Tuesday, May 21, 2013

Study Questions

I haven't taken the exam, so I don't really know what will be on it.

Even if I did take the exam, there is an ethical issue with providing exam questions to others, so I'm not going there GF.

I have not been able to locate any practice questions, so I've created some myself based on the required reading.

Maybe they're easier than the exam, maybe they're more difficult.  Maybe they'll be useful, maybe not.  Maybe I'll have a cheeseburger for lunch, maybe not.  Who cares, it's "practice", right?

The questions (and answers) are immediately following this post

Study Questions - Multiple choice

Answers are on the bottom of this post.


1)  Which of the following items are included in the Compensating Controls worksheet:

A.   Constraints, assumptions, identified risks and definition of compensating controls
B.   Constraints, objectives, identified risks and definition of compensating controls
C.   Constraints, assumptions, mitigated risks and definition of compensating controls
D.   Constraints, objectives, mitigated risks and maintenance
E.    None of the above items are included in the Compensating Controls worksheet.

2)   Which of the following items CANNOT be stored:

A.   Cardholder name
B.   Service code
C.   PIN
D.   Personal Account Number
E.   All of the above items may be stored
F.   None of the above items may be stored

3)   The process of isolating the cardholder data environment from the remainder of an entity’s network is called:

A.  Network segmentation
B.  Network virtualization
C.  Data isolation
D.  Access controls
E.  None of the above is correct

4)   For those entities that outsource storage, processing or transmission of cardholder data to third party service providers which of the following must be completed:

A.  Report on Compliance (ROC)
B.  PCI Forensics Investigation
C.  Compensation Controls worksheet
D.  All of the above
E.  Since the processes have been outsourced, there is no further compliance obligation,

5)   Which of the following are NOT a part of the Report on Compliance (ROC):

A.  Executive summary
B.  Contact information and report date
C.  Findings and observations
D.  All of the above are required
E.  None of the above are required

6.  The first step of a PCI assessment is to:

A.  Define a comprehensive list of stakeholders
B.  Assess risk
C.  Develop a timeline of the assessment
D.  Determine the scope of the review

7.  Steps to reducing the scope of the cardholder data environment may include all items below EXCEPT:

A.  Reducing the number of locations where cardholder data is present
B.  Eliminate unnecessary data
C.  Purge all data that is older than 1 week
D.  Consolidation of necessary data

E.  All the above items are correct

8.   Before wireless technology is implemented:

A.  Establish all WEP and WPA security keys and disseminate only on a "need to know" basis
B.  An entity should carefully evaluate the need for the technology against the risk
C.  Run penetration tests on the entity's  network
D.  Secure the locations of all Wireless Access Points 
E.  All the above items should be addressed and documented.


1)  ANSWER:  B

 Constraints, objectives, identified risk, definition of compensating controls, validation of    compensating controls and maintenance are all requirements from Appendix C of the PCI Data Security Standard.

2)  ANSWER:  C

PCI Data Security Standard page 8 tells us that cardholder name, service code and Personal Account Number and expiration date may be stored.

Full magnetic stripe data, CAV2/CVC2/CVV2/CID and PIN/PIN block cannot be stored per requirement 3.2

3)  ANSWER:  A

PCI Data Security Standard page 10 states that network segmentation is not a requirement but is e strongly recommended

4)  ANSWER:  A

Per the PCI Data Security Standard page 11, a Report on Compliance must document the role of each service provider.

5.  ANSWER:  D

The Report on Compliance (ROC)  includes (1) Executive summary, (2) description of scope of work and approach taken, (3) details about reviewed environment, (4) contact information and report date,  (5) quarterly scan results and (6) findings and observations.  This information is in the PCI Data Security Standard pages 14 - 17

6.  ANSWER:  D

Identify all locations and flows and ensure that they are included in scope.  This information is in the PCI Data Security Standard page 10

7.  ANSWER:  C

Reducing the number of locations where cardholder data is present,  Eliminate unnecessary data and  Consolidation of necessary data are all steps in reducing scope or "Network Segmentation" per the PCI Data Security Standard page 11

8.  ANSWER:  B

The PCI Data Security Standard states on page 11 an entity should carefully evaluate the need for the wireless technology against the risk.  Also, consider deploying wireless technology only for non-sensitive data transmission.

Study Questions - Short Answer

The PCIP exam is multiple choice.

However, "short answer" questions require you to know a specific answer.  This removes the 20% or 25% probability of making an accurate guess.

All questions below were taken from the PCI glossary.

I'm thinking that this would be good flashcard material ...

Answers are at the bottom of this post.


1)   In the context of PCI DSS, this is a method of concealing a segment of data when displayed or printed. This tecnique  is used when there is no business requirement to view the entire PAN. It relates to protection of PAN when displayed or printed. See Truncation for protection of PAN when stored in files, databases, etc.

2)  The main computer hardware on which computer software is resident.

3)  Hardware and/or software technology that protects network resources from unauthorized access. This item permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.

4)  This test attempts to exploit vulnerabilities to determine whether unauthorized access or other malicious activity is possible.

5)  For the purposes of the PCI DSS, a ___________ is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

6)  Authentication and authorization data repository utilized for querying and modifying user permissions and granting access to protected internal resources.

 7)  Process of rendering cardholder data unreadable by converting data into a fixed-length message digest via Strong Cryptography. This is a (mathematical) function in which a non-secret algorithm takes any arbitrary length message as input and produces a fixed length output

8)  Device that allows wireless communication devices to connect to a wireless network. Usually connected to a wired network, it can relay data between wireless devices and wired devices on the network.

9)  Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.

10)  Chronological record of system activities. Provides an independently verifiable trail sufficient to permit reconstruction, review, and examination of sequence of environments and activities surrounding or leading to operation, procedure, or event in a transaction from inception to final results.



1)  Masking

2)  Host 

3)  Firewall

4)  Penetration test 

5)  Merchant

6)  Lightweight Directory Access Protocol (LDAP)

7)  Hashing

8)  Wireless Access Point or "AP"

9)  Vulnerability

10)  Audit log or Audit trail


Seminar Notes - PCI DSS Workshop

I had the opportunity to attend a PCI DSS Workshop sponsored by the Treasury Institute recently.

Roughly half of the workshop covered the Payment Card Industry Professional (PCIP) certification.

Although I'm certainly not an expert in PCI, I found that the workshop contained a wealth of information that was presented by PCI industry experts.

Based on the info provided, I am going to take the PCIP exam within a couple weeks.

I don't know that I'll pass, but I'm going to try.  The information in this blog is what I will be studying for the exam.

Stay tuned, I'll let you know how it goes.

Monday, May 20, 2013

Seminar Notes - Requirements 1, 2 and 3

My notes on the first three requirements.  These were run through pretty quickly.

This information was presented by Emma Sutcliffe, Director of Standards Coordination, PCI Security Standards Council

Req 1 - Firewall definitions

Need to establish firewall and router standards

Install firewalls on any mobile or employee owned computers which connect through the internet (use personal firewall software)

Restrict/prohibit access from public and untrusted networks.

Allow only intended services

Dilbert on firewalls (Not from the seminar)

Req 2 -  No default passwords

This was continually reinforced throughout the entire seminar.  This is "low hanging fruit" for a hacker.  Usually a google search will produce default passwords.

Encrypt all non-console administrative access

Don't share your password (Not from the seminar)
Dilbert on forgotten passwords (Not from seminar)

Req 3 - Protect stored data

Store only the minimum required data.  Consider retention policies and data disposal.

Do not store authentication data after authorization

Mask Personal Account Number (PAN) when displayed - you can only show the first 6 and last 4 numbers.

Create a quarterly process to identify purge candidates

Sunday, May 19, 2013

Seminar Notes - Requirements 4, 5 and 6

This information was presented by Emma Sutcliffe, Director of Standards Coordination, PCI Security Standards Council

Req 4 - Encrypt encryption across public networks

Use strong cryptology, such as:
- Secure Sockets Layer (SSL) [link],
- IP Security (IPSEC)  [link],
- Secure Shell (SSH) [link]

Never send unprotected Personal Account Numbers (PAN) by end user technologies such as email, chat, instant messaging (IM), etc.

Req 5 - Use and regularly update anti-virus

Prevent malware
Use on all systems
Make sure antivirus is current and running.
Generate audit logs
Retain logs for 12 months, ensure that 3 months are readily viewable.

Req 6 - Develop and maintain secure systems and applications

Install vendor-supplied security patches within one month of release.
You must have the most recently released patches
Identify and assign a risk ranking to newly discovered vulnerabilities
Address critical issues within one month
Address less critical issues within three months
Develop software based on industry standard best practices
Follow change control [link]
Address threats and vulnerabilities on an ongoing basis.

Saturday, May 18, 2013

Seminar Notes - Requirements 7 and 8

This information was presented by Emma Sutcliffe, Director of Standards Coordination, PCI Security Standards Council

Req 7 - Restrict access based on "Need to know"

Provide the least amount of data and privileges
Set all access to "Deny all" unless specifically needed
Base access on job classification and function
Utilize "role based access control"

Req 8 - Assign a unique ID to each person with computer access

Incorporate "Two Factor" authentication [link] for remote access
Timeouts should be set to 15 minutes or less
Render all passwords unreadable during transmission and storage

For security, employ at least one of these:

- Something you KNOW - password or pass phrase
- Something you HAVE - token devices or digital certificate smart cards
- Something you ARE - such as a biometric

Strong passwords [link]:

- Change the password at least every 90 days
- the minimum length of the password is seven characters
- Use both alpha and numeric characters
- keep the password unique - do not re-use your last 4 passwords

Friday, May 17, 2013

Seminar Notes - Requirements 9 and 10

This information was presented by Emma Sutcliffe, Director of Standards Coordination, PCI Security Standards Council

Req 9 - Restrict Physical Access to Data

"Media" = all paper and electronic resources
"Onsite personnel" = FTE's, part-time, temp employees, contractors and consultants
"Visitor" = vendor or huest of any on-site personnel, service workers and anyone that needs to enter the facility, usually less than one day.

Limit and monitor access
Use visitor logs with physical audits
Store backups in a secure location
Develop procedures to easily distinguish between on-site personnel and visitors
Physically secure all media
Get management approval of all removed media
Destroy media when no longer needed
Use video cameras and/or access controls to monitor physical access -
      Review and store at least three months

1)  Authorize
2)  Use a physical token such as a badge
3)  Surrender the physical token when leaving or expired.

Req 10 - Track and monitor all access to network and data.

Track activities
Establish a process linking all access to specific users
Implement audit trails (automated) [link - definition]
Synchronize all system clocks
Secure audit trails so they cannot be altered
Review audit trails at least daily
Retain audit trails one year
Track all actions by admin or root accounts
Track all access to cardholder data
Monitor log deletes and unusual shrinkage or growth
Harvesting and parsing tools may be used

Seminar Notes - Requirements 11 and 12

This information was presented by Emma Sutcliffe, Director of Standards Coordination, PCI Security Standards Council

Req 11 - Regularly Test Security Systems and Processes, System Components, processes and Custom Software

Look for unnatural wireless access points [link - definition], even if there is no wireless
Run network vulnerability scans at least quarterly
Run penetration tests [link - definition] at least once a year
Use intrusion detection  systems and/or intrusion prevention
Look for changes to critical files at least weekly
Check for changes to executable files at least weekly

Req 12 -Maintain a policy that addresses information security for all personnel.

All personnel should be aware of sensibility of data and their responsibilities.
Establish, publish, maintain and disseminate a security policy
Develop daily operational security policies
Assign to individuals or team security management responsibilities
Screen personnel prior to hire to minimize attacks
Implement an incident response plan and respond immediately to breaches
Obtain a written agreement (include acknowledgement) from your service provider(s) responsible for security of cardholder data. 

Wednesday, May 15, 2013

Seminar Notes - Miscellaneous Notes

If you take plastic, then PCI applies to you.

PCI Scope includes
     If you store, process or transmit cardholder data
     Any connected systems

When shredding, you must use cross-cut shredders

PCL doesn't care about signatures

You cannot use wireless or bluetooth keyboards
You cannot process email transactions
You cannot process voice recordings

Finance leads PCI in 60% of organizations, The remaining organizations use a team of Finance and IT

PCI is a "business issue" not an "IT issue"

Compliance is "black and white".  Either you are compliant or you are not.

You can outsource processing, but not responsibility

The Attestation of Compliance (AOC) is usally signed by a C-level executive

You should only render services that you are fully qualified to do.

Local laws take precedence over PCI regulations

PCI Standards have a three year lifestyle before changes are put in place