Core Domains: PCI DSS Requirements & Compliance Framework, Governance & Risk Management, CDE Scoping, Access Control, Encryption,
Vulnerability Management, Logging/Monitoring, SDLC, Third-Party Oversight, and Audit Methodologies.
Note: Correct answers are in bold green, questions are in bold, and rationales are in italics.
1. Which role is specifically defined as an employee of an assessed entity who has been trained and certified to perform internal
assessments?
A) Qualified Security Assessor (QSA)
B) Internal Security Assessor (ISA)
C) Approved Scanning Vendor (ASV)
D) Payment Application QSA (PA-QSA)
Rationale: The ISA program is designed to educate internal employees of merchants and service providers on how to perform internal assessments and
interact with a QSA.
2. Under PCI DSS v4.0, which approach allows an entity to design its own security controls to meet a requirement's stated objective?
A) Defined Approach
B) Compensating Control Approach
C) Customized Approach
D) Risk-Based Approach
Rationale: The Customized Approach in v4.0 allows entities to implement innovative controls that meet the requirement's "Objective" without following
the strict "Defined Approach" testing procedures.
3. What is the primary purpose of the "Prioritized Approach" to PCI DSS compliance?
A) To allow entities to skip low-risk requirements.
B) To provide a roadmap for organizations to address high-risk areas first.
C) To determine the cost of the audit.
D) To rank service providers by their security posture.
Rationale: The Prioritized Approach provides six milestones to help organizations prioritize their compliance efforts based on risk.
4. Which document must be signed by an officer of the company to attest to the results of a PCI DSS assessment?
A) Report on Compliance (ROC)
B) Self-Assessment Questionnaire (SAQ)
C) Attestation of Compliance (AOC)
D) Prioritized Approach Tool (PAT)
Rationale: The AOC is the final document where the entity and the assessor (if applicable) formally attest that the assessment results are accurate.
5. The "ISA" in ISA/IEC 62443 is the International Society of Automation and is unrelated to the PCI Internal Security Assessor role. In that
industrial automation standard, what is the primary focus of "Zone" and "Conduit" segmentation?
A) Credit card data encryption.
B) Grouping assets with similar security requirements and protecting their communication paths.
C) Physical security of data centers.
D) Web application firewall rules.
Rationale: In ISA/IEC 62443, Zones group assets with similar security requirements, and Conduits protect the communication paths between them. The
idea is analogous to isolating the CDE from other networks in PCI DSS, but the two standards and the two meanings of "ISA" are distinct.
6. Which entity is responsible for managing the PCI DSS standard and providing certification training for QSAs and ISAs?
A) Visa and Mastercard
B) PCI Security Standards Council (PCI SSC)
C) ISACA
D) NIST
Rationale: The PCI SSC is the global body that develops and maintains the standards; the individual card brands enforce compliance.
7. A merchant that processes fewer than 20,000 e-commerce transactions per year is typically classified as which level?
A) Level 1
B) Level 2
C) Level 3
D) Level 4
Rationale: Level 4 merchants typically process fewer than 20,000 e-commerce transactions, or up to 1 million total transactions, annually. Merchant
levels are defined and enforced by the individual card brands (for example Visa and Mastercard), not by the PCI SSC, so the exact thresholds and
validation requirements should be confirmed with each brand and the acquirer.
8. What is the minimum frequency for performing a formal PCI DSS risk assessment?
A) Semi-annually
B) At least once every 12 months
C) Every 2 years
D) Only after a breach
Rationale: In PCI DSS v3.2.1, Requirement 12.2 calls for a formal risk assessment at least annually and upon significant changes to the environment. In
v4.0 this is restructured as targeted risk analyses (Requirement 12.3.1) that must be performed at least once every 12 months.
9. Which SAQ type is specifically for merchants who only use hardware payment terminals connected via dial-up?
A) SAQ A
B) SAQ B
C) SAQ C
D) SAQ P2PE
Rationale: SAQ B is for merchants using only imprint machines or standalone dial-out terminals, with no electronic storage of cardholder data. Note
that standalone PTS-approved terminals that connect over an IP network fall under SAQ B-IP instead, so the connection type determines the SAQ.
10. When scoping a CDE, which of the following is considered a "Connected-to" system?
A) A system that stores encrypted PAN only.
B) An administrative server that manages the firewall protecting the CDE.
C) A public web server with no network path to the database.
D) A customer's personal mobile device.
Rationale: Systems that provide security services (like DNS, NTP, or Firewall management) to the CDE are considered "connected-to" and are in scope.
11. What is the primary benefit of network segmentation in a PCI DSS environment?
A) It makes the network faster.
B) It reduces the scope of the PCI DSS assessment.
C) It eliminates the need for encryption.
D) It replaces the need for an ASV scan.
Rationale: Segmentation isolates the CDE from the rest of the network, reducing the number of systems that must be assessed for compliance. It is not
required by PCI DSS, but if it is relied on for scope reduction, its effectiveness must be verified by penetration testing (v4.0 Requirement 11.4.5, at
least every 12 months and after changes; every six months for service providers under 11.4.6).
12. Which of the following data elements MUST NOT be stored after authorization, even if encrypted?
A) Primary Account Number (PAN)
B) Expiration Date
C) Sensitive Authentication Data (SAD) like CVV2
D) Cardholder Name
Rationale: Requirement 3.2 in v3.2.1 (Requirement 3.3.1 in v4.0) strictly prohibits the storage of SAD (full track data, card verification code, PIN/PIN
block) after authorization, even when encrypted. The only exception is for issuers and their service providers with a documented business
justification (v4.0 Requirement 3.3.3). PAN may be stored if rendered unreadable (v4.0 Requirement 3.5.1).
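A practical check behind this requirement is a data-discovery pass over logs, dumps and exports to find clear-text PANs and any stored SAD. The
following scanner is an added example, not code from the original page or from the PCI SSC: it flags Luhn-valid card numbers (13 to 19 digits, with
or without separators), Track 2 equivalent data, and card verification codes stored next to a field name, and it reports PANs masked to first six /
last four so the report itself does not become a new storage location. The sample log lines are constructed; the card numbers in them are the
well-known public test numbers, and the field names (`cvv2`, `card`, `raw`) are assumptions about the log format.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. Luhn validation below filters out most non-PAN numbers.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Track 2 equivalent data as read from the magnetic stripe: ;PAN=YYMM<service code><discretionary>?
# This is Sensitive Authentication Data and must never be stored after authorization.
TRACK2 = re.compile(r";(?P<pan>[0-9]{13,19})=(?P<rest>[0-9]{4,})\??")

# Card verification code stored beside a recognisable field name (cvv, cvv2, cvc, cid, cav2).
# Assumed field names; adjust for the log format being scanned.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\b\"?\s*[:=]\s*\"?([0-9]{3,4})", re.IGNORECASE)


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Mask a PAN to first six / last four, the most that may be displayed (v4.0 Req 3.4.1)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line):
    """Return a list of (finding_type, masked_value) tuples for one log line."""
    findings = []
    covered = []    # spans already reported as Track 2 data, so the PAN inside is not double-counted

    for m in TRACK2.finditer(line):
        if luhn_valid(m.group("pan")):
            findings.append(("TRACK2_SAD", mask_pan(m.group("pan"))))
            covered.append(m.span())

    for m in CVV_FIELD.finditer(line):
        findings.append(("CVV_SAD", "***"))     # never echo the code itself into the report

    for m in PAN_CANDIDATE.finditer(line):
        if any(start <= m.start() < end for start, end in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("PAN", mask_pan(digits)))

    return findings


def scan_log(lines):
    """Map line index -> findings for every line that contains PAN or SAD."""
    results = {}
    for i, line in enumerate(lines):
        found = scan_line(line)
        if found:
            results[i] = found
    return results


def has_sad(results):
    """True if any finding is Sensitive Authentication Data, which is a hard failure."""
    return any(kind.endswith("_SAD") for found in results.values() for kind, _ in found)


# Constructed sample log lines (test card numbers only, no real cardholder data).
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z auth ok pan=4111111111111111 exp=1226',
    '2024-05-01T10:00:01Z swipe raw=";4111111111111111=12261011234567890?"',
    '2024-05-01T10:00:02Z api req {"card":"5555 5555 5555 4444","cvv2":"123"}',
    '2024-05-01T10:00:03Z order=1234567890123 total=19.99',
    '2024-05-01T10:00:04Z token=tok_9f8e7d6c masked=411111******1111',
]

if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for idx, found in sorted(report.items()):
        print(f"line {idx}: {found}")
    print("SAD present:", has_sad(report))
```

Line 3 (a 13-digit order number that fails Luhn) and line 4 (a token plus an already-masked PAN) produce no findings, which is the point of the
Luhn filter and the length bounds; lines 1 and 2 are hard failures because Track 2 data and a CVV are stored, while line 0 is a clear-text PAN that
would need to be rendered unreadable or removed from the log.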
13. In PCI DSS v4.0, if an entity uses the "Customized Approach," who is responsible for developing the testing procedures?
A) The PCI SSC
B) The Assessor (QSA or ISA)
C) The Internal Audit Team
D) The Software Vendor
Rationale: In the Customized Approach, the entity documents the control and a targeted risk analysis in a controls matrix, and the assessor must derive
specific testing procedures to verify that the control meets the requirement's stated objective. The Customized Approach is only available to
entities assessed via a Report on Compliance; it is not an option for entities completing an SAQ.
14. Which document provides guidance on how to identify all locations and flows of cardholder data?
A) Firewall Rule Set
B) Data Flow Diagram
C) Incident Response Plan
D) Employee Handbook