PCI SSC Updated QSA_New_V4 Exam Questions and Answers by safaa

UnderAppendix D – Customized Approach, it is clearly stated that theentity is responsiblefor completing theControls Matrixand theTargeted Risk Analysis (TRA). The assessor may assist in completion, but accountability for content lies with the entity.

Option A:Incorrect. QSAs may assist but are not solely responsible.

Option B:Incorrect. This overstates who is responsible; only the entity is ultimately accountable.

Option C:Correct. The entity being assessed is responsible for completing the Controls Matrix and TRA.

Option D:Incorrect. Card brands or acquirers are not involved in document creation.

PCI DSSRequirement 6.3.1requires entities toassign a risk rankingto vulnerabilities (e.g., high, medium, low) to ensure thatremediation efforts are prioritised. This risk-based approach helps organisations focus resources where they are most needed.

Option A:❌Incorrect. Timeframes depend on the severity and internal policy, not always 30 days.

Option B:❌Incorrect. Risk ranking supports remediation but doesn’t replace scanning.

Option C:✅Correct. The purpose is toprioritise higher-risk itemsfor faster action.

Option D:❌Incorrect. Patch frequency is addressed elsewhere (Requirement 6.3.3).

According toSection 12.2.3.3 of PCI DSS v4.0.1, aPartial Assessmentis defined as a result whereat least one PCI DSS requirement is marked as “Not Tested.”This is typically seen duringgap assessments or pre-validation efforts, not official compliance validation.

Option A:❌Incorrect. SAQs are self-assessments; Partial Assessment is a different concept.

Option B:❌Incorrect. Interim drafts are not labeled as “Partial”.

Option C:❌Incorrect. That is a misinterpretation of segmentation by payment channel.

Option D:✅Correct. "Not Tested" = Partial Assessment.

 Scope of Anti-Malware Requirements

PCI DSS Requirement 5 mandates the use of anti-malware solutions on all in-scope systems unless the system is specifically documented as not being at risk from malware.

Examples of systems not at risk include those using operating systems that do not support anti-malware tools, provided proper justifications and alternative controls are implemented​​.

 Assessment Considerations

QSAs must verify and document why a system is considered "not at risk."

Systems storing, processing, or transmitting cardholder data or that could impact the CDE are generally in-scope for anti-malware​​.

 Incorrect Options

Option A: While CDE systems and connected systems require protection, the requirement applies specifically to systems at risk from malware.

Option B: Portable electronic storage is not explicitly called out for universal anti-malware but must be controlled in line with overall security policies.

Option C: Systems storing PAN are only a subset of in-scope systems.