I put together this series of sample PCIP questions and answers to help a friend who was revising for her PCIP exam. She passed, so I hope you also find them useful. It is a while since I actually took a PCI SSC exam, so these questions might not reflect the way that the PCI SSC currently asks questions or how they phrase their answers; however, they should provide a useful knowledge test so you can discover your strengths and weaknesses.
The answers are contained in a downloadable PDF – there’s a link to it at the end of the questions.
The PDF is password protected, and the password is encryption.
If you’d like some more training then I can recommend my PCI courses at Pluralsight:
Payment Card Security, Processing, and the PCI Standards
PCI DSS: The Big Picture
So here are the questions. For each one there is only one correct answer. Enjoy.
Q1: What information must be included in the network diagram?
A: Firewalls, routers and switches
B: Connections between other networks and the CDE excluding wireless networks
C: All connections between the CDE and all other networks
D: Wireless access points and firewalls
Q2: A merchant only accepts payments via the telephone and they enter the cardholder data directly into a webpage provided by their acquirer. Which SAQ is most likely to be the one the merchant should use?
A: SAQ C
B: SAQ B-IP
C: SAQ B
D: SAQ C-VT
Q3: How frequently should cardholder data that is beyond the specified retention period be deleted?
A: Immediately
B: Weekly
C: Monthly
D: Quarterly
Q4: If video cameras are used to monitor physical access to the CDE, how long should the logs be kept for?
A: 1 month
B: 3 months
C: 6 months
D: Indefinitely
Q5: Who can approve the configuration of routers and firewalls protecting the CDE?
A: A QSA must approve the configuration
B: No specific approval is required; the person in charge of making changes to the configuration just needs to make sure that all changes are correct
C: A senior executive must approve the configuration
D: Someone independent from the person that changes the configuration must approve the configuration
Q6: When is it OK for a merchant to store the CVV2 / CVC2 value?
A: When it is encrypted using strong cryptography
B: When the merchant does not store, process or transmit PANs as well
C: It is never permitted for a merchant to store the CVV2/CVC2 value
D: Temporarily, before a transaction is authorised by the acquirer
Q7: Which PCI credentials entitle someone to sign a Report on Compliance?
A: QSA, ISA and PCIP
B: ASV and QSA
C: QSA and ISA
D: PCIP
Q8: Which PCI standard helps secure physical devices used to read cardholder data, such as magnetic stripe and EMV chip readers?
A: PCI P2PE
B: PCI PTS POI
C: PCI PTS HSM
D: PA-DSS
Q9: Which PCI standard would have requirements that controlled how an issuer looked after blank payment cards before they were personalised with the customer’s name and PAN?
A: None – cards without a PAN are not covered by PCI Standards
B: PCI DSS
C: PCI POI HSM
D: PCI Card Production
Q10: Where does the standard require the use of a DMZ?
A: Systems that provide authorised publicly accessible services must be in a DMZ
B: A DMZ is required to store cardholder data
C: A DMZ is required between wireless networks and the CDE
D: The standard doesn’t require the use of a DMZ
Q11: Sarah uses her laptop at home and also when she is in the office and connected to the CDE. Which of the following controls should be applied to Sarah’s laptop to comply with PCI DSS?
A: The laptop should be tested by the IT department before Sarah connects it to the CDE
B: Sarah cannot have access to the USB ports on the laptop
C: The laptop must have personal firewall software or an equivalent installed
D: Sarah cannot access wi-fi networks
Q12: Which entity in the payment ecosystem provides consumers with payment cards?
A: Card brands
B: Card brands and issuers
C: Issuers
D: Card brands and acquirers
Q13: When can you use cardholder data in test environments?
A: Never
B: When troubleshooting
C: Only when authorised by a QSA
D: When supervised by a PCIP and deleted after use
Q14: Which of the following is not considered sensitive authentication data (SAD)?
A: Service code
B: PIN
C: CVC2/CVV2
D: Full magnetic stripe track data
Q15: Is it OK to use Telnet for administrative access to the routers in your CDE?
A: Of course
B: Yes, if it is encapsulated in an encrypted VPN
C: Yes, if the routers do not support SSH
D: It is never OK to use telnet for administrative access
Q16: In the payment process, what step typically follows authorisation?
A: Clearing
B: Acquiring
C: Settlement
D: Funds release
Q17: Which of the following is not an example of multi-factor authentication?
A: A username, password and certificate
B: A fingerprint and a password
C: A username, password and secret phrase
D: A smart card and an iris scan
Q18: What special provisions apply to public facing web applications?
A: None
B: Use automated application vulnerability security assessment tools or methods AND a web application firewall
C: Use automated application vulnerability security assessment tools or methods OR a web application firewall
D: Use real-time security monitoring tools
Q19: How many hours of CPE must a PCIP accumulate each year?
A: 5 Hours
B: 10 hours
C: 20 hours
D: 40 hours
Q20: A company’s mainframe doesn’t support encryption, so it is unable to comply with requirement 3.4. What should the company do?
A: As this is a legitimate technical constraint, the company should develop appropriate documented compensating controls
B: Ask the QSA if it can ignore requirement 3.4
C: As the mainframe does not support encryption, mark the requirement as not applicable (N/A)
D: Request a PCI waiver from the PCI SSC
Q21: Which PCI standard would apply to a merchant that had purchased and was using a validated PCI P2PE solution?
A: PA DSS
B: PCI DSS
C: PCI P2PE
D: None because the merchant only has encrypted data
Q22: Where does the standard require the use of firewalls?
A: Between the internet and the CDE, a DMZ and the internal network, between wireless networks and the CDE
B: Between the internet and internal networks
C: Between the wireless networks and the CDE, between the internet and the CDE
D: The standard does not require the use of firewalls, they are just recommended
Q23: Which of the following can be used to transmit cardholder data?
A: Email
B: Instant messaging
C: SMS
D: Encrypted communications
Q24: How quickly should critical patches be applied?
A: As soon as possible
B: Within 7 days
C: Within one month
D: Within 3 months
Q25: When should a company make use of a compensating control?
A: When it cannot afford to implement a PCI DSS control
B: When its own risk assessment suggests a PCI DSS requirement is not needed
C: When a QSA runs out of time in the company’s annual assessment
D: When the company cannot meet the requirement due to legitimate technical or documented business constraints.
Q26: Which words, in the right order, complete this sentence? In a four-party model, a merchant transaction flows from the merchant to the _________, then the _________ and finally to the __________
A: Issuer, Acquirer, Card Brand
B: Card Brand, Issuer, Acquirer
C: Acquirer, Card Brand, PCI SSC
D: Acquirer, Card Brand, Issuer
Q27: Why would a merchant typically use a QIR?
A: After a compromise of cardholder data
B: To prepare for a new PCI DSS assessment
C: To purchase a PCI DSS compliance certificate
D: To implement a PA DSS application
Q28: Are stateful firewalls _______ for connections into the Cardholder Data Environment?
A: Recommended
B: Required
C: Optional
D: Not mentioned
Q29: If PAN is to be stored in a database, which of the following is not an acceptable way of storing a PAN?
A: Encrypted using strong cryptography and key management
B: Split into two parts, each half stored in a separate table
C: A one-way hash based on strong cryptography
D: Truncated
Q30: What entities may conduct external vulnerability scans?
A: A QSA
B: A PCIP
C: An ASV
D: A Penetration Tester
Q31: How quickly must inactive accounts be removed or disabled?
A: After 30 days’ inactivity
B: After 90 days’ inactivity
C: After 180 days’ inactivity
D: After one year of inactivity
Q32: What sanction does the PCI SSC not have against a PCIP who is in contravention of the PCI SSC Code of Professional Responsibility?
A: Issue a warning to the PCIP
B: Issue a warning to the PCIP’s employer
C: Suspend the PCIP from all PCI Programs
D: Revoke the PCIP qualification
And here’s a link to the answer sheet. Remember, this is password protected and the password is encryption. If this is useful please make a donation to a charity that means something to you 🙂