The strength of a key-encrypting key (KEK) should be at least equivalent to the strength of the data-encrypting key (DEK) it protects to ensure the overall security of the cryptographic system.​

Option A:Incorrect. DES (Data Encryption Standard) with a 256-bit key length is not a standard configuration, as traditional DES uses a 56-bit key, which is considered weak by modern standards.​

Option B:Incorrect. RSA with a 512-bit key length is considered weak and does not provide sufficient security for protecting AES 128-bit keys.​

Option C:Correct. Using an AES 128-bit key as the KEK to protect an AES 128-bit DEK ensures that both keys have equivalent strength, maintaining the integrity of the encryption system.​

Option D:Incorrect. ROT13 is a simple substitution cipher and does not provide adequate security for encrypting cryptographic keys.​

For detailed guidelines on cryptographic key management, refer toRequirement 3: Protect Stored Account Datain thePCI DSS v4.0.1document.​

There areseparate Attestation of Compliance (AOC) templatesfor different use cases, specifically formerchantsandservice providers, and forSAQsversusROCs. Each template is tailored to match the reporting needs of that assessment type.

Option A:✅Correct. PCI SSC publishes distinct AOC templates depending on whether the entity is a merchant or service provider, and depending on whether they are completing an SAQ or ROC.

Option B:❌Incorrect. The AOC is not signed by PCI SSC. It must be signed by the assessed entity and, where applicable, the QSA or ISA.

Option C:❌Incorrect. ROCs and SAQs use different AOC formats.

Option D:❌Incorrect. Both the entity and the assessor (if applicable)mustsign.

PerRequirement 2.2.5, allinsecure and unnecessary services, protocols, daemons, or functionsmust be disabled. This includes unnecessary features on firewalls and other devices. Disabling unneeded functions reduces the attack surface and aligns with secure configuration principles.

Option A:❌Incorrect. Shared accounts violateRequirement 8.2.1, which mandatesunique IDs.

Option B:❌Incorrect. Allowing all traffic is a violation ofRequirement 1.2.1, which requires " deny all unless explicitly allowed " .

Option C:❌Incorrect. Synchronizing rules may be useful but does not directly relate to hardening.

Option D:✅Correct. Disabling unused firewall features aligns with secure configuration.

As perRequirement 2.2.1, the purpose of limiting each server to one primary function is toreduce the risk of functions with lower security needs compromising more critical functions.

Option A:❌Incorrect. PCI DSS discourages combining different security-level functions.

Option B:✅Correct. This is the intent: toprevent lower-security processes from weakening high-security environments.

Option C:❌Incorrect. Functions shouldn’t depend on one another for security.

Option D:❌Incorrect. PCI DSS encourages raising security, not lowering it.

 Visitor Management Requirements:

PCI DSS Requirement 9.3 specifies that visitors must be escorted at all times in areas where cardholder data is present to prevent unauthorized access or breaches​​.

 Invalid Options:

B:Visitor badges must be distinguishable from employee badges.

C:Visitor logs are necessary but do not need detailed personal information like addresses.

D:Retaining visitor identification for 30 days is not a requirement.

Requirement 5.2.1.1clarifies thatanti-malware solutions are requiredonall in-scope systems,unlessthe system is evaluated asnot at risk for malware(e.g., Linux-based appliances with no Internet access). These risk evaluations must be documented and justified (5.2.3.1).

Option A:❌Incorrect. PCI DSS allows exceptions for systems not at risk.

Option B:❌Incorrect. Anti-malware applies to systems, not portable media per se.

Option C:❌Incorrect. Anti-malware scope is broader than just PAN-storing systems.

Option D:✅Correct. Systems not at risk can be excluded if justified and documented.

According toRequirement 9.3.1and9.4.1.2, physical access control mechanisms — including badge readers — must beprotected against tampering or disablingto prevent unauthorized access and maintain the integrity of access logs.

Option A:Correct. Physical access control systems must be protected from tampering.

Option B:Incorrect. Video cameras are requiredonly where appropriate; badge access may suffice.

Option C:Incorrect. Access logs must beretained for at least three months, not deleted monthly (see 9.4.1.3).

Option D:Incorrect. Motion sensors are not specifically required.

 Scope of Change-Detection Mechanisms

PCI DSS v4.0 requires the implementation of a change-detection mechanism (e.g., file-integrity monitoring) to monitor unauthorized changes to critical files.

Critical files include system configuration and parameter files, application executable files, and scripts used in administrative functions​​.

 Intent of Monitoring System Files

These files often control security settings and operational parameters of systems within the Cardholder Data Environment (CDE). Unauthorized changes could compromise system security.

 Exclusions

Documents like application vendor manuals and security policies do not qualify as files requiring integrity monitoring since they do not directly impact the security posture or operational functions of systems in the CDE.

 Scope of Anti-Malware Requirements

PCI DSS Requirement 5 mandates the use of anti-malware solutions on all in-scope systems unless the system is specifically documented as not being at risk from malware.

Examples of systems not at risk include those using operating systems that do not support anti-malware tools, provided proper justifications and alternative controls are implemented​​.

 Assessment Considerations

QSAs must verify and document why a system is considered " not at risk. "

Systems storing, processing, or transmitting cardholder data or that could impact the CDE are generally in-scope for anti-malware​​.

 Incorrect Options

Option A: While CDE systems and connected systems require protection, the requirement applies specifically to systems at risk from malware.

Option B: Portable electronic storage is not explicitly called out for universal anti-malware but must be controlled in line with overall security policies.

Option C: Systems storing PAN are only a subset of in-scope systems.

As per thePCI DSS Glossary, “bespoke and custom software” is defined assoftware that is developed specifically for, and often by, the entity using it. This includes internally developed applications and externally developed applications created specifically for the entity.

Option A:❌Incorrect. Not all third-party software is custom — much is commercial off-the-shelf (COTS).

Option B:❌Incorrect. Customisability does not equal bespoke development.

Option C:✅Correct. Bespoke software is tailoredby or forthe entity’s specific needs.

Option D:❌Incorrect. Virtual terminals are payment interfaces, not types of software.