QSA_New_V4 Qualified Security Assessor V4 Exam Questions and Answers

TheSoftware Security Framework (SSF)is intended to support entities usingbespoke and custom softwarewithin the Cardholder Data Environment (CDE). If the software is developed and maintained in accordance with theSecure Software Lifecycle (SLC) Standard, it can help demonstrate secure software development practices and potentially reduce the number of applicable PCI DSS requirements.

Option A:Incorrect. Not all payment software qualifies unless developed under SSF standards.

Option B:Incorrect. PCI PTS devices follow different hardware security standards.

Option C:Incorrect. PA-DSS has been retired; those applications are now listed as “Acceptable Only for Pre-Existing Deployments”.

Option D:Correct. Software developed under the Secure SLC Standard may help an entity meet some requirements in PCI DSS Requirement 6.

 Requirement for Secure Transmission:

PCI DSS Requirement 4.1 mandates that cardholder data sent over open public networks must be protected with strong cryptographic protocols. Accepting only trusted keys ensures data integrity and prevents unauthorized access​​.

 Key Validation Practices:

Trusted keys and certificates are verified to ensure authenticity. Using untrusted keys compromises the security of the encrypted communication.

 Prohibited Practices:

A/D:Configuring protocols to accept all certificates or lower encryption strength violates PCI DSS encryption guidelines.

B:Proprietary protocols are not inherently compliant unless they meet strong cryptographic standards.

 Testing and Verification:

Assessors verify the implementation of trusted keys by examining encryption settings, reviewing certificate chains, and conducting tests to confirm only trusted connections are accepted​​.

UnderRequirement 4.2.1.1, PAN (Primary Account Number) must be protected usingstrong cryptographywhenever it is transmitted overopen, public networks, including the Internet. Assessors are expected to verify that the cryptographic protocols (e.g., TLS 1.2 or higher) are properly implemented and that weak protocols (e.g., SSL, early TLS) are disabled.

Option A:❌Incorrect. Supporting earlier protocol versions (e.g., SSL, TLS 1.0) isnon-compliant.

Option B:✅Correct. Strong encryption (e.g., AES over TLS 1.2 or higher) must be verified.

Option C:❌Incorrect. Acceptingall certificatescould allowMITM (Man-in-the-Middle)attacks.

Option D:❌Incorrect. Deleting PAN after transmission is not a substitute for protecting it during transmission.

Requirement 11.5.1mandates that organisations deployintrusion-detection or prevention toolstomonitor traffic and generate alertsfor suspicious activity. The goal is tonotify personnel quicklyof a possible breach.

Option A:❌Incorrect. IDS/IPS isnot requiredon every component — only where it adds value.

Option B:✅Correct. IDS/IPS must be configured toalert on potential compromises.

Option C:❌Incorrect. Segmentation is a separate concern under Requirement 1.

Option D:❌Incorrect. IDS is not for discovering cardholder data.

According toRequirement 3.5.1.2, whendisk-level encryptionis used (e.g., full disk encryption), access control must beseparate from the operating systemto prevent unauthorised users from bypassing controls by booting the system.

Option A:✅Correct. Disk encryption must useindependent authentication mechanisms.

Option B:❌Incorrect. Sharing authentication with the OSviolates independence.

Option C:❌Incorrect. Association with local accounts may not ensure separate access control.

Option D:❌Incorrect. Key storage within user accounts is not secure or compliant.

Requirement 1.3.7andRequirement 3.3.1emphasise thatdatabases storing cardholder data must not be directly accessible from the Internet or untrusted networks. The database must be behind firewalls and accessible only via controlled, authorised connections.

Option A:❌Incorrect. Combining servers may violate the one-function-per-server rule (Requirement 2.2.1).

Option B:✅Correct. The database must be protected fromdirect public access.

Option C:❌Incorrect. Web servers often reside in the DMZ; moving them internally could increase risk.

Option D:❌Incorrect. Network performance is not a PCI DSS concern —security isolation is.

Requirement 10.5.1.1requires thataudit logs be protected from unauthorised viewing and modification, and access should berestricted to individuals with a job-related need to view them. This principle aligns with least privilege and ensures accountability.

Option A:❌Incorrect. The person who performed the action may not need to view logs.

Option B:❌Incorrect. Read/write access istoo permissive.

Option C:❌Incorrect. Not all administrators need access to logs.

Option D:✅Correct. Access should bebased on job function.

UnderAppendix D – Customized Approach, it is clearly stated that theentity is responsiblefor completing theControls Matrixand theTargeted Risk Analysis (TRA). The assessor may assist in completion, but accountability for content lies with the entity.

Option A:Incorrect. QSAs may assist but are not solely responsible.

Option B:Incorrect. This overstates who is responsible; only the entity is ultimately accountable.

Option C:Correct. The entity being assessed is responsible for completing the Controls Matrix and TRA.

Option D:Incorrect. Card brands or acquirers are not involved in document creation.

 Scope of Change-Detection Mechanisms

PCI DSS v4.0 requires the implementation of a change-detection mechanism (e.g., file-integrity monitoring) to monitor unauthorized changes to critical files.

Critical files include system configuration and parameter files, application executable files, and scripts used in administrative functions​​.

 Intent of Monitoring System Files

These files often control security settings and operational parameters of systems within the Cardholder Data Environment (CDE). Unauthorized changes could compromise system security.

 Exclusions

Documents like application vendor manuals and security policies do not qualify as files requiring integrity monitoring since they do not directly impact the security posture or operational functions of systems in the CDE.

According toSection 12.2.3.3 of PCI DSS v4.0.1, aPartial Assessmentis defined as a result whereat least one PCI DSS requirement is marked as “Not Tested.”This is typically seen duringgap assessments or pre-validation efforts, not official compliance validation.

Option A:❌Incorrect. SAQs are self-assessments; Partial Assessment is a different concept.

Option B:❌Incorrect. Interim drafts are not labeled as “Partial”.

Option C:❌Incorrect. That is a misinterpretation of segmentation by payment channel.

Option D:✅Correct. "Not Tested" = Partial Assessment.

PerSection 6 – Sampling for PCI DSS Assessments, the assessor must ensure the sample of business facilitiesincludes all types and locations, reflecting different operational environments. The goal is to cover variations that might affect compliance, such as data centers vs. call centers, or regional differences.

Option A:Incorrect. Each assessment may require a different sample depending on the environment.

Option B:Incorrect. There is no fixed 10% requirement for facility sampling.

Option C:Incorrect. A full review of every facility isn't required if representative sampling is used appropriately.

Option D:Correct. The samplingmust include all types and locationsof facilities to be valid.

 PCI DSS Reporting Expectations:

When documenting that a requirement is "In Place," the ROC must clearly describe how compliance was validated by the assessor. This involves detailing the evidence observed, such as system configurations, documentation, and personnel interviews​.

 ROC Documentation Guidelines:

The ROC Reporting Template specifies that each "In Place" response must include evidence demonstrating compliance with the requirement, such as testing observations and validation of implemented controls​.

 Eliminating Incorrect Options:

A:Project plans are not sufficient to demonstrate current compliance.

C/D:Responses discussing non-implementation or non-compliance are irrelevant when the requirement is "In Place."

 PCI DSS v4.0 ROC Template Guidance:

Appendix sections in the ROC provide specific instructions for assessors to document the testing performed, evidence reviewed, and results​.

According toRequirement 1.2.1of PCI DSS v4.0.1, network security controls (NSCs), such as firewalls and segmentation controls, are used torestrict and control trafficbetween trusted and untrusted networks. This includes logical or physical network segmentation.

Option A:Incorrect. Anti-malware is addressed in Requirement 5.

Option B:Correct. NSCs control and restrict inbound and outbound traffic between logical and physical network segments.

Option C:Incorrect. Vulnerability management is under Requirement 6.

Option D:Incorrect. PAN encryption is covered in Requirement 3.5.

Compensating controls are alternative measures implemented when an entity cannot meet a specific PCI DSS requirement due to legitimate technical or business constraints. These controls must sufficiently mitigate the associated risk and be commensurate with the intent of the original PCI DSS requirement.​

Option A:Incorrect. Even if all other PCI DSS requirements are met, a compensating control is necessary when a specific requirement cannot be directly satisfied.​

Option B:Correct. A compensating control must effectively address and mitigate the risk associated with the inability to meet a particular PCI DSS requirement.​

Option C:Incorrect. While existing controls can support a compensating control, they must collectively address the risk of the unmet requirement and cannot merely be another existing PCI DSS requirement.​

Option D:Incorrect. A compensating control worksheet is mandatory to document the rationale, assessment, and validation of the compensating control, regardless of acquirer approval.​

For detailed guidance on compensating controls, refer toAppendix B: Compensating Controlsin thePCI DSS v4.0.1document.​

When a cryptographic key is retired and replaced, it is essential to ensure that the retired key is no longer used for encryption purposes to maintain the security of the cryptographic system.​

Option A:Correct. Retired keys must not be used for encryption operations to prevent potential security vulnerabilities. However, they may be retained for decryption purposes if necessary, such as decrypting existing data encrypted under the retired key.​

Option B:Incorrect. PCI DSS does not specify a mandatory retention period for retired cryptographic key components before disposal. Retention periods should align with the entity's data retention policies and legal requirements.​

Option C:Incorrect. Assigning a new key custodian is not a mandatory requirement upon key retirement and replacement, though proper key management practices should ensure that custodianship is clearly defined and documented.​

Option D:Incorrect. While data encrypted under a retired key should be re-encrypted with the new key or securely managed, PCI DSS does not mandate the destruction of such data solely due to key retirement.​

For more information on cryptographic key management practices, refer toRequirement 3: Protect Stored Account Datain thePCI DSS v4.0.1document.​Wikipedia

PCI DSSRequirement 12.8.4mandates that an entitymonitor the compliance status of third-party service providers (TPSPs) at least annually, especially when those TPSPs store, process, or transmit account data on the entity’s behalf.

Option A:Incorrect. Entities are not responsible for conducting ASV scans on TPSPs.

Option B:Incorrect. There is no quarterly risk assessment requirement for TPSPs.

Option C:Incorrect. Incident response testing for TPSPs is not a direct responsibility of the entity.

Option D:Correct. Annual monitoring of TPSP compliance is explicitly required.

 Scope of Anti-Malware Requirements

PCI DSS Requirement 5 mandates the use of anti-malware solutions on all in-scope systems unless the system is specifically documented as not being at risk from malware.

Examples of systems not at risk include those using operating systems that do not support anti-malware tools, provided proper justifications and alternative controls are implemented​​.

 Assessment Considerations

QSAs must verify and document why a system is considered "not at risk."

Systems storing, processing, or transmitting cardholder data or that could impact the CDE are generally in-scope for anti-malware​​.

 Incorrect Options

Option A: While CDE systems and connected systems require protection, the requirement applies specifically to systems at risk from malware.

Option B: Portable electronic storage is not explicitly called out for universal anti-malware but must be controlled in line with overall security policies.

Option C: Systems storing PAN are only a subset of in-scope systems.

 Stateful Inspection

PCI DSS Requirement 1.2 specifies the need for stateful inspection to track the state of active connections. This ensures that only valid responses to communication initiated by trusted networks are allowed.

Invalid or unsolicited response traffic is blocked to prevent exploitation of vulnerabilities​​.

 Key Functionality of Stateful Firewalls

Stateful firewalls maintain session information and only allow traffic that matches an existing session or expected response.

 Incorrect Options

Option A: Administrative access restrictions are important but unrelated to stateful responses.

Option C: Baseline configurations are a different security control.

Option D: Logging and correlation are for threat detection, not stateful response.

As per thePCI DSS Glossary, “bespoke and custom software” is defined assoftware that is developed specifically for, and often by, the entity using it. This includes internally developed applications and externally developed applications created specifically for the entity.

Option A:❌Incorrect. Not all third-party software is custom — much is commercial off-the-shelf (COTS).

Option B:❌Incorrect. Customisability does not equal bespoke development.

Option C:✅Correct. Bespoke software is tailoredby or forthe entity’s specific needs.

Option D:❌Incorrect. Virtual terminals are payment interfaces, not types of software.