PCI ISA Exam Questions And Accurate Answers @ 2024
SAQ-A - Answer: e-commerce or telephone-order merchants; all processing outsourced to a validated third party. No processing, transmitting or storing done by the merchant.
SAQ-B - Answer: merchants with imprint machines and/or merchants with only standalone dial-out terminals.
SAQ-B-IP - Answer: same as SAQ-B, but the terminals are not dial-out; they have an IP connection.
SAQ-C - Answer: merchants with payment applications connected to the Internet but no CHD storage. Not available if doing e-commerce.
SAQ-C-VT - Answer: merchants who only use virtual terminals from a validated third party, processing one transaction at a time. Not available if doing e-commerce.
SAQ-A-EP - Answer: same as SAQ-A, but the merchant's web site could affect the security of the outsourced third-party solution.
SAQ-D - Answer: used by merchants not eligible for any other SAQ. Service providers must always use SAQ-D.
Where are firewalls required? - Answer: between the Internet and CHD, between the DMZ and the internal network, and between wireless networks and CHD.
How often must firewall rules be reviewed? - Answer: every 6 months and after any significant environment change.
Non-console admin access must be ______ - Answer: encrypted.
How long can CHD be retained? - Answer: per the merchant's documented policy, based on business, regulatory and legal requirements.
CHD that has exceeded its defined retention period must be deleted based on a ________ process - Answer: quarterly.
When is it OK to store sensitive authentication data (SAD)? - Answer: temporarily, prior to authorization. Issuers can store SAD based on business need.
Sensitive Authentication Data - Answer: full track, Track 1, Track 2, CVV, PIN, and any equivalent data from the chip.
When masking a card number, what can be shown? - Answer: the first 6 and last 4 digits.
Acceptable methods for making PAN unreadable - Answer: hashing, truncation, tokenization, strong key cryptography.
Secret/private keys must be protected by which method(s)? - Answer: 1) a key-encrypting key, stored separately; 2) a Hardware Security Module (HSM); 3) two full-length key components (aka split knowledge).
Split Knowledge - Answer: two or more people separately hold key components, each knowing only their own component.
Name at least 3 open public networks - Answer: the Internet, wireless networks (802.11 and Bluetooth), cellular networks, satellite networks.
WEP (Wired Equivalent Privacy) - Answer: 802.11 encryption. Very weak. Retired in 2004. Use