PCI ISA (LATEST) QUESTIONS & ANSWERS VERIFIED
100% CORRECT ANSWERS | VERIFIED EXAMS
What makes up SAD? - Answer-
- Track Data
- CAV2/CVC2/CVV2/CID
- PINs & PIN Blocks
Track 1 - Answer-Contains all fields of both Track 1 and Track 2, up to 79 characters long
11.2 Internal Scans - Frequency and performed by whom? - Answer-Quarterly and after significant changes in the network - Performed by a qualified internal or external resource
11.3 Penetration Tests (SERVICE PROVIDERS) - Frequency and performed by whom? - Answer-Every 6 months by a qualified internal or external resource
11.2 External Scans - Frequency and performed by whom? - Answer-Quarterly and after significant changes in the network - Performed by a PCI SSC Approved Scanning Vendor (ASV)
11.3 Penetration Tests - Frequency and performed by whom? - Answer-At least annually and after significant changes in the network - Performed by a qualified internal or external resource
11.2 Review scan reports and verify the scan process includes rescans until: - Answer-
- External scans: no vulnerabilities exist that score 4.0 or higher on the CVSS
- Internal scans: all high-risk vulnerabilities as defined in PCI DSS requirement 6.1 are resolved
Who decides if a ROC or SAQ is required? - Answer-Payment Brands / Acquirers
10.2 Implement audit trails for all system components to reconstruct the following events: - Answer-
- All individual accesses to CHD
- Actions taken by any individual with root or admin privileges
- Access to all audit trails
- Invalid logical access attempts
- Use of, and changes to, identification and authentication mechanisms
- Initialization, stopping, or pausing of the audit logs
- Creation and deletion of system-level objects
How long must QSAs retain work papers? - Answer-3 years; the same is recommended for ISAs
Firewall and router rule sets must be reviewed every _____________________. - Answer-6 months
Things to consider when assessing: - Answer-People, processes, technology
How often should an entity undergo a process to securely delete stored CHD that exceeds defined retention requirements? - Answer-At least quarterly
3.6 Key-management operations: Dual Control vs Split Knowledge - Answer-Dual Control: At least two people are required to perform any key-management operations, and no one person has access to the authentication materials (e.g., passwords, keys) of another