Questions for the QSA-NEW-V4 were updated on: Nov 21, 2025
Which statement is true regarding the presence of both hashed and truncated versions of the same
PAN in an environment?
A
Explanation:
Hashing and Truncation
PCI DSS Requirement 3.4 mandates protecting stored PAN using methods like hashing and
truncation. If both versions coexist, controls must ensure they cannot be combined to reconstruct the
original PAN.
Incorrect Options
Option B: Truncation is unrelated to hashed PANs.
Option C: Correlation of hashed and truncated versions to identify the PAN violates PCI DSS
principles.
Option D: Coexistence of hashed and truncated PANs is permissible if proper controls are in place.
A sample of business facilities is reviewed during the PCI DSS assessment. What is the assessor
required to validate about the sample?
D
Explanation:
Sampling in Assessments
PCI DSS v4.0 requires assessors to ensure that sampled business facilities represent all types and
locations to provide comprehensive coverage of the entity’s operations.
Sampling Considerations
Assessors must include facilities storing or processing cardholder data and validate controls across
diverse locations.
Incorrect Options
Option A: Consistency does not ensure comprehensive representation.
Option B: PCI DSS does not mandate a 10% sample size.
Option C: It is not mandatory to review every facility storing cardholder data.
Which statement about PAN is true?
A
Explanation:
PAN Transmission Protection
PCI DSS Requirement 4.1 mandates strong cryptography for PAN during transmission over both
public and private wireless networks to prevent unauthorized interception.
Incorrect Options
Options B and D: PAN protection is not required for private wired networks.
Option C: PAN must be protected during transmission over public wireless networks.
In accordance with PCI DSS Requirement 10, how long must audit logs be retained?
A
Explanation:
Audit Log Retention Requirements
PCI DSS Requirement 10.7 specifies audit logs must be retained for a minimum of one year. The most
recent three months must be immediately accessible for incident analysis and reporting.
Purpose of Log Retention
Retaining logs aids in forensic investigations, regulatory compliance, and operational oversight.
Incorrect Options
Options B, C, and D specify durations that are not consistent with PCI DSS requirements.
An organization wishes to implement multi-factor authentication for remote access, using the user's
individual password and a digital certificate. Which of the following scenarios would meet PCI DSS
requirements for multi-factor authentication?
B
Explanation:
Multi-Factor Authentication (MFA)
MFA requires at least two factors from different categories: something you know (password),
something you have (digital certificate), or something you are (biometric).
PCI DSS Requirement 8 mandates that credentials like certificates must be unique to each user.
Secure Certificate Use
Certificates must not be shared and should be assigned individually to ensure accountability and
prevent unauthorized access.
Incorrect Options
Option A: Limiting certificates to administrative groups does not fulfill PCI DSS for all users.
Option C: Logging certificates for retrieval is unrelated to security requirements.
Option D: Certificates do not have a mandatory 90-day change requirement.
If segmentation is being used to reduce the scope of a PCI DSS assessment, the assessor will?
D
Explanation:
Role of the Assessor in Verifying Segmentation
PCI DSS v4.0 requires assessors to confirm that segmentation controls (firewalls, ACLs, etc.)
effectively isolate the CDE from out-of-scope networks.
Proper configuration and functionality testing ensure that only authorized traffic can access the CDE.
Testing Requirements
Methods include network scans, configuration reviews, and traffic analysis to verify the
segmentation is functioning as intended.
Incorrect Options
Option A: Verifying traffic flow is part of the task but not the primary goal.
Option B: Payment brands do not approve segmentation controls.
Option C: Use of specific devices is not mandated for segmentation.
What do PCI DSS requirements for protecting cryptographic keys include?
C
Explanation:
Key Management Requirements:
PCI DSS Requirement 3.5 specifies the protection of cryptographic keys, including encryption, storage
in secure cryptographic devices (SCDs), or as key components to ensure security and prevent
unauthorized access.
Clarifications on Cryptographic Key Protection:
A/B: Public keys and key strength requirements are not specified in this context.
D: Separation of duties mandates that key-encrypting and data-encrypting keys must not be assigned
to the same custodian.
Testing and Validation:
QSAs verify compliance by examining key management practices, storage mechanisms, and access
controls for cryptographic keys during the assessment.
Viewing of audit log files should be limited to?
D
Explanation:
Audit Log Access Control:
PCI DSS Requirement 10.7 restricts access to audit logs to individuals with a job-related need to
protect the integrity and confidentiality of the logs.
Rationale for Job-Related Need:
Limiting access reduces the risk of tampering, accidental modification, or exposure of sensitive
information.
Invalid Options:
A: Individuals who performed the activity should not necessarily view logs unless required.
B/C: Read/write access or administrator privileges are not prerequisites for log viewing.
Could an entity use both the Customized Approach and the Defined Approach to meet the same
requirement?
D
Explanation:
Dual Approach Flexibility:
PCI DSS allows entities to use both the Defined Approach and the Customized Approach for the same
requirement if eligible and documented appropriately. This can provide flexibility in addressing
complex environments.
Clarifications on Valid Options:
A: Entities are not restricted to a single approach.
B: Compensating controls are unrelated to the choice of approach.
C: Entities can use compensating controls if applicable and justified.
Documentation and Assessment:
Both approaches must be properly documented and validated in the Report on Compliance (ROC),
with clear evidence demonstrating compliance.
An organization has implemented a change-detection mechanism on their systems. How often must
critical file comparisons be performed?
A
Explanation:
PCI DSS Requirement for File Integrity Monitoring (FIM):
Requirement 11.5 mandates the use of file integrity monitoring to detect unauthorized changes to
critical files, and comparisons must be performed at least weekly unless otherwise defined and
justified in the entity’s risk assessment.
Purpose of Weekly Comparisons:
Ensures timely detection of unauthorized modifications, reducing the risk of compromise.
Invalid Options:
B/D: These timeframes are not specific to PCI DSS unless documented as part of a risk-based
approach.
C: Comparisons must occur regularly, not just after changes are installed.
Where can live PANs be used for testing?
C
Explanation:
Testing with Live PANs
PCI DSS Requirement 6.4.3 requires that live PANs (Primary Account Numbers) only be used in secure
and controlled environments within the CDE.
Pre-production environments located within the CDE must adhere to all PCI DSS requirements for
security and monitoring.
Prohibited Uses
Testing with live PANs in environments outside the CDE violates PCI DSS. Only simulated data should
be used in less secure testing environments.
Incorrect Options
Option A: Production environments are for real transactions, not testing.
Option B: Test environments outside the CDE are insecure for live PANs.
Option D: The QSA environment is irrelevant to the organization’s CDE testing controls.
At which step in the payment transaction process does the merchant's bank pay the merchant for the
purchase, and the cardholder's bank bill the cardholder?
C
Explanation:
Settlement in the Payment Process
Settlement is the stage where the merchant’s bank pays the merchant for the transaction, and the
cardholder’s bank debits the cardholder's account.
PCI DSS does not explicitly describe the settlement process but emphasizes the protection of data
during all stages.
Transaction Stages
Authorization: Approves the transaction.
Clearing: Data is sent to the cardholder’s bank.
Settlement: Funds are transferred between banks.
Chargeback: Disputes are handled, and funds might be reversed.
Which of the following describes "stateful responses" to communication initiated by a trusted
network?
B
Explanation:
Stateful Inspection
PCI DSS Requirement 1.2 specifies the need for stateful inspection to track the state of active
connections. This ensures that only valid responses to communication initiated by trusted networks
are allowed.
Invalid or unsolicited response traffic is blocked to prevent exploitation of vulnerabilities.
Key Functionality of Stateful Firewalls
Stateful firewalls maintain session information and only allow traffic that matches an existing session
or expected response.
Incorrect Options
Option A: Administrative access restrictions are important but unrelated to stateful responses.
Option C: Baseline configurations are a different security control.
Option D: Logging and correlation are for threat detection, not stateful response.
An entity accepts e-commerce payment card transactions and stores account data in a database. The
database server and the web server are both accessible from the Internet. The database server and
the web server are on separate physical servers. What is required for the entity to meet PCI DSS
requirements?
B
Explanation:
Protecting the Database Server
PCI DSS v4.0 requires that systems storing cardholder data, such as database servers, must not be
directly accessible from untrusted networks (Requirement 1.3).
The database server should be behind network security controls like firewalls and placed in a
segmented network isolated from untrusted networks.
Segmentation Best Practices
The web server, which interfaces with external users, can remain accessible from the Internet but
should reside in a DMZ to prevent direct access to the internal network.
This separation protects the database server from external threats while maintaining system
functionality.
Incorrect Options
Option A: Combining the web and database servers increases the attack surface and violates best
practices.
Option C: Moving the web server to the internal network exposes the internal environment.
Option D: Segmentation is critical, but the reason is not solely to allow more concurrent connections.
What does the PCI PTS standard cover?
A
Explanation:
PCI PIN Transaction Security (PTS) Standard:
The PCI PTS standard focuses on securing Point-of-Interaction (POI) devices, such as payment
terminals, that process payment card transactions and protect account data during capture.
Clarifications on Covered Areas:
This standard includes specifications for physical and logical security controls to prevent
unauthorized access to sensitive cardholder data on POI devices.
Invalid Options:
B: Secure coding practices are addressed by PCI PA-DSS (Payment Application Data Security
Standard).
C: Cryptographic algorithm development is not specific to PCI PTS.
D: End-to-end encryption solutions are not covered under PCI PTS.