Practice Free CPSA_P_New Exam Online Questions
In which of the following locations must the CCTV and access control servers be located?
- A . Within the Security Control Room (SCR)
- B . Within a room in the HSA with security controls equivalent to the SCR applied
- C . Within the SCR or a room with equivalent security
- D . Within the secure server room inside of the HSA
C
Explanation:
According to the PCI Card Production Physical Security Requirements, the CCTV and access control servers must be located within the Security Control Room (SCR) or a room with equivalent security. This means that the room must have the same level of physical protection as the SCR, such as locks, alarms, sensors, cameras, and access control devices. The purpose of this requirement is to prevent unauthorized access, tampering, or theft of the servers that store and process sensitive data related to card production and security.
References: PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16
Which of the following must every assessor do to maintain their CPSA certification?
- A . Complete annual requalification training or complete 3 assessments for different facilities each year
- B . Earn and document at least 20 hours of Continuing Professional Education (CPE) over 3 years
- C . Earn an additional professional certification from List A or B of the Qualification Requirements (QRs)
- D . Submit evidence of internal training in a relevant area (as per the QRs)
A
Explanation:
According to the Card Production Security Assessor (CPSA) Qualification Requirements, CPSAs must maintain their qualification status by either completing the annual requalification training provided by PCI SSC or performing at least three (3) PCI Card Production Assessments for different facilities over the previous one-year period. This ensures that CPSAs remain current with technical and industry changes and demonstrate professionalism.
References: Card Production Security Assessor (CPSA) Qualification Requirements, v1.1, March 2022, page 10
A vendor wants to know if they will be penalized if their vault is not compliant. Who should they ask?
- A . PCI SSC
- B . Assessor
- C . Issuing banks
- D . Payment brands
D
Explanation:
The PCI SSC does not enforce compliance, nor does it mandate penalties for non-compliance. Compliance with the PCI Card Production Standards is enforced by the payment brands. The payment brands may have their own compliance programs and may apply penalties or fines to entities that are not compliant or suffer a breach. Therefore, a vendor who wants to know if they will be penalized if their vault is not compliant should ask the payment brands that they work with or are contracted by.
References:
Payment Card Industry (PCI) Card Production Security Assessors Program Guide, Version 1.0, April 2019, page 51
PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 62
The vendor’s technical documentation shows that the alarm system does not send alerts to the security control room. After a discussion you learn that the alarm works perfectly, and sends a clear signal to summon the local police every time an emergency exit is opened.
Why might this cause a problem for their assessment?
- A . If the local police have not been issued with an exterior key, they will not be able to investigate the cause of the alarm and reset it
- B . During working hours, the alarm should be managed in the security control room, or by a central monitoring service
- C . If the local police receive too many false-positive alerts, they may not respond within 15 minutes of the alarm
- D . During busy times, the local police may not be able to respond
B
Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have an alarm system that monitors and detects unauthorized access to the card production and provisioning facilities, and that alerts the security control room or a central monitoring service. The alarm system must also be able to identify the location and cause of the alarm, and allow authorized personnel to reset it. The alarm system must be operational 24/7, and must be tested at least annually. The vendor must also have procedures to respond to alarms and incidents, and to report them to the relevant parties. If the alarm system does not send alerts to the security control room, or a central monitoring service, during working hours, the vendor may not be able to comply with these requirements, and may not be able to prevent, detect, or respond to unauthorized access or security breaches. This may cause a problem for their assessment, as they may not meet the PCI Card Production and Provisioning Physical Security Requirements.
References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 9-10
A card production vendor employs a contracted guard service from an outside source.
What is one of the responsibilities of the contracted service?
- A . Provide only certified guards
- B . Register their service with the VPA
- C . Maintain their own liability insurance in case of losses to card material
- D . Undergo their own Card Production assessment and provide evidence of a passing result
C
Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for contracted guard services is to ensure that they maintain their own liability insurance in case of losses to card material. This is to protect the card production vendor from any financial losses or damages caused by the contracted guard service, such as negligence, theft, or misuse of card material. The contracted guard service should also comply with the vendor’s security policies and procedures, and undergo background checks and security training.
References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.2.1, Page 71
John works for ACME Inc Personalizers, an organization that personalizes payment cards as well as printing the corresponding PIN mailers for distribution directly to the cardholder.
Which of the following statements is true?
- A . If John is involved in card personalization then he must not be involved in the printing of the corresponding PINs
- B . If John is involved in card personalization, then he must never be involved in the card shipment process
- C . If John is involved in card personalization, then he must never be involved in PIN printing
- D . If John is involved in PIN printing, then he must never be involved in the card shipment process
The receptionist responsible for the entrance and departure of visitors must have which of the following?
- A . A shredder for the destruction of disposable visitor badges
- B . A constant, open communication channel with a guard
- C . An unobstructed view of the reception area at all times
- D . A means of communicating directly with the visitor while on the premises
C
Explanation:
According to the PCI Card Production Physical Security Requirements, the receptionist responsible for the entrance and departure of visitors must have an unobstructed view of the reception area at all times. This is to ensure that the receptionist can monitor and control the access of visitors, and to prevent any unauthorized entry or exit of personnel or materials. The receptionist must also have a means of verifying the identity of visitors, such as a photo ID or a visitor log, and a means of issuing and collecting visitor badges, such as a badge printer or a badge holder. The receptionist must also have a means of communicating with the security personnel or the security control room, such as a phone or an intercom, in case of any emergency or suspicious activity.
References:
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 21, requirement 5.3.1
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 22, requirement 5.3.2
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 23, requirement 5.3.3
An assessor is unsure if log review and interview is sufficient testing for a requirement. Who can best answer this question?
- A . Payment brands
- B . Issuing banks
- C . Vendor
- D . PCI SSC
D
Explanation:
The PCI SSC (Payment Card Industry Security Standards Council) is the organization that develops and maintains the PCI Card Production Standards and related validation requirements, programs, and supporting documentation. The PCI SSC also provides training and qualification for CPSA Companies and CPSA Employees to perform PCI Card Production Assessments. The PCI SSC is the best source of guidance and clarification for any questions or issues related to the assessment process, testing methods, reporting requirements, and interpretation of the standards. The assessor can contact the PCI SSC by email, phone, or online form, as specified in the CPSA Program Guide. The payment brands, issuing banks, and vendors are not responsible for defining or explaining the assessment requirements or testing methods, and may not have the same level of expertise or authority as the PCI SSC.
References:
Card Production Security Assessor (CPSA) Program Guide, Section 2.1 and 5.1
Card Production Security Assessor (CPSA) Qualification Requirements, Section 1.1 and 2.1
Reference: https://www.pcisecuritystandards.org/about_us/#:~:text=The%20PCI%20SSC%20mission%20is,and%20effective%20implementation%20by%20stakeholders
After reviewing their completed ROC and AOC, which state that they are compliant, the vendor wishes to be listed on PCI SSC’s list of Compliant Card Vendors.
How should you assist them with the listing process?
- A . Submit the full ROC to PCI SSC
- B . Submit only the AOC to PCI SSC
- C . Inform the vendor that PCI SSC does not list compliant vendors
- D . Inform the vendor that they must request a listing via the payment brand(s) that received their ROC
D
Explanation:
According to the CPSA Program Guide, PCI SSC does not list compliant card vendors on its website. The PCI SSC only lists the qualified CPSA Companies and CPSA Employees who are authorized to perform PCI Card Production Security Assessments. The PCI SSC also does not receive or review the full ROCs or AOCs from the card vendors or the CPSA Companies. The ROCs and AOCs are submitted by the CPSA Companies to the applicable payment brands that have contracted with the card vendors for card production and provisioning services. The payment brands are responsible for verifying the compliance status of the card vendors and determining whether to list them on their own websites or databases. Therefore, the CPSA Company should inform the vendor that they must request a listing via the payment brand(s) that received their ROC, and that the listing process may vary depending on the payment brand’s policies and procedures. The CPSA Company should also advise the vendor to maintain their compliance with the PCI Card Production Standards and to undergo annual assessments by a qualified CPSA Company.
To liberate a person detected inside of the inner shipping delivery room and stop the alarm, the software monitoring the access-control system must only allow the opening of which door?
- A . The external facing door
- B . The internal facing door
- C . The last activated door
- D . The least secure door
C
Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have a secure inner shipping delivery room that is equipped with an alarm system and an access-control system. The alarm system must be triggered when any door of the inner shipping delivery room is opened without proper authorization. The access-control system must only allow the opening of the last activated door to liberate a person detected inside of the inner shipping delivery room and stop the alarm. This is to prevent unauthorized access or exit from the inner shipping delivery room, and to ensure that only one door can be opened at a time.
References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 18-19