WITH CORRECT ANSWERS GRADED A+
◉ According to PCI DSS requirement 1, firewall and router rule sets need to be reviewed every _____ months. Answer: 6
◉ At least ______________ and prior to the annual assessment, the assessed entity:
- Identifies all locations and flows of cardholder data to verify they are included in the CDE
- Confirms the accuracy of their PCI DSS scope
- Retains their scoping documentation for assessor reference.
Answer: annually
◉ Scope includes: Answer: people, process, technology
◉ Evidence Retention
It is recommended that the ISA secure and maintain digital and/or hard copies of case logs, audit results and work papers, notes, and any technical information that was created and/or obtained during the PCI Data Security Assessment for a minimum of ________ or as applicable to company data retention policies. Answer: three (3) years
◉ A (time) ______ process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements. Answer: quarterly
◉ Do not store SAD after ____________ (even if encrypted). (track data / CVC / PIN). Answer: authorization
◉ Manual clear-text key-management procedures specify processes for the use of the following. Answer: Split knowledge, Dual control
◉ Dual control. Answer: At least two people are required to perform any key-management operations, and no one person has access to the authentication materials (for example, passwords or keys) of another.
◉ Split knowledge. Answer: Key components are under the control of at least two people who only have knowledge of their own key components.
◉ PAN is rendered unreadable in which ways? Answer:
- hash
- mask
- encrypt
- pad