PCI ISA Questions and Answers with Certified Solutions
QSAs must retain work papers for a minimum of _______ years. It is a recommendation for
ISAs to do the same. ✔✔3
According to PCI DSS requirement 1, Firewall and router rule sets need to be reviewed every
_____ months. ✔✔6
At least ______________ and prior to the annual assessment the assessed entity:
- Identifies all locations and flows of cardholder data to verify they are included in the CDE
- Confirms the accuracy of their PCI DSS scope
- Retains their scoping documentation for assessor reference ✔✔annually
Scope includes ✔✔ppl, process, tech
Evidence Retention
It is recommended that the ISA secure and maintain digital and/or hard copies of case logs, audit
results and work papers, notes, and any technical information that was created and/or obtained
during the PCI Data Security Assessment for a minimum of ________ or as applicable to
company data retention policies ✔✔three (3) years
A (time) ______ process for identifying and securely deleting stored cardholder data that
exceeds defined retention requirements. ✔✔quarterly
Do not store SAD after ____________ (even if encrypted). (track data / CVC / PIN)
✔✔authorization
Manual clear-text key-management procedures specify processes for the use of the following
✔✔Split knowledge. Dual control
Dual control ✔✔at least two people are required to perform any key-management operations and
no one person has access to the authentication materials (for example, passwords or keys) of
another
Split knowledge ✔✔key components are under the control of at least two people who only have
knowledge of their own key components