PCI SSC QSA_New_V4 - Qualified Security Assessor V4 Exam

Track equivalent data— whether from a magnetic stripe or embedded chip — falls underSensitive Authentication Data (SAD)and mustnot be stored after authorisation, even if encrypted. This is covered underRequirement 3.3.1and Table 3 in PCI DSS v4.0.1.

Option A:❌Incorrect. SADmust not be stored after authorisation, regardless of encryption.

Option B:✅Correct. Track equivalent data is explicitly defined asSAD.

Option C:❌Incorrect. SAD is fullyin-scopefor PCI DSS.

Option D:❌Incorrect. Requirement 3.2 and 3.3 specifically address SAD.

Formulti-tenant service providers,isolation and segmentationare critical. As perRequirement 12.10.3, each customer’s environment must besegregated and protectedsuch that no tenant can access another’s data or systems.

Option A:✅Correct. This is the foundational control —isolation of customer environments.

Option B:❌Incorrect. Exposing system config files is a security risk.

Option C:❌Incorrect. Shared user IDs areexplicitly prohibitedby Requirement 8.2.1.

Option D:❌Incorrect. Customers should only access their own logs.

ï‚· Scope of Anti-Malware Requirements

PCI DSS Requirement 5 mandates the use of anti-malware solutions on all in-scope systems unless the system is specifically documented as not being at risk from malware.

Examples of systems not at risk include those using operating systems that do not support anti-malware tools, provided proper justifications and alternative controls are implemented​​.

ï‚· Assessment Considerations

QSAs must verify and document why a system is considered "not at risk."

Systems storing, processing, or transmitting cardholder data or that could impact the CDE are generally in-scope for anti-malware​​.

ï‚· Incorrect Options

Option A: While CDE systems and connected systems require protection, the requirement applies specifically to systems at risk from malware.

Option B: Portable electronic storage is not explicitly called out for universal anti-malware but must be controlled in line with overall security policies.

Option C: Systems storing PAN are only a subset of in-scope systems.

ï‚· Stateful Inspection

PCI DSS Requirement 1.2 specifies the need for stateful inspection to track the state of active connections. This ensures that only valid responses to communication initiated by trusted networks are allowed.

Invalid or unsolicited response traffic is blocked to prevent exploitation of vulnerabilities​​.

ï‚· Key Functionality of Stateful Firewalls

Stateful firewalls maintain session information and only allow traffic that matches an existing session or expected response.

ï‚· Incorrect Options

Option A: Administrative access restrictions are important but unrelated to stateful responses.

Option C: Baseline configurations are a different security control.

Option D: Logging and correlation are for threat detection, not stateful response.

ï‚· Key Management Requirements:

PCI DSS Requirement 3.5 specifies the protection of cryptographic keys, including encryption, storage in secure cryptographic devices (SCDs), or as key components to ensure security and prevent unauthorized access​​.

ï‚· Clarifications on Cryptographic Key Protection:

A/B:Public keys and key strength requirements are not specified in this context.

D:Separation of duties mandates that key-encrypting and data-encrypting keys must not be assigned to the same custodian.

ï‚· Testing and Validation:

QSAs verify compliance by examining key management practices, storage mechanisms, and access controls for cryptographic keys during the assessment​.

There areseparate Attestation of Compliance (AOC) templatesfor different use cases, specifically formerchantsandservice providers, and forSAQsversusROCs. Each template is tailored to match the reporting needs of that assessment type.

Option A:✅Correct. PCI SSC publishes distinct AOC templates depending on whether the entity is a merchant or service provider, and depending on whether they are completing an SAQ or ROC.

Option B:❌Incorrect. The AOC is not signed by PCI SSC. It must be signed by the assessed entity and, where applicable, the QSA or ISA.

Option C:❌Incorrect. ROCs and SAQs use different AOC formats.

Option D:❌Incorrect. Both the entity and the assessor (if applicable)mustsign.

TheSecure Software Lifecycle (SLC) Standardis part of PCI’sSoftware Security Framework (SSF). If an entity's software is developed under aPCI-recognised Secure SLC process, it maysatisfy parts of Requirement 6, especially around secure coding practices and vulnerability management.

Option A:❌Incorrect. SLC compliance alone doesn’t grant full PCI DSS compliance.

Option B:✅Correct. Secure SLC can help meetmany of the development-related controls.

Option C:❌Incorrect. There isimpact— potentially reducing scope/testing.

Option D:❌Incorrect. The software remainsin scope, but fewer controls may need to be separately validated.

The strength of a key-encrypting key (KEK) should be at least equivalent to the strength of the data-encrypting key (DEK) it protects to ensure the overall security of the cryptographic system.​

Option A:Incorrect. DES (Data Encryption Standard) with a 256-bit key length is not a standard configuration, as traditional DES uses a 56-bit key, which is considered weak by modern standards.​

Option B:Incorrect. RSA with a 512-bit key length is considered weak and does not provide sufficient security for protecting AES 128-bit keys.​

Option C:Correct. Using an AES 128-bit key as the KEK to protect an AES 128-bit DEK ensures that both keys have equivalent strength, maintaining the integrity of the encryption system.​

Option D:Incorrect. ROT13 is a simple substitution cipher and does not provide adequate security for encrypting cryptographic keys.​

For detailed guidelines on cryptographic key management, refer toRequirement 3: Protect Stored Account Datain thePCI DSS v4.0.1document.​

ï‚· Testing with Live PANs

PCI DSS Requirement 6.4.3 requires that live PANs (Primary Account Numbers) only be used in secure and controlled environments within the CDE.

Pre-production environments located within the CDE must adhere to all PCI DSS requirements for security and monitoring​​.

ï‚· Prohibited Uses

Testing with live PANs in environments outside the CDE violates PCI DSS. Only simulated data should be used in less secure testing environments.

ï‚· Incorrect Options

Option A: Production environments are for real transactions, not testing.

Option B: Test environments outside the CDE are insecure for live PANs.

Option D: The QSA environment is irrelevant to the organization’s CDE testing controls.