PCI ISA (LATEST) || VERIFIED QUESTIONS WITH ACTUAL ANSWERS || EXAM PREPARATION 2026 || ALREADY PASSED!!
Perimeter firewalls are installed ______________________________. - answers between all wireless networks and the CHD environment.
Where should firewalls be installed? - answers At each Internet connection and between any DMZ and the internal network.
Review of firewall and router rule sets at least every __________________. - answers 6 months
If disk encryption is used... - answers logical access must be managed separately and independently of native operating system authentication and access control mechanisms.
Manual clear-text key-management procedures specify processes for the use of the following: - answers Split knowledge AND Dual control of keys
What is considered "Sensitive Authentication Data"? - answers Card verification value
When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to be masked are: All digits between the ___________ and the __________. - answers first 6; last 4
Regarding protection of PAN... - answers PAN must be rendered unreadable during transmission over public and wireless networks.
Under requirement 3.4, what method must be used to render the PAN unreadable? - answers Hashing the entire PAN using strong cryptography
Weak security controls that should NOT be used - answers WEP, SSL, and TLS 1.0 or earlier
Per requirement 5, anti-virus technology must be deployed _________________. - answers on all system components commonly affected by malicious software.
Key functions of an anti-virus program per Requirement 5: - answers 1) Detect
2) Remove
3) Protect
Anti-virus solutions may be temporarily disabled only if... - answers there is a legitimate technical need, as authorized by management on a case-by-case basis
When must "critical" applicable vendor-supplied security patches be installed? Within _________ of release. - answers 1 month
When must applicable vendor-supplied security patches be installed? - answers within an appropriate time frame (for example, within three months).
When assessing requirement 6.5, testing to verify that secure coding techniques are in place to address common coding vulnerabilities includes: - answers Reviewing software development policies and procedures
Requirement 7 restricts access by: - answers Need-to-know and least privilege
Inactive accounts over _____________ days need to be removed or disabled. - answers 90 days
To verify the user access termination policy, an ISA needs to select a sample of users terminated in the past _______________ months and review current user access lists, for both local and remote access, to verify that their IDs have been deactivated or removed from the access lists. - answers 6 months
How many logon attempts should be allowed before the account is temporarily locked out? - answers 6 attempts
Once a user account is locked out, it will remain locked for a minimum of ________________________ or until a system administrator resets the account. - answers 30 minutes
System/session idle timeout must be set to _________ minutes or less. - answers 15 minutes
What are the methods to authenticate users? - answers - "Something you know", such as a password or passphrase
- "Something you have", such as a token device or smart card, or
- "Something you are", such as a biometric.
Where passwords or passphrases are used, they must be at least _______ characters long and contain both numeric and alphabetic characters. - answers 7
Passwords must be changed at least once every __________________. - answers 90 days
Password history must also be in place to ensure that users' ________ previous passwords can't be re-used. - answers 4
An example of a "one-way" cryptographic function used to render data unreadable is: - answers SHA-2
Data from video cameras and/or access control mechanisms is reviewed, and that data is stored for at least ________________. - answers 3 months
The visitor logs must contain the relevant information and be retained for at least _________________. - answers 3 months
Verify that the storage location security is reviewed at least ____________________ to confirm that backup media storage is secure. - answers annually
Review media inventory logs to verify that logs are maintained and media inventories are performed at least ______________. - answers annually
Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for: - answers acquiring, distributing, and storing time
All security events and logs of (a) all system components that store, process, or transmit CHD; (b) critical system components; (c) components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) are to be reviewed at least ______________. - answers daily
Audit logs must be immediately available for analysis for a period of ________ and must be retained for a period of _________. - answers 3 months; 1 year
Detection and identification of authorized and unauthorized wireless access points must occur _________________. - answers quarterly
Run internal and external network vulnerability scans at least ____________________ and after any significant change in the network. - answers quarterly
External vulnerability scans must be run by ____________ and performed ________________. - answers an ASV; quarterly
For external scans, no vulnerabilities may exist that are scored _____________ by the CVSS. - answers 4.0 or higher
Penetration testing of segmentation controls for a "Service Provider" must be performed every __________________. - answers 6 months