Exam (elaborations)

PCI ISA Exam ACTUAL EXAM 2026/2027 | PCI Internal Security Assessor Certification | Verified Q&A | Pass Guaranteed - A+ Graded

Pages
48
Grade
A+
Uploaded on
05-05-2026
Written in
2025/2026

Pass your PCI ISA (Internal Security Assessor) Exam with confidence using this complete 2026/2027 actual exam featuring exam-style questions and detailed rationales for PCI DSS compliance certification. This verified resource covers key topics including PCI DSS requirements and testing procedures, scoping and network segmentation, vulnerability management and penetration testing, access control and authentication, encryption and key management, and incident response and reporting requirements for maintaining compliance. Each question includes detailed rationales and elaborated solutions to ensure mastery of all PCI ISA certification competencies. Backed by our Pass Guarantee. Download now.

Institution
PCI ISA
Course
PCI ISA

Content preview

PCI ISA Exam ACTUAL EXAM 2026/2027 | PCI Internal Security Assessor Certification | Verified Q&A | Pass Guaranteed - A+ Graded

(127 Questions with Detailed Rationales)



Section 1: PCI DSS v4.0 Requirements & Sub-requirements

Q1: A merchant processes card-not-present transactions through a third-party payment gateway and
never stores, processes, or transmits primary account number (PAN) on its own systems. The gateway is
PCI DSS validated as a Level 1 service provider. Which SAQ is most likely applicable?

A. SAQ A [CORRECT]

B. SAQ A-EP

C. SAQ D (Merchant)

D. SAQ P2PE

Correct Answer: A

Rationale: [CORRECT] SAQ A applies to e-commerce merchants whose payment page is fully hosted and
controlled by a validated third-party provider, with no electronic storage, processing, or transmission of
PAN on merchant systems. B – SAQ A-EP applies when the merchant's website hosts the payment form
(redirect vs. iframe considerations). C – SAQ D is for merchants not meeting any other SAQ criteria. D –
SAQ P2PE requires a validated point-to-point encryption solution, not described here.



Q2: Under PCI DSS v4.0 Requirement 1, what is the primary objective of the "Customized Approach"
compared to the "Defined Approach"?

A. To reduce the number of requirements an organization must meet.

B. To allow an entity to meet the intent of a requirement using a different method if the defined
approach is not feasible or effective. [CORRECT]

C. To bypass requirements that are too expensive to implement.

D. To allow service providers to self-certify without a QSA.

Correct Answer: B

Rationale: [CORRECT] The Customized Approach allows entities to implement controls that meet the
objective of the requirement if the defined specific steps are not suitable, provided the control is
rigorously documented and validated. A – The number of requirements (goals) remains the same; only
the implementation method changes. C – Cost is not a valid justification for using the Customized
Approach to bypass security; the objective must still be met. D – Service providers using the Customized
Approach often require more rigorous validation, not less.



Q3: Which requirement specifically addresses the destruction of hardcopy materials containing
cardholder data?

A. Requirement 3.2.

B. Requirement 9.2. [CORRECT]

C. Requirement 12.3.

D. Requirement 6.5.

Correct Answer: B

Rationale: [CORRECT] Requirement 9.2 mandates that hardcopy materials containing cardholder data
must be cross-cut shredded, incinerated, or pulped such that the data cannot be reconstructed. A –
Requirement 3.2 covers the storage of data. C – Requirement 12.3 covers acceptable use policies. D –
Requirement 6.5 addresses common coding vulnerabilities.



Q4: An ISA is reviewing logs for a critical system. Under Requirement 10.4.1 (v4.0), how frequently must
time synchronization occur?

A. At least once every six months.

B. At least once per month.

C. At least once per day. [CORRECT]

D. Continuously (real-time).

Correct Answer: C

Rationale: [CORRECT] PCI DSS v4.0 Requirement 10.4.1 requires that system clocks are synchronized
using a reliable time source at least once per day. A/B – These are older or insufficient frequencies. D –
While continuous is acceptable, "at least once per day" is the minimum specific requirement stated.



Q5: Under Requirement 3.5.1, what is the primary requirement regarding the storage of the
cryptographic key used to encrypt stored account data?

A. Store the key in the same database as the encrypted data for easy access.

B. Store the key in a secure location separate from the encrypted data. [CORRECT]

C. Email the key to the system administrator for backup.

D. Store the key in clear text on the application server.

Correct Answer: B

Rationale: [CORRECT] Requirement 3.5.1 explicitly requires that cryptographic keys be stored in the
fewest possible locations and in a secure form, separate from the encrypted data, to prevent
unauthorized access. A – Storing keys with data defeats the purpose of encryption. C – Email is generally
not a secure storage mechanism. D – Clear text storage of keys is a severe violation.



Q6: A merchant uses a firewall to segment the Cardholder Data Environment (CDE) from the corporate
network. Which requirement mandates that this segmentation be tested at least every six months?

A. Requirement 11.3.4. [CORRECT]

B. Requirement 11.2.1.

C. Requirement 1.3.1.

D. Requirement 12.11.1.

Correct Answer: A

Rationale: [CORRECT] Requirement 11.3.4 (v3.2.1) and its v4.0 counterpart 11.3.1.1 specifically mandate
penetration testing of segmentation controls to verify that they are effective and that the CDE is
isolated from other networks. Note that the numbering changed between versions: in v3.2.1,
segmentation testing was Requirement 11.3.4; in v4.0, 11.3.1 covers internal penetration testing (now an
annual requirement) and 11.3.1.1, a future-dated requirement effective March 2025, explicitly requires
segmentation testing. B – Requirement 11.2.1 refers to quarterly internal vulnerability scans. C –
Requirement 1.3.1 requires the implementation of the firewall, not the testing. D – Requirement 12.11.1
deals with periodic reviews of security controls.



Q7: Requirement 8.3.6 (v4.0) introduces a new multi-factor authentication (MFA) requirement. To which
access does this apply?

A. Access to the physical CDE.

B. All access to the CDE originating from outside the entity’s network.

C. All access into the CDE, including internal access. [CORRECT]

D. Only access by third-party vendors.

Correct Answer: C

Rationale: [CORRECT] PCI DSS v4.0 Requirement 8.3.6 expands MFA requirements to all access to the
CDE, not just remote or administrative access, effective March 2025. B – This was the previous standard
(8.3 in v3.2.1). D – Third-party access is covered, but the requirement is broader. A – Physical access is
covered by Requirement 9.



Q8: An organization changes a system component’s configuration. Which Requirement 6.5 sub-
requirement mandates that security impact analysis be performed?

A. Requirement 6.4.5.2. [CORRECT]

B. Requirement 6.5.1.

C. Requirement 6.6.

D. Requirement 6.3.

Correct Answer: A

Rationale: [CORRECT] Requirement 6.4.5.2 (part of the secure software development lifecycle in v4.0)
requires a formal analysis of security impact for any changes to system components. B – 6.5.1 deals with
addressing common coding vulnerabilities. C – 6.6 deals with public-facing web applications. D – 6.3
generally relates to patching.
