Thirty-two really fun PCIP, QSA or ISA revision questions

I put together this series of sample PCIP questions and answers to help a friend who was revising for her PCIP exam. She passed and so I hope you also find them useful. It is a while since I actually took a PCI SSC exam and so these questions might not reflect the way that the PCI SSC currently asks questions or how they phrase their answers, however they should provide a useful knowledge test so you can discover your strengths and weaknesses.

The answers are contained in a downloadable PDF – there’s a link to it at the end of the questions.

The PDF is password protected – and here’s the deal. My PCIP-passing best friend has Multiple Sclerosis and I try to run one half-marathon each year to raise some funds for the MS Trust. You can find the password to unlock the answers on my current donation page. While you’re there – if you found this useful, fun or even a little annoying – a small donation would be awesome.

So here are the questions. For each one there is only one correct answer. Enjoy.

Q1 What information must be included in the network diagram?
A: Firewalls, routers and switches
B: Connections between other networks and the CDE excluding wireless networks
C: All connections between the CDE and all other networks
D: Wireless access points and firewalls

Q2: A merchant only accepts payments via the telephone and they enter the cardholder data directly into a webpage provided by their acquirer. Which SAQ is most likely to be the one the merchant should use?

Q3 How frequently should cardholder data that is beyond the specified retention period be deleted?
A: Immediately
B: Weekly
C: Monthly
D: Quarterly

Q4 If video cameras are used to monitor physical access to the CDE, how long should the logs be kept for?
A 1 month
B 3 months
C 6 months
D indefinitely

Q5. Who can approve the configuration of routers and firewalls protecting the CDE?
A: A QSA must approve the configuration
B: No specific approval is required, the person in charge of making changes to configuration just needs to make sure that all changes are correct
C: A senior executive must approve the configuration
D: Someone independent from the person that changes the configuration must approve the configuration

Q6 When is it OK for a merchant to store the CVV2 / CVC2 value
A: When it is encrypted using strong cryptography
B: When the merchant does not store, process or transmit PANs as well
C: It is never permitted for a merchant to store the CVV2/CVC2 value
D: Temporarily, before a transaction is authorised by the acquirer

Q7 Which PCI credentials entitle someone to sign a Report on Compliance
B: ASV and QSA
C: QSA and ISA

Q8: Which PCI standard helps secure physical devices used to read cardholder data such as magnetic stripe and EVM chip readers

Q9 Which PCI standard would have requirements that controlled how an issuer looked after blank payment cards before they were personalised with the customer’s name and PAN?
A: None – card without PAN are not covered by PCI Standards
D: PCI Card Production

Q10: Where does the standard require the use of a DMZ
A: Systems that provide authorised publicly accessible services must be in a DMZ
B: A DMZ is required to store cardholder data
C: A DMZ is required between wireless networks and the CDE
D: The standard doesn’t require the use of a DMZ

Q11: Sarah uses her laptop at home and also when she is in the office and connected to the CDE. Which of the following controls should be applied to Sarah’s laptop to comply with PCI DSS?

A: The laptop should be tested by the IT department before Sarah connects it to the CDE
B: Sarah cannot have access to the USB ports on the laptop
C: The laptop must have personal firewall software or an equivalent installed
D: Sarah cannot access wi-fi networks

Q12: Which entity in the payment ecosystem provides consumers with payment cards
A: Card brands
B: Card brands and issuers
C: Issuers
D: Card brands and acquirers

Q13 When can you use cardholder data in test environments?
A Never
B When troubleshooting
C Only when authorised by a QSA
D When supervised by a PCIP and deleted after use

Q14: Which of the following is not considered sensitive authentication data (SAD)
A Service code
D Full magnetic stripe track data

Q15 Is it OK to use Telnet for administrative access to the routers in your CDE?
A: Of course
B: Yes, if it is encapsulated in an encrypted VPN
C: Yes, if the routers do not support SSH
D: It is never OK to use telnet for administrative access

Q16 In the payment process what step typically follows authorisation?
A Clearing
B Acquiring
C Settlement
D Funds release

Q17 Which of the following is not an example of multi-factor authentication?
A: A username, password and certificate
B: A fingerprint and a password
C: A username, password and secret phrase
D: A smart card and an iris scan

Q18 What special provisions apply to public facing web applications?
A: None
B: Use automated code automated application vulnerability security assessment tools or methods AND a web application firewall
C: Use automated code automated application vulnerability security assessment tools or methods OR a web application firewall
D: Use real-time security monitoring tools

Q19 How many hours of CPE must a PCIP accumulate each year?
A: 5 Hours
B: 10 hours
C: 20 hours
D: 40 hours

Q20 A company’s mainframe doesn’t support encryption – so it is unable to comply with requirement 3.4 – what should the company do?
A: As this is a legitimate technical constraint, the company should develop appropriate documented compensating controls
B: Ask the QSA if it can ignore requirement 3.4
C: As the mainframe does not support encryption, mark the requirement as not applicable (N/A)
D: Request a PCI waiver from the PCI SSC

Q21 Which PCI standard would apply to a merchant that had purchased and was using a validated PCI P2PE solution?
D: None because the merchant only has encrypted data

Q22 Where does the standard require the use of firewalls?
A: Between the internet and the CDE, a DMZ and the internal network, between wireless networks and the CDE
B: Between the internet and internal networks
C: Between the wireless networks and the CDE, between the internet and the CDE
D: The standard does not require the use of firewalls, they are just recommended

Q23 Which of the following can be used to transmit cardholder data?
A Email
B Instant messaging
D Encrypted communications

Q24 How quickly should critical patches be applied?
A: As soon as possible
B: Within 7 days
C: Within one month
D: Within 3 months

Q25 When should a company make use of a compensating control?
A: When it cannot afford to implement a PCI DSS control
B: When its own risk assessment suggests a PCI DSS requirement is not needed
C: When a QSA runs out of time in the company’s annual assessment
D: When the company cannot meet the requirement due to legitimate technical or documented business constraints.

Q26. Which words in the right order complete this sentence? In a four-party model, a merchant transaction flows from the merchant to the _________, then the _________ and finally to the __________
A: Issuer, Acquirer, Card Brand
B: Card Brand, Issuer, Acquirer
C: Acquirer, Card Brand, PCI SSC
D: Acquirer, Card Brand, Issuer

Q27 Why would a merchant typically use a QIR?
A: After a compromise of cardholder data
B: To prepare for a new PCI DSS assessment
C: To purchase a PCI DSS compliance certificate
D: To implement a PA DSS application

Q28 Are stateful firewalls _______ for connections into the Cardholder Data Environment?
A: Recommended
B: Required
C: Optional
D: Not mentioned

Q29 If PAN is to be stored in a database, which of the following is not an acceptable way of storing a PAN?
A: Encrypted using strong cryptography and key management
B: Split into two parts, each half stored in a separate table
C: A one-way hash based on strong cryptography
D: Truncated

Q30: What entities may conduct external vulnerability scans?
D: A Penetration Tester

Q31 How quickly must inactive accounts be removed or disabled?
A: After 30 days’ inactivity
B: After 90 days’ inactivity
C: After 180 days’ inactivity
D: After one year of inactivity

Q32: What sanction does the PCI SSC not have against a PCIP who is in contravention of the PCI SSC Code of Professional Responsibility?
A: Issue a warning to the PCIP
B: Issue a warning to the PCIP’s employer
C: Suspend the PCIP from all PCI Programs
D: Revoke the PCIP qualification

And here’s a link to the answer sheet. Remember, this is password protected and you can find the password to unlock it on my current ‘fund raising for the MS Trust’ page. While you’re there, a small donation would be awesome 🙂

Webcast on Thursday 11th August

On Thursday 11th August at 6pm London (or 10am if you’re in San Francisco) I’ll be giving a webcast of my popular RSA Conference presentation, “How to Explain Cybersecurity to the Board Using the Simple Metaphor of Fire”. You can register here:

I presented this on the first day of RSA Conference in February and I assumed that because it was the Monday before the conference proper started not many people would come. I was really wrong. The room was full and I understand some people couldn’t get in. Some of the feedback I had afterwards included:

Speaker provided clear and constructive recommendations to facilitate discussion of technical subjects with non-subject matter experts. Very enjoyable.

This was a fantastic presentation and provided a great insight on a different way of thinking about presenting security with a publicly recognizable twist. Will definitely use his analogies in the future.

So if you’d like to find a simple way to explain some of the cyber security principles to colleagues and your C-suite this webcast may be useful. If you can’t attend in real-time I understand that a recording will appear on the RSA Conference website afterwards.

In memoriam requirement 1.3.3

It is rare for the DSS to get smaller; each version typically adds a few requirements based on lessons from forensic investigations of cardholder data breaches. However, in the summary of changes from version 3.1 to version 3.2 published this week I noticed:

1.3.3: Removed requirement as intent is addressed via other requirements in 1.2 and 1.3.

Perhaps, the resident threnodist at Private Eye (a satirical British newspaper) would mark its passing thus:

So farewell then requirement 1.3.3
“Prevent direct internet connections to the CDE”
was your request

People asked, does that require
a proxy server
or just a firewall?

You inspired
pedantic discussions
on the meaning of “direct”

Although you are gone
Your proxy servers live on

EJ Thribb (17½)

Is your employees’ privacy one of the first casualties in the battle to secure your information systems?

I’m speaking about the trade off between network security and employee privacy at the International Association of Privacy Professionals (IAPP) European Data Protection Congress in Brussels on the 2nd December.

In the face of modern cyber-threats, communication monitoring and surveillance are essential for the protection of corporate information. But monitoring technology is often intrusive of the privacy of system users and, ironically, the capabilities of modern cyber-solutions can bring increasing privacy risks for system users. What are the threats to user privacy of IT monitoring and surveillance tools that allow network communications to be retained for subsequent analysis and replay? What are the legitimate expectations of privacy in the workplace? How can the tensions be reconciled? Here, we will examine the threats presented to the privacy of system users by latest-generation monitoring technologies. We will explore the challenges involved in reconciling the need for robust system security with legal obligations to respect the privacy of system users. We will also consider strategies for managing these challenges and associated legal risks, including PIA and security risk assessments.

What you’ll take away:

  • An understanding of the privacy risks posed by latest-generation monitoring technologies.
  • Strategies for minimising privacy risks, including an appreciation of the role of consent in programmes of workplace surveillance both now and under the draft GDPR.

I’m really pleased to be co-presenting with Heledd Lloyd-Jones, a specialist privacy lawyer with Bird & Bird. Heledd sparked my interest in the intersection of privacy and information security seven years ago when I attended her brilliant ISEB Protection training course.

There are lots of other really interesting sessions at the conference; I’m really looking forward to The Ten Million Dollar Question: Managing Privacy Risks in Your Supply Chain and Cloud Privacy: How Do International Certification Standards Fit with the Proposed EU Regulation?

Registration for the conference is open now.

Pre-authorisation data (PCI DSS Q&A)

Question: Is pre-authorisation data in scope of PCI DSS?

Answer: Yes.

There’s quite a bit of misleading information on the internet about the status of pre-authorisation data. As far as all the card schemes are concerned there’s no difference between pre-authorisation data and post-authorisation data. If you store, process or transmit pre-authorised cardholder data then the PCI DSS requirements apply.

However, if your card brand agrees, you are permitted to store sensitive authentication data (SAD) which includes track-data, encrypted PIN blocks and CVV2 values before authorisation as long as it is deleted immediately after authorisation.

The best argument I once heard about this subject was from a QSA who said that a card number that had not been authorised “was just a random 16 digit number” and it was only the process of authorisation that made it cardholder data. He argued that the fact that it passed a Luhn check and was entered into a web form field labelled “card number” was immaterial. Nonsense: if it walks like a PAN, and quacks like a PAN, then it’s a PAN.

There’s also a PCI SSC FAQ about this.
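As an added illustration (not part of the original post), here is a small scan one could run over a pre-authorisation form log to show that what sits there is PAN whichever side of authorisation it is on: it finds 13 to 19 digit runs, applies the Luhn check the QSA mentioned, and reports only the last four digits so the report is not itself cardholder data. The log lines are constructed for the example, and the card numbers in them are the widely published test PANs, not real cards.

```python
from __future__ import annotations

import re

# Digit runs of 13-19 digits, allowing the spaces or dashes people type into
# a "card number" field; the look-arounds stop matches inside longer numbers.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) check over a string of ASCII digits."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2  # 10..18 -> 1..9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report only the last four digits, so the scan output is not itself PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit number in `text`, separators removed."""
    found = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_preauth_log(log_text: str) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every log line that holds a PAN."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for pan in find_pans(line):
            hits.append((line_no, mask_pan(pan)))
    return hits


# Constructed sample: a web form log captured before authorisation.  Line 3 is
# a mis-keyed number that fails Luhn; lines 2 and 4 are digit runs that are not PANs.
SAMPLE_PREAUTH_LOG = """\
2024-05-01T10:02:11 form=checkout field=card_number value=4111 1111 1111 1111 status=pending_auth
2024-05-01T10:02:12 form=checkout field=phone value=0207 946 0000 status=pending_auth
2024-05-01T10:03:40 form=checkout field=card_number value=4111111111111112 status=pending_auth
2024-05-01T10:05:03 form=checkout field=order_ref value=20240501100503 status=pending_auth
2024-05-01T10:06:19 form=checkout field=card_number value=5555 5555 5555 4444 status=pending_auth
"""

if __name__ == "__main__":
    for line_no, masked in scan_preauth_log(SAMPLE_PREAUTH_LOG):
        print(f"line {line_no}: PAN present ({masked}) - this store is in PCI DSS scope")
```

The order reference on line 4 is a 14-digit run that happens to fail Luhn, which is the usual reason a scan like this has a manageable false-positive rate; a digit run that does pass Luhn still needs a human to confirm it, but every confirmed hit means the store holds PAN and is in scope.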

Grand Central: Great trains, terrible terms

Recently I travelled to York on Grand Central Railway. I really like their train service because you pay the same fare whether you buy your ticket in advance, at the station, or on the train. I really dislike the terms and conditions for using their on-board wi-fi.

“Grand Central reserves the right to include the name, address and other relevant information relating to the User in a directory for the use of Grand Central users or other third parties, unless specifically requested by the User in writing not to do so.”

As a fair processing notice designed to let the user know what Grand Central will do with your data, this fails.

  • I guess by ‘directory’ they mean ‘database’. Directory is a terrible word to use, as most people’s mental model will be of something that’s open to anyone to consult – like a telephone directory.
  • It doesn’t say what use will be made of the data, just the types of people (Grand Central users and other third parties) who can use it.
  • It gives no indication of what could be relevant information. It could mean that they collect details of all the web sites you visit when using that connection, and add those to their ‘directory’.
  • If you were to apply the Information Commissioner’s Principle One test – what would the user expect Grand Central to do with their data?

Needless to say, I didn’t use the wi-fi, but emailed their customer service department once I was back on a real connection. Their response was:

“This is a generic condition from our WiFi service provider. The only detail we collect is email address and we may use this from time to time to contact users with details of Grand Central, offers and promotions. If you wish to be removed from the directory please inform us in writing.”

Which is a much better statement of the data they are collecting, and what they plan to do with it — essentially the fair processing notice that should have been available for using the wi-fi.

There are some lessons here:

  • Telling a user what data you’re collecting and what you are going to do with it is one of the fundamental principles of the DPA.
  • If you use generic text from someone else, then you risk being in breach of the first and second data protection principles.
  • Breaching the DPA at best gets you a letter from the ICO, and perhaps you’re added to his list of ‘potential incompetents’. After all, if you can’t write a basic statement of what you’re going to do with people’s data, you might be equally relaxed about how you look after it. Perhaps all the routers and file servers at Grand Central still have their generic passwords?

Filing cabinet breaches

I like to analyse the ICO’s undertakings and enforcement notices to see whether there are lessons you can learn from other people’s unfortunate mistakes.

Last year the Orbit housing association moved offices and in the process sold off some of their surplus-to-requirements filing cabinets. The problem was that there were some 57 files left in them. With 42 recovered, that left 15 customers’ files in the wild. The ICO insisted on an undertaking (PDF).

I resisted pointing out the obvious — that this was a bad idea — and reminding people that it is important to involve your DPA or security manager in office moves, and to embed DPA considerations in your business change process.

However a couple of weeks ago Lancashire County Council left some social work records in an old filing cabinet that was bought by a member of the public. Again the ICO required an undertaking (PDF).

There are a couple of lessons to take from these two incidents.

  1. It is worth reminding everyone in the organisation that the Data Protection Act applies to paper files that contain personal data. Just emphasising this in the next DPA or security training may help someone stop and think.
  2. Make sure that there’s a DPA or security check in all of your business change processes.

Data Sharing and the Blue Badge Parking Scheme

Back in 2008 the government announced that they were going to reform some of the ways the disabled parking / blue-badge scheme worked to reduce the amount of fraudulent use. When I heard this discussed on the radio, the government’s spokesman talked about providing £10 million towards a data sharing scheme to enable a council parking attendant to check on the validity of a blue badge issued by another council.

I have a knee-jerk adverse reaction to the words “government” and “data sharing” – especially when they are used in the same context as “the prevention and detection of crime”, so I checked out the strategy document (PDF) on the Department for Transport’s (DfT) site and was pleasantly surprised to find a sensible proposal:

“The preferred option going forward is to create a system which allows sharing of data through the linking of existing local authority databases. DfT will provide local authorities with up to £10m in funding over the next three years to establish a system of data-sharing.”

That was back in October 2008. Now that a consultant has finished a survey of all the IT systems local councils use to administer the scheme, the DfT is starting to run data sharing workshops with local councils and beginning to design the system (December status update – PDF).

In the meantime Rochdale council has made a successful bid to the Government Connect benefits realisation fund to investigate the “establishment of a national database with local access” for the blue badge scheme.

So, it will be interesting to see if a distributed approach is maintained and I’d like to offer my suggestions so that privacy is built in from the start. Because when you look at the problem, there is probably no need to share data.

Implement a simple question and answer approach. Not data sharing and not a centralised database.

Whose data is it?

People apply to their local council to issue a permit, so it is the job of the local council to look after that data. It’s the permit holder’s data that they entrust to the local council and in Data Protection Act terms, the local council is the Data Controller. The name of the issuing council is written on the permit along with a permit number (that also identifies the gender of the owner) and the date the permit expires.

Who needs to access it?

Parking enforcement officers from all over the UK (and perhaps eventually Europe) don’t need access to any more data than is written on the permit.

All they need is the answer to one question: “is this permit valid, invalid or being used illegally?”.

They don’t need to see any of the information that the issuing council has about the permit owner.

A parking officer may also like to report a concern to the issuing council – that they suspect the permit may be being used illegally. Sending this information to the council that issued the permit would then allow the council to get in touch with the permit holder directly. This keeps the relationship between the local council and the permit holder and doesn’t make the permit holder subject to potentially inconsistent actions of parking attendants anywhere in the country.

A network of local databases:

From a technical perspective, the system constraints are simply this:

  • Each council needs to keep the responsibility of looking after the data of their permit holders.
  • Other authorities (who are properly authorised and validated by the issuing council) need to be able to ask a question of this information, and receive an answer.

So here’s one way of building this system.

Each council maintains their own database of permits and permit holders (as the DfT initially suggests). They look after the security of the data and they don’t export the data to any other system.

Each council issues all of the other councils an electronic access key that allows them to ask a validity question from the issuing council’s database.

Whenever a parking enforcement officer needs to check whether a permit is valid, they send:

  • The permit ID in question
  • Their ID (e.g. their badge number – something that can individually identify them)
  • Their council’s access key

to the council that issued the permit (they can read this from the permit). The issuing council would then reply with one of four answers:

  1. We didn’t issue that permit. (It’s probably a forgery.)
  2. We issued that permit, and the permit is valid.
  3. The permit is invalid (it may have just expired — this allows the issuing council to set their own grey-area) so doesn’t confer any rights to disregard parking restrictions.
  4. The permit is invalid and has been reported stolen or withdrawn by the issuer and should be seized.

The parking attendant can then perform the relevant statutory actions.

No personal data needs to be shared between the issuing council and the parking attendant, wherever they are in the country.


  1. I’m not an expert on parking, permit fraud or enforcement. There may be many reasons why this simple query / answer approach wouldn’t solve the problems with fraudulent permit use. However, this is the best place to start. If people think that a parking enforcement officer needs more information then they should make the case for this. It is always best to share the minimum amount of data necessary to remain compliant with the third (only get and use data you need) data protection principle.
  2. I’ve simplified this discussion to the broad question of data copying, data sharing or my preferred question:response which would share the minimum of personal information. There’s a separate technical discussion about the best way of achieving this, and whether it would be best implemented using public-private key encryption, with a central-key management system operated jointly by all councils. There would be some other issues to explore around how long a key is valid for, and how a local council revokes another authority’s access.
  3. I’d also be tempted to consider whether using near-field RFID chips in the permits would add value to the system and make the permits harder to forge. It would also reduce the frequency of number keying errors by a glove-wearing parking attendant on a cold day, as their terminal would just be able to read the permit ID through the windscreen.
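The query/response design above, together with the key revocation question raised in note 2, as an added worked example. It is not from the post or from any DfT or council system; the council names, permit IDs, access key and permit records are all constructed. Each issuing council keeps its own permit table and a list of fingerprints of the access keys it has issued to other councils; a query carries the permit ID, the officer’s ID and the asking council’s key, and the reply is one of the four answers and nothing else.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Answer(Enum):
    """The four replies an issuing council gives; nothing else ever leaves it."""
    NOT_ISSUED = 1   # we did not issue that permit (probably a forgery)
    VALID = 2        # we issued it and it is valid
    INVALID = 3      # e.g. expired; confers no rights to disregard restrictions
    SEIZE = 4        # reported stolen or withdrawn by the issuer


@dataclass
class PermitRecord:
    # Personal data the issuing council is Data Controller for.  It is used
    # to answer the question but never appears in the reply.
    holder_name: str
    holder_address: str
    expires: date
    withdrawn: bool = False
    reported_stolen: bool = False


@dataclass
class IssuingCouncil:
    name: str
    grace_days: int = 0                 # the issuer's own post-expiry grey area
    permits: dict[str, PermitRecord] = field(default_factory=dict)
    # SHA-256 fingerprints of the access keys issued to other councils, so a
    # copy of this table cannot be used as the keys themselves
    partner_key_hashes: dict[str, str] = field(default_factory=dict)
    audit_log: list[tuple[str, str, str, str, str]] = field(default_factory=list)

    @staticmethod
    def _fingerprint(key: bytes) -> str:
        return hashlib.sha256(key).hexdigest()

    def issue_key(self, partner: str, key: bytes) -> None:
        """Give another council a key that lets it ask validity questions."""
        self.partner_key_hashes[partner] = self._fingerprint(key)

    def revoke_key(self, partner: str) -> None:
        """Withdraw a partner council's access (the revocation point in note 2)."""
        self.partner_key_hashes.pop(partner, None)

    def answer_query(self, partner: str, key: bytes, officer_id: str,
                     permit_id: str, today: date) -> Answer:
        """The one question an officer may ask, and the one-word answer."""
        stored = self.partner_key_hashes.get(partner)
        # constant-time comparison so a wrong key cannot be narrowed down via timing
        if stored is None or not hmac.compare_digest(stored, self._fingerprint(key)):
            raise PermissionError(f"{partner}: unknown or revoked access key")

        record = self.permits.get(permit_id)
        if record is None:
            answer = Answer.NOT_ISSUED
        elif record.reported_stolen or record.withdrawn:
            answer = Answer.SEIZE
        elif today > record.expires + timedelta(days=self.grace_days):
            answer = Answer.INVALID
        else:
            answer = Answer.VALID

        # Who asked, from which council, about which permit, and what we said:
        # enough for the issuer to follow up with its own permit holder.
        self.audit_log.append((today.isoformat(), partner, officer_id, permit_id, answer.name))
        return answer


def build_example_council() -> IssuingCouncil:
    """Constructed sample data; the names, permit IDs and key are invented."""
    issuer = IssuingCouncil(name="Issuing Council A", grace_days=14)
    issuer.permits["A-123456"] = PermitRecord("Holder One", "1 Example Street", date(2026, 6, 30))
    issuer.permits["A-654321"] = PermitRecord("Holder Two", "2 Example Street", date(2024, 1, 31))
    issuer.permits["A-111111"] = PermitRecord("Holder Three", "3 Example Street",
                                              date(2027, 1, 1), reported_stolen=True)
    issuer.issue_key("Council B", b"constructed-access-key-for-council-b")
    return issuer


def run_checks(today: date = date(2025, 3, 1)) -> dict[str, str]:
    """An officer from Council B checks four permits; then B's key is revoked."""
    issuer = build_example_council()
    key = b"constructed-access-key-for-council-b"
    results = {}
    for permit_id in ("A-123456", "A-654321", "A-111111", "A-999999"):
        results[permit_id] = issuer.answer_query("Council B", key, "officer-42", permit_id, today).name
    issuer.revoke_key("Council B")
    try:
        issuer.answer_query("Council B", key, "officer-42", "A-123456", today)
        results["after_revocation"] = "answered"
    except PermissionError:
        results["after_revocation"] = "refused"
    return results


if __name__ == "__main__":
    for permit_id, outcome in run_checks().items():
        print(f"{permit_id}: {outcome}")
```

PermitRecord holds the holder’s name and address only so the council can answer; the reply type cannot carry them, and the audit log records who asked about which permit so the issuer can follow up a concern with its own permit holder. How keys are distributed and rotated (the public-key option in note 2) is left open here: the example only shows that revoking a partner council’s key closes its access immediately.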

The future of privacy talk at ORG

Bruce Schneier spoke on the subject of The Future of Privacy at the Open Rights Group on Friday. The ORG is the ‘UK equivalent’ of the EFF and I’m proud to be one of its founder members. I’ve heard Bruce speak a few times, most recently at WEIS 09, and I’ve always been impressed by his relaxed presentation style. This was a great event and ORG has posted a video of it on its web site. I’d recommend watching both the presentation and the Q&A afterwards.

UPDATED: Here are the links to the presentation and the Q&A.

A few highlights (with comments):

  • In relation to large government databases, built to facilitate data mining techniques for suspicious activities, Bruce commented that if you’re looking for a needle in a haystack, it doesn’t seem very sensible to add more hay!
  • On CCTV he posited that we’re living in a unique time. Ten years ago there were no cameras, now there are hundreds of cameras and we can see them all, in ten years’ time there will be many hundreds of cameras, but we won’t be able to see any of them.
  • When ‘life recorders’ become widely used (and they’d only need about 1TB a year to record your entire life) he could see that not having an active life recorder would be seen as suspicious — much like leaving or turning off your mobile phone is now presented as “evidence” that you were up to no good.
  • Ephemeral conversation is dying.
  • The real dichotomy is not security v privacy, but liberty v control. He argued that privacy increases power, and openness decreases power. So citizens need privacy and governments need to be open for a balanced democracy to prosper.
  • The death of privacy has been predicted for centuries (for instance, see Warren and Brandeis’ The Right to Privacy published in 1890). Without a doubt privacy is changing and this is a natural process — but it isn’t inevitable. Our challenge is to either accept this, or to reset the balance between privacy and the mass of identity-based data gathered for commercial gain and state security. Laws are the prime way to reset that balance.
  • When asked the one thing he’d like to change, he replied it would be to implement European style data protection legislation (like our own Data Protection Act) in the US.