Free PCI SSC CPSA_P_New Practice Exam with Questions & Answers

 According to the PCI Card Production Physical Security Requirements, the receptionist responsible for the entrance and departure of visitors must have an unobstructed view of the reception area at all times. This is to ensure that the receptionist can monitor and control the access of visitors, and to prevent any unauthorized entry or exit of personnel or materials. The receptionist must also have a means of verifying the identity of visitors, such as a photo ID or a visitor log, and a means of issuing and collecting visitor badges, such as a badge printer or a badge holder. The receptionist must also have a means of communicating with the security personnel or the security control room, such as a phone or an intercom, in case of any emergency or suspicious activity. References:

• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 21, requirement 5.3.1
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 22, requirement 5.3.2
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 23, requirement 5.3.3

According to the PCI Card Production and Provisioning Physical Security Requirements, unsolicited visitors are defined as “individuals who do not have a pre-arranged appointment or a legitimate reason for visiting the Card Production Entity”. The requirement for dealing with unsolicited visitors is that they must be registered, their identities confirmed, and must be allocated an escort before entry. The escort must accompany the unsolicited visitor at all times and ensure that they do not access any restricted areas or sensitive information. The other options are not true statements about unsolicited visitors, as they may not comply with the PCI Card Production Standards or the best practices for physical security. References:

• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 101
• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 111

Data preparation is the process of creating cardholder data and keys for each card, and formatting them for the hardware that will put them on a card. Data preparation involves the use of an HSM to generate keys and encrypt data, and the creation of an encrypted file that contains the cardholder data and keys. Data preparation is one of the steps in the card production lifecycle, and it precedes the manufacture and personalization of the cards. References:

• Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 10
• PCI Card Production Logical Security Requirements, v2.0, April 2019, page 9
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 9

The Attestation of Compliance (AOC) is the document that describes the results of a PCI Card Production Assessment, and is signed by both the CPSA and the vendor executive officer. The AOC is a summary of the findings and conclusions of the assessment, and indicates whether the vendor meets the PCI Card Production Logical Security Requirements and/or the PCI Card Production Physical Security Requirements. The AOC must be completed using the template provided by PCI SSC, and must be submitted to PCI SSC along with the Report on Compliance (ROC) and other supporting documents. The AOC must also be provided to the vendor’s clients upon request. References:

• PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 11, requirement 7.1.1
• PCI Card Production and Provisioning Attestation of Compliance, v2.0, April 2019, page 1, section 1

The assessor is the person who conducts the PCI Card Production Security Assessment and prepares the Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC). The assessor should be familiar with the forms that are needed to complete an assessment and provide guidance to the vendor on how to fill them out. The assessor should also ensure that the forms are consistent with the PCI Card Production Standards and the PCI CPSA Qualification Requirements. The other options are not the best sources of information for the vendor, as they may not be directly involved in the assessment process or have the expertise to advise on the forms. References:

• PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 81
• PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 10
• PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 3
• PCI Card Production and Provisioning Attestation of Compliance, Version 1.0, April 2019, page 22

According to the PCI Card Production Logical Security Requirements, a vendor’s HSA access must be enforced by a security turnstile that has a logical access-control system that ensures anti pass-back. This means that the system must prevent a person from using the same badge to enter or exit the HSA more than once without completing the access cycle. The access cycle is the process of entering or exiting the HSA through the turnstile, which may involve biometric verification, PIN entry, or other authentication methods. The status of the access must change upon initial presentation of an authorised badge, prior to completion of the access cycle, to prevent another person from using the same badge to enter or exit the HSA. For example, if a person presents an authorised badge to enter the HSA, the system must register that the badge is inside the HSA and deny access to anyone else who tries to use the same badge until the person exits the HSA with the same badge. References: PCI Card Production Logical Security Requirements, v2.0, April 2019, page 12

According to the PCI Card Production Physical Security Requirements, one of the security controls for contracted guard services is to ensure that they maintain their own liability insurance in case of losses to card material. This is to protect the card production vendor from any financial losses or damages caused by the contracted guard service, such as negligence,theft, or misuse of card material. The contracted guard service should also comply with the vendor’s security policies and procedures, and undergo background checks and security training. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.2.1, Page 71

The PCI Security Standards Council (PCI SSC) performs regular Assessor Quality Management (AQM) audits of CPSA companies to ensure that they comply with the PCI CPSA Qualification Requirements and the PCI Card Production Standards. The AQM audits are conducted by PCI SSC staff or authorized third parties, and may include onsite visits, remote reviews, or both. The AQM audits aim to verify the quality and consistency of the CPSA companies’ assessment processes, reports, and documentation, as well as their adherence to the PCI SSC Code of Professional Responsibility. The AQM audits may result in corrective actions, sanctions, or revocation of the CPSA company status, depending on the severity and frequency of the non-compliance issues identified. References:

• PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 12, requirement 8.1
• PCI Card Production Security Assessor (CPSA) Program Guide, v1.0, April 2019, page 6, section 3.2

According to the PCI Card Production and Provisioning – Logical Security Requirements, there must be a clear segregation of duties between the staff involved in different card production and provisioning activities, such as card personalization, PIN generation and printing, and card fulfillment. This is to prevent any unauthorized access, modification, or disclosure of sensitive cardholder data and to ensure the integrity and confidentiality of the card production process. Therefore, if John is involved in card personalization, which is the process of transferring cardholder information to a payment card, then he must never be involved in PIN printing, which is the process of printing the personal identification number associated with the cardholder account on a mailer. This way, John cannot link the cardholder data on the card with the PIN on the mailer, and cannot compromise the security of the cardholder authentication. The other statements are not true, as there is no requirement that prohibits John from being involved in the card shipment process, as long as he does not have access to both the card and the PIN mailer at the same time. References:

• Payment Card Industry (PCI) Card Production and Provisioning – Logical Security Requirements, Section 2.1.1 and 2.1.2
• Payment Card Industry (PCI) Card Production and Provisioning – Glossary of Terms, Abbreviations, and Acronyms, Definitions of Card Personalization and PIN Printing