Thirty-two really fun PCIP, QSA or ISA revision questions

I put together this series of sample PCIP questions and answers to help a friend who was revising for her PCIP exam. She passed and so I hope you also find them useful. It is a while since I actually took a PCI SSC exam and so these questions might not reflect the way that the PCI SSC currently asks questions or how they phrase their answers, however they should provide a useful knowledge test so you can discover your strengths and weaknesses.

The answers are contained in a downloadable PDF – there’s a link to it at the end of the questions.

The PDF is password protected – and here’s the deal. My PCIP-passing best friend has Multiple Sclerosis and I try to run one half-marathon each year to raise some funds for the MS Trust. You can find the password to unlock the answers on my current donation page While you’re there – if you found this useful, fun or even a little annoying – a small donation would be awesome.

So here are the questions. For each one there is only one correct answer. Enjoy.

Q1 What information must be included in the network diagram?
A: Firewalls, routers and switches
B: Connections between other networks and the CDE excluding wireless networks
C: All connections between the CDE and all other networks
D: Wireless access points and firewalls

Q2: A merchant only accepts payments via the telephone and they enter the cardholder data directly into a webpage provided by their acquirer. Which SAQ is most likely to be the one the merchant should use?

Q3 How frequently should cardholder data that is beyond the specified retention period be deleted?
A: Immediately

B: Weekly
C: Monthly
D: Quarterly

Q4 If video cameras are used to monitor physical access to the CDE, how long should the logs be kept for?
A 1 month
B 3 months
C 6 months
D indefinitely

Q5. Who can approve the configuration of routers and firewalls protecting the CDE?
A: A QSA must approve the configuration
B: No specific approval is required, the person in charge of making changes to configuration just needs to make sure that that all changes are correct
C: A senior executive must approve the configuration
D: Someone independent from the person that changes the configuration must approve the configuration

Q6 When is it OK for a merchant to store the CVV2 / CVC2 value
A: When it is encrypted using strong cryptography
B: When the merchant does not store, process or transmit PANs as well
C: It is never permitted for a merchant to store the CVV2/CVC2 value
D: Temporarily, before a transaction is authorised by the acquirer

Q7 Which PCI credentials entitle someone to sign a Report on Compliance
B: ASV and QSA
C: QSA and ISA

Q8: Which PCI standard helps secure physical devices used to read cardholder data such as magnetic stripe and EVM chip readers

Q9 Which PCI standard would have requirements that controlled how an issuer looked after blank payment cards before they were personalised with the customer’s name and PAN?
A: None – card without PAN are not covered by PCI Standards
D: PCI Card Production

Q10: Where does the standard require the use of a DMZ
A: Systems that provide authorised publicly accessible services must be in a DMZ
B: A DMZ is required to store cardholder data
C: A DMZ is required between wireless networks and the CDE
D: The standard doesn’t require the use of a DMZ

Q11: Sarah uses her laptop at home and also when she is in the office and connected to the CDE. Which of the following controls should be applied to Sarah’s laptop to comply with PCI DSS?

A: The laptop should be tested by the IT department before Sarah connects it to the CDE
B: Sarah cannot have access to the USB ports on the laptop
C: The laptop must have personal firewall software or an equivalent installed
D: Sarah cannot access wi-fi networks

Q12: Which entity in the payment ecosystem provides consumers with payment cards
A: Card brands
B: Card brands and issuers
C: Issuers
D: Card brands and acquirers

Q13 When can you use cardholder data in test environments?
A Never
B When troubleshooting
C Only when authorised by a QSA
D When supervised by a PCIP and deleted after use

Q14: Which of the following is not considered sensitive authentication data (SAD)
A Service code
D Full magnetic stripe track data

Q15 Is it OK to use Telnet for administrative access to the routers in your CDE?
A: Of course
B: Yes, if it is encapsulated in an encrypted VPN
C: Yes, if the routers do not support SSH
D: It is never OK to use telnet for administrative access

Q16 In the payment process what step typically follows authorisation?
A Clearing
B Acquiring
C Settlement
D Funds release

Q17 Which of the following is not an example of multi-factor authentication?
A: A username, password and certificate
B: A fingerprint and a password
C: A username, password and secret phrase
D: A smart card and an iris scan

Q18 What special provisions apply to public facing web applications?
A: None
B: Use automated code automated application vulnerability security assessment tools or methods AND a web application firewall
C: Use automated code automated application vulnerability security assessment tools or methods OR a web application firewall
D: Use real-time security monitoring tools

Q19 How many hours of CPE must a PCIP accumulate each year?
A: 5 Hours
B: 10 hours
C: 20 hours
D: 40 hours

Q20 A company’s mainframe doesn’t support encryption – so it is unable to comply with requirement 3.4 – what should the company do?
A: As this is a legitimate technical constraint, the company should develop appropriate documented compensating controls
B: Ask the QSA if it can ignore requirement 3.4
C: As the mainframe does not support encryption, mark the requirement as not applicable (N/A)
D: Request a PCI waiver from the PCI SSC

Q21 Which PCI standard would apply to a merchant that had purchased and was using a validated PCI P2PE solution?
D: None because the merchant only has encrypted data

Q22 Where does the standard require the use of firewalls?
A: Between the internet and the CDE, a DMZ and the internal network, between wireless networks and the CDE
B: Between the internet and internal networks
C: Between the wireless networks and the CDE, between the internet and the CDE
D: The standard does not require the use of firewalls, they are just recommended

Q23 Which of the following can be used to transmit cardholder data?
A Email
B Instant messaging
D Encrypted communications

Q24 How quickly should critical patches be applied?
A: As soon as possible
B: Within 7 days
C: Within one month
D: Within 3 months

Q25 When should a company make use of a compensating control?
A: When it cannot afford to implement a PCI DSS control
B: When its own risk assessment suggests a PCI DSS requirement is not needed
C: When a QSA runs out of time in the company’s annual assessment
D: When the company cannot meet the requirement due to legitimate technical or documented business constraints.

Q26. Which words in the right order complete this sentence? In a four-party model, a merchant transaction flows from the merchant to the _________, then the _________ and finally to the __________
A: Issuer, Acquirer, Card Brand
B: Card Brand, Issuer, Acquirer
C: Acquirer, Card Brand. PCI SSC
D: Acquirer, Card Brand, Issuer

Q27 Why would a merchant typically use a QIR?
A: After a compromise of cardholder data
B: To prepare for a new PCI DSS assessment
C: To purchase a PCI DSS compliance certificate
D: To implement a PA DSS application

Q28 Are stateful firewalls _______ for connections into the Cardholder Data Environment?
A: Recommended
B: Required
C: Optional
D: Not mentioned

Q29 If PAN is to be stored in a database, which of the following is not an acceptable way of storing a PAN?
A: Encrypted using strong cryptography and key management
B: Split into two parts, each half stored in a separate table
C: A one-way hash based on strong cryptography
D: Truncated

Q30: What entities may conduct external vulnerability scans?
D: A Penetration Tester

Q31 How quickly must inactive accounts be removed or disabled?
A: After 30 days’ inactivity
B: After 90 days’ inactivity
C: After 180 days’ inactivity
D: After one year of inactivity

Q32: What sanction does the PCI SSC not have against a PCIP who is in contravention of the PCI SSC Code of Professional Responsibility?
A: Issue a warning to the PCIP
B: Issue a warning to the PCIP’s employer
C: Suspend the PCIP from all PCI Programs
D: Revoke the PCIP qualification

And here’s a link to the answer sheet. Remember, this is password protected and you can find the password to unlock the it on my current ‘fund raising for the MS Trust’ page While you’re there a small donation would be awesome 🙂

2 thoughts on “Thirty-two really fun PCIP, QSA or ISA revision questions

  1. Rose

    Hi John,
    Thanks for these questions considering doing the ISA training. Your fundraising link seems to be closed but I’ll put a donation in the next charity box I see. Nice to find this online and also that it was you, I met you a few years back when you came in to advise our company 🙂
    Kind regards

Leave a Reply

Your email address will not be published. Required fields are marked *