, not just those storing card data.

Option D:✅Correct. Internal NTP servers providing services to the CDE arein scope.

PerRequirement 7.2.5and8.2.2, PCI DSS recommends thatonly application-layer accessbe allowed to databases storing cardholder data, preventing users from issuing direct SQL queries or accessing the database via administrative tools.

Option A:✅Correct. Restricting database access toprogrammatic (application-layer) methodsis strongly preferred and aligns with PCI DSS guidance.

Option B:❌Incorrect. Admins should not have unrestricted access unless justified and monitored.

Option C:❌Incorrect. Application IDs must not be used interactively by individuals (Requirement 8.6.1).

Option D:❌Incorrect. Shared accounts are disallowed (Requirement 8.2.1).

According toPCI DSS Scope Definitions (Section 4.2.1), any system thatcan impact the security of the CDEisin scope, even if it doesn’t store cardholder data. An LDAP server providing authentication to systems in the CDEdirectly affects access control, so it'sin scope.

Option A:✅Correct. Systems providingauthentication services to the CDEarein scope.

Option B:❌Incorrect. LDAP does not need to store card data to be in scope.

Option C:❌Incorrect. Influence over access security makes it in scope regardless of data processing.

Option D:❌Incorrect. Scope isn’t limited to DMZ-linked systems.

Sampling is a legitimate method under PCI DSS for assessing a representative subset of system components and locations.Section 6 – Sampling for PCI DSS Assessmentsoutlines thatsampling of business facilities and system componentsis allowed, as long as it’s justified, consistent, and documented.

Option A:Incorrect. PCI DSS requirements themselvescannotbe sampled.

Option B:Incorrect.Compensating controls must be assessed in full, not sampled.

Option C:Correct. Sampling may apply tobusiness facilities and system componentsto make the assessment more efficient.

Option D:Incorrect.Policies and proceduresmust be evaluated in full.

PerSection 11 and 12of PCI DSS v4.0.1, assessors arerequired to use the official PCI SSC ROC Reporting Template. This ensures uniformity and completeness across all assessments. The same requirement applies to bothmerchants and service providersundergoing afull assessment (ROC).

Option A:✅Correct. PCI SSC mandates use of its official ROC template.

Option B:❌Incorrect. Custom assessor templates arenot permitted.

Option C:❌Incorrect. Assessorsmust notcreate their own templates.

Option D:❌Incorrect. The ROC template is used forbothmerchants and service providers, where applicable.