PCI ISA Certification Exam, PCI Security Standards Council Program, 2026/2027 Question Practice Exam with Answers and Rationales
How long must QSAs retain work papers? - Answer-3 years; the same retention is recommended for ISAs
Firewall and router rule sets must be reviewed every _____________________. - Answer-6 months
Things to consider when assessing: - Answer-People, processes, technology
How often should an entity undergo a process to securely delete stored CHD that exceeds defined retention requirements? - Answer-At least quarterly
3.6 Key-management operations: Dual Control vs. Split Knowledge - Answer-
Dual Control: At least two people are required to perform any key-management operation, and no one person has access to the authentication materials (e.g., passwords, keys) of another.
Split Knowledge: Key components are under the control of at least two people, who only have knowledge of their own key components.
3.4 PAN is rendered unreadable in which ways? - Answer-Hash, truncation, encryption, index tokens and pads
6.2 Critical security patches should be installed __________________________________. - Answer-Within 1 month of release
6.2 Applicable vendor-supplied security patches (non-critical) should be installed: - Answer-Within an appropriate time frame (e.g., 3 months)
6.4.5 Change control procedures must include the following: - Answer-
- Documentation of impact
- Documented change approval by authorized parties
- Functionality testing to verify the change does not adversely impact the security of the system
- Back-out procedures
6.5 Developers must be trained in up-to-date secure coding techniques at least ________. - Answer-Annually
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: - Answer-
- At least annually, and after any changes, review via manual or automated application vulnerability assessment tools/methods
- An automated technical solution that continuously detects and prevents web-based attacks
1.3.2 Examine firewall and router configurations to verify inbound traffic is: - Answer-Limited to IP addresses within the DMZ
7.1.4 Select a sample of user IDs and compare with documented approvals to verify: - Answer-
1) Documented approval exists for the assigned privileges
2) Approved by authorized parties
3) Specified privileges match the role of the user ID
8.1.4 Inactive user accounts ________________ should be removed or disabled. - Answer-Over 90 days old
8.1.5 Accounts used by third parties should be: - Answer-
1) Disabled when not in use
2) Enabled only when needed, and disabled when not in use
8.1.6 Accounts should be locked out after _______________________. - Answer-6 failed login attempts
8.1.7 Locked-out accounts remain locked out for __________ or _________________________. - Answer-30 minutes; administrator unlocks the account
8.1.8 Idle time-out set to _______________________. - Answer-15 minutes or less
8.2.1 Passwords must be protected with strong cryptography during _____________. - Answer-Transmission & Storage