Title: [Jan 26, 2024] Fully Updated Free Actual PCI CPSA_P_New Exam Questions [Q21-Q43]

NEW QUESTION 21
Which of the following best describes a Technical FAQ?
- Technical FAQs only apply to the specific technology as the FAQ defines it
- Technical FAQs can be submitted to PCI SSC at any time
- Use of the Technical FAQs is mandatory; they shall be used during an assessment
- Use of the Technical FAQs is optional; they are considered guidance

Explanation:
According to the PCI CPSA Qualification Requirements, Technical FAQs are documents that provide guidance on specific technical topics related to the PCI Card Production Security Standards. Technical FAQs are not mandatory, but they are recommended to be used by CPSA Companies and CPSA Employees during the card production assessment process. Technical FAQs are intended to help clarify the intent and applicability of the PCI Card Production Security Requirements, and to provide examples and best practices for achieving compliance. Technical FAQs are published by the PCI SSC on its website, and are updated periodically based on feedback from the card production industry and the payment brands.

References:
PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 4.2, Page 81

NEW QUESTION 22
Which of the following personnel changes must result in the vendor notifying the Vendor Program Administration (VPA)?
- Adding additional rights to someone's role to give them access to the main production vault
- Any change to a role that directly affects the security of card products and related components
- Hiring someone that will directly interact with the card issuers
- Promoting someone to senior management level

Explanation:
According to the PCI CPSA Qualification Requirements, one of the administrative requirements for CPSA Companies is to notify the VPA of any changes to the roles of CPSA Employees or other personnel that directly affect the security of card products and related components. This is to ensure that the CPSA Company maintains the quality and integrity of the CPSA Program and the PCI Card Production Security Standards. The VPA should be notified within 10 business days of the change, and the CPSA Company should provide evidence of the qualifications and training of the affected personnel.

References:
PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 6.1.3, Page 121

NEW QUESTION 23
A vendor is unsure which forms are needed to complete an assessment. Who should they ask?
- Payment brands
- Issuing banks
- PCI SSC
- Assessor

NEW QUESTION 24
During an assessment you walk the perimeter of the building with a guard. You find an emergency exit door from the facility and ask the guard what is on the other side. The guard can't remember, and so uses their assigned, secure key to open the door and show you a corridor within the facility. What most concerns you about the situation?
- The exit door should not lead into the facility
- The exit door should not be capable of being opened from the outside
- The guard should not have forgotten where the door leads to
- The guard should have sought permission from their manager before opening the door

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, emergency exit doors must be equipped with devices that prevent unauthorized entry from the outside, such as panic bars, crash bars, or push pads. These devices allow the door to be opened from the inside without a key or a code, but prevent the door from being opened from the outside by unauthorized persons. Therefore, the most concerning aspect of the situation is that the exit door can be opened from the outside with a key, which creates a security risk for the facility. The other options are not as concerning, as they do not directly affect the security of the exit door. The exit door can lead into the facility as long as it provides a safe and unobstructed path to the exit discharge. The guard's memory lapse is not a major issue, as long as they follow the proper procedures and protocols for opening the door. The guard's permission from their manager is not relevant, as long as they have the authority and the responsibility to open the door for inspection purposes.

References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 171
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 181

NEW QUESTION 25
A vendor is unsure which forms are needed to complete an assessment. Who should they ask?
- Assessor
- Issuing banks
- Payment brands
- PCI SSC

Explanation:
The assessor is the person who conducts the PCI Card Production Security Assessment and prepares the Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC). The assessor should be familiar with the forms that are needed to complete an assessment and provide guidance to the vendor on how to fill them out. The assessor should also ensure that the forms are consistent with the PCI Card Production Standards and the PCI CPSA Qualification Requirements. The other options are not the best sources of information for the vendor, as they may not be directly involved in the assessment process or have the expertise to advise on the forms.

References:
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 81
PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 10
PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 3
PCI Card Production and Provisioning Attestation of Compliance, Version 1.0, April 2019, page 22

NEW QUESTION 26
A vendor has a list of pre-approved third parties which may be granted access to the facility. Under what circumstances can other third parties be granted access?
- None, only people on the pre-approved list may enter
- When they are approved by the physical security manager or senior management
- When the third party's liability insurance covers the risk
- When no card production activities are taking place

Explanation:
According to the PCI Card Production Logical Security Requirements, vendors must have a list of pre-approved third parties that are authorized to access the facility and the systems involved in card production. However, other third parties may be granted access under exceptional circumstances, such as emergency repairs or maintenance, provided that they are approved by the physical security manager or senior management. The vendor must also ensure that the third parties comply with the security policies and procedures, and that their access is logged and monitored.

References:
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 13

NEW QUESTION 27
You wish to check that you are using the most current version of the Card Production requirements. What should you do?
- Have the CPSA Company's point of contact request the document
- Download it from PCI SSC's Document Library
- Email a request for the document to PCI SSC
- View it directly via PCI SSC Assessor Portal

Explanation:
The best way to check that you are using the most current version of the Card Production requirements is to download it from PCI SSC's Document Library. The PCI SSC's Document Library is a repository of all the PCI standards, guidelines, and supporting documents that are developed and maintained by the PCI SSC. The Document Library is accessible to the public and provides the latest versions of the documents, as well as the summary of changes and the effective dates. The Document Library also allows you to search, filter, and sort the documents by category, type, date, and keyword. Therefore, by downloading the Card Production requirements from the Document Library, you can ensure that you have the most up-to-date and authoritative version of the requirements. The other options are not the best ways to check the version of the Card Production requirements, as they may not be reliable, efficient, or available. Having the CPSA Company's point of contact request the document may not be feasible, as the point of contact may not have the authority, the access, or the time to do so. Emailing a request for the document to PCI SSC may not be effective, as the PCI SSC may not respond promptly or provide the document in the format that you need. Viewing the document directly via the PCI SSC Assessor Portal may not be possible, as the Assessor Portal may not have the latest version of the document or may require a login credential that you do not have.

References:
PCI SSC Document Library
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 52

NEW QUESTION 28
When must HSA motion detectors generate an alarm event?
- Each time movement is detected
- Each time movement is detected outside of regular business hours
- Each time movement is detected and the access-control system indicates the room is occupied
- Each time movement is detected and the access-control system indicates the room is not occupied

Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for high-security areas (HSAs) is to have motion detectors that generate an alarm event when movement is detected and the access-control system indicates the room is not occupied. This is to prevent unauthorized access or intrusion to the HSAs, where sensitive card production and provisioning activities take place. The motion detectors should be configured to cover all areas within the HSA and should be tested periodically to ensure proper functionality.

References:
PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.1.1, Page 61

NEW QUESTION 29
During an assessment you ask to see employee records for employees with access to the HSA. The records include information about the screening process, including background information from the employee application process. The oldest background information that is available is for an employee that left the vendor (terminated their contract) one year previously. You note this as non-compliant. Why?
- Employee information, including background checks, must be stored for at least seven years
- Employee information must be securely destroyed (e.g. securely wiped) within 2 years (after termination of contract)
- The vendor must retain the background information for at least 18 months after termination of contract
- The vendor must only retain background information for all current employees, not for those that have been terminated

Explanation:
According to the PCI Card Production Logical Security Requirements, the vendor must securely destroy all employee information, including background checks, within two years of the employee's termination of contract. This is to prevent unauthorized access to sensitive employee data and to comply with the PCI DSS requirement 3.1, which states that cardholder data must not be stored longer than necessary. The vendor must also have a documented policy and procedure for the secure destruction of employee information, and must maintain a log of all destruction activities.

References:
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.1
PCI DSS, v3.2.1, May 2018, page 25, requirement 3.1

NEW QUESTION 30
In which of the following locations must the CCTV and access control servers be located?
- Within the secure server room inside of the HSA
- Within the Security Control Room (SCR)
- Within a room in the HSA with security controls equivalent to the SCR applied
- Within the SCR or a room with equivalent security

Explanation:
According to the PCI Card Production Physical Security Requirements, the CCTV and access control servers must be located within the Security Control Room (SCR) or a room with equivalent security. This means that the room must have the same level of physical protection as the SCR, such as locks, alarms, sensors, cameras, and access control devices. The purpose of this requirement is to prevent unauthorized access, tampering, or theft of the servers that store and process sensitive data related to card production and security.

References:
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16

NEW QUESTION 31
Who is required to approve visitor entry to the HSA or cloud-based provisioning environment?
- The head of the vendor facility
- The Security Manager
- Both the Security Manager and the Production Manager
- The Security Manager, Production Manager, and the head of the vendor facility

Explanation:
According to the PCI Card Production and Provisioning – Physical Security Requirements, the Security Manager is the person who is responsible for approving visitor entry to the High Security Area (HSA) or cloud-based provisioning environment. The HSA is the area where card production and provisioning activities take place, such as card manufacturing, personalization, PIN generation and printing, and fulfillment. The cloud-based provisioning environment is the logical equivalent of the HSA for entities that provide over-the-air (OTA) provisioning or host card emulation (HCE) provisioning services. The Security Manager must ensure that visitors have a legitimate business need to enter the HSA or cloud-based provisioning environment, and must authorize their access in advance. The Security Manager must also maintain a visitor log that records the visitor's name, company, date, time, and purpose of visit, as well as the escort's name and signature. The Security Manager must also ensure that visitors are escorted by authorized personnel at all times, and that they wear a distinctive visitor badge. The head of the vendor facility, the Production Manager, or any other person is not required to approve visitor entry to the HSA or cloud-based provisioning environment, unless they are also designated as the Security Manager by the vendor.

References:
Payment Card Industry (PCI) Card Production and Provisioning – Physical Security Requirements, Section 3.1.1 and 3.1.2
Payment Card Industry (PCI) Card Production and Provisioning – Glossary of Terms, Abbreviations, and Acronyms, Definitions of Security Manager, High Security Area, Cloud-Based Provisioning Environment, OTA Provisioning, and HCE Provisioning

NEW QUESTION 32
How frequently must alarms on external doors of a card production and provisioning vendor environment be tested?
- Every day
- Every week
- Every month
- Every 3 months

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must test all alarms on external doors of the card production and provisioning vendor environment at least every month. The vendor must also document the results of the tests and retain them for at least one year. The vendor must also have procedures to respond to any alarms or incidents, and to report them to the relevant parties. The vendor must not test the alarms less frequently than every month, as this may compromise the security and integrity of the card production and provisioning vendor environment and increase the risk of unauthorized access or theft.

References:
PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 9-101

NEW QUESTION 33
Where can misprinted, partially finished cards be shredded?
- In any HSA room approved by the security manager
- Either in the HSA printing room or destruction room
- Only in the HSA destruction room
- Either in the HSA destruction room or a loading bay that meets all requirements of a destruction room

Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for card destruction is to ensure that misprinted, partially finished, or rejected cards are shredded only in the HSA destruction room. This is to prevent unauthorized access, theft, or misuse of the cards, which may contain sensitive data or features. The HSA destruction room should have adequate security measures, such as locks, alarms, cameras, etc., to protect the cards until they are shredded. The shredding process should render the cards unusable and unrecognizable, and the shredded material should be disposed of securely.

References:
PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 5, Requirement 5.1.1, Page 111

NEW QUESTION 34
Which of the following statements is true about the facility's non-emergency exits?
- They must be contact-alarm monitored only when card production activities are taking place
- They must be configured to prevent staff tailgating
- They may be left unlocked when a guard is present
- They must be fitted with biometric access-control devices

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must ensure that all non-emergency exits are configured to prevent staff tailgating. Tailgating is the act of following someone closely through a door or other entry point without proper authorization. The vendor must use access-control devices, such as turnstiles, mantraps, or biometric readers, to prevent tailgating and unauthorized access or exit. The vendor must also monitor and alarm all non-emergency exits 24/7, and have procedures to respond to any alarms or incidents. The vendor must not leave any non-emergency exits unlocked, even when a guard is present, as this may compromise the security of the facility and the card production and provisioning materials.

References:
PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 8-91

NEW QUESTION 35
Which of the following must be used by the vendor to protect doors that provide access to buildings containing air conditioning equipment?
- Security tape that will leave an observable trace each time a door is opened
- Electrical contacts that log each open and close event to a secure system memory
- Magnetic contacts that are permanently alarmed and that are connected to the security control-room panels
- Physical locks with a limited set of keys under constant supervision by a guard in the security control-room

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must use magnetic contacts that are permanently alarmed and that are connected to the security control-room panels to protect doors that provide access to buildings containing air conditioning equipment. The vendor must also ensure that the air conditioning equipment is located in a secure area that is not accessible to unauthorized personnel, and that the air conditioning system is monitored and maintained to prevent unauthorized access or tampering. The vendor must also have procedures to respond to any alarms or incidents related to the air conditioning system, and to report them to the relevant parties. The vendor must not use security tape, electrical contacts, or physical locks alone, as these may not provide adequate protection or detection of unauthorized access or tampering.

References:
PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 21-221

NEW QUESTION 36
Which of these are guards allowed access to?
- HSAs
- Audit logs
- Loading bays
- Physical master keys that provide access to card production or provisioning areas

Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for contracted guard services is to ensure that they have limited access to card production or provisioning areas, and that they do not have access to HSAs, audit logs, or physical master keys that provide access to card production or provisioning areas. This is to prevent unauthorized access, theft, or misuse of card material or data by the contracted guard service. However, the contracted guard service may have access to loading bays, as long as they are escorted by authorized personnel and do not handle or interfere with card shipments.

References:
PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.2.1, Page 71

NEW QUESTION 37
Which of the following must every assessor do to maintain their CPSA certification?
- Complete annual requalification training or complete 3 assessments for different facilities each year
- Earn and document at least 20 hours of Continuing Professional Education (CPE) over 3 years
- Earn an additional professional certification from List A or B of the Qualification Requirements (QRs)
- Submit evidence of internal training in a relevant area (as per the QRs)

Explanation:
According to the Card Production Security Assessor (CPSA) Qualification Requirements, CPSAs must maintain their qualification status by either completing the annual requalification training provided by PCI SSC or performing at least three (3) PCI Card Production Assessments for different facilities over the previous one-year period. This ensures that CPSAs remain current with technical and industry changes and demonstrate professionalism.

References:
Card Production Security Assessor (CPSA) Qualification Requirements, v1.1, March 2022, page 10

NEW QUESTION 38
A vendor's HSA access is enforced by a security turnstile; they have a logical access-control system that ensures anti-pass-back. The device is functioning correctly. When must the status of the access change?
- Only when an unauthorised badge is presented
- Only when the person has successfully completed the access cycle
- Upon initial entry of the person into the device, prior to completion of the access cycle
- Upon initial presentation of an authorised badge, prior to completion of the access cycle

Explanation:
According to the PCI Card Production Logical Security Requirements, a vendor's HSA access must be enforced by a security turnstile that has a logical access-control system that ensures anti-pass-back. This means that the system must prevent a person from using the same badge to enter or exit the HSA more than once without completing the access cycle. The access cycle is the process of entering or exiting the HSA through the turnstile, which may involve biometric verification, PIN entry, or other authentication methods. The status of the access must change upon initial presentation of an authorised badge, prior to completion of the access cycle, to prevent another person from using the same badge to enter or exit the HSA. For example, if a person presents an authorised badge to enter the HSA, the system must register that the badge is inside the HSA and deny access to anyone else who tries to use the same badge until the person exits the HSA with the same badge.

References:
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 12

NEW QUESTION 39
Which of the following statements about unsolicited visitors is true?
- They must be turned away
- They must complete an NDA before entry is granted
- They must be able to prove a legitimate reason for their visit prior to entry
- They must be registered, their identities confirmed, and must be allocated an escort before entry

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, unsolicited visitors are defined as "individuals who do not have a pre-arranged appointment or a legitimate reason for visiting the Card Production Entity". The requirement for dealing with unsolicited visitors is that they must be registered, their identities confirmed, and must be allocated an escort before entry. The escort must accompany the unsolicited visitor at all times and ensure that they do not access any restricted areas or sensitive information. The other options are not true statements about unsolicited visitors, as they may not comply with the PCI Card Production Standards or the best practices for physical security.

References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 101
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 111

NEW QUESTION 40
Which of these is a requirement of the security control room?
- Access must be controlled by a physical key (in case of power-failure)
- Access must be monitored in real-time
- At least one guard must be present at all times
- Dual-control must be used to grant entry

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the security control room is the area where the security systems are monitored and controlled. The requirement for the security control room is that access must be monitored in real-time by a guard or an automated system that alerts the guard of any unauthorized access attempts. The security control room must also be protected by physical barriers and access control devices that prevent unauthorized entry. The other options are not requirements of the security control room, although they may be implemented as additional security measures.

References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 151
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 161

NEW QUESTION 41
If a vendor plans to terminate an employee, which of these must be done?
- The employee must be escorted from the premises immediately
- The employee's locker and desk must be searched prior to termination
- The Human Resources department must be notified prior to termination
- The security manager must be notified in writing prior to termination

Explanation:
According to the PCI Card Production Logical Security Requirements, the vendor must have a formal employee termination process that includes notifying the security manager in writing prior to the termination of any employee who has access to cardholder data or sensitive authentication data. This is to ensure that the security manager can take appropriate actions to revoke the employee's access rights, credentials, and keys, and to prevent any unauthorized use or disclosure of cardholder data or sensitive authentication data by the terminated employee. The vendor must also have a documented policy and procedure for the employee termination process, and must maintain a log of all termination activities.

References:
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.2
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 20, requirement 6.1.3

Post date: 2024-01-26 11:52:48