 Scope of Change-Detection Mechanisms

PCI DSS v4.0 requires the implementation of a change-detection mechanism (e.g., file-integrity monitoring) to monitor unauthorized changes to critical files.

Critical files include system configuration and parameter files, application executable files, and scripts used in administrative functions​​.

 Intent of Monitoring System Files

These files often control security settings and operational parameters of systems within the Cardholder Data Environment (CDE). Unauthorized changes could compromise system security.

 Exclusions

Documents like application vendor manuals and security policies do not qualify as files requiring integrity monitoring since they do not directly impact the security posture or operational functions of systems in the CDE.

PCI DSS allows for theuse of truncation and hashingfor protecting PAN, butRequirement 3.4.1and its guidance warn againstcombining hashed and truncated PANsin such a way that the original PAN could be reconstructed. If both formats exist,controls must ensurethey can't be used together to reverse-engineer the PAN.

Option A:✅Correct. Controls must ensure PAN cannot be reconstructed using both versions.

Option B:❌Incorrect. A hashed PAN does not need truncation — hashing is a separate mechanism.

Option C:❌Incorrect. PCI DSS aims to prevent correlation, not encourage it.

Option D:❌Incorrect. They can coexist, but must be secured so that PAN cannot be derived.

PCI DSSRequirement 11.5.2mandates the use of file-integrity monitoring (FIM) or change-detection tools to monitorcritical filessuch as system binaries, configuration files, and system parameters.

Option A:❌Incorrect. Manuals are not critical system files.

Option B:❌Incorrect. Regularly changing files (e.g., logs or temp files) are typically excluded.

Option C:❌Incorrect. Policies and procedures are reviewed but not subject to FIM.

Option D:✅Correct. System config and parameter files must bemonitored for unauthorised changes.

 Purpose of Classifying Media

PCI DSS v4.0 emphasizes the need to classify media based on the sensitivity of the data it contains. Media classification ensures appropriate handling, storage, and destruction processes​​.

 Media Protection Requirements

Media containing cardholder data must be securely stored, transferred, and destroyed when no longer needed.

Classification informs the level of protection required, such as encryption, physical security, or controlled access​​.

 Incorrect Options

Option B: Moving media quarterly is not a requirement.

Option C: Labeling as "Confidential" is insufficient without a comprehensive protection strategy.

Option D: Destruction schedules should depend on retention requirements and data sensitivity, not a universal timeline.

As per thePCI DSS Glossary, “bespoke and custom software” is defined assoftware that is developed specifically for, and often by, the entity using it. This includes internally developed applications and externally developed applications created specifically for the entity.

Option A:❌Incorrect. Not all third-party software is custom — much is commercial off-the-shelf (COTS).

Option B:❌Incorrect. Customisability does not equal bespoke development.

Option C:✅Correct. Bespoke software is tailoredby or forthe entity’s specific needs.

Option D:❌Incorrect. Virtual terminals are payment interfaces, not types of software.

PCI DSSRequirement 8.4.2requiresmulti-factor authentication (MFA)to consist of two or moreindependent authentication factors. MFA must alsonot involve shared credentials, so each certificate must be tied to a specific individual.

Option A:❌Incorrect. MFA must apply toall applicable users, not just admins.

Option B:✅Correct. This meets PCI DSS: unique credentials per user and non-shared certificates.

Option C:❌Incorrect. Retaining certificates post-employment is a risk, not a compliance action.

Option D:❌Incorrect. PCI DSS doesn’t mandate 90-day certificate rotation; rather, secure usage and revocation are key.

Stateful inspection (or stateful packet filtering)tracks the state of active connections and determines which packets are part of a valid session.Requirement 1.4.2references the use of network security controls (NSCs) withstateful filteringcapability to allow legitimate trafficonly in response to trusted requests.

Option A:❌Incorrect. Firewall admin procedures are not what “stateful” refers to.

Option B:✅Correct. “Stateful responses” mean tracking existing connections toblock unauthorised or spoofed responses.

Option C:❌Incorrect. That describes configuration management, not stateful filtering.

Option D:❌Incorrect. Logging is important but not part of stateful inspection.