Free PCI SSC QSA_New_V4 Practice Exam with Questions & Answers | Set: 3

As perRequirement 2.2.1, the purpose of limiting each server to one primary function is toreduce the risk of functions with lower security needs compromising more critical functions.

Option A:❌Incorrect. PCI DSS discourages combining different security-level functions.

Option B:✅Correct. This is the intent: toprevent lower-security processes from weakening high-security environments.

Option C:❌Incorrect. Functions shouldn’t depend on one another for security.

Option D:❌Incorrect. PCI DSS encourages raising security, not lowering it.

Internal vulnerability scanning is addressed underRequirement 11.3.1. According to PCI DSS, internal vulnerability scansmust be conducted at least once every three monthsandafter any significant changein the environment, such as new system components, changes in network topology, firewall rule changes, or product upgrades.

Option A:Correct. Scans must be performed after significant changes.

Option B:Incorrect. Internal scansdo not require an ASV. ASVs are required for external vulnerability scans (Requirement 11.3.2).

Option C:Incorrect. A QSA is not required to perform internal scans. They can be performed by qualified internal staff or third-party providers.

Option D:Incorrect. Internal scans arerequired quarterly, not annually.