PCI ISA Certification Practice Exam
60 Multiple Choice Questions with Answer Key at End of Exam | Based on PCI DSS v4.0
1. According to PCI DSS v4.0, what is the definition of the Cardholder Data Environment (CDE)?
a) Any system that stores PAN
b) The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data
c) Only the physical servers that process transactions
d) All systems connected to the corporate network
2. Which of the following is considered Sensitive Authentication Data (SAD) that must never be stored after authorization?
a) Primary Account Number (PAN)
b) Cardholder name
c) Full magnetic stripe data
d) Expiration date
3. An entity has implemented network segmentation. What is the primary benefit from a PCI DSS perspective?
a) It eliminates the need for firewalls
b) It reduces the scope of the assessment
c) It eliminates the need for antivirus software
d) It allows for longer log retention periods
4. Under Requirement 8.4.2, multi-factor authentication is required for:
a) All users accessing the corporate network
b) All non-console administrative access into the CDE
c) Only third-party vendors accessing the CDE
d) All users accessing email systems
5. What is the maximum time allowed to remediate a critical vulnerability identified during an external vulnerability scan?
a) 7 days
b) 14 days
c) 30 days
d) 90 days
6. Which SAQ is typically used by e-commerce merchants who fully outsource payment processing to a PCI DSS validated third party?
a) SAQ A
b) SAQ B
c) SAQ C
d) SAQ D
7. Requirement 3.5.1 addresses the use of cryptographic keys. What is the primary requirement?
a) Keys must be changed annually
b) Keys must be stored in the same database as cardholder data
c) Keys must be stored securely with documented key management processes
d) Keys must be shared with all system administrators
8. According to Requirement 10.4.1, how frequently must time synchronization mechanisms be reviewed and synchronized?
a) Annually
b) Monthly
c) At least daily
d) At least weekly
9. What is the purpose of Requirement 11.6.1?
a) To perform annual penetration testing
b) To detect and respond to unauthorized changes to payment pages
c) To monitor all network traffic
d) To scan for malware on endpoints
10. A service provider is defined by the PCI SSC as:
a) Any entity that accepts credit cards
b) A business entity that is not a payment brand but is involved in processing, storing, or transmitting cardholder data on behalf of another entity
c) Only third-party processors
d) Any company with over 1,000 employees