QSA_New_V4 Dumps with Practice Exam Questions Answers

There areseparate Attestation of Compliance (AOC) templatesfor different use cases, specifically formerchantsandservice providers, and forSAQsversusROCs. Each template is tailored to match the reporting needs of that assessment type.

Option A:✅Correct. PCI SSC publishes distinct AOC templates depending on whether the entity is a merchant or service provider, and depending on whether they are completing an SAQ or ROC.

Option B:❌Incorrect. The AOC is not signed by PCI SSC. It must be signed by the assessed entity and, where applicable, the QSA or ISA.

Option C:❌Incorrect. ROCs and SAQs use different AOC formats.

Option D:❌Incorrect. Both the entity and the assessor (if applicable)mustsign.

According toPCI DSS Scope Definitions (Section 4.2.1), any system thatcan impact the security of the CDEisin scope, even if it doesn’t store cardholder data. An LDAP server providing authentication to systems in the CDEdirectly affects access control, so it'sin scope.

Option A:✅Correct. Systems providingauthentication services to the CDEarein scope.

Option B:❌Incorrect. LDAP does not need to store card data to be in scope.

Option C:❌Incorrect. Influence over access security makes it in scope regardless of data processing.

Option D:❌Incorrect. Scope isn’t limited to DMZ-linked systems.

Compensating controls are alternative measures implemented when an entity cannot meet a specific PCI DSS requirement due to legitimate technical or business constraints. These controls must sufficiently mitigate the associated risk and be commensurate with the intent of the original PCI DSS requirement.​

Option A:Incorrect. Even if all other PCI DSS requirements are met, a compensating control is necessary when a specific requirement cannot be directly satisfied.​

Option B:Correct. A compensating control must effectively address and mitigate the risk associated with the inability to meet a particular PCI DSS requirement.​

Option C:Incorrect. While existing controls can support a compensating control, they must collectively address the risk of the unmet requirement and cannot merely be another existing PCI DSS requirement.​

Option D:Incorrect. A compensating control worksheet is mandatory to document the rationale, assessment, and validation of the compensating control, regardless of acquirer approval.​

For detailed guidance on compensating controls, refer toAppendix B: Compensating Controlsin thePCI DSS v4.0.1document.​

As per thePCI DSS Glossary, “bespoke and custom software” is defined assoftware that is developed specifically for, and often by, the entity using it. This includes internally developed applications and externally developed applications created specifically for the entity.

Option A:❌Incorrect. Not all third-party software is custom — much is commercial off-the-shelf (COTS).

Option B:❌Incorrect. Customisability does not equal bespoke development.

Option C:✅Correct. Bespoke software is tailoredby or forthe entity’s specific needs.

Option D:❌Incorrect. Virtual terminals are payment interfaces, not types of software.

PCI DSSRequirement 11.5.2mandates the use of file-integrity monitoring (FIM) or change-detection tools to monitorcritical filessuch as system binaries, configuration files, and system parameters.

Option A:❌Incorrect. Manuals are not critical system files.

Option B:❌Incorrect. Regularly changing files (e.g., logs or temp files) are typically excluded.

Option C:❌Incorrect. Policies and procedures are reviewed but not subject to FIM.

Option D:✅Correct. System config and parameter files must bemonitored for unauthorised changes.