Question 1
Which of the following is considered Cardholder Data but not Sensitive Authentication Data?
A) Full magnetic stripe data
B) Card verification code (CVC)
C) PAN (Primary Account Number)
D) PIN (Personal Identification Number)
E) Data from the chip
Correct Answer: C) PAN, Cardholder Name, Expiration Date
Rationale: Cardholder Data consists of the Primary Account Number (PAN), Cardholder
Name, and Expiration Date. The other options are classified as Sensitive Authentication
Data (SAD).
Question 2
Which of the following data elements are considered Sensitive Authentication Data (SAD)?
A) Cardholder Name
B) Expiration Date
C) Service Code
D) Full track data (magnetic stripe or chip), card verification code, and PINs
E) Primary Account Number (PAN)
Correct Answer: D) Full track data (magnetic stripe or chip), card verification code, and
PINs
Rationale: Sensitive Authentication Data (SAD) includes full track data, card verification
code, and PINs.
Question 3
Who is the Cardholder in a payment card transaction?
A) The merchant's bank
B) The purchaser
C) The entity that accepts the card for purchase
D) The payment brand network (e.g., Visa, Mastercard)
E) The cardholder's bank
Correct Answer: B) Purchaser
Rationale: The Cardholder is the individual who is making the purchase with a payment
card.
Question 4
Who is the Merchant in a payment card transaction?
A) The purchaser's bank
B) The individual making the purchase
C) The entity that accepts the cardholder information for purchase
D) The network that facilitates the transaction
E) A third-party service provider
Correct Answer: C) Accepts the cardholder information for purchase; merchant levels are based
on payment brand
Rationale: The Merchant is the entity that accepts the cardholder information for purchase.
Question 5
Who is the Acquirer in a payment card transaction?
A) The Cardholder's Bank
B) The Merchant's Bank
C) The individual making the purchase
D) The payment brand network
E) A third-party processor
Correct Answer: B) Merchant's Bank
Rationale: The Acquirer is the Merchant's Bank, which processes the transaction on behalf
of the merchant.
Question 6
Which entity facilitates the transfer of funds and data between the Acquirer and the Issuer?
A) The Merchant
B) The Cardholder
C) The Payment Brand Network
D) The Service Provider
E) The PCI Security Standards Council
Correct Answer: C) Facilitates the transfer
Rationale: The Payment Brand Network (e.g., Visa, Mastercard) facilitates the transfer of
information and funds between the Acquirer and Issuer.
Question 7
Who is the Issuer in a payment card transaction?
A) The Merchant's Bank
B) The Cardholder's Bank
C) The entity that accepts the payment card
D) The individual making the purchase
E) A third-party service provider
Correct Answer: B) Cardholder's Bank
Rationale: The Issuer is the Cardholder's Bank, which issued the payment card to the
cardholder.
Question 8
Service Providers (TPSPs) that are in scope for PCI DSS are those that:
A) Only provide physical security for the merchant's location.
B) Are directly involved in the processing, storage, or transmission of cardholder data on behalf
of another entity.
C) Manufacture the point-of-sale terminals.
D) Are only involved in marketing for the merchant.
E) Provide janitorial services to the merchant's data center.
Correct Answer: B) Directly involved in the processing, storage, or transmission of
cardholder data on behalf of another entity. If the TPSP can decrypt the data or has access
to the decryption keys, then it is in scope.
Rationale: A Service Provider is in scope if it is directly involved in the processing, storage,
or transmission of cardholder data.
Question 9
PCI DSS Requirement #1 is primarily focused on:
A) Protecting stored account data.
B) Applying secure configurations to all system components.
C) Installing and Maintaining Network Security Controls.
D) Restricting physical access to cardholder data.
E) Testing security and networks regularly.
Correct Answer: C) Install and Maintain Network Security Controls
Rationale: Requirement #1 is Install and Maintain Network Security Controls.
Question 10
PCI DSS Requirement #2 is primarily focused on:
A) Applying secure configurations to all system components.
B) Protecting cardholder data with strong cryptography.
C) Protecting all systems and networks from malicious software.
D) Restricting access to system components by business need to know.
E) Logging and monitoring all access to system components.
Correct Answer: A) Apply secure configurations to all system components
Rationale: Requirement #2 is Apply secure configurations to all system components.
Question 11
PCI DSS Requirement #3 is primarily focused on:
A) Protecting stored account data.
B) Developing and maintaining secure systems and software.
C) Identifying users and authenticating access to system components.
D) Restricting physical access to cardholder data.
E) Supporting information security with organizational policies.
Correct Answer: A) Protect Stored Account Data
Rationale: Requirement #3 is Protect Stored Account Data.
Question 12
PCI DSS Requirement #4 is primarily focused on:
A) Applying secure configurations to all system components.
B) Protecting cardholder data with strong cryptography during transmission.
C) Protecting all systems and networks from malicious software.
D) Restricting access to system components by business need to know.
E) Logging and monitoring all access to system components.
Correct Answer: B) Protect Cardholder Data with strong cryptography