Special Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

QSA_New_V4 Qualified Security Assessor V4 Exam Questions and Answers

Questions 4

An LDAP server providing authentication services to the cardholder data environment is?

Options:

A.

In scope for PCI DSS.

B.

Not in scope for PCI DSS.

C.

In scope only if it stores, processes or transmits cardholder data.

D.

In scope only if it provides authentication services to systems in the DMZ.

Buy Now
Questions 5

Which of the following file types must be monitored by a change-detection mechanism (e.g., a file-integrity monitoring tool)?

Options:

A.

Application vendor manuals

B.

Files that regularly change

C.

Security policy and procedure documents

D.

System configuration and parameter files

Buy Now
Questions 6

Which statement about the Attestation of Compliance (AOC) is correct?

Options:

A.

There are different AOC templates for service providers and merchants.

B.

The AOC must be signed by both the merchant/service provider and by PCI SSC.

C.

The same AOC template is used for ROCs and SAQs.

D.

The AOC must be signed by either the merchant/service provider or the QSA/ISA.

Buy Now
Questions 7

Which of the following can be sampled for testing during a PCI DSS assessment?

Options:

A.

PCI DSS requirements and testing procedures.

B.

Compensating controls.

C.

Business facilities and system components.

D.

Security policies and procedures.

Buy Now
Questions 8

A retail merchant has a server room containing systems that store encrypted PAN data. The merchant has implemented a badge access-control system that identifies who entered and exited the room, on what date, and at what time. There are no video cameras located in the server room. Based on this information, which statement is true regarding PCI DSS physical security requirements?

Options:

A.

The badge access-control system must be protected from tampering or disabling.

B.

The merchant must install video cameras in addition to the existing access-control system.

C.

Data from the access-control system must be securely deleted on a monthly basis.

D.

The merchant must install motion-sensing alarms in addition to the existing access-control system.

Buy Now
Questions 9

What is the intent of classifying media that contains cardholder data?

Options:

A.

Ensuring that media is properly protected according to the sensitivity of the data it contains.

B.

Ensuring that media containing cardholder data Is moved from secured areas an a quarterly basis.

C.

Ensuring that media is clearly and visibly labeled as "Confidential" so all personnel know that the media contains cardholder data.

D.

Ensuring that all media is consistently destroyed on the same schedule, regardless of the contents.

Buy Now
Questions 10

Assigning a unique ID to each person is intended to ensure?

Options:

A.

Strong passwords are used for each user account.

B.

Shared accounts are only used by administrators.

C.

Individual users are accountable for their own actions.

D.

Access is assigned to group accounts based on need-to-know.

Buy Now
Questions 11

What do PCI DSS requirements for protecting cryptographic keys include?

Options:

A.

Public keys must be encrypted with a key-encrypting key.

B.

Data-encrypting keys must be stronger than the key-encrypting key that protects it.

C.

Private or secret keys must be encrypted, stored within an SCD, or stored as key components.

D.

Key-encrypting keys and data-encrypting keys must be assigned to the same key custodian.

Buy Now
Questions 12

Which statement about the Attestation of Compliance (AOC) is correct?

Options:

A.

There are different AOC templates for service providers and merchants.

B.

The AOC must be signed by both the merchant/service provider and by PCI SSC.

C.

The same AOC template is used W ROCs and SAQs.

D.

The AOC must be signed by either the merchant/service provider or the QSA/ISA.

Buy Now
Questions 13

Which of the following describes “stateful responses” to communication initiated by a trusted network?

Options:

A.

Administrative access to respond to requests to change the firewall is limited to one individual at a time.

B.

Active network connections are tracked so that invalid “response” traffic can be identified.

C.

A current baseline of application configurations is maintained and any misconfiguration is responded to promptly.

D.

Logs of user activity on the firewall are correlated to identify and respond to suspicious behavior.

Buy Now
Questions 14

Which statement is true regarding the presence of both hashed and truncated versions of the same PAN in an environment?

Options:

A.

Controls are needed to prevent the original PAN being exposed by the hashed and truncated versions.

B.

The hashed version of the PAN must also be truncated per PCI DSS requirements for strong cryptography.

C.

The hashed and truncated versions must be correlated so the source PAN can be identified.

D.

Hashed and truncated versions of a PAN must not exist in same environment.

Buy Now
Questions 15

Which statement is true regarding the PCI DSS Report on Compliance (ROC)?

Options:

A.

The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs.

B.

The assessor may use either their own template or the ROC Reporting Template provided by PCI SSC.

C.

The assessor must create their own ROC template for each assessment report.

D.

The ROC Reporting Template provided by PCI SSC is only required for service provider assessments.

Buy Now
Questions 16

Which of the following statements is true regarding track equivalent data on the chip of a payment card?

Options:

A.

It is allowed to be stored by merchants after authorization, if encrypted.

B.

It is sensitive authentication data.

C.

It is out of scope for PCI DSS.

D.

It is not applicable for PCI DSS Requirement 3.2.

Buy Now
Questions 17

Which of the following is an example of multi-factor authentication?

Options:

A.

A token that must be presented twice during the login process.

B.

A user passphrase and an application-level password.

C.

A user password and a PIN-activated smart card.

D.

A user fingerprint and a user thumbprint.

Buy Now
Questions 18

According to Requirement 1, what is the purpose of “Network Security Controls"?

Options:

A.

Manage anti-malware throughout the CDE.

B.

Control network traffic between two or more logical or physical network segments.

C.

Discover vulnerabilities and rank them.

D.

Encrypt PAN when stored.

Buy Now
Questions 19

Which statement is true regarding the PCI DSS Report on Compliance (ROC)?

Options:

A.

The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs.

B.

The assessor may use either their own template or the ROC Reporting Template provided by PCI SSC.

C.

The assessor must create their own ROC template tor each assessment report.

D.

The ROC Reporting Template provided by PCI SSC is only required for service provider assessments.

Buy Now
Questions 20

An organization wishes to implement multi-factor authentication for remote access, using the user's individual password and a digital certificate. Which of the following scenarios would meet PCI DSS requirements for multi-factor authentication?

Options:

A.

Certificates are assigned only to administrative groups, and not to regular users.

B.

A different certificate is assigned to each individual user account, and certificates are not shared.

C.

Certificates are logged so they can be retrieved when the employee leaves the company.

D.

Change control processes are in place to ensure certificates are changed every 90 days.

Buy Now
Questions 21

What does the PCI PTS standard cover?

Options:

A.

Point-of-interaction devices used to protect account data.

B.

Secure coding practices for commercial payment applications.

C.

Development of strong cryptographic algorithms.

D.

End-to-end encryption solutions for transmission of account data.

Buy Now
Questions 22

A "Partial Assessment" is a new assessment result. What is a “Partial Assessment"?

Options:

A.

A ROC that has been completed after using an SAQ to determine which requirements should be tested, as per FAQ 1331.

B.

An interim result before the final ROC has been completed.

C.

A term used by payment brands and acquirers to describe entities that have multiple payment channels, with each channel having its own assessment.

D.

An assessment with at least one requirement marked as “Not Tested".

Buy Now
Exam Code: QSA_New_V4
Exam Name: Qualified Security Assessor V4 Exam
Last Update: Apr 2, 2025
Questions: 75

PDF + Testing Engine

$57.75  $164.99

Testing Engine

$43.75  $124.99
buy now QSA_New_V4 testing engine

PDF (Q&A)

$36.75  $104.99
buy now QSA_New_V4 pdf