Operating systems no longer supported by the vendor - Answers Automatic failure
Open access to database from the Internet - Answers Automatic failure
Default passwords and accounts - Answers Automatic failure
Unrestricted DNS zone transfer - Answers Automatic failure
SQL injection - Answers Automatic failure
Cross-Site Scripting (XSS) - Answers Automatic failure
Directory Traversal - Answers Automatic failure
HTTP Response Splitting / header injection - Answers Automatic failure
Information leakage (i.e., detailed error messages, etc.) - Answers Automatic failure
Back doors / malware - Answers Automatic failure
Use of SSL/TLS 1.0 - Answers Automatic failure
Any vulnerability that violates PCI DSS - Answers Automatic failure
Invalidated synchronized environment behind load balancer - Answers Special note
Browsable directory - Answers Special note
Anonymous / non-authenticated cipher suites - Answers Special note
Remote access software - Answers Special note
Detection of POS software - Answers Special note
Embedded code / code from out of scope domains - Answers Special note
Insecure services / industry deprecated protocols - Answers Special note
Unknown services - Answers Special note
1. Scoping
2. Scanning
3. Reporting / remediate
4. Dispute resolution
5. Rescan (if needed)
6. Final report - Answers Phases of ASV scans
1. Be non-disruptive
2. Perform host discovery
3. Perform service / OS discovery
4. Perform service / OS fingerprinting
5. Be accurate
6. Be platform independent
7. Account for load balancers - Answers Characteristics of ASV scans
1. The vulnerability is not included in the NVD.
2. The ASV disagrees with the CVSS score noted in the NVD.
3. The vulnerability is purely a denial of service (DoS) attack.
4. The vulnerability violates PCI DSS and will result in an automatic failure. - Answers Exceptions to scoring vulnerabilities with the NVD
CVSS 0.0 - 3.9 - Answers Pass
CVSS 4.0 - 10.0 - Answers Fail
DOS vulnerabilities with a CVSS score of 6.0 - Answers Pass
1. AOC
2. ASV scan report summary
3. ASV Vulnerability details - Answers Components of a scan report
The AOC can be customized (i.e., ASV logos, fonts, placement of information) - Answers True
The ASV may choose to omit vulnerabilities that do not impact PCI DSS compliance (i.e., low severity vulnerabilities). - Answers True
1) All failing vulnerabilities that have been fixed, rescanned and validated as passing upon