Practice Free CPSA_P_New Exam Online Questions
Question #11
Where can misprinted, partially finished cards be shredded?
- A . In any HSA room approved by the security manager
- B . Either in the HSA printing room or destruction room
- C . Only in the HSA destruction room
- D . Either in the HSA destruction room or a loading bay that meets all requirements of a destruction room
Correct Answer: C
Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for card destruction is to ensure that misprinted, partially finished, or rejected cards are shredded only in the HSA destruction room. This prevents unauthorized access to, theft of, or misuse of the cards, which may carry sensitive data or security features. The HSA destruction room must have adequate security measures, such as locks, alarms and cameras, to protect the cards until they are shredded. The shredding process must render the cards unusable and unrecognizable, and the shredded material must be disposed of securely.
References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 5, Requirement 5.1.1, Page 111
Question #12
A vendor is unsure which forms are needed to complete an assessment. Who should they ask?
- A . Assessor
- B . Issuing banks
- C . Payment brands
- D . PCI SSC
Correct Answer: A
Explanation:
The assessor is the person who conducts the PCI Card Production Security Assessment and prepares the Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC). The assessor should be familiar with the forms that are needed to complete an assessment and provide guidance to the vendor on how to fill them out. The assessor should also ensure that the forms are consistent with the PCI Card Production Standards and the PCI CPSA Qualification Requirements. The other options are not the best sources of information for the vendor, as they may not be directly involved in the assessment process or have the expertise to advise on the forms.
References:
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 81
PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 10
PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 3
PCI Card Production and Provisioning Attestation of Compliance, Version 1.0, April 2019, page 22
Question #13
Which of these is a requirement of the security control room?
- A . Access must be controlled by a physical key (in case of power-failure)
- B . Access must be monitored in real-time
- C . At least one guard must be present at all times
- D . Dual-control must be used to grant entry
Correct Answer: B
Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the security control room is the area where the security systems are monitored and controlled. The requirement for the security control room is that access must be monitored in real-time by a guard or an automated system that alerts the guard of any unauthorized access attempts. The security control room must also be protected by physical barriers and access control devices that prevent unauthorized entry. The other options are not requirements of the security control room, although they may be implemented as additional security measures.
References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 151
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 161
Question #14
Which of the following statements is true in relation to visitor access badges?
- A . Each visitor entering the facility must be issued and must visibly wear a disposable ID badge that identifies them as a non-employee
- B . Each visitor entering the facility must wear their issued access badge above waist height
- C . Badges with access-controls must not be issued to visitors
- D . Unissued visitor access badges must be securely stored
Correct Answer: A
Explanation:
Reference: https://www.idsecurityonline.com/blog/visitor-badges-essential.htm
According to the PCI Card Production Physical Security Requirements, the vendor must have a visitor access control policy and procedure that includes issuing, and requiring the visitor to visibly wear, a disposable ID badge that identifies the visitor as a non-employee. This ensures that visitors are easily distinguishable from employees and authorized personnel, and prevents unauthorized access to cardholder data or sensitive areas. The visitor ID badge must be collected and destroyed at the end of the visit, and the vendor must maintain a visitor log that records the visitor’s name, company, purpose of visit, date and time of entry and exit, and escort name.
References:
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 21, requirement 5.4.1
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 22, requirement 5.4.2
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 23, requirement 5.4.3
Question #15
If you have a query about a missing field in the card production reporting template, which organization is best-placed to answer it?
- A . The payment brands
- B . The vendor
- C . The issuer
- D . PCI SSC
Correct Answer: D
Explanation:
The PCI SSC is the best-placed organization to answer a query about a missing field in the card production reporting template, as they are the ones who develop and maintain the template and the standards. The card production reporting template is the mandatory template for use in completing a Card Production Report on Compliance (ROC), which provides detail on how to document the findings of a PCI Card Production Assessment. The template is based on the PCI Card Production and Provisioning Logical Security Requirements and the PCI Card Production and Provisioning Physical Security Requirements, which are also developed and maintained by the PCI SSC. Therefore, the PCI SSC has the authority and the expertise to clarify any issues or questions regarding the template and the standards. The other options are not the best sources of information for the query, as they may not have the same level of knowledge or involvement in the template and the standards.
References:
PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 31
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 52
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 82