Question 1

An organization wishes to implement multi-factor authentication for remote access, using the user's Individual password and a digital certificate. Which of the following scenarios would meet PCI DSS requirements for multi-factor authentication?

ACertificates are assigned only to administrative groups, and not to regular users.

BA different certificate is assigned to each individual user account, and certificates are not shared.

CCertificates are logged so they can be retrieved when the employee leaves the company.

DChange control processes are In place to ensure certificates are changed every 90 days.

Answer : B

Multi-Factor Authentication (MFA)

MFA requires at least two factors from different categories: something you know (password), something you have (digital certificate), or something you are (biometric).

PCI DSS Requirement 8 mandates that credentials like certificates must be unique to each user.

Secure Certificate Use

Certificates must not be shared and should be assigned individually to ensure accountability and prevent unauthorized access.

Incorrect Options

Option A: Limiting certificates to administrative groups does not fulfill PCI DSS for all users.

Option C: Logging certificates for retrieval is unrelated to security requirements.

Option D: Certificates do not have a mandatory 90-day change requirement.

Question 2

In accordance with PCI DSS Requirement 10, how long must audit logs be retained?

AAt least 1 year, with the most recent 3 months immediately available.

BAt least 2 years, with the most recent 3 months immediately available.

CAt least 2 years, with the most recent month immediately available.

DAt least 3 months, with the most recent month immediately available.

Answer : A

Audit Log Retention Requirements

PCI DSS Requirement 10.7 specifies audit logs must be retained for a minimum of one year. The most recent three months must be immediately accessible for incident analysis and reporting.

Purpose of Log Retention

Retaining logs aids in forensic investigations, regulatory compliance, and operational oversight.

Incorrect Options

Options B, C, and D specify durations that are not consistent with PCI DSS requirements.

Question 3

Which statement about PAN is true?

AIt must be protected with strong cryptography for transmission over private wireless networks.

BIt must be protected with strong cryptography tor transmission over private wired networks.

CIt does not require protection for transmission over public wireless networks.

DIt does not require protection for transmission over public wired networks.

Answer : A

PAN Transmission Protection

PCI DSS Requirement 4.1 mandates strong cryptography for PAN during transmission over both public and private wireless networks to prevent unauthorized interception.

Incorrect Options

Options B and D: PAN protection is not required for private wired networks.

Option C: PAN must be protected during transmission over public wireless networks.

Question 4

A sample of business facilities is reviewed during the PCI DSS assessment. What is the assessor required to validate about the sample?

AIt includes a consistent set of facilities that are reviewed for all assessments.

BThe number of facilities in the sample is at least 10 percent of the total number of facilities.

CEvery facility where cardholder data is stored is reviewed.

DAll types and locations of facilities are represented.

Answer : D

Sampling in Assessments

PCI DSS v4.0 requires assessors to ensure that sampled business facilities represent all types and locations to provide comprehensive coverage of the entity's operations.

Sampling Considerations

Assessors must include facilities storing or processing cardholder data and validate controls across diverse locations.

Incorrect Options

Option A: Consistency does not ensure comprehensive representation.

Option B: PCI DSS does not mandate a 10% sample size.

Option C: It is not mandatory to review every facility storing cardholder data.

Question 5

Which statement is true regarding the presence of both hashed and truncated versions of the same PAN in an environment?

AControls are needed to prevent the original PAN being exposed by the hashed and truncated versions.

BThe hashed version of the PAN must also be truncated per PCI DSS requirements for strong cryptography.

CThe hashed and truncated versions must be correlated so the source PAN can be identified.

DHashed and truncated versions of a PAN must not exist in same environment.

Answer : A

Hashing and Truncation

PCI DSS Requirement 3.4 mandates protecting stored PAN using methods like hashing and truncation. If both versions coexist, controls must ensure they cannot be combined to reconstruct the original PAN.

Incorrect Options

Option B: Truncation is unrelated to hashed PANs.

Option C: Correlation of hashed and truncated versions to identify the PAN violates PCI DSS principles.

Option D: Coexistence of hashed and truncated PANs is permissible if proper controls are in place.

Free Practice Questions for PCI QSA_New_V4 Exam

Question 1

Question 2

Question 3

Question 4

Question 5