PCI-DSS ISA Exam Questions with Correct Answers Latest Update

Pages: 5
Grade: A+
Uploaded on: 08-10-2025
Written in: 2025/2026


Institution: PCI DSS ISA
Course: PCI DSS ISA









Document information

Type: Exam
Contains: Questions and answers

Content preview

PCI-DSS ISA Exam Questions with Correct Answers Latest Update 2025-2026

Perimeter firewalls installed ______________________________. - Answers between all wireless
networks and the CHD environment.

Where should firewalls be installed? - Answers At each Internet connection and between any
DMZ and the internal network.

Review of firewall and router rule sets at least every __________________. - Answers 6 months

If disk encryption is used - Answers logical access must be managed separately and
independently of native operating system authentication and access control mechanisms

Manual clear-text key-management procedures specify processes for the use of the following: -
Answers Split knowledge AND Dual control of keys

What is considered "Sensitive Authentication Data"? - Answers Card verification value

When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum
digits to be masked are: All digits between the ___________ and the __________. - Answers first 6;
last 4

Regarding protection of PAN... - Answers PAN must be rendered unreadable during the
transmission over public and wireless networks.

Under requirement 3.4, what method must be used to render the PAN unreadable? - Answers
Hashing the entire PAN using strong cryptography

Weak security controls that should NOT be used - Answers WEP, SSL, and TLS 1.0 or earlier

Per requirement 5, anti-virus technology must be deployed _________________ - Answers on all
system components commonly affected by malicious software.

Key functions for anti-virus program per Requirement 5: - Answers 1) Detect

2) Remove

3) Protect

Anti-virus solutions may be temporarily disabled only if - Answers there is legitimate technical
need, as authorized by management on a case-by-case basis

When to install "critical" applicable vendor-supplied security patches? ---> within _________ of
release. - Answers 1 month

When to install applicable vendor-supplied security patches? - Answers within an appropriate
time frame (for example, within three months).

When assessing requirement 6.5, testing to verify secure coding techniques are in place to
address common coding vulnerabilities includes: - Answers Reviewing software development
policies and procedures

Requirement 7 restricts access by: - Answers Need-to-know and least privilege

Inactive accounts over _____________ days need to be removed or disabled. - Answers 90 days

To verify the user access termination policy, an ISA needs to select a sample of users terminated in
the past _______________ months, and review current user access lists—for both local and
remote access—to verify that their IDs have been deactivated or removed from the access lists.
- Answers 6 months

How many logon attempts should be allowed before the account is temporarily locked out? -
Answers 6 attempts

Once a user account is locked out, it will remain locked for a minimum of ________________________
or until a system administrator resets the account. - Answers 30 minutes

System/session idle time out must be set to _________ minutes or less. - Answers 15 minutes

What are the methods to authenticate users? - Answers - "Something you know", such as a
password or passphrase

- "Something you have", such as a token device or smart card, or

- "Something you are", such as a biometric.

Where passwords or pass-phrases are used, they must be at least _______ characters long and
contain both numeric and alphabetic characters. - Answers 7

Passwords must be changed at least once every __________________. - Answers 90 days

Password history must also be in place to ensure that users' ________ previous passwords can't
be re-used. - Answers 4

An example of a "one-way" cryptographic function used to render data unreadable is: - Answers
SHA-2

Data from video cameras and/or access control mechanisms is reviewed, and that data is
stored for at least ________________. - Answers 3 months

The visitor logs must contain the relevant information and be retained for at
least _________________. - Answers 3 months

Verify that the storage location security is reviewed at least ____________________ to confirm that
backup media storage is secure. - Answers annually
Seller: TutorJosh, Chamberlain College Of Nursing