Answers with Complete Solution | New
Update 2026/27
When confirming PCI-DSS requirements have been met, the assessors must
always use which of the following?
- previous reports on compliance (ROCs)
- independent judgment
- hard-copy documents
- Live testing - ANSWERS independent judgment
Strong encryption of cardholder data is required during transmission over which
of the following?
- Webservers in the DMZ and databases in an internal segment
- Any connection between hosts in the CDE
- Call center applications and databases
- 4G connections from mobile terminal to the acquirer - ANSWERS 4G
connections from mobile terminal to the acquirer
If network segmentation is being used to reduce the scope of the PCI-DSS
assessment, what must the assessor verify?
- All controls used for segmentation are configured properly
- The payment card brands have approved the segmentation
- The segmentation solution is one of the PCI SSC approved segmentation
solutions
- The segmentation is controlled by firewall - ANSWERS All controls used for
segmentation are configured properly
Which of the following statements is true concerning transaction volumes of
merchants?
- Transaction volume is based on the total number of combined transactions from
all payment card brands
- Transaction volume is determined by each acquirer
- If transactions are split between two different acquirers, the merchant level is
determined by halving the transaction volume for each payment card brand
- If the transactions for different payment card brands are handled by the same
acquirer, the merchant level is determined by the total combined transaction
volume of the acquirer - ANSWERS Transaction volume is determined by each
acquirer
Which of the following is true related to use of EMV chip technology?
- PCI-DSS does not apply to the environment using EMV chip technology
- PCI-DSS applies to environments using EMV chip technology
- EMV chip technology increases the risk of fraudulent transactions in
card-present environments
- Merchants are permitted to store the track equivalent data from EMV chip after
authorization - ANSWERS PCI-DSS applies to environments using EMV chip
technology
Which of the following statements is true regarding card verification values/codes
(CAV2/CVC2/CVV2/CID)?
- They are sensitive authentication data (SAD), and must not be stored after
authorization, even if encrypted
- They are cardholder data and may be stored after authorization if encrypted with
strong cryptography
- They are required for each recurring card-not-present transaction
- They are required for each recurring card-present transaction - ANSWERS
They are sensitive authentication data (SAD), and must not be stored after
authorization, even if encrypted
In order to reduce PCI-DSS scope, what must adequate network segmentation do?
- Isolate systems that store, process, or transmit cardholder data from those that
do not
- Connect databases containing cardholder data in the DMZ to the internet
- Control traffic between systems that store, process, and transmit cardholder data
to those that do not
- Connect systems that can store, process, or transmit cardholder data to those
that do not - ANSWERS Isolate systems that store, process, or transmit
cardholder data from those that do not
Which of the following merchant environments could be eligible for SAQ B?
- Merchant with imprint machines, and electronic storage of less than 1M
cardholder data records
- Merchant with standalone dial-out terminals, and electronic storage of less than
1M cardholder data records
- Merchant with standalone dial-out terminals, and no electronic cardholder data
storage