300 QUESTIONS AND ANSWERS
QIR - Qualified Integrator & Reseller
1. What does QIR stand for in the context of PCI DSS?
A) Qualified Integrator & Reseller
B) Quality Inspection & Review
C) Qualified Inspector & Registrar
D) Quality Integration & Reporting
Answer: A
2. Which organization manages the QIR program?
A) VISA
B) Mastercard
C) PCI Security Standards Council (PCI SSC)
D) ISACA
Answer: C
3. What is the primary purpose of the QIR program?
A) To certify hardware manufacturers
B) To ensure proper installation of payment systems by qualified
personnel
C) To audit merchant financial records
D) To validate software code quality
Answer: B
4. Which of the following is a key requirement for a company to become a
QIR?
A) Must be a bank
B) Must complete the QIR training and pass the exam
C) Must be headquartered in the US
D) Must have ISO 27001 certification
Answer: B
5. QIR-qualified employees must complete training provided by whom?
A) Individual card brands
B) The merchant they are working for
C) The PCI SSC
D) Local government
Answer: C
6. What document governs the QIR program requirements?
A) PA-DSS
B) PCI DSS
C) QIR Program Guide
D) ISO 27001
Answer: C
7. A QIR is responsible for which of the following tasks?
A) Issuing credit cards
B) Installing, configuring, and/or supporting payment applications and
systems
C) Processing chargebacks
D) Approving merchant applications
Answer: B
8. The QIR program primarily targets which type of merchants?
A) Large e-commerce retailers
B) Small and medium-sized merchants
C) Banks only
D) Government agencies
Answer: B
9. QIRs are required to follow which standard during installations?
A) SOC 2
B) ISO 9001
C) PCI DSS
D) HIPAA
Answer: C
10. How often must a QIR company renew its listing on the PCI SSC
website?
A) Every 6 months
B) Every year
C) Every 2 years
D) Every 3 years
Answer: B
Section 2: Cardholder Data & Scope
11. Which of the following is considered cardholder data (CHD)?
A) Merchant's tax ID
B) Primary Account Number (PAN)
C) Bank routing number
D) Merchant's address
Answer: B
12. What is the cardholder data environment (CDE)?
A) The physical store location
B) The network and systems that store, process, or transmit cardholder
data
C) The payment terminal only
D) The merchant's accounting software
Answer: B
13. Which data element must NEVER be stored after authorization?
A) Cardholder name
B) Expiration date
C) Full magnetic stripe data
D) Service code
Answer: C
14. The CVV/CVC code on a payment card is an example of what?
A) Cardholder data
B) Sensitive authentication data (SAD)
C) Public data
D) Transaction metadata
Answer: B
15. Which of the following CANNOT be stored after transaction
authorization under PCI DSS?
A) Cardholder name
B) PAN (truncated)
C) PIN blocks
D) Expiration date
Answer: C
16. Truncation of a PAN means:
A) Encrypting the entire PAN
B) Displaying only the first 6 and last 4 digits
C) Hashing the PAN
D) Masking all digits except the last 4
Answer: B
17. Which of the following is NOT cardholder data?
A) PAN
B) Cardholder name
C) Card expiration date
D) CVV2
Answer: D
18. A QIR must help reduce scope by:
A) Storing all cardholder data in one location
B) Implementing network segmentation
C) Disabling firewalls
D) Using default passwords
Answer: B
19. What is 'scope creep' in the context of PCI DSS?
A) Expansion of the CDE beyond what is necessary
B) Adding more staff to a project
C) Increasing merchant fees
D) Extending the payment contract
Answer: A
20. Which system component is in scope for PCI DSS?
A) A server that processes payroll only
B) A system connected to the CDE
C) A printer not connected to any network
D) The merchant's personal laptop
Answer: B
Section 3: Network Security
21. What is the first line of defense for protecting cardholder data on a
network?
A) Antivirus software
B) Firewall