QSA_New_V4 Qualified Security Assessor V4 Exam Questions and Answers

Scope of Anti-Malware Requirements

PCI DSS Requirement 5 mandates the use of anti-malware solutions on all in-scope systems unless the system is specifically documented as not being at risk from malware.

Examples of systems not at risk include those using operating systems that do not support anti-malware tools, provided proper justifications and alternative controls are implemented​​.

Assessment Considerations

QSAs must verify and document why a system is considered "not at risk."

Systems storing, processing, or transmitting cardholder data or that could impact the CDE are generally in-scope for anti-malware​​.

Incorrect Options

Option A: While CDE systems and connected systems require protection, the requirement applies specifically to systems at risk from malware.

Option B: Portable electronic storage is not explicitly called out for universal anti-malware but must be controlled in line with overall security policies.

Option C: Systems storing PAN are only a subset of in-scope systems.

Scope of Change-Detection Mechanisms

PCI DSS v4.0 requires the implementation of a change-detection mechanism (e.g., file-integrity monitoring) to monitor unauthorized changes to critical files.

Critical files include system configuration and parameter files, application executable files, and scripts used in administrative functions​​.

Intent of Monitoring System Files

These files often control security settings and operational parameters of systems within the Cardholder Data Environment (CDE). Unauthorized changes could compromise system security.

Exclusions

Documents like application vendor manuals and security policies do not qualify as files requiring integrity monitoring since they do not directly impact the security posture or operational functions of systems in the CDE.

Key Management Requirements:

PCI DSS Requirement 3.5 specifies the protection of cryptographic keys, including encryption, storage in secure cryptographic devices (SCDs), or as key components to ensure security and prevent unauthorized access​​.

Clarifications on Cryptographic Key Protection:

A/B:Public keys and key strength requirements are not specified in this context.

D:Separation of duties mandates that key-encrypting and data-encrypting keys must not be assigned to the same custodian.

Testing and Validation:

QSAs verify compliance by examining key management practices, storage mechanisms, and access controls for cryptographic keys during the assessment​.

PCI DSS Requirement for File Integrity Monitoring (FIM):

Requirement 11.5 mandates the use of file integrity monitoring to detect unauthorized changes to critical files, and comparisons must be performed at least weekly unless otherwise defined and justified in the entity’s risk assessment​​.

Purpose of Weekly Comparisons:

Ensures timely detection of unauthorized modifications, reducing the risk of compromise.

Invalid Options:

B/D:These timeframes are not specific to PCI DSS unless documented as part of a risk-based approach.

C:Comparisons must occur regularly, not just after changes are installed.

Key Management Requirements:

PCI DSS Requirement 3.6.5 specifies that when a cryptographic key is retired, it must no longer be used for encryption operations but may still be retained for decryption purposes as needed (e.g., to decrypt historical data until it is re-encrypted with the new key)​.

Secure Key Retirement:

Retired keys should be securely stored or destroyed based on the organization’s key management policy to prevent unauthorized access or misuse.

Reference in PCI DSS Documentation:

Section 3.6.5 emphasizes that retired keys must be rendered inactive for further encryption while allowing use for decryption, ensuring data continuity and compliance​.

Purpose of Classifying Media

PCI DSS v4.0 emphasizes the need to classify media based on the sensitivity of the data it contains. Media classification ensures appropriate handling, storage, and destruction processes​​.

Media Protection Requirements

Media containing cardholder data must be securely stored, transferred, and destroyed when no longer needed.

Classification informs the level of protection required, such as encryption, physical security, or controlled access​​.

Incorrect Options

Option B: Moving media quarterly is not a requirement.

Option C: Labeling as "Confidential" is insufficient without a comprehensive protection strategy.

Option D: Destruction schedules should depend on retention requirements and data sensitivity, not a universal timeline.

Audit Log Retention Requirements

PCI DSS Requirement 10.7 specifies audit logs must be retained for a minimum of one year. The most recent three months must be immediately accessible for incident analysis and reporting​​.

Purpose of Log Retention

Retaining logs aids in forensic investigations, regulatory compliance, and operational oversight.

Incorrect Options

Options B, C, and D specify durations that are not consistent with PCI DSS requirements.

Intent of Risk Ranking

PCI DSS Requirement 6.3.2 requires that entities assign a risk ranking to vulnerabilities to prioritize remediation efforts.

This ensures that the most critical vulnerabilities are addressed in a timely manner, reducing the risk to the CDE​​.

Practical Implementation

Vulnerabilities are assessed based on potential impact and likelihood of exploitation, typically using industry-standard frameworks like CVSS.

High-risk vulnerabilities may require immediate attention, while lower-priority issues are remediated per schedule.

Incorrect Options

Option A: PCI DSS does not mandate a 30-day remediation window for all vulnerabilities; remediation timelines depend on risk.

Option B: Quarterly ASV scans are still required even with risk ranking.

Option D: Installing patches quarterly does not align with the dynamic prioritization of risks.

PAN Transmission Protection

PCI DSS Requirement 4.1 mandates strong cryptography for PAN during transmission over both public and private wireless networks to prevent unauthorized interception​​.

Incorrect Options

Options B and D: PAN protection is not required for private wired networks.

Option C: PAN must be protected during transmission over public wireless networks.