PCI ISA EXAM UPDATED QUESTIONS
AND CORRECT ANSWERS.
SAQ-A - ANS e-commerce or telephone order merchants; processing fully outsourced to
validated 3rd party. No processing, transmitting, storing done by merchant
SAQ-B - ANS merchants with imprint machines and/or merchants with only standalone dial-out terminals
SAQ-B-IP - ANS Same as SAQ-B but the terminals not dial-out, the terminals have an IP
connection
SAQ-C - ANS Merchants with payment apps connected to the Internet but have no CHD
storage. Not available if doing ecommerce
SAQ-C-VT - ANS Merchants who only use virtual terminals from a validated 3rd party. Do
transactions one at a time. Not available if doing ecommerce
SAQ-A-EP - ANS Same as SAQ-A but web site could affect the security of outsourced 3rd
party solution.
SAQ-D - ANS Used by merchants not eligible for any other SAQ. Service providers must
always use SAQ-D
1 @COPYRIGHT 2025/2026 ALLRIGHTS RESERVED
Where are firewalls required - ANS Between Internet and CHD, between DMZ and internal network, between wireless networks and CHD
How often must firewall rules be reviewed - ANS 6 months and after significant environment
change
Non-Console admin access must be ______ - ANS encrypted
CHD data can only be stored for how long? - ANS based on merchant documented policy
based on biz, regulatory, legal requirements
CHD that has exceeded its defined retention period must be deleted based on a ________
process - ANS quarterly
When is it OK to store sensitive authentication data (SAD)? - ANS temporarily prior to authorization. Issuers can store SAD based on business need
Sensitive Authentication Data - ANS Full Track, Track 1, Track 2, CVV, PIN. Any equivalent
from chip
When masking a card number what can be shown - ANS first 6 and last 4
Acceptable methods for making PAN unreadable - ANS Hash, Truncation, Tokenized, strong
key cryptography
Secret/Private keys must be protected by what method(s) - ANS 1) key-encrypting key,
stored separately. 2) Hardware Security Module (HSM) 3) two full length key components (aka
split knowledge)
Split Knowledge - ANS two or more people separately have key components; knowing only their half