Requirement 9.6.1mandates theclassification of mediaso that appropriatehandling, storage, and disposalprocedures are applied based on thesensitivity of the data. This ensures that media storing cardholder data is not treated the same as media containing non-sensitive content.

Option A:✅Correct. Classifying media enablesrisk-appropriate protections.

Option B:❌Incorrect. Movement schedules are not mandated.

Option C:❌Incorrect. Labeling is a recommended control but not the primary intent.

Option D:❌Incorrect. Destruction must bebased on data classification, not uniform timing.

PCI DSSRequirement 12.1.1requires that security policies and procedures be disseminated to all relevant personnel and that those individualsunderstand and acknowledgethe policies. While review and update frequencies are also part of compliance, the most complete and correct answer is that policies must be shared with affected parties.

Option A:Incorrect. Encryption is not specifically required for policy documents.

Option B:Incorrect. Limiting access to only management contradicts the requirement for distribution.

Option C:Incorrect. The correct review cycle per Requirement 12.1.2 isannually, not quarterly.

Option D:Correct. Policies and procedures must be understood and acknowledged by all affected parties.

Compensating controls are alternative measures implemented when an entity cannot meet a specific PCI DSS requirement due to legitimate technical or business constraints. These controls must sufficiently mitigate the associated risk and be commensurate with the intent of the original PCI DSS requirement.​

Option A:Incorrect. Even if all other PCI DSS requirements are met, a compensating control is necessary when a specific requirement cannot be directly satisfied.​

Option B:Correct. A compensating control must effectively address and mitigate the risk associated with the inability to meet a particular PCI DSS requirement.​

Option C:Incorrect. While existing controls can support a compensating control, they must collectively address the risk of the unmet requirement and cannot merely be another existing PCI DSS requirement.​

Option D:Incorrect. A compensating control worksheet is mandatory to document the rationale, assessment, and validation of the compensating control, regardless of acquirer approval.​

For detailed guidance on compensating controls, refer toAppendix B: Compensating Controlsin thePCI DSS v4.0.1document.​

 Purpose of Classifying Media

PCI DSS v4.0 emphasizes the need to classify media based on the sensitivity of the data it contains. Media classification ensures appropriate handling, storage, and destruction processes​​.

 Media Protection Requirements

Media containing cardholder data must be securely stored, transferred, and destroyed when no longer needed.

Classification informs the level of protection required, such as encryption, physical security, or controlled access​​.

 Incorrect Options

Option B: Moving media quarterly is not a requirement.

Option C: Labeling as " Confidential " is insufficient without a comprehensive protection strategy.

Option D: Destruction schedules should depend on retention requirements and data sensitivity, not a universal timeline.

Stateful inspection (or stateful packet filtering)tracks the state of active connections and determines which packets are part of a valid session.Requirement 1.4.2references the use of network security controls (NSCs) withstateful filteringcapability to allow legitimate trafficonly in response to trusted requests.

Option A:❌Incorrect. Firewall admin procedures are not what “stateful” refers to.

Option B:✅Correct. “Stateful responses” mean tracking existing connections toblock unauthorised or spoofed responses.

Option C:❌Incorrect. That describes configuration management, not stateful filtering.

Option D:❌Incorrect. Logging is important but not part of stateful inspection.

PCI DSS allows for theuse of truncation and hashingfor protecting PAN, butRequirement 3.4.1and its guidance warn againstcombining hashed and truncated PANsin such a way that the original PAN could be reconstructed. If both formats exist,controls must ensurethey can ' t be used together to reverse-engineer the PAN.

Option A:✅Correct. Controls must ensure PAN cannot be reconstructed using both versions.

Option B:❌Incorrect. A hashed PAN does not need truncation — hashing is a separate mechanism.

Option C:❌Incorrect. PCI DSS aims to prevent correlation, not encourage it.

Option D:❌Incorrect. They can coexist, but must be secured so that PAN cannot be derived.

According toRequirement 1.2.1of PCI DSS v4.0.1, network security controls (NSCs), such as firewalls and segmentation controls, are used torestrict and control trafficbetween trusted and untrusted networks. This includes logical or physical network segmentation.

Option A:Incorrect. Anti-malware is addressed in Requirement 5.

Option B:Correct. NSCs control and restrict inbound and outbound traffic between logical and physical network segments.

Option C:Incorrect. Vulnerability management is under Requirement 6.

Option D:Incorrect. PAN encryption is covered in Requirement 3.5.

 Customized Approach Overview:

Under PCI DSS v4.0, entities can use a Customized Approach to meet requirements by implementing controls tailored to their environment. This allows flexibility while still achieving the intent of the security requirement.

 Role of Assessors:

Assessors (QSAs) are responsible for evaluating both the implementation of customized controls and ensuring these controls fulfill the security objectives of the PCI DSS requirements​​.

QSAs must document the evaluation, evidence reviewed, and results in the Report on Compliance (ROC).

 Controls Matrix and Targeted Risk Analysis (TRA):

The Controls Matrix and TRA are key components of the Customized Approach. QSAs assist in verifying the accuracy and completeness of these tools during assessments​​.

 Documenting in the ROC:

The ROC must include a narrative explaining the assessor’s findings regarding the customized control, validation methods, and any evidence collected​.

 Relevant PCI DSS v4.0 Guidance:

Appendix D and E of the PCI DSS v4.0 ROC Template emphasize that QSAs can evaluate and confirm adherence to the Customized Approach provided this is documented comprehensively in the ROC​.

TheROC Reporting Templaterequires assessors todocument how the requirement was verifiedas “In Place”. This includesmethods used, evidence reviewed, and how compliance was determined.

Option A:❌Incorrect. Project plans are relevant for “In Progress”, not “In Place”.

Option B:✅Correct. “In Place” requires an explanation ofassessor observations and validation.

Option C:❌Incorrect. This applies to “Not in Place”.

Option D:❌Incorrect. This applies to non-compliance scenarios.

PerRequirement 7.2.5and8.2.2, PCI DSS recommends thatonly application-layer accessbe allowed to databases storing cardholder data, preventing users from issuing direct SQL queries or accessing the database via administrative tools.

Option A:✅Correct. Restricting database access toprogrammatic (application-layer) methodsis strongly preferred and aligns with PCI DSS guidance.

Option B:❌Incorrect. Admins should not have unrestricted access unless justified and monitored.

Option C:❌Incorrect. Application IDs must not be used interactively by individuals (Requirement 8.6.1).

Option D:❌Incorrect. Shared accounts are disallowed (Requirement 8.2.1).