Card Production Security Assessor (CPSA) Physical: New Exam Questions and Answers
Which of the following statements is true about the facility’s non-emergency exits?
Options:
A. They must be contact-alarm monitored only when card production activities are taking place
B. They must be configured to prevent staff tailgating
C. They may be left unlocked when a guard is present
D. They must be fitted with biometric access-control devices
Answer: B
Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must ensure that all non-emergency exits are configured to prevent staff tailgating. Tailgating is the act of following someone closely through a door or other entry point without proper authorization. The vendor must use access-control devices, such as turnstiles, mantraps, or biometric readers, to prevent tailgating and unauthorized access or exit. The vendor must also monitor and alarm all non-emergency exits 24/7, and have procedures to respond to any alarms or incidents. The vendor must not leave any non-emergency exits unlocked, even when a guard is present, as this may compromise the security of the facility and the card production and provisioning materials. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 8-9
Who performs regular AQM audits of CPSA companies?
Options:
A. Issuing banks
B. Payment brands
C. PCI SSC
D. Vendor
Answer: C
Explanation:
The PCI Security Standards Council (PCI SSC) performs regular Assessor Quality Management (AQM) audits of CPSA companies to ensure that they comply with the PCI CPSA Qualification Requirements and the PCI Card Production Standards. The AQM audits are conducted by PCI SSC staff or authorized third parties, and may include onsite visits, remote reviews, or both. The AQM audits aim to verify the quality and consistency of the CPSA companies’ assessment processes, reports, and documentation, as well as their adherence to the PCI SSC Code of Professional Responsibility. The AQM audits may result in corrective actions, sanctions, or revocation of the CPSA company status, depending on the severity and frequency of the non-compliance issues identified. References:
- PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 12, requirement 8.1
- PCI Card Production Security Assessor (CPSA) Program Guide, v1.0, April 2019, page 6, section 3.2
A CPSA Company has submitted multiple reports that are incomplete and do not contain the information described in the reporting instructions. Which of the following are possible outcomes?
Options:
A. They may be put into remediation or revoked by the applicable payment brands
B. They may be put into remediation or revoked by PCI SSC
C. They may be fined by the applicable payment brands
D. They may be fined by PCI SSC
Answer: B
Explanation:
The PCI SSC has a quality assurance (QA) program that monitors the performance and compliance of CPSA Companies and CPSA Employees. The QA program is based on eight guiding principles that the assessor community must adhere to, one of which is to maintain consistent assessor procedures and reporting. The PCI SSC reviews the reports submitted by the CPSA Companies and provides feedback on the quality and completeness of the reports. If a CPSA Company submits multiple reports that are incomplete and do not contain the information described in the reporting instructions, they may be violating the QA program and the CPSA Qualification Requirements. The PCI SSC may take corrective actions against the CPSA Company, such as issuing a warning, requiring additional training, imposing remediation, or revoking the CPSA Company status. Remediation is a process that requires the CPSA Company to improve in one or more areas of their operations and demonstrate compliance with the PCI SSC requirements. Revocation is a process that terminates the CPSA Company status and removes the CPSA Company from the list of qualified assessors on the PCI SSC website. The PCI SSC has the sole authority and discretion to determine the appropriate corrective actions for any non-compliance issues by the CPSA Companies or CPSA Employees. The payment brands do not have the power to put the CPSA Companies into remediation or revoke their status, nor do they have the power to fine them. The payment brands may, however, impose their own sanctions or penalties on the card production entities that are assessed by the CPSA Companies, based on their own contractual agreements and compliance programs. References:
- Card Production Security Assessor (CPSA) Program Guide, Section 3 and 5.1
- Card Production Security Assessor (CPSA) Qualification Requirements, Section 3.1 and 3.2
- CPSA Remediation Statement
To liberate a person detected inside of the inner shipping delivery room and stop the alarm, the software monitoring the access-control system must only allow the opening of which door?
Options:
A. The external facing door
B. The internal facing door
C. The last activated door
D. The least secure door
Answer: C
Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have a secure inner shipping delivery room that is equipped with an alarm system and an access-control system. The alarm system must be triggered when any door of the inner shipping delivery room is opened without proper authorization. The access-control system must only allow the opening of the last activated door to liberate a person detected inside of the inner shipping delivery room and stop the alarm. This is to prevent unauthorized access or exit from the inner shipping delivery room, and to ensure that only one door can be opened at a time. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 18-19
During an assessment you ask to see employee records for employees with access to the HSA. The records include information about the screening process, including background information from the employee application process. The oldest background information that is available is for an employee that left the vendor (terminated their contract) one year previously. You note this as non-compliant. Why?
Options:
A. Employee information, including background checks, must be stored for at least seven years
B. Employee information must be securely destroyed (e.g. securely wiped) within 2 years (after termination of contract)
C. The vendor must retain the background information for at least 18 months after termination of contract
D. The vendor must only retain background information for all current employees, not for those that have been terminated
Answer: B
Explanation:
According to the PCI Card Production Logical Security Requirements, the vendor must securely destroy all employee information, including background checks, within two years of the employee’s termination of contract. This is to prevent unauthorized access to sensitive employee data and to comply with the PCI DSS requirement 3.1, which states that cardholder data must not be stored longer than necessary. The vendor must also have a documented policy and procedure for the secure destruction of employee information, and must maintain a log of all destruction activities. References:
- PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.1
- PCI DSS, v3.2.1, May 2018, page 25, requirement 3.1
Which of the following principles must be enforced by the HSA Access Control system?
Options:
A. Dual control
B. Dual presence
C. Dual control and dual presence
D. Dual guard entry when required
Answer: C
Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the HSA Access Control system must enforce both dual control and dual presence principles. Dual control means that at least two authorized individuals must act together to perform a critical function or access a sensitive area. Dual presence means that at least two authorized individuals must be physically present in the same area at all times. These principles are intended to prevent unauthorized or fraudulent activities by requiring mutual supervision and accountability. Therefore, the HSA Access Control system must ensure that no single individual can enter, exit, or operate within the HSA without the cooperation and the presence of another authorized individual. References:
- PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 12
- PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 13
When must HSA motion detectors generate an alarm event?
Options:
A. Each time movement is detected
B. Each time movement is detected outside of regular business hours
C. Each time movement is detected and the access-control system indicates the room is occupied
D. Each time movement is detected and the access-control system indicates the room is not occupied
Answer: D
Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for high-security areas (HSAs) is to have motion detectors that generate an alarm event when movement is detected and the access-control system indicates the room is not occupied. This is to prevent unauthorized access or intrusion to the HSAs, where sensitive card production and provisioning activities take place. The motion detectors should be configured to cover all areas within the HSA and should be tested periodically to ensure proper functionality. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.1.1, Page 6
Which of the following best describes a Technical FAQ?
Options:
A. Technical FAQs only apply to the specific technology as the FAQ defines it
B. Technical FAQs can be submitted to PCI SSC at any time
C. Use of the Technical FAQs is mandatory, they shall be used during an assessment
D. Use of the Technical FAQs is optional, they are considered guidance
Answer: D
Explanation:
According to the PCI CPSA Qualification Requirements, Technical FAQs are documents that provide guidance on specific technical topics related to the PCI Card Production Security Standards. Technical FAQs are not mandatory, but they are recommended to be used by CPSA Companies and CPSA Employees during the card production assessment process. Technical FAQs are intended to help clarify the intent and applicability of the PCI Card Production Security Requirements, and to provide examples and best practices for achieving compliance. Technical FAQs are published by the PCI SSC on its website, and are updated periodically based on feedback from the card production industry and the payment brands. References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 4.2, Page 8
In relation to guards, which of the following must the vendor ensure?
Options:
A. A clear segregation of duties is maintained between production staff and guards
B. A clear segregation of duties is maintained between guard and reception related job functions
C. There is always at least one guard on-site, including outside of working hours, to monitor security systems and premises
D. There is always at least one guard in the HSA and one guard in the security control room at all times
Answer: B
Explanation:
According to the PCI Card Production Physical Security Requirements, the vendor must ensure that a clear segregation of duties is maintained between guard and reception related job functions. This is to prevent any conflict of interest or collusion that could compromise the security of the card production and provisioning processes or the cardholder data. The vendor must also ensure that the guards are adequately trained, supervised, and evaluated, and that they follow the security policies and procedures established by the vendor. The vendor must also have a documented policy and procedure for the selection, hiring, and termination of guards, and must maintain a log of all guard activities. References:
- PCI Card Production Physical Security Requirements, v2.0, April 2019, page 24, requirement 6.1.1
- PCI Card Production Physical Security Requirements, v2.0, April 2019, page 25, requirement 6.1.2
- PCI Card Production Physical Security Requirements, v2.0, April 2019, page 26, requirement 6.1.3
- PCI Card Production Physical Security Requirements, v2.0, April 2019, page 27, requirement 6.1.4
Which document describes the results of an assessment, and is signed by both the assessor and the vendor executive officer?
Options:
A. Security Assessment Questionnaire (SAQ)
B. Attestation of Compliance (AOC)
C. Report on Compliance (ROC)
D. Letter of Approval (LOA)
Answer: B
Explanation:
The Attestation of Compliance (AOC) is the document that describes the results of a PCI Card Production Assessment, and is signed by both the CPSA and the vendor executive officer. The AOC is a summary of the findings and conclusions of the assessment, and indicates whether the vendor meets the PCI Card Production Logical Security Requirements and/or the PCI Card Production Physical Security Requirements. The AOC must be completed using the template provided by PCI SSC, and must be submitted to PCI SSC along with the Report on Compliance (ROC) and other supporting documents. The AOC must also be provided to the vendor’s clients upon request. References:
- PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 11, requirement 7.1.1
- PCI Card Production and Provisioning Attestation of Compliance, v2.0, April 2019, page 1, section 1
After reviewing their completed ROC and AOC, which state that they are compliant, the vendor wishes to be listed on PCI SSC’s list of Compliant Card Vendors. How should you assist them with the listing process?
Options:
A. Submit the full ROC to PCI SSC
B. Submit only the AOC to PCI SSC
C. Inform the vendor that PCI SSC does not list compliant vendors
D. Inform the vendor that they must request a listing via the payment brand(s) that received their ROC
Answer: D
Explanation:
According to the CPSA Program Guide, PCI SSC does not list compliant card vendors on its website. The PCI SSC only lists the qualified CPSA Companies and CPSA Employees who are authorized to perform PCI Card Production Security Assessments. The PCI SSC also does not receive or review the full ROCs or AOCs from the card vendors or the CPSA Companies. The ROCs and AOCs are submitted by the CPSA Companies to the applicable payment brands that have contracted with the card vendors for card production and provisioning services. The payment brands are responsible for verifying the compliance status of the card vendors and determining whether to list them on their own websites or databases. Therefore, the CPSA Company should inform the vendor that they must request a listing via the payment brand(s) that received their ROC, and that the listing process may vary depending on the payment brand’s policies and procedures. The CPSA Company should also advise the vendor to maintain their compliance with the PCI Card Production Standards and to undergo annual assessments by a qualified CPSA Company.
Who is required to approve visitor entry to the HSA or cloud-based provisioning environment?
Options:
A. The head of the vendor facility
B. The Security Manager
C. Both the Security Manager and the Production Manager
D. The Security Manager, Production Manager, and the head of the vendor facility
Answer: B
Explanation:
According to the PCI Card Production and Provisioning – Physical Security Requirements, the Security Manager is the person who is responsible for approving visitor entry to the High Security Area (HSA) or cloud-based provisioning environment. The HSA is the area where card production and provisioning activities take place, such as card manufacturing, personalization, PIN generation and printing, and fulfillment. The cloud-based provisioning environment is the logical equivalent of the HSA for entities that provide over-the-air (OTA) provisioning or host card emulation (HCE) provisioning services. The Security Manager must ensure that visitors have a legitimate business need to enter the HSA or cloud-based provisioning environment, and must authorize their access in advance. The Security Manager must also maintain a visitor log that records the visitor’s name, company, date, time, and purpose of visit, as well as the escort’s name and signature. The Security Manager must also ensure that visitors are escorted by authorized personnel at all times, and that they wear a distinctive visitor badge. The head of the vendor facility, the Production Manager, or any other person is not required to approve visitor entry to the HSA or cloud-based provisioning environment, unless they are also designated as the Security Manager by the vendor. References:
- Payment Card Industry (PCI) Card Production and Provisioning – Physical Security Requirements, Section 3.1.1 and 3.1.2
- Payment Card Industry (PCI) Card Production and Provisioning – Glossary of Terms, Abbreviations, and Acronyms, Definitions of Security Manager, High Security Area, Cloud-Based Provisioning Environment, OTA Provisioning, and HCE Provisioning
A vendor puts cardholder information into a chip by sliding a payment card through a machine that programs it and verifies the data. The chip can make contactless transactions. Which of the following best describes the vendor’s activity?
Options:
A. Card personalization
B. Host Card Emulation (HCE) provisioning
C. Secure Element (SE) provisioning
D. Fulfillment
Answer: A
Explanation:
Card personalization is the process of transferring cardholder information, such as account number, name, expiration date, and other data, to a payment card. This can be done by various methods, such as magnetic stripe encoding, embossing, laser engraving, or chip programming. Chip programming is the method of personalizing a card that has an embedded microchip that can store and process data. Chip cards can support contact or contactless transactions, depending on the chip type and the terminal capabilities. Contact transactions require the card to be inserted into a reader, while contactless transactions use radio frequency (RF) communication between the card and the reader. The vendor in the question is performing card personalization by programming the chip and verifying the data on the card. References:
- Payment Card Industry (PCI) Card Production and Provisioning – Logical Security Requirements, Section 1.1.1
- Payment Card Industry (PCI) Card Production and Provisioning – Physical Security Requirements, Section 1.1.1
- Payment Card Industry (PCI) Card Production and Provisioning – Glossary of Terms, Abbreviations, and Acronyms, Definitions of Card Personalization, Chip Card, Contact Card, and Contactless Card
Which of these are guards allowed access to?
Options:
A. HSAs
B. Audit logs
C. Loading bays
D. Physical master keys that provide access to card production or provisioning areas
Answer: C
Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for contracted guard services is to ensure that they have limited access to card production or provisioning areas, and that they do not have access to HSAs, audit logs, or physical master keys that provide access to card production or provisioning areas. This is to prevent unauthorized access, theft, or misuse of card material or data by the contracted guard service. However, the contracted guard service may have access to loading bays, as long as they are escorted by authorized personnel and do not handle or interfere with card shipments. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.2.1, Page 7
You wish to check that you are using the most current version of the Card Production requirements. What should you do?
Options:
A. Have the CPSA Company’s point of contact request the document
B. Download it from PCI SSC’s Document Library
C. Email a request for the document to PCI SSC
D. View it directly via PCI SSC Assessor Portal
Answer: B
Explanation:
The best way to check that you are using the most current version of the Card Production requirements is to download it from PCI SSC’s Document Library. The PCI SSC’s Document Library is a repository of all the PCI standards, guidelines, and supporting documents that are developed and maintained by the PCI SSC. The Document Library is accessible to the public and provides the latest versions of the documents, as well as the summary of changes and the effective dates. The Document Library also allows you to search, filter, and sort the documents by category, type, date, and keyword. Therefore, by downloading the Card Production requirements from the Document Library, you can ensure that you have the most up-to-date and authoritative version of the requirements. The other options are not the best ways to check the version of the Card Production requirements, as they may not be reliable, efficient, or available. Having the CPSA Company’s point of contact request the document may not be feasible, as the point of contact may not have the authority, the access, or the time to do so. Emailing a request for the document to PCI SSC may not be effective, as the PCI SSC may not respond promptly or provide the document in the format that you need. Viewing the document directly via PCI SSC Assessor Portal may not be possible, as the Assessor Portal may not have the latest version of the document or may require a login credential that you do not have. References:
- PCI SSC Document Library
- PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 5