Monday, November 11, 2013

The Exam - I Passed

Well, that's finally done!

Some notes on the process ...

Testing Center

I arrived 1 hour early.  I did a last minute review of some notes.
You need to show two pieces of I.D.
You have to basically empty your pockets before entry.  No wallet, keys, pencils, etc.  They put all my personal stuff in a basket and locked it up in a cabinet.
Use the restroom before going in.
For the exam, I received a mylar sheet and a marker to use.  I did a "brain dump" of a couple of last-minute memorizations.

The Test.

Overall, the testing program is pretty intuitive, how to flag questions, how to go back, etc.
The clock starts ticking when you click on the [begin] button.
You have 90 minutes for 60 questions.
In the upper right side of the screen is the question number and the remaining time.
All questions are multiple choice.
You can "flag" questions to come back to later, so your answers aren't final until you hit the final submit.
I went through my flagged questions (about 20) a second time.
There were 3-4 that I was pretty uncertain of, but was able to eliminate a couple completely wrong answers to increase my odds.
I went through the entire exam a second time to review my answers.
I finished in 59 minutes.  I was not at all rushed.
When I hit the final [complete] button the results were near instantaneous.
I received a "Congratulations - pass" display with some other text and a printout.
No score was shown.

Observations / Advice.

The bulk of my time, perhaps 90%+, was spent on PCI DSS.  This worked, but next time I'll invest some energy in P2PE and PA-DSS.
I hadn't expected questions that referenced the requirement numbers only, so next time I would memorize those.  For example (there is no Requirement 13.2) a question may ask:
According to Requirement 13.2, which of the following is true:  A  B  C  or D
Expect more than one correct answer.  You'll need to pick the "best right" answer.  Be sure that your best answer directly answers the question.

An electronic certificate was mailed in approximately 24 hours; no hardcopy is provided.


  1. Well done, dude! I am looking at going for PCIP in Jan 2014, so I will be reading this blog very closely!


  2. I just passed the PCIP exam - my observations so far:

    Nearly all questions which were referring to specific PCI DSS requirement numbers had a brief description of the requirement content in the question.
    One exception: one question was referring to requirement 3.4 without additional explanation - but every PCIP knows what this requirement is about by heart.

    Mainly questions were about PCI DSS, 2-3 about PA-DSS, 2-3 about P2PE.
    3-4 questions were about "general" topics, such as the different PCI certifications (ISA - certification bound to the employee's company, PCIP - certification valid for 2 years, PFI - will do a forensic investigation following a CHD breach), etc.

    Only for a few questions did I experience multiple correct answers - for most of the questions 3 answers were simply wrong - so eliminating wrong answers is always a good approach.

    I already had some experience regarding PCI DSS, as I was involved in a PCI certification project in the past. It took me 25 minutes to complete the exam.

  3. Well done!!! I am studying for the PCIP and have already scheduled my exam for May. I also created some practice questions myself because I could not find any at all.
    Congrats on your PCIP certification!!!

  4. Did you have questions on the S-A-Q (Self Assessment Questionnaires)?

  5. Willian, I do not recall any questions specific to the content of SAQs themselves, but I would walk in with an understanding of why/when to use SAQs.

  6. I am sitting down for the exam next Friday, May 09th.
    I am making sure to memorize the requirements and some sub-requirements, especially those regarding cardholder data storage (Requirements 3 and 7). Since there are no practice questions anywhere, I created my own set of questions, and I am practicing the knowledge through them. I hope it helps me.
    I'll let you guys know how it went once I finish the exam.

  7. Hey guys, I just want to share that I just passed the PCIP exam.
    The exam was composed of 60 questions to be responded to in 90 minutes. The exam was really straightforward, with a few surprises. I took the online training so I was expecting that all the questions were based only on the training material; however, there were 4 to 6 questions that were totally unrelated to the training material, such as specific questions on PA-DSS sub-requirements, QSA, ISA, ASV roles and P2PE. There was one question asking about QIR, which they do not mention in the PCIP training material. It makes me think that the material needs further crafting to make it 100% accurate. There are also no practice questions for the exam, so I had to come up with my own set, which helped me to memorize requirements and concepts. Download the PDF here:

    During the exam I flagged around 6 to 7 questions, which I came back to revise, since I still had plenty of time (I finished the exam in 61 minutes). There were no multiple-selection questions, only single selection. Questions based on the requirements or sub-requirements always started with an introduction to the requirement, so the answer was easier to identify, even though I had to think it through for a little bit in some cases; but I recommend you memorize the requirements and some of the most critical sub-requirements, since it is important not only for the exam.
    At the end of the exam, they do not display your score, but the passing score is 75% (information I got directly from the PCI training department). So I assume I scored 75% or higher. The only message displayed at the end is: “Congratulations on passing the Payment Card Industry Professional Exam”. Your certificate will be emailed to you within two weeks.
    Anyway, that’s basically it. Dan, thank you very much for putting the effort on sharing your experience with the PCIP exam, it really helped me during my preparation for this exam. I appreciate it.

    Willian Guilherme
    Senior Security Consultant

  8. Thank you for the practice questions

  9. Dan, thank you very much for creating study guides and flashcards and sharing your overall experience. I just passed my test today, the guidance you provided was very helpful.

  10. I just completed the PCI Fundamentals course and took the online ISA training course. I can now schedule my test date, but I know that I am not even close to taking and passing the test at this point. I guess I need to memorize the entire PCI DSS sections. I find it hard to believe that they expect you to know what 9.9.1.c is off the top of your head (just used that one as an example). If I was a certified ISA doing an assessment, I am sure I would have some sort of checklist with me... Do you really need to memorize all testing procedures and the corresponding numbers? From what I read, this test is not about knowledge of the subject but more about memorization of where the knowledge is within the PCI DSS guide. Is this a pretty accurate statement?

  11. I observed a couple instances of the section numbers, but others say they haven't. I did not memorize them and passed regardless. So I guess that I would suggest getting a general idea and understanding of the categories vs. memorization.
    Good luck.

  12. Hi All. Thank you to all that have shared posts to this blog. I too got the PCI ISA online training. I started the training back on June 15, 2015. Since then (according to my history) I have been through it 35 times. I even went back through the fundamentals course a couple of times. I have a pretty good understanding of the ROC, SAQs, ASVs, and not all the 10 requirements and the major 1 to 3 sub-requirements. The thing that scares me to death is that on other sites people say the test is 100% memorization of all the sub-sub requirements (ie, what is 12.4.5, 10.3.4, 9.2.3, etc). I am not good with memorization. If this is accurate then this test is not worth it. Once someone becomes ISA certified, they will complete the ROC, which has all the requirements, sub-requirements and sub-sub requirements, so why do you have to memorize them in order to become qualified? I heard this test was best suited for people with photographic memories rather than people that actually have a really good understanding of PCI. Does anyone know if this is correct? I really want to get this test behind me so I can focus on my other work that is piling up. I have scheduled the test for Sept 17, but no way do I want to wait that long; however, if I fail the test, I basically lose my job, and so if I have to memorize all 256 sub-requirements, that is going to take an act of God. Please help!! Any advice from someone that has been through the ISA V 3.1 exam on your experience with this test and its details would be greatly appreciated. Do you also need to know the Payment Brands Level 1,2,3,4 guidelines? Thank you very much in advance.

    1. It sounds like you're pretty well prepared.
      How do your study habits usually equate to taking exams?
      If you've had reasonable success, you may consider taking the exam.
      Don't let the exam scare you. Don't let it get into your head.
      If you know it, then proceed.
      That's my .02

  13. Hi,

    I passed my PCI ISA exam recently. Before taking this exam, I was also a bit nervous from reading a few blogs or sites where users had mentioned that they could not pass the exam on the first attempt. It took me around 1.5 months to go through the PCI fundamentals and pass the fundamentals exam. I had started preparing for the PCI-ISA final exam using the online study materials provided by PCI as well as all documents downloaded from the PCI site, including the PCI DSS standard v3.2, SAQs, ROC Template etc.

    I scheduled my exam after 2 months of preparation with the study material, standard and other documents. This exam was 90 minutes and contained 75 questions. I was expecting 60 questions in 90 minutes, so I had to speed up going through the questions; a few questions were not direct and had 2 similar answers. I flagged a few questions which were taking more time for me. Finally, I was able to complete all questions and had only 2-3 minutes left for review. I quickly reviewed the flagged questions, selected the best answer and saw that the time was up. So, when I hit the final submit button, my heart was sinking a bit and I was eager to see the result. Finally, the result came out and I had passed :)

    But to pass this exam, you need to prepare well on the standard, study material and other documents including the SAQ and ROC templates, so you very well understand the intent and guidelines behind every requirement and sub-requirement.


    Kuldeep Tomar

  14. How many questions are on the level 1 exam, and how much time do they give? I'm trying to get ready for it.

  15. Hi William,

    For the first level, there were 50 questions and the time available was 90 minutes. A few questions were tricky and took lots of time.