PCI ISA (LATEST) QUESTIONS & ANSWERS VERIFIED 100% CORRECT!!

Written for

Institution
PCI ISA
Course
PCI ISA

Document information

Uploaded on
May 7, 2025
File latest updated on
November 26, 2025
Number of pages
42
Written in
2024/2025
Type
Exam (elaborations)
Contains
Questions & answers

Content preview

PCI ISA (LATEST) QUESTIONS & ANSWERS WITH RATIONALES VERIFIED 100% CORRECT!!/GRADE A+ ASSURED
Question 1
A merchant's e-commerce website fully outsources all payment processing to a validated third-party
service. The merchant's systems never process, transmit, or store any cardholder data. Which Self-Assessment Questionnaire is most appropriate for this merchant?
A) SAQ-A-EP
B) SAQ-B
C) SAQ-D
D) SAQ-A
E) SAQ-C

Correct Answer: D) SAQ-A
Rationale: SAQ-A is specifically designed for merchants where all cardholder data functions
(processing, storage, transmission) are entirely outsourced to a PCI DSS compliant third-party. This scenario, often referred to as a "card-not-present" merchant (e-commerce or
mail/telephone order), has the lowest compliance burden because no cardholder data ever
enters their systems.

Question 2
A small retail shop uses only physical imprint machines ("knuckle-busters") to capture cardholder
data and has a standalone, dial-out terminal for processing transactions. Which SAQ should they
complete?
A) SAQ-B-IP
B) SAQ-C
C) SAQ-B
D) SAQ-A
E) SAQ-D

Correct Answer: C) SAQ-B
Rationale: SAQ-B is tailored for merchants who process cardholder data exclusively through
imprint machines or standalone, dial-out terminals. The key factor is that the terminal is not
connected to any other system and connects to the processor via a traditional telephone line,
not an IP network.

Question 3
A merchant uses standalone point-of-sale terminals that connect to their payment processor via an
IP network connection. They do not store any cardholder data electronically. Which SAQ is designed
for this scenario?
A) SAQ-B
B) SAQ-B-IP
C) SAQ-C
D) SAQ-D
E) SAQ-C-VT

Correct Answer: B) SAQ-B-IP
Rationale: SAQ-B-IP is the correct questionnaire for merchants using standalone, PTS-approved terminals that connect over an IP network. It is similar to SAQ-B, but includes
additional controls to address the risks associated with connecting payment terminals to an
internet-protocol-based network.

Question 4
A merchant uses a payment application on a server connected to the internet to process
transactions, but does not store any cardholder data electronically. They do not have an e-commerce website. Which SAQ should they use?
A) SAQ-C-VT
B) SAQ-D
C) SAQ-C
D) SAQ-A
E) SAQ-B-IP

Correct Answer: C) SAQ-C
Rationale: SAQ-C applies to merchants with payment application systems connected to the
internet, such as a point-of-sale (POS) system. It is for merchants who process cardholder
data via an internet-connected payment system but do not store cardholder data. A critical
eligibility criterion is that the merchant does not have an e-commerce presence.

Question 5
A call center processes payments by manually keying cardholder data, one transaction at a time,
into a web-based virtual terminal solution provided by a validated third party. No cardholder data is
stored. Which SAQ is applicable?
A) SAQ-A
B) SAQ-C
C) SAQ-B
D) SAQ-C-VT
E) SAQ-D

Correct Answer: D) SAQ-C-VT
Rationale: SAQ-C-VT is for merchants who use a Virtual Terminal, which is a web-based
application for processing card payments. The merchant keys in the data for each transaction
individually on a computer, and all processing is handled by a validated third party. Like
SAQ-C, it is not applicable for e-commerce channels.

Question 6
An e-commerce merchant outsources all payment processing but has a website that could potentially impact the security of the payment page provided by the third party. Which SAQ is
designed to address this specific risk?
A) SAQ-A
B) SAQ-D
C) SAQ-A-EP
D) SAQ-C
E) SAQ-B

Correct Answer: C) SAQ-A-EP
Rationale: SAQ-A-EP is for e-commerce merchants who partially outsource their payment
processing. While the payment processing itself is handled by a third party, the merchant's
website accepts the payment data, which creates a risk that the merchant's site could
compromise the security of the transaction. This SAQ has more controls than SAQ-A to
address this risk.

Question 7
A service provider that stores, processes, or transmits cardholder data on behalf of other entities
needs to validate their PCI DSS compliance. Which SAQ must they always use?
A) SAQ-C
B) SAQ-A
C) SAQ-D
D) SAQ-B-IP
E) They cannot use an SAQ.

Correct Answer: C) SAQ-D
Rationale: SAQ-D is the validation tool for merchants who are not eligible for any other SAQ
type, and it is the mandatory validation tool for all service providers. It covers all PCI DSS
requirements and is the most comprehensive of all the Self-Assessment Questionnaires.

Question 8
According to PCI DSS, which of the following is a required location for a firewall?
A) Between any two servers in the internal network
B) Between wireless networks and the Cardholder Data Environment (CDE)
C) Between the CEO's workstation and the internal network
D) Between the internal network and the accounting department
E) Between any two workstations in the CDE

Correct Answer: B) Between wireless networks and the Cardholder Data Environment (CDE)
Rationale: PCI DSS Requirement 1 mandates the installation of firewalls at specific network
boundaries to protect the CDE. Key required locations include between any wireless network
and the CDE, between the internet and the CDE, and between any untrusted network (like a
DMZ) and the internal CDE.

Question 9
How often must an organization review its firewall and router rule sets?
A) Every 3 months
B) Every 12 months
C) Every 6 months
D) Only after a security incident
E) Only when a new device is added

Correct Answer: C) Every 6 months
Rationale: PCI DSS Requirement 1.1.7 specifies that firewall and router rule sets must be
reviewed at least every six months. This is to ensure that the rules are still appropriate,
necessary for business, and do not contain any insecure configurations that could expose
the CDE.

Question 10
PCI DSS requires that all non-console administrative access to the cardholder data environment
must be:
A) Logged to a text file
B) Performed only during business hours
C) Approved by a manager via email
D) Encrypted
E) Limited to 10 minutes per session

Correct Answer: D) Encrypted
Rationale: To protect administrative credentials and session data from being intercepted on
the network, PCI DSS mandates the use of strong cryptography for all non-console
administrative access. This means using secure protocols like SSH, VPN, or TLS instead of
insecure protocols like Telnet or FTP.

Question 11
For how long is a merchant permitted to store cardholder data (CHD)?
A) For a maximum of one year
B) Indefinitely, as long as it is encrypted
C) For up to 90 days after the transaction
D) Based on a documented policy that is driven by business, legal, or regulatory requirements
E) They are never permitted to store CHD post-authorization

Correct Answer: D) Based on a documented policy that is driven by business, legal, or
regulatory requirements
Rationale: PCI DSS does not dictate a universal maximum retention period. Instead, it requires
each organization to define and document their own retention policy. This policy must have a
business, legal, or regulatory justification for the retention period, and data should not be
kept any longer than is necessary to meet that need.