When preparing for security exams such as Security+ or SSCP, you should know the differences between a CAC, PIV, and smart card. These are also known as a common access card (CAC), a personal identity verification (PIV) card, and a smart card. All three are used for authentication. More specifically, each of them are in the Something You Have factor of authentication.
Users prove their identity with authentication and there are three factors of authentication. They are commonly known as:
- Something you know, such as a password or PIN
- Something you have, such as a smart card, CAC, PIV, or RSA token
- Something you are, using biometrics
Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide

Smart Card
A smart card is a credit card sized card that has an embedded microchip and one or more certificates. The information on the card identifies the user and the certificate also includes the user’s private key used for asymmetric cryptography.
Users are often required to enter a personal identification number (PIN) along with the smart card. Using a smart card (something you have) and a PIN (something you know) provides multifactor authentication. Combining two or more factors of authentication is more secure than using only a single factor.
Both a CAC and PIV provide the same benefits of a smart card, but also include photo identification.
CAC
A common access card (CAC) is a smart card used by employees and other personnel in the United States Department of Defense (DoD). A CAC includes a picture of the user along with other information such as their name. DoD employees wear the CAC as a badge and can show it to guards to prove their identity. They can also use it as a smart card to log onto systems.
PIV
A personal identity verification (PIV) card is also a specialized type of smart card used by personnel in United States federal agencies. Just as a CAC does, the PIV card includes a picture of the user along with their name. A PIV can be used for visual verification of users, and then as a smart card when users log onto their computer.
Benefits of Smart Card, CAC, and PIV
Each of these provide some specific benefits worth emphasizing. They are:
- Authentication. A basic purpose is to allow users to prove their identity.
- Confidentiality. The certificate can be used with asymmetric cryptography to ensure confidentiality of data.
- Integrity. The certificate can also be used with digital signatures and provide integrity for the message.
- Non-repudiation. In addition to providing integrity, a digital signature also provides integrity.
Security+ Practice Test Question
Q. Which of the following includes a photo and can be used for identification?
A. MAC
B. DAC
C. RBAC
D. CAC
Answer below

Master Security+ Performance Based Questions Video
Security+ (SY0-601) Practice Test Questions
SY0-601 Practice Test Questions
Over 385 realistic Security+ practice test questions
At least 10 performance-based questions
All questions include explanations so you’ll know why the correct answers are correct,
and why the incorrect answers are incorrect.
Upgrade Your Resume with the Security+ New Version
Multiple quiz formats to let you use these questions based on the way you learn.
- Learn mode – randomized. View each of the questions in random order. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you’ll see the explanation. Click here to see how learn mode works.
- Test mode – randomized. View each of the questions in random order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
- Test mode – 75 random questions. View 75 random questions from the full test bank similar to how the Security+ exam has a potential maximum of 75 multiple choice questions.
Pass the First Time You Take It
Get the full bank of SY0-601 Practice Test Questions Here
Click here if you’re looking for SY0-501 Online Study Package
Security+ Full Access Package
 | Pass the First Time! |
Up-to-date Content
New multiple-choice and performance-based
questions added regularly
Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.
Buy The Full Access Study Package Today
60 Days Access
Need more time?
You can easily renew for another 60 days at a significantly reduced price.
All materials are available online shortly after making your payment.
Get the Security+ Full Access Study Package Here
Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.
This exam is expensive.
Make sure you’re ready before exam day.
Here’s what you’ll get:
- All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
- Over 40 new multiple-choice questions we’ve added after publishing the study guide.
- Over 30 performance-based questions. See a demo here.
- All of the flashcards from the study guide. View them in any Web browser.
- All of the audio from the study guide. Listen to a sample here.
- Access to a free discount code for 10% off your Security+ voucher.
Buy The Full Access Study Package Today
60 Days Access
All materials are available online shortly after making your payment.
Get the Security+ Full Access Study Package Here
Security+ Practice Question Answer: D
A common access card (CAC) includes a picture used for identification and can also be used as a smart card. While not included in the answers, a personal identity verification (PIV) card also includes a picture and can be used as a smart card. A media access control (MAC) address is assigned to a network interface card or wireless network adapter. Discretionary access control (DAC) is an access control model; Microsoft’s NTFS uses DAC. Role based access control (RBAC) is an access control model; RBAC uses roles or groups and users are placed into a role or group based on their assigned jobs.
Other Security+ Study Resources
Security+ Full Access Package
 | Pass the First Time! |
Up-to-date Content
New multiple-choice and performance-based
questions added regularly
Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.
Buy The Full Access Study Package Today
60 Days Access
Need more time?
You can easily renew for another 60 days at a significantly reduced price.
All materials are available online shortly after making your payment.
Get the Security+ Full Access Study Package Here
Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.
This exam is expensive.
Make sure you’re ready before exam day.
Here’s what you’ll get:
- All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
- Realistic SY0-601 Security+ Practice Test Questions
- Performance-based questions.
- All of the flashcards from the study guide. View them in any Web browser. See demo here
- All of the audio from the study guide.
- Access to a free discount code for 10% off your Security+ voucher.
Buy The Full Access Study Package Today
60 Days Access
All materials are available online shortly after making your payment.
Get the Security+ Full Access Study Package Here
Apps for Your Mobile Devices
Free No Risk Discount CompTIA Voucher Code
Hi, Thanks for the article. If you have knowledge about this, can you please explain how CAC and PIV differ? I mean, apart from the difference in the group of users (DoD employees for CAC, and Federal employees for PIV). I know that there are differences in CAs etc., but I’m more interested in communication protocol differences, etc. Thank you for your time!
Hi Jakub,
I don’t have any more details on how they are implemented. I’m sure there are documents on the protocols and procedures used for CACs and PIVs within the U.S. government but I doubt those are publicly available.
From the perspective of the security exams though, you don’t need to know those details.
Darril