Free PCI SSC QSA_New_V4 Practice Exam with Questions & Answers | Set: 2

UnderAppendix D – Customized Approach, it is clearly stated that theentity is responsiblefor completing theControls Matrixand theTargeted Risk Analysis (TRA). The assessor may assist in completion, but accountability for content lies with the entity.

Option A:Incorrect. QSAs may assist but are not solely responsible.

Option B:Incorrect. This overstates who is responsible; only the entity is ultimately accountable.

Option C:Correct. The entity being assessed is responsible for completing the Controls Matrix and TRA.

Option D:Incorrect. Card brands or acquirers are not involved in document creation.

 Compensating Controls Definition and Purpose

A compensating control is an alternate measure that satisfies the intent of a specific PCI DSS requirement and provides an equivalent level of security.

The rationale and risk mitigation must be explicitly documented using the Compensating Control Worksheet (CCW).

 Mandatory Documentation

PCI DSS v4.0 mandates the use of a CCW when implementing compensating controls. This applies regardless of acquirer approvals​​.

The CCW requires detailed documentation including:

Constraints preventing the original requirement from being implemented.

Justification for the compensating control.

Description of the control and evidence of its effectiveness.

 Using Existing Requirements

If an existing PCI DSS requirement (e.g., Requirement 5 for antivirus) is already implemented and can mitigate the risks of not meeting another requirement, it may qualify as a compensating control​​.

 Approval and Review Process

QSAs must validate the implementation, effectiveness, and appropriateness of compensating controls during the assessment process​

PCI DSSRequirement 11.5.2mandates the use of file-integrity monitoring (FIM) or change-detection tools to monitorcritical filessuch as system binaries, configuration files, and system parameters.

Option A:❌Incorrect. Manuals are not critical system files.

Option B:❌Incorrect. Regularly changing files (e.g., logs or temp files) are typically excluded.

Option C:❌Incorrect. Policies and procedures are reviewed but not subject to FIM.

Option D:✅Correct. System config and parameter files must bemonitored for unauthorised changes.

According toRequirement 1.2.1of PCI DSS v4.0.1, network security controls (NSCs), such as firewalls and segmentation controls, are used torestrict and control trafficbetween trusted and untrusted networks. This includes logical or physical network segmentation.

Option A:Incorrect. Anti-malware is addressed in Requirement 5.

Option B:Correct. NSCs control and restrict inbound and outbound traffic between logical and physical network segments.

Option C:Incorrect. Vulnerability management is under Requirement 6.

Option D:Incorrect. PAN encryption is covered in Requirement 3.5.

PCI DSSRequirement 12.8.4mandates that an entitymonitor the compliance status of third-party service providers (TPSPs) at least annually, especially when those TPSPs store, process, or transmit account data on the entity’s behalf.

Option A:Incorrect. Entities are not responsible for conducting ASV scans on TPSPs.

Option B:Incorrect. There is no quarterly risk assessment requirement for TPSPs.

Option C:Incorrect. Incident response testing for TPSPs is not a direct responsibility of the entity.

Option D:Correct. Annual monitoring of TPSP compliance is explicitly required.

Requirement9.9.2of PCI DSS v4.0.1 mandates that entitiesregularly inspect POS devicesto detect signs of tampering or skimming. This includes physical inspections to identify unexpected additions, unauthorized stickers, broken seals, etc.

Option A:Correct. Regular inspection for skimming/tampering is required.

Option B:Incorrect. There is no mandate for manufacturer serial number verification.

Option C:Incorrect. PCI DSS does not require routine replacement of device identifiers or labels.

Option D:Incorrect. Devices may be investigated if compromised, but not necessarily destroyed.

According toRequirement 12.10.1, an effectiveincident response plan (IRP)must include steps to detect, respond to, and contain incidents such asunauthorised wireless access points. PCI DSS11.2.1also mandates quarterly rogue AP detection.

Option A:❌Incorrect. Notification to PCI SSC is not required; notification goes toacquirers/payment brands.

Option B:✅Correct. The IRP must includeresponse to unauthorised wireless access detection.

Option C:❌Incorrect. Records must beretained, not deleted.

Option D:❌Incorrect. Retaliatory or offensive actions arenot allowed or recommended.

True segmentation, as defined inPCI DSS Scope Guidance, requiresenforcing isolationsuch thatno network traffic is allowed between the CDE and out-of-scope systems, unless explicitly permitted and secured. This is the only way toreduce assessment scopereliably.

Option A:❌Incorrect. Monitoring alone does not restrict or prevent access.

Option B:❌Incorrect. Logging without restriction doesnot isolatethe CDE.

Option C:❌Incorrect. VLANs may be part of segmentation, but routing traffic alone doesn't reduce scope.

Option D:✅Correct. This describesproper segmentation: no uncontrolled traffic into the CDE.

 Customized Approach Overview:

Under PCI DSS v4.0, entities can use a Customized Approach to meet requirements by implementing controls tailored to their environment. This allows flexibility while still achieving the intent of the security requirement.

 Role of Assessors:

Assessors (QSAs) are responsible for evaluating both the implementation of customized controls and ensuring these controls fulfill the security objectives of the PCI DSS requirements​​.

QSAs must document the evaluation, evidence reviewed, and results in the Report on Compliance (ROC).

 Controls Matrix and Targeted Risk Analysis (TRA):

The Controls Matrix and TRA are key components of the Customized Approach. QSAs assist in verifying the accuracy and completeness of these tools during assessments​​.

 Documenting in the ROC:

The ROC must include a narrative explaining the assessor’s findings regarding the customized control, validation methods, and any evidence collected​.

 Relevant PCI DSS v4.0 Guidance:

Appendix D and E of the PCI DSS v4.0 ROC Template emphasize that QSAs can evaluate and confirm adherence to the Customized Approach provided this is documented comprehensively in the ROC​.

PCI DSSRequirement 8.4.2requiresmulti-factor authentication (MFA)to consist of two or moreindependent authentication factors. MFA must alsonot involve shared credentials, so each certificate must be tied to a specific individual.

Option A:❌Incorrect. MFA must apply toall applicable users, not just admins.

Option B:✅Correct. This meets PCI DSS: unique credentials per user and non-shared certificates.

Option C:❌Incorrect. Retaining certificates post-employment is a risk, not a compliance action.

Option D:❌Incorrect. PCI DSS doesn’t mandate 90-day certificate rotation; rather, secure usage and revocation are key.