
Free PCIP Practice Questions

10 free, exam-style PCI Professional Qualification (PCIP) practice questions with answers and explanations. No signup required. Work through them below, then take the full free PCIP practice test to study every exam domain.

Question 1

A merchant wants to retain certain data elements after a transaction has been authorized in order to support future recurring billing. Which data element is the merchant PERMITTED to store after authorization?

  A. The primary account number (PAN), if rendered unreadable
  B. The card verification value (CVV2), for recurring charges
  C. The full contents of the magnetic stripe (track data)
  D. The PIN block, provided that it is encrypted

Correct answer: A - The primary account number (PAN), if rendered unreadable

Question 2

Which statement BEST describes the relationship between the PCI Security Standards Council (PCI SSC) and the payment brands (Visa, Mastercard, American Express, Discover, JCB)?

  A. The PCI SSC enforces compliance and issues fines for any violations
  B. The payment brands write the standards while the PCI SSC audits merchants
  C. Both the PCI SSC and the payment brands certify merchants as compliant
  D. The PCI SSC maintains the standards; the brands enforce compliance

Correct answer: D - The PCI SSC maintains the standards; the brands enforce compliance

Question 3

Under PCI DSS v4.x, multi-factor authentication (MFA) is required for which of the following?

  A. Only remote access originating from third-party vendors
  B. All access into the cardholder data environment (CDE)
  C. Only administrative access from within the internal network
  D. Customer logins to the merchant's e-commerce checkout page

Correct answer: B - All access into the cardholder data environment (CDE)

Question 4

An e-commerce merchant fully outsources all payment processing to a PCI DSS-validated third party. The merchant's website redirects customers to that third party, and the merchant never stores, processes, or transmits cardholder data on its own systems. Which Self-Assessment Questionnaire is MOST appropriate?

  A. SAQ D
  B. SAQ C
  C. SAQ A
  D. SAQ A-EP

Correct answer: C - SAQ A

Question 5

PCI DSS requires audit log history to be retained for a minimum period, with a portion kept immediately available for analysis. What is the requirement?

  A. Retain 12 months of logs, with 3 months immediately available
  B. Retain 6 months of logs, with 1 month immediately available
  C. Retain 24 months of logs, with 6 months immediately available
  D. Retain 3 months of logs, with all of it immediately available

Correct answer: A - Retain 12 months of logs, with 3 months immediately available

Question 6

A risk-mature organization decides to satisfy a PCI DSS requirement by designing its own controls to meet the requirement's stated objective, rather than implementing the control exactly as written. This is known as the:

  A. Compensating control method
  B. Defined approach
  C. Prioritized approach
  D. Customized approach

Correct answer: D - Customized approach

Question 7

PCI DSS Requirement 4 addresses the protection of cardholder data specifically when it is:

  A. Stored on a merchant's internal database servers
  B. Transmitted across open, public networks
  C. Displayed on a point-of-sale terminal screen
  D. Printed on a customer transaction receipt

Correct answer: B - Transmitted across open, public networks

Question 8

PCI DSS requires external vulnerability scans to be performed at least once every three months. Who is authorized to perform these required external scans?

  A. Any member of the organization's internal IT security team
  B. A Qualified Security Assessor (QSA)
  C. An Approved Scanning Vendor (ASV)
  D. The organization's acquiring bank

Correct answer: C - An Approved Scanning Vendor (ASV)

Question 9

A retailer isolates its cardholder data environment (CDE) from the rest of its corporate network using network segmentation. With respect to PCI DSS, network segmentation is:

  A. A mandatory requirement for every merchant and service provider
  B. Required only for merchants that validate at Level 1
  C. An accepted substitute for completing a Self-Assessment Questionnaire
  D. Not required, but it can reduce PCI DSS scope

Correct answer: D - Not required, but it can reduce PCI DSS scope

Question 10

A large organization wants one of its own employees to conduct internal PCI DSS assessments of the organization's cardholder data environment. Which qualification is designed for this internal, in-house assessor role?

  A. Qualified Security Assessor (QSA)
  B. Approved Scanning Vendor (ASV)
  C. Internal Security Assessor (ISA)
  D. PCI Forensic Investigator (PFI)

Correct answer: C - Internal Security Assessor (ISA)

Ready for the real thing?

Practice hundreds more PCIP questions with instant scoring, weak-area drills, and full exam simulations.
