Tuesday, July 8, 2014

Certification period expanded

Here's some good news.  The PCIP credential is now valid for three years instead of two.

An email notification just came out:


Dear PCIP,
You may have recently received an email from the PCI Security Standards Council regarding changes in the PCI Professional Program.  The email outlined a change to the PCIP recertification period from two years to three and included a copy of your PCIP certificate.  While the revised requalification period has been approved, the email did not reflect accurate information.
Please disregard both the email and attachment.
In the coming weeks, you will receive a follow up communication outlining details for the requalification process and updated certificates. Please be assured our records are accurate and this issue has not affected your status as an active PCI Professional.
We appreciate your participation in the PCIP Program and apologize for any confusion.
Should you have any queries please address them to the PCIP Program Manager at pcip@pcisecuritystandards.org.
Gill Woodcock
Director of Certification Programs

Friday, January 3, 2014


Found this list of "flash cards" posted online


I would rate these a 4 out of 5.  Every little bit helps.

Monday, November 11, 2013

The Exam - I Passed

Well, that's finally done!

Some notes on the process ...

Testing Center

I arrived 1 hour early.  I did a last minute review of some notes.
You need to show two pieces of I.D.
You have to basically empty your pockets before entry.  No wallet, keys, pencils, etc.  They put all my personal stuff in a basket and locked it up in a cabinet.
Use the restroom before going in.
For the exam, I received a mylar sheet and a marker to use.  I did a "brain dump" of a couple of last minute memorizations.

The Test.

Overall, the testing program is pretty intuitive: how to flag questions, how to go back, etc.
The clock starts ticking when you click on the [begin] button.
You have 90 minutes for 60 questions.
In the upper right side of the screen is the question number and the remaining time.
All questions are multiple choice.
You can "flag" questions to come back to later, so your answers aren't final until you hit the final submit.
I went through my flagged questions (about 20) a second time.
There were 3-4 that I was pretty uncertain of, but I was able to eliminate a couple of completely wrong answers to increase my odds.
I went through the entire exam a second time to review my answers.
I finished in 59 minutes.  I was not at all rushed.
When I hit the final [complete] button the results were near instantaneous.
I received a "Congratulations - pass" display with some other text and a printout.
No score was shown.

Observations / Advice.

The bulk of my time, perhaps 90%+, was spent on PCI DSS.  This worked, but next time I'll invest some energy in P2PE and PA-DSS.
I hadn't expected questions that referenced the requirement numbers only, so next time I would memorize those.  For example (there is no Requirement 13.2), a question may ask:
According to Requirement 13.2, which of the following is true:  A, B, C or D
Expect more than one correct answer.  You'll need to pick the "best right" answer.  Be sure that your best answer directly answers the question.

An electronic certificate was emailed in approximately 24 hours.  No hardcopy is provided.

Sunday, November 10, 2013

EXAM - Pre-exam Thoughts

This certification has not been out for very long.

There are only about 1000 PCIPs in the world.

A couple things that I'm used to finding for exam prep are not evident with this new certification:

1)  I can't seem to find a clear detailed scope of what material the exam will cover.  I've extracted some objectives from a training class and am assuming that this will be fairly accurate.  Rumor is that you need a 75% passing grade.

2)  Since this is still pretty new, there are not a lot of posts/emails to be found on experiences with the exam.

3)  I have not been able to locate any practice exams or sample questions.  I will try to create some myself within this blog.

4)  I have been seeing cases where expert opinion regarding PCI varies according to who you talk to.  Many items appear to be open to interpretation.  This is not really what you want going into a multiple choice exam.

Not bitchin' / Just sayin'

Minor issues (I hope).  We will forge ahead.

Saturday, November 9, 2013

EXAM - How the heck can I take it?

Doing an internet search will not help you get this thing moving.

You'll need to access this page directly   [HERE]

Yeow!  Here are the costs:

Fee categories (the fee schedule lists a separate amount for Non-Participating Organizations and Participating Organizations):

          PCIP Application Administration Fee – includes first two years of qualification, account maintenance and listing
          Account Maintenance Renewal Fee – assessed after the first two year period and every two years thereafter
          PCIP Training/eLearning Course – includes access to eLearning course and ability to take the exam once
          PCIP Exam Fee
          PCIP Exam Retake Fee

Here is a breakdown of the steps you need to take:

1)  Pre-Register.

Go to this site [HERE], and enter your demographic information. You will need to know if your company is a Participating Organization (PO) and if they are, enter the reference code.

This takes all of 2 minutes.

Upon submitting my info, I received an email confirmation almost immediately stating that they've received my registration.

2)  Registration is reviewed.

You have no additional actions yet.  My review and reply to this pre-registration took just about 4 hours.  I wonder if this would take longer on the weekend with nobody in the office?

Here is a copy of the email I received:

PCI Security Standards Council

7/24/2013 10:50:01 AM
Dear Dan Whatsyername,

Thank you for showing interest in the PCIP Program. You will receive two invoices in the next couple of days. One for the application fee and one for the training and/or exam fee. Once the invoices are paid you will receive credentials to log into the portal to submit your PCIP Professional Application.

If you have any questions please contact pcip@pcisecuritystandards.org

Thank You,

Dawn Perna
PCIP Program Manager

T: +1 (781) 876-6222

Please do not reply directly to this email.

So now I wait for the invoices and will update this post when I do.

3)  Invoice

Well that didn't take long.

Approx. 4 hours later I had the first .pdf invoice by email.

Dear PCIP Candidate,

Thank you for your interest in the PCIP Program. Attached is an invoice for your PCIP Application fee.
Please note that until payment is received, we are unable to issue login credentials for the PCIP Application.  All application fees are NON-TRANSFERABLE and NON-REFUNDABLE.

Best regards,

Lynsey Chaplik, Sr. Staff Accountant
Accounts Receivable
PCI Security Standards Council, LLC
401 Edgewater Pl., Ste. 600
Wakefield, MA 01880 USA

Options for payment include:

          1)  Mail invoice and a personal check.
          2)  Mail invoice and include your credit card number, exp date, security code
          3)  Wire transfer the loot
          4)  Fax invoice with a credit card number.

Funny.  They shouldn't have to tell an exam candidate "do not email credit card info", but they do.  I would suggest that if you do email your credit card info that they automatically fail you on the exam giving you a score of "LOL".

They won't take phone orders either.

Now I just need to come up with some cash and get the second invoice.

This isn't going to be cheap.

4)  Second Invoice.

The second invoice for the exam came 24 hours later.  They've processed these pretty fast.

But, man, this sure isn't cheap (have I said this before?).

I need to work on some funding before I can progress.

5)  OK, Work paid

Here's the latest email:

PCIP Registration

We have received payment for your application fee. Thank you.

You now need to login to the website portal to complete the second part of your PCIP application.

To login to the PCI SSC portal please visit https://programs.pcissc.org and choose the 'PCIP Application' area.

Your username to access the portal is below
Username: xxxxxxxxxxx

You can retrieve your password using the 'Forgot Password' feature located here.


Please do not reply directly to this email.

6)  Complete the second part of the Application

Click on the link indicated in the email above

Then there are three parts:

          A)  Download and sign the "ATTESTATION" document at 

          B)  Upload a copy of your resume

          C)  Upload your signed copy of the "ATTESTATION" document from step A above and click on the check box if you agree to "advocate, adhere to, and support the Code of Professional Responsibility".

7)  OK, I did some of this stuff.

And received the following email from the testing center:

On Tuesday, October 15, 2013 11:57 AM, "PearsonVUEConfirmation@pearson.com" <PearsonVUEConfirmation@pearson.com> wrote:

PCI Security Standards Council has requested a Pearson VUE Web Account be created to allow you to schedule and manage your exam appointments at www.pearsonvue.com. Below are your username and temporary password.

Temporary Password:

When you first sign in, as a security measure for your protection, you will be required to select a new password. We recommend choosing your new password carefully to make it hard for anyone else to guess.

We recommend choosing a new password that is both easy to type and easy to remember so that you do not have to record it where someone else might see it. Your new password must contain at least seven characters and may not contain your username. Use both uppercase and lowercase letters as well as numbers and/or symbols, preferably in unexpected ways. Avoid names and words that would be easy to guess.


If you have any questions, please visit our website at pearsonvue.com/pci/contact to find the contact information for your testing program.

Thank you for choosing Pearson VUE!

8)  Now to set up a testing date.

I'm not ready for this, but having the date set will get me moving in a more focused manner.

IMPORTANT NOTE:  It looks like there is ~ a 30 day window to select the date.  I didn't complete this process in a timely manner and was left with a very small window.

Friday, November 8, 2013

EXAM - PCIP Exam Objectives

The only scope/objectives I could really determine for the exam were extracted from a PCIP training course description.

They include:

1.    Principles of PCI DSS, PA-DSS, PTS, P2PE, and PIN Security

2.    Understanding PCI DSS v2.0 requirements and intent (two documents below)

       Payment Card Industry (PCI) Data Security Standard
       Navigating PCI Requirements

3.    Overview of basic payment industry terminology

       How Credit Card Payments Work - authorize.net video 
       PCI Security Standards Glossary

4.    Appropriate uses of compensating controls

       Refer to Appendices B & C in the following document:
       Payment Card Industry (PCI) Data Security Standard

5.    How and when to use Self-Assessment Questionnaires (SAQs)
       SAQ Info

6.    Recognizing how new technologies affect PCI (P2PE, tokenization, mobile, cloud)
       Note:  at the seminar I attended we were informed that guidelines and supplemental documents
       were not included in the exam.

       Point to Point Encryption (P2PE) FAQs
       Tokenization Guidelines Information Supplement: https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf
       PCI DSS Cloud Computing Guidelines

7.    PCI Code of Professional Responsibility
       Link to Code of Professional Responsibility

8.   Case study application

Thursday, November 7, 2013

Study Material - Code of Professional Responsibility

Located at https://programs.pcissc.org/user/pcipreg/PCIP%20Code%20of%20Professional%20Responsibility.pdf

Copyright 2012 PCI Security Standards Council, LLC

Appendix B

Code of Professional Responsibility

The PCI Security Standards Council (PCI SSC) is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. PCI SSC’s mission is to enhance payment account data security by driving education and awareness of the PCI SSC security standards (the “PCI Standards”). To help achieve this goal, PCI has adopted this Code of Professional Responsibility to help ensure information security professionals adhere to the highest standards of ethical and professional conduct. Adherence with this Code will help ensure the safe handling of cardholder information and enhance payment card data security.

All PCI SSC qualified individuals and all PCI SSC qualification candidates must advocate, adhere to, and support the following Code of Professional Responsibility. PCI SSC qualified individuals who intentionally or knowingly violate any principle of this Code will be subject to revocation of qualification and/or other disciplinary action by PCI SSC.


Professional Competence and Due Care

Perform each aspect of your work honorably, responsibly, and legally

Act in the best interests of all entities that you provide services or support to, while maintaining high standards of conduct and being consistent with the PCI Standards and guidance

Deliver diligent and competent services in accordance with the PCI Standards and applicable laws

Render only those services for which you are fully competent and qualified

Promptly advise all entities that you provide services or support to on changes in PCI Standards and guidance

Participate in learning throughout your career to maintain the knowledge, skills and expertise needed in the payment security industry

Promote current information security best practices and standards

Security and Confidentiality

Respect and safeguard confidential, proprietary, or otherwise sensitive information with which you come into contact in the course of professional activities, unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties

Take affirmative steps to comply with the PCI Standards to assure that confidential information is maintained securely

Immediately notify the appropriate authorities and proper industry personnel should you suspect a compromise or breach in security


Refrain from conduct which would damage or reflect poorly on the reputation of PCI SSC, its standards, the profession, or the practice of colleagues, clients, and employers

Report ethical violations to PCI SSC in a timely manner

Refrain from any activities which might constitute a conflict of interest

Perform all duties with objectivity

Compliance with Industry Laws and Standards

Perform duties in accordance with the PCI Standards

Comply with existing laws and regulations, with local laws taking precedence over PCI Standards

Cooperate with law enforcement agencies

Violation and Enforcement

Depending on the severity of the violation, disciplinary action could include:

A written warning could be issued that specifies the consequences if the situation occurs again, or if there is another violation.

PCI SSC qualification could be suspended for all programs in which the individual participates.

PCI SSC qualification could be revoked for all programs in which the individual actively participates.

PCI SSC is committed to enforcing its Code of Professional Responsibility, and has adopted a procedure that allows fair and objective review of allegations of violations of the Code.