PCI ISA Exam Actual Exam 2026/2027 – Complete Exam-Style Questions with Detailed Rationales | 100% Verified | Pass Guaranteed – A+ Graded
[SECTION 1: PCI DSS v4.0 Requirements (Build & Maintain Secure Network) — Questions 1-25]
Q1: According to PCI DSS Requirement 1, which of the following best describes the primary
purpose of a firewall configuration standard?
A. To ensure that all vendor-supplied defaults are changed before installation.
B. To establish a baseline for reviewing and approving firewall rules and connections.
C. To prevent unauthorized access to cardholder data via wireless networks.
D. To document the frequency of vulnerability scans.
Correct Answer: B
Rationale: PCI DSS Requirement 1.1.2 specifically requires entities to have a configuration
standard for firewalls that defines the process for reviewing and approving firewall rules and
connections. This ensures that only necessary traffic is permitted and that changes are controlled.
While changing defaults (A) is important, it is covered under Requirement 2. Wireless
prevention (C) is covered under Requirement 1.3, and vulnerability scans (D) are covered under
Requirement 11.
Q2: An ISA is reviewing the network diagram. Which of the following elements MUST be
included on the diagram to satisfy PCI DSS Requirement 1.1.2?
A. The IP addresses of all employees' personal mobile devices.
B. All connections to cardholder data, including wireless networks and third-party connections.
C. A detailed list of all software versions installed on every server.
D. The organizational hierarchy of the IT security department.
Correct Answer: B
Rationale: Requirement 1.1.2 mandates that network diagrams include all connections to
cardholder data, specifically highlighting connections to untrusted networks and any wireless
environments. This is crucial for scoping and understanding data flow. Personal devices (A) are
generally out of scope unless they are used to access the CDE in a specific manner; software
versions (C) belong in patch management records; and the IT hierarchy (D) is not a network
requirement.
Q3: When reviewing firewall rules for a web server in the DMZ, which of the following
practices aligns with PCI DSS Requirement 1.1.4 regarding "cleanup"?
A. Keeping all old rules disabled for at least one year in case they are needed.
B. Removing rules for insecure protocols like Telnet or FTP immediately upon confirmation they
are not in use.
C. Setting all firewall rules to "any-any" during maintenance windows to simplify
troubleshooting.
D. Documenting the reason for a rule but leaving insecure rules active if requested by a vendor.
Correct Answer: B
Rationale: PCI DSS Requirement 1.1.4 requires a review of firewall rules at least every six
months to remove rules that are not secure or no longer needed. Insecure protocols like Telnet
must be removed or rigorously justified and mitigated. Keeping disabled rules (A) creates clutter,
"any-any" rules (C) are a violation, and leaving insecure rules active (D) violates the
fundamental principle of securing the network.
Q4: What is the minimum frequency required for reviewing firewall and router rule sets
according to PCI DSS v4.0 Requirement 1.1.4?
A. Monthly
B. Quarterly
C. Semi-annually
D. Annually
Correct Answer: C
Rationale: Requirement 1.1.4 explicitly states that firewall and router rule sets must be reviewed
at least every six months (semi-annually). This review ensures that rules are still necessary and
that no insecure rules have been added. Monthly (A) is not required but is a best practice;
Quarterly (B) is insufficient per the standard.
Q5: Which of the following is a requirement for placing system components into a cardholder
data environment (CDE) behind a firewall or within a DMZ control (Req 1.2)?
A. Only systems that process data must be in the DMZ; storage can be anywhere.
B. Any system that stores, processes, or transmits cardholder data must be segregated from the
rest of the internal network.
C. Firewalls are only required at the internet perimeter, not between internal segments.
D. DMZs are only required for e-commerce merchants, not brick-and-mortar retailers.
Correct Answer: B
Rationale: Requirement 1.2 mandates that firewalls be configured to restrict traffic between the
cardholder data environment and untrusted networks, and between any segments with different
security levels. The goal is to isolate the CDE. Option A is incorrect because storage systems
must also be protected. Option C is incorrect because internal segmentation is a key concept.
Option D is incorrect because network security applies to all entities.
Q6: According to PCI DSS Requirement 1.3, what is the restriction regarding inbound and
outbound traffic from the internet to the cardholder data environment?
A. All traffic must be inspected for malware but allowed through.
B. Only necessary protocols and ports must be permitted, and all other traffic must be specifically denied.
C. Inbound traffic must be restricted, but outbound traffic can be open for system updates.
D. Traffic must be encrypted, but port restrictions are not required.
Correct Answer: B
Rationale: Requirement 1.3.1 requires restricting inbound and outbound traffic to that which is
necessary for the cardholder data environment, and specifically denying all other traffic. This
"explicit deny" policy is a fundamental firewall configuration principle. Options A and C violate
the necessity principle, and Option D ignores the requirement for port/protocol control.
Q7: An entity wants to use direct public internet access to a cardholder database for development
purposes. Which of the following actions is required by PCI DSS?
A. Prohibit this access and require a secure jump server or VPN.
B. Allow it only if the database uses TLS 1.3 encryption.
C. Allow it if the developer signs a non-disclosure agreement (NDA).
D. Allow it only during non-business hours.
Correct Answer: A
Rationale: PCI DSS Requirement 1.3 prohibits direct access between the internet and system
components in the cardholder data environment. All administrative access must be through
secure, authenticated methods. Encryption (B) protects data in transit but does not address the
network access control violation. NDAs (C) and time restrictions (D) are not technical controls
sufficient to meet network security requirements.
Q8: Which of the following scenarios describes a violation of PCI DSS Requirement 1.2.1
regarding restrictions on inbound traffic?
A. An external IP address is allowed to connect to a specific web server port 443.
B. A firewall rule allows access from "Any" to a specific SQL server port 1433 from the internet.
C. A specific partner IP is allowed SSH access to a management interface.
D. Traffic is restricted to specific internal subnets for a backend database.
Correct Answer: B
Rationale: Requirement 1.2.1 requires limiting inbound internet traffic to IP addresses within the
DMZ. Allowing direct access from "Any" (the entire internet) to a database server (port 1433) is
a critical violation. Options A and C describe specific, limited access which is permissible if
justified. Option D describes internal traffic restrictions, which is good practice.