Step-by-Step Procedure for Creating Security Policies Across All Industries in Japan

1
Reference Material for Creating In-House Security Policies Across All
Industries in JAPAN
~ Understanding PCI DSS Version 4.0, Comparison with Version 3.2.1, and Comprehension Test with
Explanations ~
Apr 17, 2025
Introduction
PCI DSS v4.x is often perceived as being exclusive to the credit card industry, but this is not true. PCI
DSS v4.x aligns with global security governance frameworks such as ISO/IEC 27001:2022, the NIST SP
800 series, ISACA CISM (Certified Information Security Manager), and COBIT. Moreover, because it
includes specific numerical requirements, it serves as a strong reference benchmark not only for the
credit card payment industry but also for other industries through risk-based and business process-based
approaches.
To apply it practically, my document suggests replacing terms such as “cardholder data (CHD)” with
“Personally Identifiable Information (PII) and corporate secrets data” and “PCI DSS v4.x” with your
company’s security policy name, such as “XYZ Corporation Security Policy,” then modifying as need by
your organization.
Additionally, my material is intended, of course, to support professionals involved in security audits and
operations conforming to “PCI DSS Version 4.x,” including internal auditors, PCI consultants, ISMS
stakeholders, and Privacy Mark (P-Mark) stakeholders in Japan. It aims to deepen their understanding
of each PCI DSS v4.x requirement and help them acquire practical knowledge.
PCI DSS v4.x includes the following three key changes from the previous version 3.2.1, and these can be
effectively utilized by organizations outside the credit card industry as well:
1. Increased Flexibility for Organizations
The introduction of the “Customized Approach” and “The Entity’s Targeted Risk Analysis”
allows for flexible responses based on risk assessments tailored to each organization. These
changes align PCI DSS more closely with frameworks such as NIST SP800-171 Revision 3 and
ISO27001:2022.
2. Revise of Numerical Requirements
Numerical and definitional requirements—such as the meaning of “daily,” the frequency of
operational implementations, character lengths for passwords/passphrases, and payment card
number (credit, debit, or prepaid cards, etc.) —have been revised to include clearer definitions.
Some requirements have become more understandable, stronger, or in some cases, more lenient.
3. Alignment with Modern Technologies
PCI DSS v4.x has evolved to align with modern technologies. For instance, legacy devices like

2
physical firewalls and routers are being replaced by Network Security Controls (NSCs), and
guidance now includes references to technologies like machine learning, clouds, etc.
Now, let’s begin by looking at the PCI DSS distinctive “numerical requirements” and start by
understanding the basics of PCI DSS v4.x standard. These numerical requirements are recommended to
include in the standard of organizations in any industry—not just the credit card industry.
Requirement
Number
Requirement
Description
Frequency/Value Changes from PCI DSS Ver. 3.2.1
and Notes
1.2.7 Review of Network
Security Controls
(NSC) rule sets
At least once every six
months
Frequency remains unchanged.
Terminology updated from "firewall"
and router" to "Network Security
Controls (NSC)" to encompass
diverse technologies including an
IaaS.
3.2.1 Verification of
account data
retention period
At least once every
three months
Frequency remains the same;
however, the term "account data" is
now clearly defined, encompassing
both cardholder data and sensitive
authentication data.
3.3 Maximum display
digits for PAN
(Primary Account
Number)
BIN and last 4 digits Previously, the first six and last four
digits could be displayed to general
users even though "BIN" is varying
lengths across different card brands.
5.3.2 Frequency of
malware scans
Regular scans based
on risk analysis, with
automatic updates and
real-time scanning or
continuous behavior
analysis
While automatic updates and real-
time scanning were required in the
both. v4.x introduces the option for
continuous behavior analysis for
systems where real-time scanning
isn't feasible.
6.2.2 Training frequency
for software
developers involved
in bespoke and
custom software
At least once Once
every 12 months
Frequency remains the same; the
timing has been clarified.
6.3.3 Deadline for applying
critical or high-
Within 1 month of
release
Concept unchanged from v3.2.1.

3
security patches and
updates
6.3.3 Application of other
patches and updates
except for critical or
high-risk patches
Within a timeframe
determined by the
entity's risk
assessment
While the approach remains risk-
based, v4.x emphasizes conducting a
formal risk analysis to determine
appropriate timelines.
6.4.1 Review of public-
facing web
applications using
manual or automated
security assessment
tools
At least once Once
every 12 months
Frequency remains the same; the
timing has been clarified.
7.2.4 Review of all user
accounts and related
access privileges,
including those for
third-party vendor
apps and cloud
services
At least once every six
months
This is a new requirement in v4.x,
aligning with practices in ISO/IEC
27001:2022. It does not tell the
timing, though.
8.2.6 Timeframe for
removing or
disabling inactive
user accounts
Within 90 days of
inactivity even for the
existing users
8.2.8 Re-authentication
period after user
session inactivity
After 15 minutes of
inactivity even for the
active users
8.3.4 Account lockout
threshold and
duration
Lockout after no more
than 10 failed login
attempts; lockout
duration of at least 30
minutes or until
identity is verified
The failed login attempt threshold
has been relaxed from 6 to 10
attempts; the lockout duration
remains the same.
8.3.9 Frequency of
password/passphrase
changes
No mandatory
password change if
Multi-Factor
Authentication (MFA)
is implemented;
Previously, a 90-day change interval
was required regardless of MFA
implementation. Dynamic risk
analysis becomes an option if neither

4
otherwise, at least
every 90 days, or
implement dynamic
risk analysis if not
changing passwords
MFA nor 90 days interval is
implemented.
8.3.6 Minimum
password/passphrase
length
At least 12 characters;
if system limitations
exist, a minimum of 8
characters
Increased from a minimum of 7 to 12
characters in v3.2.1 to enhance
security.
8.3.7 Password/passphrase
reuse prevention
If MFA is not
implemented, prevent
reuse of the last 4
passwords/passphrases
over a minimum
period of 12 months
Number and frequency remain the
same; 12 months timing has been
clarified.
9.2.2 Retention period for
physical access
records to sensitive
areas within the
Cardholder Data
Environment (CDE)
At least 3 months Frequency remains the same; timing
has been clarified.
9.4.1.2 The security review
of the offline media
backup location(s)
with cardholder data
At least once Once
every 12 months
Frequency remains the same; timing
has been clarified. The term “media
backups” was changed to “offline
media”.
10.4.1 Log review for logs of
all critical system
components, all
servers and system
components that
perform security
functions.
At least daily The frequency remains the same;
however, PCI DSS v4.x clarifies that
it includes weekends and holidays—
not just the typical 5-day workweek
10.4.2 Logs review of all
other system
components (those
not specified in
Requirement 10.4.1)
Periodical Review in
accordance with the
entity’s identified risk.
Periodic reviews may occur more
often. 'organization’s annual risk
assessment' has been replaced with '
entity’s identified risk or the TRA
(Target Risk Analysis).

5
10.5.1 Retention period for
audit logs
At least 12 months,
with the most recent 3
months’ logs
immediately available
has been clarified.
10.6.1 Frequency of audit
log reviews
At least daily Clarified that "daily" includes non-
business days.
11.2.1 Frequency of testing
for unauthorized
wireless access points
At least once every
three months
has been clarified.
11.3.1.2 /
11.3.1.3
Internal
vulnerability scans
At least once every
three months and after
any significant
changes
has been clarified.
11.3.2 /
11.3.2.1
External
vulnerability scans
At least once every
three months and after
any significant
changes
Concept unchanged, and it still
require conducting by an Approved
Scanning Vendor (ASV).
11.4.2 Internal penetration
testing
At least once Once
every 12 months
has been clarified.
11.4.3 External penetration
testing
At least once Once
every 12 months
clarified responsibilities for service
providers.
11.4.5 Verification of
segmentation
effectiveness via
penetration testing
At least once Once
every 12 months
has been clarified.
11.5.1 Detection of file
changes for critical
files
At least daily Clarified that "daily" includes non-
business days.
12.4.2 Review of PCI DSS
responsibilities and
procedures
At least once every
three months
has been clarified.
12.5.1 Inventory review of
system components
within the CDE
At least once Once
every 12 months
has been clarified.

6
12.6.2 Implementation of
security awareness
programs
At least once Once
every 12 months
clarified that training records must
be maintained.
12.6.3 Acknowledgment of
information security
policies and
procedures
At least once Once
every 12 months
clarified that acknowledgments must
be documented.
12.8.4
(12.9.2)
Verification of Third-
Party Service
Providers' (TPSP)
PCI DSS compliance
At least once Once
every 12 months
has been clarified. (Remarks)
According to 12.9.2. TPSP supports
their customer’s requests for PCI
DSS compliance upon requests.
12.10.4 Training for incident
response personnel
At least once Once
every 12 months
has been clarified.
A1.1.4 Penetration testing
of logical
segmentation
controls for Multi-
Tenant Service
Providers (MTSP)
At least once every 6
months
New for v4.x
Blank
In PCI DSS v4.x, as outlined in the following knowledge check, the traditional 12 requirements
from v3.2.1 and earlier have been reorganized into six major categories to provide a clearer structure for
each domain.
Since PCI DSS v4.x is based on the NIST SP800 series, it comprehensively covers all ISMS control
categories, particularly focusing on the "technical controls" of ISO/IEC 27001:2022. Furthermore, PCI DSS
v4.x aligns with the task areas of security managers as described in ISACA’s CISM framework would be
similar to the PCI DSS concepts.
Now, let's go through the approximately 60 questions related to PCI DSS v4.x, read the
explanations and understand the GAP from v3.2.1. Afterwards, refer to ISO/IEC 27001:2022 and CISM,
and try applying these insights to create or enhance your organization’s security policies, standards and
procedures!
(Category 1/6) Build and Maintain a Secure Network and Systems

7
PCI DSS v4.x Requirement 1: Install and Maintain Network Security Controls.
This requirement mandates the design, implementation, and maintenance of network security controls—
such as firewalls and access controls—to protect the Cardholder Data Environment (CDE) from untrusted
networks.
Question #1 (Requirement 1):
How often must the configuration of network security controls (NSC) be reviewed?
A) Once every three months
B) Once every six months
C) Once every 12 months
D) Only after system changes
Correct Answer:
Explanation:
According to PCI DSS v4.x, NSC configurations must be reviewed at least once every six months to ensure
they remain effective in protecting the cardholder data environment (CDE).
Gap from v3.2.1:
In v3.2.1, firewall/router reviews were required. v4.x expands this to include cloud-based and virtual
controls via the term NSC.
Which of the following can be used to achieve network segmentation?
A) Network hubs, bridges, and connectors
B) Traffic monitoring systems with notifications
C) IDS with enhanced auditing
D) Network Security Controls (NSC)
Correct Answer:
D) Network Security Controls (NSC)
Explanation:
NSCs are used to enforce logical separation between untrusted networks and the CDE. They can include
firewalls, cloud security groups, and other access control mechanisms.
Gap from v3.2.1:

8
The terminology was limited to firewalls and routers. v4.x adopts NSC to broaden the scope to virtual/cloud
systems.
Which connection must be restricted using NSC rulesets?
A) Between corporate network and CDE
B) Between wireless and untrusted networks
C) Between systems inside the DMZ
D) Between DMZ and internal network
Correct Answer:
A) Between corporate network and CDE
Explanation:
If the corporate network is not explicitly included in the CDE, it is considered untrusted. NSC rules must
restrict traffic from it to protect the CDE.
Gap from v3.2.1:
Same principle existed, but v4.x adopts NSC and clarifies applicability in modern hybrid/cloud
architectures.
Which of the following statements about network segmentation is correct?
A) A segmented network is also called a flat network
B) Network segmentation is not a PCI DSS requirement
C) PCI DSS requires segmentation for all networks
D) Segmentation increases the scope of PCI DSS assessments
Correct Answer:
B) Network segmentation is not a PCI DSS requirement
Explanation:
Network segmentation is not mandatory but is highly recommended because it reduces the PCI DSS scope
and improves manageability. Without segmentation, the entire network may fall within PCI DSS scope.
Gap from v3.2.1:
This understanding remains the same. v4.x reiterates that segmentation is optional but effective in risk
and scope reduction.

9
Which scenario demonstrates effective segmentation that reduces PCI DSS scope?
A) A VLAN routes traffic between the CDE and other networks
B) A firewall logs all traffic between the CDE and non-CDE
C) NSC rules block unauthorized traffic between CDE and non-CDE
D) A router monitors traffic between CDE and external networks
Correct Answer:
C) NSC rules block unauthorized traffic between CDE and non-CDE
Explanation:
Only option C enforces logical segmentation by blocking unapproved traffic, which is essential for reducing
PCI DSS scope under Requirement 1.2.1.
Gap from v3.2.1:
v4.x expands the segmentation approach to include cloud and virtual NSCs—not just firewalls and routers.
Which statement accurately describes “stateful inspection”?
A) Firewall admin access is restricted to one person
B) Application baselines are maintained
C) NSC audit logs identify user behavior
D) Active connections are tracked to validate response traffic
Correct Answer:
D) Active connections are tracked to validate response traffic
Explanation:
Stateful inspection firewalls monitor the state of network connections to ensure that only legitimate return
traffic is allowed—improving security by preventing spoofed responses.
Gap from v3.2.1:
Concept unchanged; v4.x retains the focus on stateful traffic validation as part of NSC function.
According to PCI DSS v4.x, where should a database server storing cardholder data reside?
A) In the same DMZ segment as the web server

10
B) In the internal network, isolated from the DMZ
C) On the same server as the application server
D) On a public cloud network with the web server
Correct Answer:
B) In the internal network, isolated from the DMZ
Explanation:
PCI DSS Requirement 1.4.4 mandates that systems storing cardholder data, such as database servers, be
located in trusted internal networks, not the DMZ.
Gap from v3.2.1:
Concept unchanged, but v4.x more clearly defines the expected segmentation boundaries for data storage
systems.
Which configuration best complies with PCI DSS v4.x for controlling unauthorized services and protocols?
A) List all services in documentation
B) Monitor low-security services more actively
C) Allow all traffic by default and inspect later
D) Block unauthorized services from entering or exiting the network
Correct Answer:
D) Block unauthorized services from entering or exiting the network
Explanation:
Requirement 1.2.5 requires only authorized ports, services, and protocols to be enabled. Everything else
must be blocked by default.
Gap from v3.2.1:
Concept unchanged. v4.x adds support for customized approaches and emphasizes business justification
for exceptions.
PCI DSS v4.x Requirement 2: Apply Secure Configurations to All System Components.
This requirement mandates applying secure configurations to all system components, avoiding the use of
default settings, and disabling unnecessary services or protocols in order to reduce the risk of attacks.

11
What is required when implementing a newly deployed NSC system regarding its configuration?
A) Use factory default passwords
B) Apply secure configuration and disable unused services
C) Only encrypt logs
D) Use shared administrator credentials for ease of use
Correct Answer:
B) Apply secure configuration and disable unused services
Explanation:
Per Requirement 2.2.4, new systems must be securely configured, avoiding default settings, and
unnecessary features/services disabled to reduce the attack surface.
Gap from v3.2.1:
v3.2.1 required hardening, but v4.x makes it more explicit and aligns with secure deployment best
practices, including cloud-hosted NSCs.
(Category 2/6) Protection of Account Data
PCI DSS v4.x Requirement 3: Protect Stored Account Data
This requirement calls for encrypting stored account data and securing and managing encryption keys
based on secure key management practices, in order to reduce the risk of data breaches in the event of a
leak.
Which is true regarding storing both a hashed and truncated version of the same PAN in the same CDE?
A) It is allowed but must not allow PAN reconstruction
B) It is never allowed under any condition
C) They must be encrypted together
D) Truncation must be reversed if hashed
Correct Answer:
A) It is allowed but must not allow PAN reconstruction
Explanation:
Under Requirement 3.5.1, storing both hashed and truncated PANs in the same environment is allowed,
as long as it does not enable PAN reconstruction.

12
Gap from v3.2.1:
Clarified in v4.x with additional guidance. v3.2.1 lacked clarity on combining tokenized and
masked/truncated data.
Which of the following is true when both a hashed and a truncated version of the same PAN exist in the
CDE?
A) PAN hash and truncation must not be stored together
B) PAN hash must also be truncated
C) PAN cannot be reconstructed from the combination
D) PAN must be encrypted if truncated
Correct Answer:
C) PAN cannot be reconstructed from the combination
Explanation:
PCI DSS v4.x allows storing both a hashed and truncated version of a PAN in the same environment only
if the two cannot be correlated to reconstruct the original PAN.
Gap from v3.2.1:
The general principle existed in v3.2.1 but v4.x introduces more precise clarification about reconstruction
risk and its mitigation.
Question 12 (Requirement 3):
Which data combination is allowed to be stored after authorization (if encrypted), excluding issuers and
their service providers?
Options:
A) Encrypted PAN, expiration date, cardholder name
B) Encrypted PAN, encrypted Track 2 data, service code
C) Hashed PAN, encrypted Track 1 data, expiration date
D) Hashed PAN, encrypted Track 2 data, cardholder name
Correct Answer:
A) Encrypted PAN, expiration date, cardholder name
Explanation:
According to Requirement 3.2, after a transaction is authorized, only specific non-sensitive data elements

13
may be stored: encrypted PAN, cardholder name, service code, and expiration date. Sensitive
Authentication Data (SAD) like track data, CVV, and PINs must never be stored post-authorization—even
if encrypted.
Gap from v3.2.1:
The rule remains unchanged, but v4.x introduces Requirement 3.3.3 to clarify exceptions for issuers and
reinforce correct handling of SAD.
What is true regarding chip (IC) card data and online transactions?
Options:
A) Chip technology increases in-person fraud risk
B) PCI DSS does not apply to chip card use
C) Merchants may store chip track data after authorization
D) Data from a chip may be misused in card-not-present (e-commerce) fraud
Correct Answer:
D) Data from a chip may be misused in card-not-present (e-commerce) fraud
Explanation:
While chip cards (EMV) offer improved security in physical environments, the data they hold can still be
stolen and misused online. This is why PCI DSS requires careful handling of cardholder data regardless
of how it was captured.
Gap from v3.2.1:
v3.2.1 did not clearly state that EMV track-equivalent data is SAD. v4.x explicitly classifies such data as
SAD and enforces the same storage prohibition.
Which best describes track-equivalent data on chip cards under PCI DSS v4.x?
Options:
A) Out of PCI DSS scope
B) Can be stored after auth if encrypted
C) Not subject to data minimization
D) Classified as Sensitive Authentication Data (SAD)
Correct Answer:

14
D) Classified as Sensitive Authentication Data (SAD)
Explanation:
Track-equivalent data—regardless of whether it comes from a magnetic stripe or EMV chip—is classified
as SAD and must never be stored after authorization.
Gap from v3.2.1:
Almost Concept unchanged had occurred.
Which method is most appropriate for protecting stored PANs under PCI DSS v4.x?
Options:
A) Hashing without salt
B) Compression and AES-256
C) Masking on the receiving system
D) Strong encryption algorithm (e.g., AES-256)
Correct Answer:
D) Strong encryption algorithm (e.g., AES-256)
Explanation:
PANs must be protected using strong encryption methods like AES-256. Hashing without salt and masking
are insufficient for storage security.
Gap from v3.2.1:
Concept unchanged.
What is the proper way to manage cryptographic keys used to protect cardholder data?
Options:
A) Store keys in plaintext on the same system
B) Generate keys temporarily at decryption time
C) Store and use keys via a secure key management process
D) Allow the security manager to keep a master decryption key
Correct Answer:
C) Store and use keys via a secure key management process
Explanation:

15
Requirement 3.6 mandates using a secure, auditable key management system to protect cryptographic
keys. This includes using HSMs, enforcing dual control, and separating key storage from encrypted data.
Gap from v3.2.1:
Concept unchanged.
According to PCI DSS v4.x, how should PANs be masked for display purposes?
Options:
A) Show first 6 and last 4 digits
B) Show first 4 and last 4 digits
C) Show last 4 digits only
D) Show BIN and last 4 digits
Correct Answer:
D) Show BIN and last 4 digits
Explanation:
Requirement 3.3 in v4.x allows the display of BIN and last 4 digits, adapting to card brands that use
variable-length BINs. Previously, "first 6 and last 4" was allowed.
Gap from v3.2.1:
v3.2.1 allowed fixed formats like “first 6 + last 4” could allow the entity to show up on the display. v4.x
adapts to BIN range expansion by card brands and permits displaying based on issuer-defined BIN length.
Question 17 (Requirement 3)
What is the correct practice for protecting cryptographic keys used to secure cardholder data?
Options:
A) Store encryption keys in plaintext on the same system
B) Generate keys temporarily only during decryption
C) Store and manage keys using a protected key management process
D) Keep decryption keys accessible by the security manager
Correct Answer:
C) Store and manage keys using a protected key management process
Explanation:
Requirement 3.6 mandates that cryptographic keys used to encrypt cardholder data must be securely

16
stored, managed, and protected using an industry-accepted key management process or technology (e.g.,
HSM, KMS, dedicated encryption platforms). Plaintext storage and uncontrolled access are strictly
prohibited.
Gap from v3.2.1:
Concept unchanged.
Which is the correct statement about SAD retention for issuers?
A) Issuers may store unlimited SAD for historical purposes
B) SAD must be deleted after authorization in all cases
C) SAD retention must be limited by law, regulation, and business need
D) SAD may be stored encrypted with no restriction
Correct Answer:
C) SAD retention must be limited by law, regulation, and business need
Explanation:
Issuers are permitted to retain SAD only under strict, documented legal or business needs and must apply
full protection (encryption, access control).
Gap from v3.2.1:
v3.2.1 required written justification. v4.x removes that explicit clause but maintains the same expectations
through stricter enforcement language.
Where is security code (CVV/CVC) most likely to be mistakenly stored?
A) POS terminal logs
B) Email orders
C) E-commerce system databases and logs
D) Physical receipts
Correct Answer:
C) E-commerce system databases and logs
Explanation:
SAD like CVV is often inadvertently stored by web applications, especially in form submissions and logging
systems.

17
Gap from v3.2.1:
The rule remains unchanged. v4.x stresses automated review of log files to detect accidental storage.
What must be verified once every three months regarding stored cardholder data?
A) Logs containing PAN are reviewed for anomalies
B) Data backups are refreshed
C) PANs exceeding retention limits are securely deleted
D) PANs are securely deleted
Correct Answer:
C) PANs exceeding retention limits are securely deleted
Explanation:
Requirement 3.1 mandates that stored CHD must be limited to only what is necessary. Organizations must
verify at least once every three months that no expired data exists.
Gap from v3.2.1:
v3.2.1 had the same expectation but didn’t clearly specify “once every three months” for verification. v4.x
now explicitly defines the quarterly review cycle.
What is required when storing sensitive authentication data after authorization?
A) It must be encrypted using industry-accepted algorithms.
B) It must be stored only if there is a documented business justification.
C) It must be rendered unrecoverable upon completion of the authorization process.
D) It must be accessible only to personnel with a legitimate business need.
Correct Answer:
C) It must be rendered unrecoverable upon completion of the authorization process.
Explanation:
Requirement 3.2 of PCI DSS v4.x mandates that sensitive authentication data (SAD) must not be stored
after authorization, even if encrypted. If there is a legitimate business need to retain such data prior to
authorization, it must be rendered unrecoverable immediately after authorization. This ensures that
sensitive data, such as full track data, card verification codes, and PINs, are not vulnerable to unauthorized
access post-authorization.

18
Gap from v3.2.1:
In PCI DSS v3.2.1, the prohibition on storing SAD after authorization was present; however, v4.x provides
clearer guidance on rendering such data unrecoverable and emphasizes the immediacy of this action post-
authorization.
How should the Primary Account Number (PAN) be rendered unreadable when stored?
A) By encrypting with strong cryptography.
B) By hashing using SHA-1.
C) By truncating to the first six and last four digits.
D) By storing in plaintext in a secured database.
Correct Answer:
A) By encrypting with strong cryptography.
Explanation:
Requirement 3.4 of PCI DSS v4.x mandates that the PAN must be rendered unreadable anywhere it is
stored using strong cryptographic techniques, such as encryption, truncation, or hashing. This ensures
that even if unauthorized access occurs, the data remains protected.
Gap from v3.2.1:
PCI DSS v4.x continues the emphasis on strong cryptographic methods for protecting stored PANs,
aligning with previous versions while reinforcing the need for robust data protection measures.
What must be documented regarding the retention of cardholder data?
A) A list of all employees with access to cardholder data.
B) A data retention and disposal policy.
C) A record of all transactions processed.
D) An inventory of all encryption keys used.
Correct Answer:
B) A data retention and disposal policy.
Explanation:
Requirement 3.1 requires organizations to establish, document, and maintain a data retention and
disposal policy. This policy ensures that cardholder data is retained only for as long as necessary for legal,

19
regulatory, and business requirements, and that it is disposed of securely when no longer needed.
Gap from v3.2.1:
The emphasis on a formalized data retention and disposal policy remains consistent in v4.x, highlighting
the importance of minimizing data exposure.
PCI DSS v4.x Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission
Over Open, Public Networks.
This requirement mandates protecting cardholder data transmitted over public networks using industry-
standard encryption methods (e.g., TLS 1.2 or higher) to prevent eavesdropping and tampering during
transmission.
When transmitting cardholder data over open, public networks, what security measure must be
implemented?
A) Use of strong cryptography and security protocols.
B) Compression of data before transmission.
C) Splitting data into multiple packets.
D) Sending data during off-peak hours.
Correct Answer:
A) Use of strong cryptography and security protocols.
Explanation:
Requirement 4.1 mandates that cardholder data transmitted over open, public networks must be protected
using strong cryptography and security protocols, such as TLS, to safeguard against interception and
unauthorized access.
Gap from v3.2.1:
The requirement for strong cryptographic protection during data transmission remains unchanged,
underscoring its critical role in data security.
What is required to ensure the security of wireless networks transmitting cardholder data?
A) Implementation of WEP encryption.
B) Use of strong authentication and encryption protocols.
C) Hiding the SSID of the wireless network.
D) Limiting the range of the wireless signal.

20
Correct Answer:
B) Use of strong authentication and encryption protocols.
Explanation:
Requirement 4.1.1 specifies that wireless networks transmitting cardholder data must employ strong
authentication and encryption mechanisms, such as WPA2, to protect against unauthorized access and
data breaches.
Gap from v3.2.1:
The focus on robust wireless security measures continues in v4.x, reflecting the ongoing need to secure
wireless communications effectively.
(Category 3/6) Maintaining a Vulnerability Management Program
PCI DSS v4.x Requirement 5: Protect All Systems and Networks from Malicious Software.
This requirement calls for implementing and operating countermeasures such as antivirus software and
behavior monitoring to protect systems from malware threats, and keeping these measures consistently
up to date.
What action must be taken to protect systems from malware?
A) Install and maintain anti-virus software.
B) Perform monthly system reboots.
C) Disable all network connections.
D) Limit user access to system settings.
Correct Answer:
A) Install and maintain anti-virus software.
Explanation:
Requirement 5.1 requires organizations to deploy anti-virus software on all systems commonly affected by
malware to detect, prevent, and remove malicious software, thereby safeguarding system integrity.
Gap from v3.2.1:
Concept unchanged.
How often should anti-virus mechanisms be updated?

21
A) Once every 12 months.
B) Once every three months.
C) Monthly.
D) Regularly, as defined in the organization's policies.
Correct Answer:
D) Regularly, as defined in the organization's policies.
Explanation:
Requirement 5.2 mandates that anti-virus mechanisms must be kept current through regular updates,
with the frequency defined by the organization's policies and procedures, to ensure effectiveness against
emerging threats.
Gap from v3.2.1:
Concept unchanged.
PCI DSS v4.x Requirement 6: Develop and Maintain Secure Systems and Software.
This requirement emphasizes the implementation of a secure software development lifecycle (SDLC),
management of vulnerabilities, and application of patches to ensure the security and maintainability of
systems.
What is required for developing secure applications?
A) Use of open-source code exclusively.
B) Implementation of a secure software development lifecycle (SDLC).
C) Outsourcing development to third parties.
D) Limiting the number of developers on a project.
Correct Answer:
B) Implementation of a secure software development lifecycle (SDLC).
Explanation:
Requirement 6.3 emphasizes the need for a secure SDLC that incorporates security considerations at
every phase of software development, ensuring that applications are resilient against vulnerabilities.
Gap from v3.2.1:
Concept unchanged.

22
How should vulnerabilities in custom-developed applications be addressed?
A) Ignored if they are low risk.
B) Documented and revisited Once every 12 months.
C) Mitigated based on risk assessment results.
D) Fixed only when an exploit is detected.
Correct Answer:
C) Mitigated based on risk assessment results.
Explanation:
Requirement 6.2 mandates that organizations establish a process to identify and rank security
vulnerabilities, applying patches or other remediation measures based on the criticality of the risk. This
ensures that the most significant threats are addressed promptly to protect the integrity of systems and
data.
Gap from v3.2.1:
The structured approach to vulnerability management continues in v4.x, with an added emphasis on
risk-based prioritization to enhance security posture.
What is the purpose of separating development, test, and production environments?
A) To enhance system performance.
B) To prevent unauthorized access to live data.
C) To reduce hardware costs.
D) To streamline the development process.
Correct Answer:
B) To prevent unauthorized access to live data.
Explanation:
Requirement 6.4.1 requires the separation of development, test, and production environments to
minimize the risk of unauthorized access or changes to live data and systems. This segregation helps
maintain the integrity and security of the production environment.
Gap from v3.2.1:
The requirement for environment separation remains unchanged in v4.x, underscoring its importance in
safeguarding production systems.

23
Why must test data and accounts be removed before a system becomes active?
A) To free up storage space.
B) To prevent unauthorized access.
C) To improve system performance.
D) To comply with licensing agreements.
Correct Answer:
B) To prevent unauthorized access.
Explanation:
Requirement 6.4.4 mandates the removal of test data and accounts prior to production deployment to
eliminate potential backdoors or vulnerabilities that could be exploited by unauthorized individuals.
Gap from v3.2.1:
The focus on eliminating non-production data and accounts before going live is consistently emphasized
in v4.x to maintain system security.
Is it permissible to use live PANs for testing or development purposes?
A) Yes, if encrypted.
B) Yes, with management approval.
C) No, under no circumstances.
D) Yes, if on a secure network.
Correct Answer:
C) No, under no circumstances.
Explanation:
Requirement 6.4.3 strictly prohibits the use of live Primary Account Numbers (PANs) for testing or
development to prevent potential exposure of sensitive data. Instead, organizations should use
anonymized or dummy data during these processes.
Gap from v3.2.1:
The prohibition against using live PANs in non-production environments continues in v4.x, highlighting
the critical need to protect cardholder data at all stages.

24
How should public-facing web applications be protected against known attacks?
A) By implementing a web application firewall (WAF).
B) By using intrusion detection systems.
C) By conducting Once every three months vulnerability scans.
D) By disabling unused services.
Correct Answer:
A) By implementing a web application firewall (WAF).
Explanation:
Requirement 6.6 requires organizations to protect public-facing web applications against known attacks
by installing a WAF or employing other appropriate security measures. This helps detect and prevent
common web-based threats such as SQL injection and cross-site scripting.
Gap from v3.2.1:
The emphasis on safeguarding web applications remains in v4.x, with continued advocacy for robust
protective measures like WAFs.
(Category 4/6) Implement Strong Access Control Measures
PCI DSS v4.x Requirement 7: Restrict Access to System Components and Cardholder Data by Business
Need to Know.
This requirement mandates designing and managing access controls based on the principle of least
privilege, granting only the minimum access necessary for business purposes to prevent unauthorized
access to cardholder data.
What principle should guide the assignment of access rights to system components and cardholder data?
A) Role-based access control.
B) Discretionary access control.
C) Mandatory access control.
D) Least privilege.
Correct Answer:
D) Least privilege.

25
Explanation:
Requirement 7.1 mandates that access to system components and cardholder data should be restricted
based on the principle of least privilege, granting users only the access necessary to perform their job
functions. This minimizes potential exposure and reduces the risk of unauthorized access.
Gap from v3.2.1:
v4.x emphasizes risk-based role design and aligns with CISM principles like assigning “data owners.” It
clarifies access control implementation beyond just job function.
How often must access rights be reviewed according to PCI DSS v4.x?
A) Once every 12 months only
B) Every six months
C) Once every 12 months or upon significant changes
D) Monthly
Correct Answer:
C) Once every 12 months or upon significant changes
Explanation:
Requirement 7.2.5 requires organizations to review user access privileges at least once every 12 months
and whenever job roles or responsibilities change. This ensures access remains aligned with current
business needs and helps identify and remove unnecessary privileges.
Gap from v3.2.1:
Version 4.0 clearly specifies the annual review timeframe and includes stronger emphasis on tying
reviews to organizational changes.
What is the primary purpose of implementing role-based access control (RBAC) in the cardholder data
environment (CDE)?
A) To simplify user account management.
B) To ensure users have access only to the data necessary for their job functions.
C) To enhance network performance.
D) To allow users to access all systems within the CDE.
Correct Answer:

26
B) To ensure users have access only to the data necessary for their job functions.
Explanation:
Requirement 7.1.2 of PCI DSS v4.x emphasizes restricting access to system components and cardholder
data based on users' job responsibilities. Implementing role-based access control (RBAC) ensures that
individuals can access only the information and resources necessary to perform their duties, thereby
minimizing the risk of unauthorized data exposure or modification. RBAC is also described in CISM.
Gap from v3.2.1:
The principle of restricting access based on job responsibilities remains consistent between v3.2.1 and
v4.x. However, v4.x provides more detailed guidance on implementing RBAC effectively to enforce the
principle of least privilege.
PCI DSS v4.x Requirement 8: Identify Users and Authenticate Access to System Components
This requirement ensures traceability of access by uniquely identifying and authenticating users. It also
mandates the use of multi-factor authentication (MFA) for remote access and other critical scenarios to
prevent unauthorized access.
What is required to verify a user's identity before granting access to cardholder data?
A) Single-factor authentication.
B) Multi-factor authentication (MFA).
C) Username and password only.
D) Biometric authentication only.
Correct Answer:
B) Multi-factor authentication (MFA).
Explanation:
Requirement 8.4.2 of PCI DSS v4.x mandates the use of multi-factor authentication (MFA) for all non-
console administrative access and all remote access to the cardholder data environment (CDE). MFA
requires at least two forms of authentication from different categories (e.g., something you know,
something you have, something you are).
Gap from v3.2.1:
While v4.x required MFA with something you know, something you have, AND something you are. V3.2.1
did not clarified that the multi-step with the same kind of factor, such as password on password does not
work as MFA on PCI DSS audit.

27
How should user accounts be managed when an employee leaves the organization?
A) Disable the account after 30 days.
B) Keep the account active for auditing purposes.
C) Immediately deactivate or remove the account.
D) Change the account password and monitor activity.
Correct Answer:
C) Immediately deactivate or remove the account.
Explanation:
Requirement 8.3.4 of PCI DSS v4.x requires that user accounts be immediately deactivated or removed
upon termination of employment or when access is no longer required. Promptly revoking access rights
reduces the risk of unauthorized access by former employees.
Gap from v3.2.1:
The immediate deactivation or removal of user accounts upon termination remains a consistent
requirement between v3.2.1 and v4.x, emphasizing the importance of timely access revocation.
What is the maximum period of inactivity before a user session must be automatically terminated?
A) 15 minutes.
B) 30 minutes.
C) 45 minutes.
D) 60 minutes.
Correct Answer:
A) 15 minutes.
Explanation:
Requirement 8.2.8 of PCI DSS v4.x specifies that user sessions must be automatically terminated after a
maximum of 30 minutes of inactivity. This measure helps protect systems from unauthorized access
when a user forgets to log out or leaves a session unattended.
Gap from v3.2.1:
PCI DSS v4.x Requirement 9: Restrict Physical Access to Cardholder Data
This requirement calls for restricting and managing physical access to environments containing cardholder

28
data. It includes maintaining entry and exit audit logs and monitoring visitors to reduce the risk of
unauthorized physical access.
How should physical access to sensitive areas be controlled?
A) By implementing biometric scanners.
B) By using security cameras (CCTV) only.
C) By requiring identification badges.
D) By restricting access to authorized personnel only.
Correct Answer:
D) By restricting access to authorized personnel only.
Explanation:
Requirement 9.1.1 of PCI DSS v4.x requires that physical access to sensitive areas, such as data centers
or server rooms, be limited to authorized personnel. Implementing measures like access control systems,
security badges, and visitor logs ensures that only individuals with a legitimate business need can enter
these areas, thereby protecting cardholder data from physical threats.
Gap from v3.2.1:
What must be implemented to monitor physical access to sensitive areas?
A) 24/7 security personnel.
B) Video surveillance cameras.
C) Motion detectors.
D) Alarm systems.
Correct Answer:
B) Video surveillance cameras.
Explanation:
Requirement 9.1.2 of PCI DSS v4.x mandates the use of video surveillance or other access monitoring
mechanisms to record physical access to sensitive areas. These recordings should be reviewed and
retained according to organizational policies to detect and deter unauthorized access.
Gap from v3.2.1:

29
How should media containing cardholder data be disposed of when no longer needed?
A) Store it securely indefinitely.
B) Delete the data using standard file deletion methods.
C) Destroy it by shredding, incineration, or other secure means.
D) Recycle it without any special precautions.
Correct Answer:
C) Destroy it by shredding, incineration, or other secure means.
Explanation:
Requirement 9.4 of PCI DSS v4.x mandates that media containing cardholder data must be destroyed
when it is no longer needed for business or legal reasons. Secure disposal methods include shredding,
incineration, or other means that render the data unreadable and irretrievable, ensuring that sensitive
information cannot be accessed or reconstructed.
Gap from v3.2.1:
(Category 5/6) Regular Monitoring and Testing of Networks
PCI DSS v4.x Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
This requirement involves recording and retaining audit logs of all user activity and system access. It also
requires establishing a process for daily log reviews to enable early detection and response to unauthorized
access or suspicious behavior.
What is the primary purpose of implementing logging mechanisms in the cardholder data environment
(CDE)?
A) To monitor system performance.
B) To detect and respond to security incidents.
C) To track employee productivity.
D) To comply with data retention policies.

30
Correct Answer:
B) To detect and respond to security incidents.
Explanation:
Requirement 10.1 of PCI DSS v4.x emphasizes the necessity of implementing logging mechanisms to
track user activities and system events within the cardholder data environment. These logs are crucial
for detecting, understanding, and responding to security incidents, as they provide a detailed record of
actions that can be analyzed to identify unauthorized activities or anomalies.
Gap from v3.2.1:
How long must audit trail records be retained to comply with PCI DSS v4.x?
A) At least one month.
B) At least three months.
C) At least six months.
D) At least 12 months.
Correct Answer:
D) At least 12 months.
Explanation:
Requirement 10.5.1 of PCI DSS v4.x specifies that audit trail records must be retained for at least one
year, with a minimum of three months immediately available for analysis. This retention period ensures
that historical data is available for forensic analysis and investigation in the event of a security incident.
Gap from v3.2.1:
Which of the following is a requirement for time synchronization within the cardholder data
environment?
A) Use of a dedicated time server for each system.
B) System clocks and time are synchronized using time-synchronization technology.
C) Manual adjustment of system clocks on a weekly basis.
D) Allowing systems to operate on different time zones for flexibility.

31
Correct Answer:
B) System clocks and time are synchronized using time-synchronization technology.
Explanation:
Consistent time settings across systems are ideal for accurate log collection, correlation, and analysis,
which are vital for forensic investigations and identifying the sequence of events during a security
incident.
Gap from v3.2.1:
“Synchronizing ALL critical system clocks and times” in v3.2.1 has been removed from v4.x, just like in
ISO27002:2013 from ISO27002: 2022 because it is not feasible for usages of cloud services and it is costly.
PCI DSS v4.x Requirement 11: Test Security of Systems and Networks Regularly
This requirement calls for the planned execution and documentation of measures such as vulnerability
scans, penetration tests, and file integrity monitoring to continuously verify the effectiveness of security
controls.
What is the purpose of conducting regular internal and external vulnerability scans?
A) To identify and mitigate security vulnerabilities.
B) To comply with organizational policies.
C) To assess employee adherence to security protocols.
D) To evaluate the effectiveness of physical security controls.
Correct Answer:
A) To identify and mitigate security vulnerabilities.
Explanation:
Requirement 11.2 of PCI DSS v4.x requires organizations to perform regular internal and external
vulnerability scans to identify weaknesses in their systems and networks. By proactively detecting
vulnerabilities, organizations can remediate them before they are exploited by attackers, thereby
enhancing the security posture of the cardholder data environment.
Gap from v3.2.1:
The emphasis on regular vulnerability scanning remains consistent between v3.2.1 and v4.x, with v4.x
providing additional guidance on the frequency and scope of scans.
How frequently must internal vulnerability scans be conducted according to PCI DSS v4.x?

32
A) Monthly
B) Once every three months
C) Semi-Once every 12 months
D) Once every 12 months
Correct Answer:
B) Once every three months
Explanation:
Requirement 11.3.1 of PCI DSS v4.x specifies that internal vulnerability scans must be performed at
least once every three months (Once every three months). Additionally, scans should be conducted after
any significant change to the network environment. Regular internal scanning helps identify and
remediate vulnerabilities within the organization's systems, thereby enhancing the security of the
cardholder data environment.
Gap from v3.2.1:
The requirement for Once every three months internal vulnerability scans remains consistent between
PCI DSS v3.2.1 and v4.x. However, v4.x introduces Requirement 11.3.1.2, which mandates authenticated
internal vulnerability scans. This new requirement emphasizes the need for deeper scanning using valid
credentials to uncover vulnerabilities that unauthenticated scans might miss. Organizations are
encouraged to adopt authenticated scanning practices to enhance their security posture.
What must be done after a significant change in the network to maintain PCI DSS compliance?
A) Restart all systems
B) Conduct a penetration test
C) Review employee access rights
D) Re-issue all encryption keys
Correct Answer:
B) Conduct a penetration test
Explanation:
Requirement 11.4.2 of PCI DSS v4.x requires that penetration testing be performed after any significant
change to the network (such as a new system component, new platform, or application upgrade). This
ensures that the change has not introduced new vulnerabilities and that security controls remain
effective.

33
Gap from v3.2.1:
While the expectation to test after changes existed previously, v4.x clarifies the need for targeted
penetration testing in addition to routine testing cycles, improving focus on validating security post-
change.
What is the purpose of implementing a change-detection mechanism such as file integrity monitoring
(FIM)?
A) To monitor employee productivity
B) To track hardware usage
C) To alert on unauthorized modifications to critical files
D) To verify software license compliance
Correct Answer:
C) To alert on unauthorized modifications to critical files
Explanation:
Requirement 11.5.1 of PCI DSS v4.x mandates the use of change-detection mechanisms like File
Integrity Monitoring (FIM) to detect unauthorized changes to critical system files, configuration files, or
content files. These alerts can help identify compromise attempts or internal misuse.
Gap from v3.2.1:
FIM was required in v3.2.1 as well, but v4.x emphasizes the need to generate alerts and respond
appropriately, not just log the changes. There is a stronger focus on actionable monitoring.
(Category 6/6) Maintaining an Information Security Policy
PCI DSS v4.x Requirement 12: Support Information Security with Organizational Policies and Programs
This requirement emphasizes maintaining and improving the organization’s security management
framework by establishing information security policies and procedures, defining responsibilities,
providing training, and preparing incident response plans.
What is the primary purpose of establishing an information security policy?
A) To comply with legal requirements.
B) To define and communicate the organization's security expectations and responsibilities.
C) To restrict employee access to the internet.
D) To manage financial reporting procedures.

34
Correct Answer:
B) To define and communicate the organization's security expectations and responsibilities.
Explanation:
Requirement 12.1 of PCI DSS v4.x mandates that organizations establish, publish, maintain, and
disseminate a security policy. This policy serves to clearly define security expectations, assign
responsibilities, and ensure that all personnel understand the importance of protecting cardholder data.
Gap from v3.2.1:
The requirement to have an information security policy remains consistent between v3.2.1 and v4.x, with
v4.x emphasizing the need for regular reviews and updates to address evolving threats.
How often must the information security policy be reviewed and updated?
A) Monthly.
C) Once every 12 months.
D) Bi-Once every 12 months.
Correct Answer:
Explanation:
Requirement 12.1.1 of PCI DSS v4.x specifies that the information security policy must be reviewed at
least once every 12 months and updated as needed to reflect changes to business objectives or the risk
environment. Regular reviews ensure that the policy remains relevant and effective in addressing
current security challenges.
Gap from v3.2.1:
The annual review requirement is consistent between v3.2.1 and v4.x, reinforcing the importance of
maintaining an up-to-date security policy.
What is required regarding risk assessments in PCI DSS v4.x?
A) They must be conducted only after a security incident.
B) They must be performed at least once every 12 months and after significant changes.

35
C) They are optional for organizations with a strong security record.
D) They should focus solely on external threats.
Correct Answer:
B) They must be performed at least once every 12 months and after significant changes.
Explanation:
Requirement 12.2 of PCI DSS v4.x mandates that organizations perform a formal risk assessment at
least once every 12 months and whenever there are significant changes to the environment. This process
helps identify and evaluate threats and vulnerabilities, ensuring that security controls remain effective
and appropriate.
Gap from v3.2.1:
The requirement for annual risk assessments and assessments after significant changes remains
unchanged from v3.2.1 to v4.x, emphasizing the ongoing need for proactive risk management.
What is the purpose of a formal security awareness program?
A) To train IT staff on advanced security protocols.
B) To educate all employees about the importance of cardholder data security.
C) To comply with international security standards.
D) To document security incidents.
Correct Answer:
B) To educate all employees about the importance of cardholder data security.
Explanation:
Requirement 12.6 of PCI DSS v4.x requires organizations to implement a formal security awareness
program to make all personnel aware of the importance of cardholder data security. Educated employees
are better equipped to recognize and respond to security threats, reducing the risk of data breaches.
Gap from v3.2.1:
The emphasis on security awareness training remains consistent between v3.2.1 and v4.x, highlighting
its critical role in an organization's overall security posture.
What must be included in an incident response plan?

36
A) Detailed financial recovery procedures.
B) Procedures for responding to a security breach, including roles, communication strategies, and
reporting requirements.
C) A list of all employees' contact information.
D) Steps for routine data backups.
Correct Answer:
B) Procedures for responding to a security breach, including roles, communication strategies, and
reporting requirements.
Explanation:
Requirement 12.10 of PCI DSS v4.x mandates that organizations establish and maintain an incident
response plan that outlines procedures for responding to security incidents. This plan should define roles,
communication protocols, and reporting obligations to ensure a swift and effective response to breaches.
Gap from v3.2.1:
The requirement for an incident response plan remains consistent between v3.2.1 and v4.x, with v4.x
providing additional guidance on testing and maintaining the plan.
How often must the incident response plan be tested?
A) Monthly.
D) Bi-Once every 12 months.
Correct Answer:
Explanation:
Requirement 12.10.2 of PCI DSS v4.x specifies that the incident response plan must be tested at least
once every 12 months. Regular testing ensures that the plan is effective and that personnel are prepared
to respond appropriately to security incidents.
Gap from v3.2.1:
The annual testing requirement for the incident response plan remains unchanged from v3.2.1 to v4.x,
reinforcing the need for preparedness.

37
What is required regarding service provider engagement?
A) Service providers must be certified by international standards.
B) Entities must maintain a list of all service providers with access to cardholder data and ensure they
are PCI DSS compliant.
C) Service providers must be monitored on a monthly basis.
D) Entities must develop their own security standards for service providers.
Correct Answer:
B) Entities must maintain a list of all service providers with access to cardholder data and ensure they
are PCI DSS compliant.
Explanation:
Requirement 12.8 of PCI DSS v4.x mandates that organizations maintain a comprehensive list of service
providers with access to cardholder data and ensure these providers are PCI DSS compliant. This
involves establishing written agreements that include acknowledgment of the service providers'
responsibility for securing cardholder data. Regular due diligence and monitoring are required to verify
ongoing compliance.
Gap from v3.2.1:
The obligation to manage and monitor service providers remains consistent between v3.2.1 and v4.x.
However, v4.x provides more detailed guidance on the specific responsibilities of entities in overseeing
their service providers' compliance.
What is the purpose of an annual risk assessment?
A) To identify vulnerabilities and threats to cardholder data.
B) To evaluate employee performance.
C) To assess the financial stability of the organization.
D) To review customer satisfaction levels.
Correct Answer:
A) To identify vulnerabilities and threats to cardholder data.
Explanation:

38
Requirement 12.2 of PCI DSS v4.x requires organizations to perform an annual risk assessment to
identify vulnerabilities and threats to cardholder data. This proactive approach helps in implementing
appropriate security measures to mitigate identified risks and protect sensitive information.
Gap from v3.2.1:
The requirement for an annual risk assessment remains unchanged from v3.2.1 to v4.x, emphasizing the
ongoing need for organizations to proactively identify and address security risks.
How should an organization handle security policies and procedures?
A) Develop them once and update only after a security incident.
B) Review and update them at least once Once every 12 months and after significant changes.
C) Share them only with the IT department.
D) Keep them confidential and undisclosed to employees.
Correct Answer:
B) Review and update them at least once every 12 months and after significant changes.
Explanation:
Requirement 12.1.1 of PCI DSS v4.x specifies that security policies and procedures must be reviewed and
updated at least once Once every 12 months and whenever there are significant changes to the
environment. This ensures that security measures remain effective and aligned with the current threat
landscape and organizational changes.
Gap from v3.2.1:
The mandate for annual reviews and updates after significant changes is consistent between v3.2.1 and
v4.x, reinforcing the importance of maintaining current and effective security policies.
What is required for personnel regarding security awareness?
A) Attend a one-time security training during onboarding.
B) Participate in an ongoing security awareness program.
C) Read and acknowledge the security policy once.
D) Pass a security certification exam Once every 12 months.
Correct Answer:
B) Participate in an ongoing security awareness program.

39
Explanation:
Requirement 12.6 of PCI DSS v4.x mandates that organizations implement a formal security awareness
program to ensure all personnel are aware of the importance of cardholder data security. This program
should be ongoing, providing regular updates and training to keep security at the forefront of employees'
responsibilities.
Gap from v3.2.1:
The emphasis on an ongoing security awareness program remains unchanged from v3.2.1 to v4.x,
highlighting the critical role of continuous education in maintaining a secure environment.
What is the role of an executive sponsor in an information security program?
A) To develop technical security controls.
B) To provide leadership and support for the information security program.
C) To conduct security assessments.
D) To manage day-to-day security operations.
Correct Answer:
B) To provide leadership and support for the information security program.
Explanation:
Requirement 12.4.1 of PCI DSS v4.x requires that an executive-level officer or executive management
assign overall responsibility for the information security program. This executive sponsor provides the
necessary leadership, support, and resources to ensure the program's effectiveness and alignment with
organizational objectives.
Gap from v3.2.1:
The role of an executive sponsor in supporting the information security program is consistent between
v3.2.1 and v4.x, emphasizing the importance of leadership commitment to security initiatives.
What is the purpose of conducting Once every three months reviews to confirm personnel are following
security policies and operational procedures?
A) To assess employee performance for annual reviews.
B) To ensure compliance with PCI DSS and identify areas for improvement.
C) To prepare for external audits.
D) To update security policies and procedures.

40
Correct Answer:
B) To ensure compliance with PCI DSS and identify areas for improvement.
Explanation:
Requirement 12.11 of PCI DSS v4.x mandates that service providers perform reviews at least Once every
three months to confirm that personnel are following security policies and operational procedures. These
reviews cover processes such as daily log reviews, firewall rule-set reviews, applying configuration
standards to new systems, responding to security alerts, and change management processes. Regular
reviews ensure that security controls are operating effectively and help identify areas where
improvements may be needed.
Gap from v3.2.1:
The requirement for every three months reviews remains consistent between v3.2.1 and v4.x,
emphasizing the importance of ongoing verification of security practices.
What is the purpose of PCI DSS Requirement 12.11.1 for service providers?
A) To conduct Once every three months reviews of firewall configurations.
B) To perform semi-annual internal vulnerability scans.
C) To document and maintain evidence of Once every three months review processes.
D) To ensure annual penetration testing is conducted.
Correct Answer:
C) To document and maintain evidence of Once every three months review processes.
Explanation:
Requirement 12.11.1 of PCI DSS v4.x mandates that service providers document and maintain evidence
of their Once every three months review processes. This includes records of reviews conducted to confirm
that personnel are adhering to security policies and operational procedures. Maintaining such
documentation ensures that the organization can demonstrate compliance during assessments and
facilitates accountability within the organization.
Gap from v3.2.1:
In PCI DSS v3.2.1, there was no explicit requirement for service providers to document and maintain
evidence of Once every three months reviews. The introduction of Requirement 12.11.1 in v4.x
emphasizes the importance of not only performing regular reviews but also retaining documented proof
of these activities to strengthen compliance verification processes.

41
Which of the following statements is correct regarding the use of Intrusion Detection Systems (IDS)
and/or Intrusion Prevention Systems (IPS)?
A) IDS/IPS must be implemented on all system components
B) IDS/IPS is required to identify all instances of cardholder data
C) IDS/IPS is needed to alert personnel to potential breaches
D) IDS/IPS is used to isolate CDE systems from all other systems
Correct Answer:
C) IDS/IPS is needed to alert personnel to potential breaches
Explanation:
Per Requirement 12.5.2, IDS/IPS technologies are used to detect abnormal activities or attacks within
systems and networks and to alert personnel. This enables a timely response to security incidents.
• A) is incorrect because IDS/IPS isn't mandatory for all systems—only those considered high-risk.
• B) is incorrect—data discovery tools or DLP are responsible for identifying CHD.
• D) is incorrect—segmentation is typically handled by firewalls or network security controls.
Question 64(Requirement 12):
What is the correct understanding of PCI DSS scope under v4.x?
A) Only places where account data is stored are in scope
B) Communications across network boundaries are excluded from scope
C) PCI DSS requirements do not apply to service providers
D) Locations where account data is transmitted, processed, stored, and all connected systems must be
documented and reviewed
Correct Answer:
D) Locations where account data is transmitted, processed, stored, and all connected systems must be
documented and reviewed
Explanation:
Requirement 12.5.2 states that not only the CDE, but also connected environments like backup or
recovery systems and failover networks must be included in scope. These must be documented and
reviewed at least once every 12 months.

42
How often must service providers review whether their personnel are following security policies and
operational procedures?
A) Monthly
B) Once every 12 months
C) Once every three months
D) As needed
Correct Answer:
C) Once every three months
Explanation:
Requirement 12.4.2 mandates that service providers ensure, at least Once every three months, that daily
log reviews, configuration standard application to new systems, responses to alerts, and change
management are performed by designated staff and reviewed by someone other than the implementer.
How often must personnel acknowledge and understand security policies and procedures?
A) At least once every six months
B) At least once every 12 months
C) Only during onboarding
D) Whenever they choose
Correct Answer:
Explanation:
Requirement 12.6.3 requires that applicable personnel (those involved with the CDE) review and
acknowledge the security policies and procedures Once every 12 months. This keeps their understanding
current.
In v3.2.1, this applied to "all personnel." v4.x narrows the scope to only "applicable personnel" and allows
more flexibility in how acknowledgment is recorded.
Gap from v3.2.1:
v3.2.1 required annual written or electronic acknowledgment from all staff. v4.x limits this to “applicable
personnel” and allows more flexible methods.

43
How frequently must an organization confirm the PCI DSS compliance status of its third-party service
providers (TPSPs)?
A) As needed
C) Only at contract renewal
Correct Answer:
Explanation:
Requirement 12.8.4 requires organizations to verify the compliance status of TPSPs at least once Once
every 12 months. This is to avoid unknowingly continuing services with non-compliant providers due to
changes in their environment or status.
Gap from v3.2.1:
In v3.2.1, training was required Once every 12 months. v4.x introduces risk-based flexibility using the
Customized Approach, in line with ISO 27001. v4.x introduces TPSP (Third-Party Service Provider)
terminology, clarifies shared responsibilities, and requires oversight documentation. This was not
detailed in v3.2.1.
Which requirements must be reviewed and documented regarding PCI DSS v4.x compliance status?
A) All requirements claimed as not applicable (N/A)
B) Requirements with incomplete testing
C) All requirements marked as "In Place"
D) Only those partially implemented
Correct Answer:
C) All requirements marked as "In Place"
Explanation:
Requirements 12.10.1 and 12.10.3 specify that all PCI DSS controls marked as "In Place" must have
supporting evidence, documentation, and review confirming their implementation. This is important for
audits and revalidation.

44
What is required regarding incident response plan testing in PCI DSS v4.x?
A) Review and test the incident response plan Once every 12 months
B) Only review the plan Once every 12 months
C) Only test the plan Once every 12 months
D) Delete audit logs within 3 months
Correct Answer:
A) Review and test the incident response plan Once every 12 months
Explanation:
Requirement 12.10.2 mandates that the incident response plan must be reviewed and tested at least
once every 12 months. Testing must include all elements defined in 12.10.1 to ensure effectiveness.
What is required when a security incident occurs under PCI DSS v4.x?
A) First report to the card brand
B) Immediately report to the police
C) Record, report, and respond based on defined procedures
D) First report to the QSA
Correct Answer:
C) Record, report, and respond based on defined procedures
Explanation:
Requirement 12.10.4 emphasizes following predefined procedures during a security incident. This
includes documenting the response, triggering communication channels, and executing corrective
actions.
What must an organization do if it relies on a service provider?
A) No need to verify the provider’s security measures
B) Include in the contract that the service provider accepts responsibility
C) Include in the contract that the service provider is PCI DSS compliant
D) Conduct reviews after terminating the service

45
Correct Answer:
B) Include in the contract that the service provider accepts responsibility
Explanation:
Requirement 12.8.2 requires a written agreement with the service provider explicitly stating their
responsibility for security measures affecting the CDE. This agreement is foundational in managing
third-party risk.
What is the correct way to manage incident contact information in PCI DSS v4.x?
A) Build a temporary contact structure for each incident
B) Create contact lists from scratch as needed
C) Maintain an always up-to-date list of incident contacts
D) Let only a specific department hold the contact info
Correct Answer:
C) Maintain an always up-to-date list of incident contacts
Explanation:
Requirement 12.10.1 states that organizations must document roles, responsibilities, and contact
strategies for incidents, including payment brands and acquirers. Updated contact information is critical
to avoid delays or communication failures.
Under PCI DSS v4.x, what kind of organizational structure is required in the event of a security
incident?
A) The CISO must lead the response
B) A team is required, but documentation is optional
C) An incident response team with defined roles and responsibilities must be established
D) The security manager must lead the response
Correct Answer:
C) An incident response team with defined roles and responsibilities must be established
Explanation:
Requirement 12.10.1 mandates the creation of a documented team structure with clearly defined roles,

46
responsibilities, and reporting procedures for incident response. This ensures readiness for prompt and
coordinated action during incidents.
According to PCI DSS v4.x, what is the appropriate review frequency for information security policies?
A) At least once every six months
C) At least once every three months
D) At least every 24 months
Correct Answer:
Explanation:
Requirement 12.1.2 requires organizations to review their information security policies and related
procedures at least once every 12 months or after any significant environmental changes. This ensures
policies remain relevant to evolving risks.
If a merchant’s CDE is shared with a TPSP, or if the TPSP could impact cardholder data, what must the
merchant do?
A) Visit the TPSP at least once every three months
B) Maintain a program to monitor TPSP contracts and compliance status
C) Keep a list of all PANs the TPSP can access
D) Store a copy of the TPSP’s ROC for at least 3 years
Correct Answer:
B) Maintain a program to monitor TPSP contracts and compliance status
Explanation:
Requirements 12.8.2 and 12.8.4 require that merchants clarify responsibilities in contracts and regularly
(at least once every 12 months) monitor TPSP compliance with PCI DSS.
Which of the following is a correct statement about Third-Party Service Providers (TPSPs)?

47
A) TPSPs are members of payment card brands
B) TPSPs certify compliance with PCI SSC
C) Transaction payment gateways are not considered TPSPs
D) A TPSP can also be a merchant
Correct Answer:
D) A TPSP can also be a merchant
Explanation:
According to Requirements 12.8 and 12.9, a TPSP is an entity that stores, processes, or transmits CHD
or manages PCI DSS requirements on behalf of another. A company like Amazon, which is both a
merchant and a service provider to others, would be considered both. PCI DSS compliance responsibility
defines TPSPs, not just their function.
Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers
Question 77 (Appendix A1):
What is a responsibility that multi-tenant service providers must fulfill?
A) Provide shared user accounts to tenants for accessing critical system binaries
B) Ensure that one tenant cannot access another tenant’s Cardholder Data Environment (CDE)
C) Make all audit log files available to all tenants
D) Provide hosting provider system configuration files to tenants
Correct Answer:
B) Ensure that one tenant cannot access another tenant’s Cardholder Data Environment (CDE)
Explanation:
Appendix A1 requires that multi-tenant service providers (such as cloud providers) must ensure that each
tenant’s CDE is properly isolated from others. Proper access controls, audit log segregation, and unique
account management are essential to enforce this separation.
Changes from v3.2.1:
In PCI DSS v3.2.1, the term "shared service provider" was used instead of "multi-tenant." This referred to
environments where infrastructure or systems were shared by multiple customers—such as IaaS cloud
services. PCI DSS v4.x updates the terminology to "multi-tenant" to reflect modern cloud usage and
provides clearer requirements in Appendix A1 related to tenant separation, access control, and
independent audit logging.

48
Useful knowledge areas related to PCI DSS compliance:
Question 78:
When a QSA company marks a requirement as “In Place” in the ROC template, which of the following
must be included?
A) Reasons the entity claims non-compliance
B) QSA’s observations of non-compliance with the system requirements
C) QSA’s observations that the system complies with the requirement
D) Project plans for how the entity will implement the requirement
Correct Answer:
C) QSA’s observations that the system complies with the requirement
Explanation:
For a requirement to be marked “In Place,” the ROC (Report on Compliance) must include documentation,
observations, and interviews showing that the requirement has been met. “Observation” refers to evidence
such as settings, process execution, and configuration noted during the audit.
Concept unchanged. The same expectations applied in v3.2.1.
Question 79:
Which of the following statements about roles and responsibilities is correct?
A) PCI SSC is responsible for setting merchant and TPSP compliance deadlines
B) Payment card brands manage the SSF application and PTS device lists
C) TPSPs (Third Party Service Providers) are responsible for their customers’ compliance
D) Acquirers are responsible for monitoring merchant compliance and verification
Correct Answer:
D) Acquirers are responsible for monitoring merchant compliance and verification
Explanation:
Acquirers oversee merchant PCI DSS compliance, including collecting necessary reports like ROCs or
SAQs. Card brands manage compliance programs. PCI SSC develops the standards, and TPSPs are
responsible for their own compliance—not their clients’.

49
Concept unchanged; the roles remain as defined in the previous version.
Question 80:
Which of the following statements about compensating controls is correct?
A) They’re not required if all other PCI DSS requirements are implemented
B) They must address the risk of not meeting a PCI DSS v4.x requirement
C) If the acquirer approves them, no worksheet is needed
D) Even if requirements are fully met, a worksheet must still be completed
Correct Answer:
B) They must address the risk of not meeting a PCI DSS v4.x requirement
Explanation:
Compensating controls are allowed when a requirement can’t be met directly, and they must provide
equivalent or stronger protection. PCI DSS Appendix B requires detailed documentation via the
Compensating Control Worksheet (CCW), including purpose, implementation, risk analysis, and testing
results.
Concept unchanged in principle.
Question 81:
Which entity determines a merchant’s transaction volume?
A) Acquirer
B) PCI SSC
C) ISA
D) Card Brand
Correct Answer:
A) Acquirer
Explanation:
Transaction volume refers to the number of credit card transactions processed by the merchant. It
determines the compliance level (Level 1–4) under PCI DSS and is assessed and managed by the acquirer,
not PCI SSC.
Concept unchanged—this has remained consistent.

50
Question 82:
Which entity defines the levels of merchants and service providers?
A) Acquirer
B) Payment card brands
C) PCI Security Standards Council (PCI SSC)
D) The merchants and providers themselves
Correct Answer:
Explanation:
Payment card brands like Visa and Mastercard define merchant and service provider levels based on
transaction volume. These levels influence the required validation method (e.g., ROC, SAQ).
Concept unchanged—the structure and responsibilities are consistent.
Question 83:
Which scenario results in the largest application sample size during a PCI DSS v4.x assessment?
A) Application development follows variable build procedures and non-centralized deployment
B) Development follows standard build procedures and uniform deployment
C) Applications not approved by the SSF
D) Applications approved under the SSF
Correct Answer:
A) Application development follows variable build procedures and non-centralized deployment
Explanation:
Non-uniform build and deployment environments introduce complexity. More samples are needed to
ensure representative and effective assessment.
v4.x explicitly clarifies how variation affects sample sizes.
Question 84:
Which of the following is considered a valid sample type for PCI DSS assessments?
A) Samples of compensating controls

51
B) Samples of PCI DSS v4.x requirements and test procedures
C) Samples of business facilities and system components
D) Samples of security policies and procedures
Correct Answer:
C) Samples of business facilities and system components
Explanation:
When evaluating large environments, QSAs use sampling to assess representative business locations and
system components. The sample must reflect the diversity of types, locations, and functions within the
assessed environment.
Concept unchanged—the same sampling approach applies.
Question 85:
What is the most effective way to reduce the scope of a PCI DSS assessment?
A) Do not store cardholder data
B) Encrypt cardholder data
C) Mask cardholder data
D) Store cardholder data in a database
Correct Answer:
A) Do not store cardholder data
Explanation:
Per Requirement 3.1, avoiding cardholder data storage is the most effective way to reduce assessment
scope. Encryption and masking protect data, but if data is stored, processed, or transmitted, it remains in
scope.
Concept unchanged.
Question 86:
Which of the following is a responsibility of the acquirer?
A) Be legally liable for merchants failing compliance programs
B) Set fines and legal actions for compliance program violations
C) Provide merchant compliance status to PCI SSC

52
D) Maintain a list of compliant merchants and service providers
Correct Answer:
D) Maintain a list of compliant merchants and service providers
Explanation:
Acquirers oversee their merchants' compliance and are responsible for tracking and managing lists of
compliant entities. Card brands issue fines; PCI SSC sets standards.
Concept unchanged.
Question 87:
Who defines the levels (e.g., Level 1 to Level 4) of merchants and service providers under PCI DSS?
:
A) Acquirer
C) PCI SSC (Security Standards Council)
D) Merchants and service providers themselves
Correct Answer:
Explanation:
Each payment card brand (e.g., Visa, Mastercard, JCB) defines its own merchant and service provider
levels based on the number of annual transactions. These levels determine the method of compliance
validation, such as ROC (Report on Compliance) or SAQ (Self-Assessment Questionnaire). PCI SSC creates
the standards but does not set the levels.
Gap from v3.2.1:
Concept unchanged. The responsibility of defining levels has always rested with the card brands. PCI DSS
v4.x clarifies this further with consistent terminology and reference in documentation.
Question 88:
Who determines the transaction volume of a merchant, which is used to classify compliance level?
A) PCI SSC
B) Acquirer
C) Internal Security Assessor (ISA)

53
D) Payment card brand
Correct Answer:
B) Acquirer
Explanation:
The acquirer (the bank or processor managing the merchant account) is responsible for calculating and
monitoring the merchant’s annual transaction volume. This volume determines the merchant's compliance
level under PCI DSS, which affects whether the merchant must complete an SAQ or a full ROC.
Gap from v3.2.1:
Concept unchanged in responsibility. PCI DSS v4.x maintains that the acquirer manages merchant
validation and volume classification, but v4.x documentation provides clearer examples and role
expectations.
Question 89:
Which of the following is the responsibility of an acquirer under PCI DSS?
A) Setting legal liabilities for non-compliance
B) Sending merchant compliance reports to PCI SSC
C) Certifying service providers under PCI DSS
D) Maintaining a list of compliant merchants and service providers
Correct Answer:
D) Maintaining a list of compliant merchants and service providers
Explanation:
Acquirers are responsible for overseeing the PCI DSS compliance of the merchants and service providers
they work with. This includes ensuring documentation (such as AOC or SAQ) is current and maintaining
a registry of compliant entities. They do not set legal consequences or report directly to PCI SSC.
Gap from v3.2.1:
Concept unchanged, but PCI DSS v4.x emphasizes continuous oversight and the importance of tracking
service provider and merchant compliance status. It strengthens monitoring expectations.
Question 90:
Which type of payment application falls under the Secure Software Framework (SSF)?
A) SaaS-based payment applications
B) Off-the-shelf commercial payment applications

54
C) Custom-developed internal applications
D) Individually customized single-client apps
Correct Answer:
B) Off-the-shelf commercial payment applications
Explanation:
SSF applies to commercial, off-the-shelf payment applications used by multiple organizations. It replaces
the former PA-DSS and is intended for applications that are broadly distributed and used in merchant
environments.
Gap from v3.2.1:
PA-DSS was the previous standard for off-the-shelf applications. In v4.x, SSF replaces it and applies to a
wider range of application delivery models, though the principle of approval remains similar.
Question 91:
What is true about SSF-approved applications in relation to PCI DSS?
A) They exempt the merchant from PCI DSS
B) They are only required for P2PE solutions
C) They fall within the merchant’s PCI DSS assessment scope
D) They replace all PCI DSS controls
Correct Answer:
C) They fall within the merchant’s PCI DSS assessment scope
Explanation:
Even when using SSF-approved apps, they are still part of the merchant’s PCI DSS scope. Compliance of
the application does not remove the merchant’s own responsibilities.
Gap from v3.2.1:
This clarification did not exist in PA-DSS. PCI DSS v4.x better defines the boundaries of SSF and how it
aligns with PCI DSS assessments.
Question 92:
Which of the following best describes PCI PTS (PIN Transaction Security)?
A) It is a software standard for payment apps
B) It applies only to closed-loop systems
C) It defines security for merchant PIN entry devices

55
D) It replaces SSF and PA-DSS
Correct Answer:
C) It defines security for merchant PIN entry devices
Explanation:
PCI PTS is a hardware-focused standard that ensures the physical security and functionality of devices
used for PIN entry, such as POS terminals. It works alongside PCI DSS and P2PE.
Gap from v3.2.1:
This was present in v3.2.1 but is emphasized more in v4.x, which clarifies the interplay between
application, encryption, and hardware device standards.
Question 93:
Which of the following is considered a closed-loop network under PCI DSS v4.x?
A) An organization issues the card via a third party and processes transactions externally
B) An organization both issues the card and directly acquires its transactions
C) Cards are issued by a partner, but transactions are processed internally
D) The organization relies on a shared processor and clearinghouse
Correct Answer:
B) An organization both issues the card and directly acquires its transactions
Explanation:
A closed-loop network refers to systems where the card issuer and transaction acquirer are the same entity.
These systems are sometimes exempt from PCI DSS, depending on how the environment is isolated from
traditional card brands.
Gap from v3.2.1:
The term was loosely used in v3.2.1. PCI DSS v4.x clarifies the conditions under which such models may
be excluded from compliance, typically through QSA or brand review.

56
Closing Remarks
Please note that all of the written content was created personally, so there may be some errors.
Thank you for your understanding.
With this, the understanding test, key points of PCI DSS v4.x, and guidance for developing your own
organization's security standards are now complete.
References
PCI SSC. Payment Card Industry (PCI) Data Security Standard Requirements and Testing Procedures,
Version 4.0.1, June 2024.
PCI SSC. Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment
Procedures, Version 3.2.1, May 2018.
ISACA. CISM Review Manual, 15th Edition.
ISACA. CISM Review Questions, Answers & Explanations Manual, 10th Edition.
National Institute of Standards and Technology (NIST). SP 800-171 Rev.3. Retrieved from
https://csrc.nist.gov/pubs/sp/800/171/r3/final
National Institute of Standards and Technology (NIST). SP 800-53 Rev.5. Retrieved from
https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
National Institute of Standards and Technology (NIST). The NIST Cybersecurity Framework (CSF) 2.0,
February 26, 2024.
International Organization for Standardization (ISO). ISO/IEC 27002:2022: Information security,
cybersecurity and privacy protection — Information security controls. Feb. 15, 2022
International Organization for Standardization (ISO). ISO/IEC 27001:2022: Information security,
cybersecurity and privacy protection — Information security management systems — Requirements. Oct.
25, 2022

Step-by-Step Procedure for Creating Security Policies Across All Industries in Japan

More Related Content

Similar to Step-by-Step Procedure for Creating Security Policies Across All Industries in Japan (20)

More from Boise State University - College of Engineering (20)

Recently uploaded (20)

Step-by-Step Procedure for Creating Security Policies Across All Industries in Japan