Answers with Complete Solution | Latest
Update 2026/27
QSAs must retain work papers for a minimum of _______ years. It is a
recommendation for ISAs to do the same. - ANSWERS 3
According to PCI DSS requirement 1, Firewall and router rule sets need to be
reviewed every _____ months. - ANSWERS 6
At least ______________ and prior to the annual assessment the assessed entity:
- Identifies all locations and flows of cardholder data to verify they are included in
the CDE
- Confirms the accuracy of their PCI DSS scope
- Retains their scoping documentation for assessor reference - ANSWERS
annually
Scope includes - ANSWERS people, process, tech
Evidence Retention
It is recommended that the ISA secure and maintain digital and/or hard copies of
case logs, audit results and work papers, notes, and any technical information that
was created and/or obtained during the PCI Data Security Assessment for a
minimum of ________ or as applicable to company data retention policies -
ANSWERS of three (3) years
A (time) ______ process for identifying and securely deleting stored cardholder
data that exceeds defined retention requirements. - ANSWERS quarterly
Do not store SAD after ____________ (even if encrypted). (track data / cvc / pin) -
ANSWERS authorization
Manual clear-text key-management procedures specify processes for the use of
the following - ANSWERS Split knowledge. Dual control
Dual control - ANSWERS At least two people are required to perform any
key-management operations and no one person has access to the authentication
materials (for example, passwords or keys) of another
Split knowledge - ANSWERS key components are under the control of at least
two people who only have knowledge of their own key components
PAN is rendered unreadable in which ways - ANSWERS hash, mask, encrypt, pad
Ensure that all system components and software are protected from known
vulnerabilities by installing applicable vendor-supplied security patches. Install
critical security patches within _____ of release. - ANSWERS one month