Selected QSA_New_V4 PCI Qualified Professionals Questions Answers

PCI DSSRequirement 11.5.2mandates the use of file-integrity monitoring (FIM) or change-detection tools to monitorcritical filessuch as system binaries, configuration files, and system parameters.

Option A:❌Incorrect. Manuals are not critical system files.

Option B:❌Incorrect. Regularly changing files (e.g., logs or temp files) are typically excluded.

Option C:❌Incorrect. Policies and procedures are reviewed but not subject to FIM.

Option D:✅Correct. System config and parameter files must bemonitored for unauthorised changes.

According toRequirement 9.3.1and9.4.1.2, physical access control mechanisms — including badge readers — must beprotected against tampering or disablingto prevent unauthorized access and maintain the integrity of access logs.

Option A:Correct. Physical access control systems must be protected from tampering.

Option B:Incorrect. Video cameras are requiredonly where appropriate; badge access may suffice.

Option C:Incorrect. Access logs must beretained for at least three months, not deleted monthly (see 9.4.1.3).

Option D:Incorrect. Motion sensors are not specifically required.

PerRequirement 7.2.5and8.2.2, PCI DSS recommends thatonly application-layer accessbe allowed to databases storing cardholder data, preventing users from issuing direct SQL queries or accessing the database via administrative tools.

Option A:✅Correct. Restricting database access toprogrammatic (application-layer) methodsis strongly preferred and aligns with PCI DSS guidance.

Option B:❌Incorrect. Admins should not have unrestricted access unless justified and monitored.

Option C:❌Incorrect. Application IDs must not be used interactively by individuals (Requirement 8.6.1).

Option D:❌Incorrect. Shared accounts are disallowed (Requirement 8.2.1).

 Definition of Quarterly:

PCI DSS defines "quarterly" as occurring once within each calendar quarter. This means the activity must happen at least once in Q1, Q2, Q3, and Q4, with no rigid restrictions on specific days​​.

 Clarification on Other Options:

B:While 95–97 days approximates a quarter, it is not mandated as a rigid timeframe.

C/D:Fixed dates (e.g., 15th or 1st of specific months) are not prescribed in PCI DSS.