QSA_New_V4 Qualified Security Assessor V4 Exam Questions and Answers

According toPCI DSS Scope Definitions (Section 4.2.1), any system thatcan impact the security of the CDEisin scope, even if it doesn’t store cardholder data. An LDAP server providing authentication to systems in the CDEdirectly affects access control, so it'sin scope.

Option A:✅Correct. Systems providingauthentication services to the CDEarein scope.

Option B:❌Incorrect. LDAP does not need to store card data to be in scope.

Option C:❌Incorrect. Influence over access security makes it in scope regardless of data processing.

Option D:❌Incorrect. Scope isn’t limited to DMZ-linked systems.

PCI DSSRequirement 11.5.2mandates the use of file-integrity monitoring (FIM) or change-detection tools to monitorcritical filessuch as system binaries, configuration files, and system parameters.

Option A:❌Incorrect. Manuals are not critical system files.

Option B:❌Incorrect. Regularly changing files (e.g., logs or temp files) are typically excluded.

Option C:❌Incorrect. Policies and procedures are reviewed but not subject to FIM.

Option D:✅Correct. System config and parameter files must bemonitored for unauthorised changes.

There areseparate Attestation of Compliance (AOC) templatesfor different use cases, specifically formerchantsandservice providers, and forSAQsversusROCs. Each template is tailored to match the reporting needs of that assessment type.

Option A:✅Correct. PCI SSC publishes distinct AOC templates depending on whether the entity is a merchant or service provider, and depending on whether they are completing an SAQ or ROC.

Option B:❌Incorrect. The AOC is not signed by PCI SSC. It must be signed by the assessed entity and, where applicable, the QSA or ISA.

Option C:❌Incorrect. ROCs and SAQs use different AOC formats.

Option D:❌Incorrect. Both the entity and the assessor (if applicable)mustsign.

Sampling is a legitimate method under PCI DSS for assessing a representative subset of system components and locations.Section 6 – Sampling for PCI DSS Assessmentsoutlines thatsampling of business facilities and system componentsis allowed, as long as it’s justified, consistent, and documented.

Option A:Incorrect. PCI DSS requirements themselvescannotbe sampled.

Option B:Incorrect.Compensating controls must be assessed in full, not sampled.

Option C:Correct. Sampling may apply tobusiness facilities and system componentsto make the assessment more efficient.

Option D:Incorrect.Policies and proceduresmust be evaluated in full.

According toRequirement 9.3.1and9.4.1.2, physical access control mechanisms — including badge readers — must beprotected against tampering or disablingto prevent unauthorized access and maintain the integrity of access logs.

Option A:Correct. Physical access control systems must be protected from tampering.

Option B:Incorrect. Video cameras are requiredonly where appropriate; badge access may suffice.

Option C:Incorrect. Access logs must beretained for at least three months, not deleted monthly (see 9.4.1.3).

Option D:Incorrect. Motion sensors are not specifically required.

 Purpose of Classifying Media

PCI DSS v4.0 emphasizes the need to classify media based on the sensitivity of the data it contains. Media classification ensures appropriate handling, storage, and destruction processes​​.

 Media Protection Requirements

Media containing cardholder data must be securely stored, transferred, and destroyed when no longer needed.

Classification informs the level of protection required, such as encryption, physical security, or controlled access​​.

 Incorrect Options

Option B: Moving media quarterly is not a requirement.

Option C: Labeling as "Confidential" is insufficient without a comprehensive protection strategy.

Option D: Destruction schedules should depend on retention requirements and data sensitivity, not a universal timeline.

According toRequirement 8.2.1, PCI DSS mandates that all users be assigned aunique IDbefore accessing system components or cardholder data. This ensuresaccountability, enabling identification of actions taken by each user.

Option A:❌Incorrect. Password strength is addressed underRequirement 8.3, not unique ID.

Option B:❌Incorrect. Shared accounts areprohibitedregardless of admin status.

Option C:✅Correct. Unique IDs ensure thateach user's actions can be traced.

Option D:❌Incorrect. Group accounts are discouraged in favour of individual accountability.

 Key Management Requirements:

PCI DSS Requirement 3.5 specifies the protection of cryptographic keys, including encryption, storage in secure cryptographic devices (SCDs), or as key components to ensure security and prevent unauthorized access​​.

 Clarifications on Cryptographic Key Protection:

A/B:Public keys and key strength requirements are not specified in this context.

D:Separation of duties mandates that key-encrypting and data-encrypting keys must not be assigned to the same custodian.

 Testing and Validation:

QSAs verify compliance by examining key management practices, storage mechanisms, and access controls for cryptographic keys during the assessment​.

 Attestation of Compliance (AOC):

The AOC is a document that confirms an entity’s compliance with PCI DSS requirements. It is signed by the entity (merchant or service provider) and the Qualified Security Assessor (QSA) if a QSA is involved.

 Different AOC Templates:

PCI DSS provides distinct templates for service providers and merchants, tailored to their respective roles and responsibilities within the cardholder data environment (CDE)​​.

 Invalid Options:

B:PCI SSC does not sign AOCs; they are signed by the merchant/service provider and the QSA.

C:AOCs differ between ROCs and SAQs, so the same template is not universally used.

D:Both the merchant/service provider and the QSA/ISA (Internal Security Assessor) must sign the AOC when applicable.

Stateful inspection (or stateful packet filtering)tracks the state of active connections and determines which packets are part of a valid session.Requirement 1.4.2references the use of network security controls (NSCs) withstateful filteringcapability to allow legitimate trafficonly in response to trusted requests.

Option A:❌Incorrect. Firewall admin procedures are not what “stateful” refers to.

Option B:✅Correct. “Stateful responses” mean tracking existing connections toblock unauthorised or spoofed responses.

Option C:❌Incorrect. That describes configuration management, not stateful filtering.

Option D:❌Incorrect. Logging is important but not part of stateful inspection.

PCI DSS allows for theuse of truncation and hashingfor protecting PAN, butRequirement 3.4.1and its guidance warn againstcombining hashed and truncated PANsin such a way that the original PAN could be reconstructed. If both formats exist,controls must ensurethey can't be used together to reverse-engineer the PAN.

Option A:✅Correct. Controls must ensure PAN cannot be reconstructed using both versions.

Option B:❌Incorrect. A hashed PAN does not need truncation — hashing is a separate mechanism.

Option C:❌Incorrect. PCI DSS aims to prevent correlation, not encourage it.

Option D:❌Incorrect. They can coexist, but must be secured so that PAN cannot be derived.

PerSection 11 and 12of PCI DSS v4.0.1, assessors arerequired to use the official PCI SSC ROC Reporting Template. This ensures uniformity and completeness across all assessments. The same requirement applies to bothmerchants and service providersundergoing afull assessment (ROC).

Option A:✅Correct. PCI SSC mandates use of its official ROC template.

Option B:❌Incorrect. Custom assessor templates arenot permitted.

Option C:❌Incorrect. Assessorsmust notcreate their own templates.

Option D:❌Incorrect. The ROC template is used forbothmerchants and service providers, where applicable.

Track equivalent data— whether from a magnetic stripe or embedded chip — falls underSensitive Authentication Data (SAD)and mustnot be stored after authorisation, even if encrypted. This is covered underRequirement 3.3.1and Table 3 in PCI DSS v4.0.1.

Option A:❌Incorrect. SADmust not be stored after authorisation, regardless of encryption.

Option B:✅Correct. Track equivalent data is explicitly defined asSAD.

Option C:❌Incorrect. SAD is fullyin-scopefor PCI DSS.

Option D:❌Incorrect. Requirement 3.2 and 3.3 specifically address SAD.

Requirement 8.4.2defines multi-factor authentication (MFA) asauthentication that requires at least two of the following:

Something you know (password/PIN)

Something you have (smart card/token)

Something you are (biometric)

Option A:❌Incorrect. Presenting the same token twice is stillsingle-factor.

Option B:❌Incorrect. Two passwords arestill one factor— “something you know”.

Option C:✅Correct. Password (something you know) + smart card (something you have) =MFA.

Option D:❌Incorrect. Fingerprint and thumbprint are bothbiometrics, so one factor.

According toRequirement 1.2.1of PCI DSS v4.0.1, network security controls (NSCs), such as firewalls and segmentation controls, are used torestrict and control trafficbetween trusted and untrusted networks. This includes logical or physical network segmentation.

Option A:Incorrect. Anti-malware is addressed in Requirement 5.

Option B:Correct. NSCs control and restrict inbound and outbound traffic between logical and physical network segments.

Option C:Incorrect. Vulnerability management is under Requirement 6.

Option D:Incorrect. PAN encryption is covered in Requirement 3.5.

 Mandatory ROC Template

PCI DSS v4.0 mandates the use of the PCI SSC-provided ROC Template for all Reports on Compliance​​.

This ensures standardization, completeness, and accuracy in documenting compliance assessments.

 Sections of the ROC Template

The ROC includes mandatory sections:

Assessment Overview:General details, scope validation, and assessment findings.

Findings and Observations:Detailed compliance status per requirement.

 Prohibited Practices

Assessors cannot use self-created ROC templates. Deviation from the PCI SSC-approved template may result in rejection of the report​​.

 Key Changes in v4.0

Enhanced focus on the integrity of reporting and inclusion of specific findings to ensure alignment with PCI DSS objectives.

Added support for the customized approach within the ROC structure​​.

PCI DSSRequirement 8.4.2requiresmulti-factor authentication (MFA)to consist of two or moreindependent authentication factors. MFA must alsonot involve shared credentials, so each certificate must be tied to a specific individual.

Option A:❌Incorrect. MFA must apply toall applicable users, not just admins.

Option B:✅Correct. This meets PCI DSS: unique credentials per user and non-shared certificates.

Option C:❌Incorrect. Retaining certificates post-employment is a risk, not a compliance action.

Option D:❌Incorrect. PCI DSS doesn’t mandate 90-day certificate rotation; rather, secure usage and revocation are key.

ThePCI PIN Transaction Security (PTS)standard applies topoint-of-interaction (POI) hardware devices, such as PIN entry devices and POS terminals. It ensures these devicessecurely capture and process account data, particularly for PIN-based transactions.

Option A:✅Correct. PCI PTS focuses onhardware devicesthat process PIN or card data.

Option B:❌Incorrect. This is covered under theSecure Software Standard(part of the Software Security Framework).

Option C:❌Incorrect. Algorithm development is outside PCI SSC’s scope.

Option D:❌Incorrect. End-to-end encryption is covered in other guidance (e.g., P2PE), not PTS.

According toSection 12.2.3.3 of PCI DSS v4.0.1, aPartial Assessmentis defined as a result whereat least one PCI DSS requirement is marked as “Not Tested.”This is typically seen duringgap assessments or pre-validation efforts, not official compliance validation.

Option A:❌Incorrect. SAQs are self-assessments; Partial Assessment is a different concept.

Option B:❌Incorrect. Interim drafts are not labeled as “Partial”.

Option C:❌Incorrect. That is a misinterpretation of segmentation by payment channel.

Option D:✅Correct. "Not Tested" = Partial Assessment.