Exam (worked answers)

PCI ISA FINAL TEST 2026 QUESTIONS WITH CORRECT ANSWERS GRADED A+

Pages: 113
Grade: A+
Uploaded on: 27-03-2026
Written in: 2025/2026


Institution: PCI ISA
Course: PCI ISA

Preview of the content


• Functions associated with Acquirers.
Answer:
- Provide settlement services to a merchant
- Provide clearing services to a merchant
- Provide authorization services to a merchant
• PCI DSS Requirements 3.6.5.
Answer: Retirement or replacement (for example, archiving, destruction,
and/or revocation) of keys as deemed necessary when the integrity of the
key has been weakened (for example, departure of an employee with
knowledge of a clear-text key component), or keys are suspected of being
compromised. Note: If retired or replaced cryptographic keys need to be
retained, these keys must be securely archived (for example, by using a
key-encryption key). Archived cryptographic keys should only be used for
decryption/verification purposes. Keys that are no longer used or needed, or
keys that are known or suspected to be compromised, should be revoked
and/or destroyed to ensure that the keys can no longer be used. If such keys
need to be kept (for example, to support archived, encrypted data) they
should be strongly protected.
• When to install applicable vendor-supplied security patches?
Answer: within an appropriate time frame (for example, within three
months).
• PA-DSS Applicability - Hardware Terminals.
Answer: There are two ways for a hardware terminal payment application to
achieve PA-DSS validation:
1. The payment application directly meets all PA-DSS requirements
2. The payment application is resident on a PCI PTS approved Point of Interaction (POI) hardware device that meets some of the PA-DSS requirements
PA-DSS requirements may be met through a combination of PA-DSS and PTS
validated controls:
- Hardware terminal must be a PTS validated POI device
- PTS validated hardware provides a trusted computing environment
- Hardware and payment application are required dependencies
- PCI DSS compliant settings must be enabled by default
• PCI DSS Requirements - Appendix A3.2.2.
Answer: Determine PCI DSS scope impact for all changes to systems or
networks, including additions of new systems and new network connections.
Processes must include:
- Performing a formal PCI DSS impact assessment
- Identifying applicable PCI DSS requirements to the system or network
- Updating PCI DSS scope as appropriate
- Documented sign-off of the results of the impact assessment by responsible personnel
Changes to systems or networks can have significant impact to PCI DSS scope.
• PCI DSS Requirements 12.3.1.
Answer: Ensure these usage policies require explicit approval by authorized
parties. Without requiring proper approval for implementation of these
technologies, individual personnel may innocently implement a solution to a
perceived business need, but also open a huge hole that subjects critical
systems and data to malicious individuals.
• Appendix A1 applies to.
Answer: hosting providers
• PCI DSS Requirements 11.6.
Answer: Ensure that security policies and operational procedures for
security monitoring and testing are documented, in use, and known to all
affected parties. Personnel need to be aware of and following security
policies and operational procedures for security monitoring and testing on a
continuous basis.
• PCI DSS Requirements 3.5.
Answer: Document and implement procedures to protect keys used to secure
stored cardholder data against disclosure and misuse: Note: This
requirement applies to keys used to encrypt stored cardholder data, and also
applies to key-encrypting keys used to protect data-encrypting keys—such
key-encrypting keys must be at least as strong as the data-encrypting key.
Guidance: Cryptographic keys must be strongly protected because those
who obtain access will be able to decrypt data. Key-encrypting keys, if used,
must be at least as strong as the data-encrypting key in order to ensure
proper protection of the key that encrypts the data as well as the data
encrypted with that key.
• Cardholder Data Flow Example 2.
Answer:
• PCI DSS Requirements 10.3.1.
Answer: User identification.
• The decision about a merchant's level is made by?
Answer: The decision about a merchant's validation level belongs to the
acquirers, since they are the ones responsible for their merchants
• PCI DSS Requirements 3.1.
Answer: Keep cardholder data storage to a minimum by implementing data
retention and disposal policies, procedures and processes that include at
least the following for all cardholder data (CHD) storage:
- Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
- Specific retention requirements for cardholder data
- Processes for secure deletion of data when no longer needed
- A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention
A formal data retention policy identifies what data needs to be retained,
and where that data resides so it can be securely destroyed or deleted as
soon as it is no longer needed. In order to define appropriate retention
requirements, an entity first needs to understand their own business needs
as well as any legal or regulatory obligations that apply to their industry,
and/or that apply to the type of data being retained. Identifying and
deleting stored data that has exceeded its specified retention period
prevents unnecessary retention of data that is no longer needed. This
process may be automated or manual or a combination of both. For example, a
programmatic procedure (automatic or manual) to locate and remove data
and/or a manual review of data storage areas could be performed.
Implementing secure deletion methods ensures that the data cannot be
retrieved when it is no longer needed.
• PCI DSS Requirements 9.9.1.
Answer: Maintain an up-to-date list of devices. The list should include the
following:
- Make, model of device
- Location of device (for example, the address of the site or facility where the device is located)
- Device serial number or other method of unique identification.
Keeping an up-to-date list of devices helps an organization keep track of
where devices are supposed to be, and quickly identify if a device is
missing or lost.
• Service Provider Submission - Level 1 - 3 American Express.
Answer:
• PCI DSS Requirements 10.8.
Answer: Additional requirement for service providers only: Implement a
process for the timely detection and reporting of failures of critical security
control systems, including but not limited to failure of:
- Firewalls
- IDS/IPS
- FIM
- Anti-virus
- Physical access controls
- Logical access controls
- Audit logging mechanisms
- Segmentation controls (if used)
Without formal processes to detect and alert when critical security controls
fail, failures may go undetected for extended periods and provide attackers
ample time to compromise systems and steal sensitive data from the
cardholder data environment.
• PCI DSS Requirements - Appendix A3.1.3.
Answer: PCI DSS compliance roles and responsibilities must be specifically
defined and formally assigned to one or more personnel, including at least
the following:
- Managing PCI DSS business-as-usual activities
- Managing annual PCI DSS assessments
- Managing continuous validation of PCI DSS requirements (for example: daily, weekly, quarterly, etc. as applicable per requirement)
- Managing business-impact analysis to determine potential PCI DSS impacts for strategic business decisions
The formal definition of specific PCI DSS compliance roles and
responsibilities helps to ensure accountability and monitoring of ongoing
PCI DSS compliance efforts.

Seller: Professor_Beatrice7
