
[2025年10月07日] 無料PCI SSC QSA_New_V4試験問題と解答
検証済みQSA_New_V4問題集と解答は最新QSA_New_V4をダウンロード
PCI SSC QSA_New_V4 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
| トピック 5 |
|
質問 # 36
Which statement is true regarding the PCI DSS Report on Compliance (ROC)?
- A. The assessor must create their own ROC template for each assessment report.
- B. The assessor may use either their own template or the ROC Reporting Template provided by PCI SSC.
- C. The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs.
- D. The ROC Reporting Template provided by PCI SSC is only required for service provider assessments.
正解:C
解説:
PerSection 11 and 12of PCI DSS v4.0.1, assessors arerequired to use the official PCI SSC ROC Reporting Template. This ensures uniformity and completeness across all assessments. The same requirement applies to bothmerchants and service providersundergoing afull assessment (ROC).
* Option A:#Correct. PCI SSC mandates use of its official ROC template.
* Option B:#Incorrect. Custom assessor templates arenot permitted.
* Option C:#Incorrect. Assessorsmust notcreate their own templates.
* Option D:#Incorrect. The ROC template is used forbothmerchants and service providers, where applicable.
質問 # 37
If an entity shares cardholder data with a TPSP, what activity is the entity required to perform?
- A. The entity must test the TPSP's incident response plan at least quarterly.
- B. The entity must perform a risk assessment of the TPSP's environment at least quarterly.
- C. The entity must conduct ASV scans on the TPSP's systems at least annually.
- D. The entity must monitor the TPSP's PCI DSS compliance status at least annually.
正解:D
解説:
PCI DSSRequirement 12.8.4mandates that an entitymonitor the compliance status of third-party service providers (TPSPs) at least annually, especially when those TPSPs store, process, or transmit account data on the entity's behalf.
* Option A:Incorrect. Entities are not responsible for conducting ASV scans on TPSPs.
* Option B:Incorrect. There is no quarterly risk assessment requirement for TPSPs.
* Option C:Incorrect. Incident response testing for TPSPs is not a direct responsibility of the entity.
* Option D:Correct. Annual monitoring of TPSP compliance is explicitly required.
Reference:PCI DSS v4.0.1 - Requirement 12.8.4.
質問 # 38
An organization wishes to implement multi-factor authentication for remote access, using the user's Individual password and a digital certificate. Which of the following scenarios would meet PCI DSS requirements for multi-factor authentication?
- A. A different certificate is assigned to each individual user account, and certificates are not shared.
- B. Certificates are logged so they can be retrieved when the employee leaves the company.
- C. Certificates are assigned only to administrative groups, and not to regular users.
- D. Change control processes are In place to ensure certificates are changed every 90 days.
正解:A
解説:
Multi-Factor Authentication (MFA)
* MFA requires at least two factors from different categories: something you know (password), something you have (digital certificate), or something you are (biometric).
* PCI DSS Requirement 8 mandates that credentials like certificates must be unique to each user.
Secure Certificate Use
* Certificates must not be shared and should be assigned individually to ensure accountability and prevent unauthorized access.
Incorrect Options
* Option A: Limiting certificates to administrative groups does not fulfill PCI DSS for all users.
* Option C: Logging certificates for retrieval is unrelated to security requirements.
* Option D: Certificates do not have a mandatory 90-day change requirement.
質問 # 39
What must the assessor verify when testing that PAN is protected whenever it is sent over the Internet?
- A. The PAN is encrypted with strong cryptography.
- B. The PAN is securely deleted once the transmission has been sent.
- C. The security protocol is configured to support earlier versions.
- D. The security protocol is configured to accept all digital certificates.
正解:A
解説:
UnderRequirement 4.2.1.1, PAN (Primary Account Number) must be protected usingstrong cryptographywhenever it is transmitted overopen, public networks, including the Internet. Assessors are expected to verify that the cryptographic protocols (e.g., TLS 1.2 or higher) are properly implemented and that weak protocols (e.g., SSL, early TLS) are disabled.
* Option A:#Incorrect. Supporting earlier protocol versions (e.g., SSL, TLS 1.0) isnon-compliant.
* Option B:#Correct. Strong encryption (e.g., AES over TLS 1.2 or higher) must be verified.
* Option C:#Incorrect. Acceptingall certificatescould allowMITM (Man-in-the-Middle)attacks.
* Option D:#Incorrect. Deleting PAN after transmission is not a substitute for protecting it during transmission.
References:
PCI DSS v4.0.1 - Requirement 4.2.1.1
PCI DSS Glossary - Definitions for "strong cryptography" and "open, public networks"
質問 # 40
What must be included in an organization's procedures for managing visitors?
- A. Visitors retain their identification (for example, a visitor badge) for 30 days after completion of the visit.
- B. Visitors are escorted at all times within areas where cardholder data is processed or maintained.
- C. Visitor log includes visitor name, address, and contact phone number.
- D. Visitor badges are identical to badges used by onsite personnel.
正解:B
解説:
According toRequirement 9.4.2.2, visitors must beescorted at all timesin areas where cardholder data is stored or processed. This is a key component of physical access control and is intended to prevent unauthorised access or tampering.
* Option A:#Correct. Escorts aremandatoryfor visitors in sensitive areas.
* Option B:#Incorrect. Visitor badgesmust be distinguishablefrom employee badges.
* Option C:#Incorrect. PCI DSS requires name and firm represented, butnot full address or phone.
* Option D:#Incorrect. Visitor badges must besurrendered or deactivatedimmediately after the visit ends.
質問 # 41
What must be included in an organization's procedures for managing visitors?
- A. Visitors retain their identification (for example, a visitor badge) for 30 days after completion of the visit.
- B. Visitors are escorted at all times within areas where cardholder data is processed or maintained.
- C. Visitor log includes visitor name, address, and contact phone number.
- D. Visitor badges are identical to badges used by onsite personnel.
正解:B
解説:
According toRequirement 9.4.2.2, visitors must beescorted at all timesin areas where cardholder data is stored or processed. This is a key component of physical access control and is intended to prevent unauthorised access or tampering.
* Option A:#Correct. Escorts aremandatoryfor visitors in sensitive areas.
* Option B:#Incorrect. Visitor badgesmust be distinguishablefrom employee badges.
* Option C:#Incorrect. PCI DSS requires name and firm represented, butnot full address or phone.
* Option D:#Incorrect. Visitor badges must besurrendered or deactivatedimmediately after the visit ends.
References:
PCI DSS v4.0.1 - Requirements 9.4.2.1 to 9.4.2.3.
質問 # 42
Where can live PANs be used for testing?
- A. Pre-production (test) environments only it located outside the CDE.
- B. Production (live) environments only.
- C. Pre-production environments thatare located within the CDE.
- D. Testing with live PANs must only be performed in the OSA Company environment.
正解:C
解説:
Testing with Live PANs
* PCI DSS Requirement 6.4.3 requires that live PANs (Primary Account Numbers) only be used in secure and controlled environments within the CDE.
* Pre-production environments located within the CDE must adhere to all PCI DSS requirements for security and monitoring.
Prohibited Uses
* Testing with live PANs in environments outside the CDE violates PCI DSS. Only simulated data should be used in less secure testing environments.
Incorrect Options
* Option A: Production environments are for real transactions, not testing.
* Option B: Test environments outside the CDE are insecure for live PANs.
* Option D: The QSA environment is irrelevant to the organization's CDE testing controls.
質問 # 43
Passwords for default accounts and default administrative accounts should be?
- A. Configured to expire in 30 days.
- B. Changed within 30 days after installing a system on the network.
- C. Changed before installing a system on the network.
- D. Reset to the default password before installing a system on the network.
正解:C
解説:
According toRequirement 2.2.6,default passwords must be changed before systems are installed on the network. The use of default credentials (such as "admin/admin") presents a major security risk and is a well- known vector for breaches.
* Option A:#Incorrect. Changing within 30 days is not soon enough per PCI DSS.
* Option B:#Incorrect. Resetting to default would defeat the purpose of secure configuration.
* Option C:#Correct. The requirement is to change default passwordsprior to network connection.
* Option D:#Incorrect. Password expiration policies are a separate topic under Requirement 8.
質問 # 44
At which step in the payment transaction process does the merchant's bank pay the merchant for the purchase, and the cardholder's bank bill the cardholder?
- A. Settlement
- B. Clearing
- C. Authorization
- D. Chargeback
正解:A
解説:
Settlement in the Payment Process
* Settlement is the stage where the merchant's bank pays the merchant for the transaction, and the cardholder's bank debits the cardholder's account.
* PCI DSS does not explicitly describe the settlement process but emphasizes the protection of data during all stages.
Transaction Stages
* Authorization:Approves the transaction.
* Clearing:Data is sent to the cardholder's bank.
* Settlement:Funds are transferred between banks.
* Chargeback:Disputes are handled, and funds might be reversed.
質問 # 45
An LDAP server providing authentication services to the cardholder data environment is_____________?
- A. in scope for PCI DSS.
- B. not In scope for PCI DSS.
- C. in scope only if it stores, processes or transmits cardholder data.
- D. in scope only if itprovides authentication services to systems in the DMZ.
正解:A
解説:
Scope of PCI DSS:
* PCI DSS applies to all systems that store, process, or transmit cardholder data (CHD), as well as systems that can impact the security of the CDE. An LDAP server providing authentication services is considered a connected system that could impact the security of CHD and is therefore in scope.
Clarifications on Scope:
* Systems like LDAP servers that do not directly handle CHD but provide critical services to the CDE (e.
g., authentication) are in scope for PCI DSS.
Invalid Options:
* B/C/D:Scoping is not limited to direct storage, processing, or transmission of CHD but includes systems that could affect the CDE's security.
質問 # 46
Which of the following meets the definition of "quarterly" as indicated in the description of timeframes used in PCI DSS requirements?
- A. On the 1st of each fourth month.
- B. Occurring at some point in each quarter of a year.
- C. On the 15th of each third month.
- D. At least once every 95-97 days.
正解:B
解説:
According toSection 7 - Description of Timeframes Used in PCI DSS Requirements, the PCI DSS defines
"quarterly" as:
"An activity performed once per calendar quarter (i.e., one time in each three-month period), or as close as reasonably possible to the calendar quarter."
* Option A:#Correct. This aligns precisely with PCI DSS's definition -once in each three-month calendar quarter.
* Option B:#Incorrect. PCI DSS doesnotdefine quarterly by a fixed number of days.
* Option C & D:#Incorrect. Specific dates or months are not prescribed.
質問 # 47
What should the assessor verify when testing that cardholder data Is protected whenever It Is sent over open public networks?
- A. A proprietary security protocol is used.
- B. The security protocol accepts connections from systems with lower encryption strength than required by the protocol.
- C. The security protocol Is configured to accept all digital certificates.
- D. The security protocol accepts only trusted keys.
正解:D
解説:
Requirement for Secure Transmission:
* PCI DSS Requirement 4.1 mandates that cardholder data sent over open public networks must be protected with strong cryptographic protocols. Accepting only trusted keys ensures data integrity and prevents unauthorized access.
Key Validation Practices:
* Trusted keys and certificates are verified to ensure authenticity. Using untrusted keys compromises the security of the encrypted communication.
Prohibited Practices:
* A/D:Configuring protocols to accept all certificates or lower encryption strength violates PCI DSS encryption guidelines.
* B:Proprietary protocols are not inherently compliant unless they meet strong cryptographic standards.
Testing and Verification:
* Assessors verify the implementation of trusted keys by examining encryption settings, reviewing certificate chains, and conducting tests to confirm only trusted connections are accepted.
質問 # 48
Which of the following is a requirement for multi-tenant service providers?
- A. Provide customers with a shared user ID for access to critical system binaries.
- B. Ensure that customers cannot access another entity's cardholder data environment.
- C. Provide customers with access to the hosting provider's system configuration files.
- D. Ensure that a customer's log files are available to all hosted entities.
正解:B
解説:
Formulti-tenant service providers,isolation and segmentationare critical. As perRequirement 12.10.3, each customer's environment must besegregated and protectedsuch that no tenant can access another's data or systems.
* Option A:#Correct. This is the foundational control -isolation of customer environments.
* Option B:#Incorrect. Exposing system config files is a security risk.
* Option C:#Incorrect. Shared user IDs areexplicitly prohibitedby Requirement 8.2.1.
* Option D:#Incorrect. Customers should only access their own logs.
Reference:PCI DSS v4.0.1 - Requirement 12.10.3; Scoping Guidance for Service Providers.
質問 # 49
Viewing of audit log files should be limited to?
- A. Individuals who performed the logged activity.
- B. Individuals with administrator privileges.
- C. Individuals with read/write access.
- D. Individuals with a job-related need.
正解:D
解説:
Audit Log Access Control:
* PCI DSS Requirement 10.7 restricts access to audit logs to individuals with a job-related need to protect the integrity and confidentiality of the logs.
Rationale for Job-Related Need:
* Limiting access reduces the risk of tampering, accidental modification, or exposure of sensitive information.
Invalid Options:
* A:Individuals who performed the activity should not necessarily view logs unless required.
* B/C:Read/write access or administrator privileges are not prerequisites for log viewing.
質問 # 50
In accordance with PCI DSS Requirement 10, how long must audit logs be retained?
- A. At least 2 years, with the most recent month immediately available.
- B. At least 3 months, with the most recent month immediately available.
- C. At least 1 year, with the most recent 3 months immediately available.
- D. At least 2 years, with the most recent 3 months immediately available.
正解:C
解説:
PerRequirement 10.5.1.2, audit logs must be retained forat least one year, and the mostrecent three months must be readily availablefor analysis. This ensures traceability of security events over both short and longer- term periods.
* Option A:#Correct. Matches both duration and availability criteria.
* Option B:#Incorrect. Two years is not required.
* Option C:#Incorrect. The retention period is misstated.
* Option D:#Incorrect. One month is insufficient for immediate access.
質問 # 51
Which of the following is a requirement for multi-tenant service providers?
- A. Provide customers with a shared user ID for access to critical system binaries.
- B. Ensure that customers cannot access another entity's cardholder data environment.
- C. Provide customers with access to the hosting provider's system configuration files.
- D. Ensure that a customer's log files are available to all hosted entities.
正解:B
解説:
Formulti-tenant service providers,isolation and segmentationare critical. As perRequirement 12.10.3, each customer's environment must besegregated and protectedsuch that no tenant can access another's data or systems.
* Option A:#Correct. This is the foundational control -isolation of customer environments.
* Option B:#Incorrect. Exposing system config files is a security risk.
* Option C:#Incorrect. Shared user IDs areexplicitly prohibitedby Requirement 8.2.1.
* Option D:#Incorrect. Customers should only access their own logs.
質問 # 52
Which scenario meets PCI DSS requirements for critical systems to have correct and consistent time?
- A. Each internal system peers directly with an external source to ensure accuracy of time updates.
- B. Access to time configuration settings is available to all users of the system.
- C. Central time servers receive time signals from specific, approved external sources.
- D. Each internal system is configured to be its own time server.
正解:C
解説:
PerRequirement 10.6.1, PCI DSS mandates that time-synchronization technology be used, andsystems must be synchronized to a central time serverthat itself receives time from an approved external source. This ensures logs can be accurately correlated.
* Option A:Incorrect. Time inconsistency arises if each system operates independently.
* Option B:Incorrect. Time configuration must berestricted to authorised personnel only.
* Option C:Correct. Time should be sourced from a centralised server which is in sync with reliable external sources.
* Option D:Incorrect. Each system peering independently can cause inconsistencies.
Reference:PCI DSS v4.0.1 - Requirement 10.6.1.1.
質問 # 53
......
リアル問題集を使おう 100%無料QSA_New_V4試験問題集:https://jp.fast2test.com/QSA_New_V4-premium-file.html
更新された100%カバー率リアルQSA_New_V4試験問題で100%合格保証:https://drive.google.com/open?id=1EE7GyJLJaGEeEN4wLjgi7DsdErBsVXn3