PCI SSC CPSA_P_New Card Production Security AssessorCPSA Physical NewExam Exam Practice Test

According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must ensure that all non-emergency exits are configured to prevent staff tailgating. Tailgating is the act of following someone closely through a door or other entry point without proper authorization. The vendor must use access-control devices, such as turnstiles, mantraps, or biometric readers, to prevent tailgating and unauthorized access or exit. The vendor must also monitor and alarm all non-emergency exits 24/7, and have procedures to respond to any alarms or incidents. The vendor must not leave any non-emergency exits unlocked, even when a guard is present, as this may compromise the security of the facility and the card production andprovisioning materials. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 8-91

According to the PCI Card Production Logical Security Requirements, the vendor must securely destroy all employee information, including background checks, within two years of the employee’s termination of contract. This is to prevent unauthorized access to sensitive employee data and to comply with the PCI DSS requirement 3.1, which states that cardholder data must not be stored longer than necessary. The vendor must also have a documented policy and procedure for the secure destruction of employee information, and must maintain a log of all destruction activities. References:

• PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.1
• PCI DSS, v3.2.1, May 2018, page 25, requirement 3.1

The Attestation of Compliance (AOC) is the document that describes the results of a PCI Card Production Assessment, and is signed by both the CPSA and the vendor executive officer. The AOC is a summary of the findings and conclusions of the assessment, and indicates whether the vendor meets the PCI Card Production Logical Security Requirements and/or the PCI Card Production Physical Security Requirements. The AOC must be completed using the template provided by PCI SSC, and must be submitted to PCI SSC along with the Report on Compliance (ROC) and other supporting documents. The AOC must also be provided to the vendor’s clients upon request. References:

• PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 11, requirement 7.1.1
• PCI Card Production and Provisioning Attestation of Compliance, v2.0, April 2019, page 1, section 1

According to the PCI Card Production and Provisioning Physical Security Requirements, the HSA Access Control system must enforce both dual control and dual presence principles. Dual control means that at least two authorized individuals must act together to perform a critical function or access a sensitive area. Dual presence means that at least two authorized individuals must be physically present in the same area at all times. These principles are intended to prevent unauthorized or fraudulent activities by requiring mutual supervision and accountability. Therefore, the HSA Access Control system must ensure that no single individual can enter, exit, or operate within the HSA without the cooperation and the presence of another authorized individual. References:

• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 121
• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 131

According to the PCI Card Production and Provisioning Physical Security Requirements, unsolicited visitors are defined as “individuals who do not have a pre-arranged appointment or a legitimate reason for visiting the Card Production Entity”. The requirement for dealing with unsolicited visitors is that they must be registered, their identities confirmed, and must be allocated an escort before entry. The escort must accompany the unsolicited visitor at all times and ensure that they do not access any restricted areas or sensitive information. The other options are not true statements about unsolicited visitors, as they may not comply with the PCI Card Production Standards or the best practices for physical security. References:

• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 101
• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 111

According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have an alarm system that monitors and detects unauthorized access to the card production and provisioning facilities, and that alerts the security control room or a central monitoring service. The alarm system must also be able to identify the location and cause of the alarm, and allow authorized personnel to reset it. The alarm system must be operational 24/7, and must be tested at least annually. The vendor must also have procedures to respond to alarms and incidents, and to report them to the relevant parties. If the alarm system does not send alerts to the security control room, or a central monitoring service, during working hours, the vendor may not be able to comply with these requirements, and may not be able to prevent, detect, or respond to unauthorized access or security breaches. This may cause a problem for their assessment, as they may not meet the PCI Card Production and Provisioning Physical Security Requirements. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 9-101

According to the PCI Card Production and Provisioning Logical Security Requirements, the vendor must implement a formal security awareness program to make all personnel aware of the importance of card production and provisioning security. The security awareness program must include annual training on common attack methods, such as phishing, social engineering, malware, and ransomware, and how to prevent, detect, and report them. The security awareness program must also include training on the vendor’s security policies and procedures, the roles and responsibilities of personnel, the applicable PCI Card Production and Provisioning Security Requirements, and the consequences of non-compliance. The vendor must also require all personnel to acknowledge at least annually that they have read and understood the security policies and procedures. The vendor must not use security posters alone, as they are not sufficient to meet the security awareness program requirements. The vendor may use security awareness exams for all personnel, but they are not mandatory for compliance. The vendor may also train personnel on the use of mantraps, but this is not relevant to the logical security requirements. References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages 28-291

According to the PCI CPSA Program Guide, a CPSA Company must maintain workpapers and technical information obtained during an assessment for a minimum of three years from the date of the assessment. The workpapers and technical information must be stored securely and made available to PCI SSC upon request. The workpapers and technical information must include, but are not limited to, the following:

• The Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC)
• The Card Production Entity’s policies and procedures
• The Card Production Entity’s network diagrams and data flow diagrams
• The results of any testing performed by the CPSA Company or the Card Production Entity
• The evidence of any remediation actions taken by the Card Production Entity
• The correspondence between the CPSA Company and the Card Production Entity
• The correspondence between the CPSA Company and the payment brands
• The feedback form completed by the Card Production Entity References:
• PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 111

 According to the PCI Card Production Physical Security Requirements, the receptionist responsible for the entrance and departure of visitors must have an unobstructed view of the reception area at all times. This is to ensure that the receptionist can monitor and control the access of visitors, and to prevent any unauthorized entry or exit of personnel or materials. The receptionist must also have a means of verifying the identity of visitors, such as a photo ID or a visitor log, and a means of issuing and collecting visitor badges, such as a badge printer or a badge holder. The receptionist must also have a means of communicating with the security personnel or the security control room, such as a phone or an intercom, in case of any emergency or suspicious activity. References:

• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 21, requirement 5.3.1
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 22, requirement 5.3.2
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 23, requirement 5.3.3

According to the PCI Card Production Physical Security Requirements, one of the security controls for high-security areas (HSAs) is to have motion detectors that generate an alarm event when movement is detected and the access-control system indicates the room is not occupied. This is to prevent unauthorized access or intrusion to the HSAs, where sensitive card production and provisioning activities take place. The motion detectors should be configured to cover all areas within the HSA and should be tested periodically to ensure proper functionality. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.1.1, Page 61

Data preparation is the process of creating cardholder data and keys for each card, and formatting them for the hardware that will put them on a card. Data preparation involves the use of an HSM to generate keys and encrypt data, and the creation of an encrypted file that contains the cardholder data and keys. Data preparation is one of the steps in the card production lifecycle, and it precedes the manufacture and personalization of the cards. References:

• Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 10
• PCI Card Production Logical Security Requirements, v2.0, April 2019, page 9
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 9

The PCI SSC is the best-placed organization to answer a query about a missing field in the card production reporting template, as they are the ones who develop and maintain the template and the standards. The card production reporting template is the mandatory template for use in completing a Card Production Report on Compliance (ROC), which provides detail on how to document the findings of a PCI Card Production Assessment. The template is based on the PCI Card Production and Provisioning LogicalSecurity Requirements and the PCI Card Production and Provisioning Physical Security Requirements, which are also developed and maintained by the PCI SSC. Therefore, the PCI SSC has the authority and the expertise to clarify any issues or questions regarding the template and the standards. The other options are not the best sources of information for the query, as they may not have the same level of knowledge or involvement in the template and the standards. References:

• PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 31
• PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 52
• PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 82

According to the PCI Card Production and Provisioning – Physical Security Requirements, the Security Manager is the person who is responsible for approving visitor entry to the High Security Area (HSA) or cloud-based provisioning environment. The HSA is the area where card production and provisioning activities take place, such as card manufacturing, personalization, PIN generation and printing, and fulfillment. The cloud-based provisioning environment is the logical equivalent of the HSA for entities that provide over-the-air (OTA) provisioning or host card emulation (HCE) provisioning services. The Security Manager must ensure that visitors have a legitimate business need toenter the HSA or cloud-based provisioning environment, and must authorize their access in advance. The Security Manager must also maintain a visitor log that records the visitor’s name, company, date, time, and purpose of visit, as well as the escort’s name and signature. The Security Manager must also ensure that visitors are escorted by authorized personnel at all times, and that they wear a distinctive visitor badge. The head of the vendor facility, the Production Manager, or any other person is not required to approve visitor entry to the HSA or cloud-based provisioning environment, unless they are also designated as the Security Manager by the vendor. References:

• Payment Card Industry (PCI) Card Production and Provisioning – Physical Security Requirements, Section 3.1.1 and 3.1.2
• Payment Card Industry (PCI) Card Production and Provisioning – Glossary of Terms, Abbreviations, and Acronyms, Definitions of Security Manager, High Security Area, Cloud-Based Provisioning Environment, OTA Provisioning, and HCE Provisioning

According to the PCI Card Production Physical Security Requirements, one of the security controls for contracted guard services is to ensure that they maintain their own liability insurance in case of losses to card material. This is to protect the card production vendor from any financial losses or damages caused by the contracted guard service, such as negligence,theft, or misuse of card material. The contracted guard service should also comply with the vendor’s security policies and procedures, and undergo background checks and security training. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.2.1, Page 71