Monday, September 14, 2015


Last year (July 2014) I took the PCI Professional online course and passed the exam at a Pearson VUE testing center in Mt. Laurel, NJ.  This year I had to take the PCI-Internal Security Assessor course because it became a requirement at my place of employment.  This past Friday I passed the exam at Pearson VUE so I am now a certified PCI-ISA, and I still hold my PCI Professional title as well.  The PCI-ISA certification lasts only one year, so I'll have to re-certify each year, but the PCI-P certification lasts three years.

I felt that these two tests had a lot of overlap, so if you already have the PCI-P certification I would highly recommend going for the PCI-ISA certification if your company is a PCI participating organization and will sponsor you.  The PCI-ISA certification is only valid as long as you work for the sponsoring company.  So if I quit tomorrow or get laid off, I lose the PCI-ISA cert.

If you are taking the PCI-ISA course now and are getting ready to take the exam, I would recommend studying all of the PCI requirements and making yourself very familiar with certain specifics (be aware of things like keeping online logs for 3 months, but keeping additional logs retrievable for 1 year; passwords should be a minimum length of 7 characters and set to expire every 90 days; employees should acknowledge reading the information security policy annually; etc.).  There were quite a few questions on my exam about encryption key management, too.

All questions were multiple choice, with only one correct answer.  No question asked me to choose more than one answer.  There were a handful of True/False questions, but not too many.  I had 90 minutes to complete 75 questions, but I was able to flag any question that I wanted to come back to at the end (whether I selected an answer or not).  I had about 50 minutes left on the clock when I ended the exam, so I had used a little more than half the time.  But I had studied as much as I possibly could have prior to taking the exam.  Despite this, I still flagged about 6 questions early on that I just did not recall studying.  When I went back to them at the end I didn't change my initial answers so I felt pretty good about them.  Of course, you won't find out which questions you got wrong (if any); you just find out whether you passed or failed.

Good luck!

No comments: