Free Practice Questions for PCI SSC CPSA_P_New Exam

According to the PCI Card Production and Provisioning Physical Security Requirements, unsolicited visitors are defined as “individuals who do not have a pre-arranged appointment or a legitimate reason for visiting the Card Production Entity”. The requirement for dealing with unsolicited visitors is that they must be registered, their identities confirmed, and must be allocated an escort before entry. The escort must accompany the unsolicited visitor at all times and ensure that they do not access any restricted areas or sensitive information. The other options are not true statements about unsolicited visitors, as they may not comply with the PCI Card Production Standards or the best practices for physical security. References:

PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 101

PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 111

The PCI Security Standards Council (PCI SSC) performs regular Assessor Quality Management (AQM) audits of CPSA companies to ensure that they comply with the PCI CPSA Qualification Requirements and the PCI Card Production Standards. The AQM audits are conducted by PCI SSC staff or authorized third parties, and may include onsite visits, remote reviews, or both. The AQM audits aim to verify the quality and consistency of the CPSA companies’ assessment processes, reports, and documentation, as well as their adherence to the PCI SSC Code of Professional Responsibility. The AQM audits may result in corrective actions, sanctions, or revocation of the CPSA company status, depending on the severity and frequency of the non-compliance issues identified. References:

PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 12, requirement 8.1

PCI Card Production Security Assessor (CPSA) Program Guide, v1.0, April 2019, page 6, section 3.2

The PCI SSC (Payment Card Industry Security Standards Council) is the organization that develops and maintains the PCI Card Production Standards and related validation requirements, programs, and supporting documentation. The PCI SSC also provides training and qualification for CPSA Companies and CPSA Employees to perform PCI Card Production Assessments. The PCI SSC is the best source of guidance and clarification for any questions or issues related to the assessment process, testing methods, reporting requirements, and interpretation of the standards. The assessor can contact the PCI SSC by email, phone, or online form, as specified in the CPSA Program Guide1. The payment brands, issuing banks, and vendors are not responsible for defining or explaining the assessment requirements or testing methods, and may not have the same level of expertise or authority as the PCI SSC. References:

Card Production Security Assessor (CPSA) Program Guide, Section 2.1 and 5.1

Card Production Security Assessor (CPSA) Qualification Requirements, Section 1.1 and 2.1

According to the PCI CPSA Qualification Requirements, one of the administrative requirements for CPSA Companies is to notify the VPA of any changes to the roles of CPSA Employees or other personnel that directly affect the security of card products and related components. This is to ensure that the CPSA Company maintains the quality and integrity of the CPSA Program and the PCI Card Production Security Standards. The VPA should be notified within 10 business days of the change, and the CPSA Company should provide evidence of the qualifications and training of theaffected personnel. References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 6.1.3, Page 121

 According to the PCI Card Production Physical Security Requirements, one of the objectives of physical security is to deter, detect, and delay unauthorized access to card production facilities and equipment. This objective requires that the facility has adequate security measures to prevent or respond to any physical attacks or intrusions, such as alarms, locks, cameras, guards, etc. However, these measures may not be sufficient if the facility is located in a rural area, where law enforcement services may not be able to reach the facility in a timely manner in case of an emergency. Therefore, the location of the facility may pose a risk to the security of card production and provisioning activities, and the CPSA should assess the adequacy of the facility’s security plan and procedures to mitigate this risk. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 1, Page 41

According to the PCI Card Production Physical Security Requirements, the vendor must ensure that a clear segregation of duties is maintained between guard and reception related job functions. This is to prevent any conflict of interest or collusion that could compromise the security of the card production and provisioning processes or the cardholder data. The vendor must also ensure that the guards are adequately trained, supervised, and evaluated, and that they follow the security policies and procedures established by the vendor. The vendor must also have a documented policy and procedure for the selection, hiring, and termination of guards, and must maintain a log of all guard activities. References:

PCI Card Production Physical Security Requirements, v2.0, April 2019, page 24, requirement 6.1.1

PCI Card Production Physical Security Requirements, v2.0, April 2019, page 25, requirement 6.1.2

PCI Card Production Physical Security Requirements, v2.0, April 2019, page 26, requirement 6.1.3

PCI Card Production Physical Security Requirements, v2.0, April 2019, page 27, requirement 6.1.4

According to the PCI Card Production Physical Security Requirements, one of the security controls for card destruction is to ensure that misprinted, partially finished, or rejected cards are shredded only in the HSA destruction room. This is to prevent unauthorized access, theft, or misuse of the cards, which may contain sensitive data or features. The HSA destruction room should have adequate security measures, such as locks, alarms, cameras, etc., to protect the cards until they are shredded. The shredding process should render the cards unusable and unrecognizable, and the shredded material should be disposed of securely. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 5, Requirement 5.1.1, Page 111

 According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must use magnetic contacts that are permanently alarmed and that are connected to the security control-room panels to protect doors that provide access to buildings containing air conditioning equipment. The vendor must also ensure that the air conditioning equipment is located in a secure area that is not accessible to unauthorized personnel, and that the air conditioning system is monitored and maintained to prevent unauthorized access or tampering. The vendor must also have procedures to respond to any alarms or incidents related to the air conditioning system, and to report them to the relevant parties. The vendor must not use security tape, electrical contacts, or physical locks alone, as these may not provide adequate protection or detection of unauthorized access or tampering. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 21-221

The PCI SSC is the best-placed organization to answer a query about a missing field in the card production reporting template, as they are the ones who develop and maintain the template and the standards. The card production reporting template is the mandatory template for use in completing a Card Production Report on Compliance (ROC), which provides detail on how to document the findings of a PCI Card Production Assessment. The template is based on the PCI Card Production and Provisioning LogicalSecurity Requirements and the PCI Card Production and Provisioning Physical Security Requirements, which are also developed and maintained by the PCI SSC. Therefore, the PCI SSC has the authority and the expertise to clarify any issues or questions regarding the template and the standards. The other options are not the best sources of information for the query, as they may not have the same level of knowledge or involvement in the template and the standards. References:

PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 31

PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 52

PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 82