◉ SAQ-B. Answer: merchants with imprint machines and/or merchants with only standalone dial-out terminals
◉ SAQ-B-IP. Answer: Same as SAQ-B, but the terminals are not dial-out; the terminals have an IP connection
◉ SAQ-C. Answer: Merchants with payment apps connected to the Internet but no CHD storage. Not available if doing ecommerce
◉ SAQ-C-VT. Answer: Merchants who only use virtual terminals from a validated 3rd party. Do transactions one at a time. Not available if doing ecommerce
◉ SAQ-A-EP. Answer: Same as SAQ-A, but the web site could affect the security of the outsourced 3rd party solution.
◉ SAQ-D. Answer: Used by merchants not eligible for any other SAQ. Service providers must always use SAQ-D
◉ Where are firewalls required? Answer: Between Internet and CHD, between DMZ and internal network, between wireless networks and CHD
◉ How often must firewall rules be reviewed? Answer: Every 6 months and after a significant environment change
◉ Non-Console admin access must be ______. Answer: encrypted
◉ CHD data can only be stored for how long? Answer: Based on the merchant's documented policy, which is based on business, regulatory, and legal requirements
◉ CHD that has exceeded its defined retention period must be deleted based on a ________ process. Answer: quarterly
◉ When is it OK to store sensitive authentication data (SAD)? Answer: Temporarily, prior to authorization. Issuers can store SAD based on business need
◉ Sensitive Authentication Data. Answer: Full Track, Track 1, Track 2, CVV, PIN. Any equivalent from chip
◉ When masking a card number, what can be shown? Answer: first 6 and last 4