CPSA Qualification CPSA_P_New Exam Dumps and Certification Test Engine [Q15-Q39]

Share

(PDF) CPSA Qualification CPSA_P_New Exam and Certification Test Engine

Use CPSA_P_New Exam Dumps (2024 PDF Dumps) To Have Reliable CPSA_P_New Test Engine

NEW QUESTION # 15
The receptionist responsible for the entrance and departure of visitors must have which of the following?

  • A. An unobstructed view of the reception area at all times
  • B. A means of communicating directly with the visitor while on the premises
  • C. A constant, open communication channel with a guard
  • D. A shredder for the destruction of disposable visitor badges

Answer: A

Explanation:
Explanation
According to the PCI Card Production Physical Security Requirements, the receptionist responsible for the entrance and departure of visitors must have an unobstructed view of the reception area at all times. This is to ensure that the receptionist can monitor and control the access of visitors, and to prevent any unauthorized entry or exit of personnel or materials. The receptionist must also have a means of verifying the identity of visitors, such as a photo ID or a visitor log, and a means of issuing and collecting visitor badges, such as a badge printer or a badge holder. The receptionist must also have a means of communicating with the security personnel or the security control room, such as a phone or an intercom, in case of any emergency or suspicious activity. References:
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 21, requirement 5.3.1 PCI Card Production Physical Security Requirements, v2.0, April 2019, page 22, requirement 5.3.2 PCI Card Production Physical Security Requirements, v2.0, April 2019, page 23, requirement 5.3.3


NEW QUESTION # 16
An assessor is unsure if log review and interview is sufficient testing for a requirement. Who can best answer this question?

  • A. Vendor
  • B. Issuing banks
  • C. PCI SSC
  • D. Payment brands

Answer: C

Explanation:
Explanation
The PCI SSC (Payment Card Industry Security Standards Council) is the organization that develops and maintains the PCI Card Production Standards and related validation requirements, programs, and supporting documentation. The PCI SSC also provides training and qualification for CPSA Companies and CPSA Employees to perform PCI Card Production Assessments. The PCI SSC is the best source of guidance and clarification for any questions or issues related to the assessment process, testing methods, reporting requirements, and interpretation of the standards. The assessor can contact the PCI SSC by email, phone, or online form, as specified in the CPSA Program Guide1. The payment brands, issuing banks, and vendors are not responsible for defining or explaining the assessment requirements or testing methods, and may not have the same level of expertise or authority as the PCI SSC. References:
Card Production Security Assessor (CPSA) Program Guide, Section 2.1 and 5.1 Card Production Security Assessor (CPSA) Qualification Requirements, Section 1.1 and 2.1


NEW QUESTION # 17
A vendor wants to know if they will be penalized if their vault is not compliant. Who should they ask?

  • A. Issuing banks
  • B. PCI SSC
  • C. Payment brands
  • D. Assessor

Answer: C

Explanation:
Explanation
The PCI SSC does not enforce compliance, nor does it mandate penalties for non-compliance. Compliance with the PCI Card Production Standards is enforced by the payment brands. The payment brands may have their own compliance programs and may apply penalties or fines to entities that are not compliant or suffer a breach. Therefore, a vendor who wants to know if they will be penalized if their vault is not compliant should ask the payment brands that they work with or are contracted by. References:
Payment Card Industry (PCI) Card Production Security Assessors Program Guide, Version 1.0, April
2019, page 51
PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 62


NEW QUESTION # 18
Who is required to approve visitor entry to the HSA or cloud-based provisioning environment?

  • A. The Security Manager
  • B. Both the Security Manager and the Production Manager
  • C. The head of the vendor facility
  • D. The Security Manager, Production Manager, and the head of the vendor facility

Answer: A

Explanation:
Explanation
According to the PCI Card Production and Provisioning - Physical Security Requirements, the Security Manager is the person who is responsible for approving visitor entry to the High Security Area (HSA) or cloud-based provisioning environment. The HSA is the area where card production and provisioning activities take place, such as card manufacturing, personalization, PIN generation and printing, and fulfillment. The cloud-based provisioning environment is the logical equivalent of the HSA for entities that provide over-the-air (OTA) provisioning or host card emulation (HCE) provisioning services. The Security Manager must ensure that visitors have a legitimate business need toenter the HSA or cloud-based provisioning environment, and must authorize their access in advance. The Security Manager must also maintain a visitor log that records the visitor's name, company, date, time, and purpose of visit, as well as the escort's name and signature. The Security Manager must also ensure that visitors are escorted by authorized personnel at all times, and that they wear a distinctive visitor badge. The head of the vendor facility, the Production Manager, or any other person is not required to approve visitor entry to the HSA or cloud-based provisioning environment, unless they are also designated as the Security Manager by the vendor. References:
Payment Card Industry (PCI) Card Production and Provisioning - Physical Security Requirements, Section 3.1.1 and 3.1.2 Payment Card Industry (PCI) Card Production and Provisioning - Glossary of Terms, Abbreviations, and Acronyms, Definitions of Security Manager, High Security Area, Cloud-Based Provisioning Environment, OTA Provisioning, and HCE Provisioning


NEW QUESTION # 19
You are driving to a vendor for their first assessment. The facility is in a rural area, twenty miles away from the nearest large town. What most concerns you about the location?

  • A. Power blackouts may affect security systems
  • B. The local fire service may not be able to reach the facility within 15 minutes
  • C. There may not be adequate retail outlets, which may cause problems when sourcing lunch items for onsite personnel
  • D. Law enforcement services may not be able to reach the facility in a timely manner

Answer: D

Explanation:
Explanation
According to the PCI Card Production Physical Security Requirements, one of the objectives of physical security is to deter, detect, and delay unauthorized access to card production facilities and equipment. This objective requires that the facility has adequate security measures to prevent or respond to any physical attacks or intrusions, such as alarms, locks, cameras, guards, etc. However, these measures may not be sufficient if the facility is located in a rural area, where law enforcement services may not be able to reach the facility in a timely manner in case of an emergency. Therefore, the location of the facility may pose a risk to the security of card production and provisioning activities, and the CPSA should assess the adequacy of the facility's security plan and procedures to mitigate this risk. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 1, Page 41


NEW QUESTION # 20
In which of the following locations must the CCTV and access control servers be located?

  • A. Within a room in the HSA with security controls equivalent to the SCR applied
  • B. Within the SCR or a room with equivalent security
  • C. Within the Security Control Room (SCR)
  • D. Within the secure server room inside of the HSA

Answer: B

Explanation:
Explanation
According to the PCI Card Production Physical Security Requirements, the CCTV and access control servers must be located within the Security Control Room (SCR) or a room with equivalent security. This means that the room must have the same level of physical protection as the SCR, such as locks, alarms, sensors, cameras, and access control devices. The purpose of this requirement is to prevent unauthorized access, tampering, or theft of the servers that store and process sensitive data related to card production and security. References: PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16


NEW QUESTION # 21
The vendor's technical documentation shows that the alarm system does not send alerts to the security control room. After a discussion you learn that the alarm works perfectly, and sends a clear signal to summon the local police every time an emergency exit is opened. Why might this cause a problem for their assessment?

  • A. During busy times, the local police may not be able to respond
  • B. If the local police have not been issued with an exterior key. they will not be able to investigate the cause of the alarm and reset it
  • C. During working hours, the alarm should be managed in the security control room, or by a central monitoring service
  • D. If the local police receive too many false-positive alerts, they may not respond within 15 minutes of the alarm

Answer: C

Explanation:
Explanation
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have an alarm system that monitors and detects unauthorized access to the card production and provisioning facilities, and that alerts the security control room or a central monitoring service. The alarm system must also be able to identify the location and cause of the alarm, and allow authorized personnel to reset it. The alarm system must be operational 24/7, and must be tested at least annually. The vendor must also have procedures to respond to alarms and incidents, and to report them to the relevant parties. If the alarm system does not send alerts to the security control room, or a central monitoring service, during working hours, the vendor may not be able to comply with these requirements, and may not be able to prevent, detect, or respond to unauthorized access or security breaches. This may cause a problem for their assessment, as they may not meet the PCI Card Production and Provisioning Physical Security Requirements. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 9-101


NEW QUESTION # 22
During an assessment you ask to see employee records for employees with access to the HSA. The records include information about the screening process, including background information from the employee application process. The oldest background Information that is available is for an employee that left the vendor (terminated their contract) one year previously. You note this as non-compliant, why?

  • A. The vendor must only retain background information for all current employees, not for those that have been terminated
  • B. The vendor must retain the background information for at least 18 months after termination of contract
  • C. Employee information, including background checks, must be stored for at least seven years
  • D. Employee information must be securely destroyed (e.g. securely wiped) within 2 years (after termination of contract)

Answer: D

Explanation:
Explanation
According to the PCI Card Production Logical Security Requirements, the vendor must securely destroy all employee information, including background checks, within two years of the employee's termination of contract. This is to prevent unauthorized access to sensitive employee data and to comply with the PCI DSS requirement 3.1, which states that cardholder data must not be stored longer than necessary. The vendor must also have a documented policy and procedure for the secure destruction of employee information, and must maintain a log of all destruction activities. References:
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.1 PCI DSS, v3.2.1, May 2018, page 25, requirement 3.1


NEW QUESTION # 23
A vendor is unsure which forms are needed to complete an assessment. Who should they ask?

  • A. Assessor
  • B. Issuing banks
  • C. PCI SSC
  • D. Payment brands

Answer: A

Explanation:
Explanation
The assessor is the person who conducts the PCI Card Production Security Assessment and prepares the Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC). The assessor should be familiar with the forms that are needed to complete an assessment and provide guidance to the vendor on how to fill them out. The assessor should also ensure that the forms are consistent with the PCI Card Production Standards and the PCI CPSA Qualification Requirements. The other options are not the best sources of information for the vendor, as they may not be directly involved in the assessment process or have the expertise to advise on the forms. References:
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 81 PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 10 PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 3 PCI Card Production and Provisioning Attestation of Compliance, Version 1.0, April 2019, page 22


NEW QUESTION # 24
Where can misprinted, partially finished cards be shredded?

  • A. Only in the HSA destruction room
  • B. Either in the HSA printing room or destruction room
  • C. In any HSA room approved by the security manager
  • D. Either in the HSA destruction room or a loading bay that meets all requirements of a destruction room

Answer: A

Explanation:
Explanation
According to the PCI Card Production Physical Security Requirements, one of the security controls for card destruction is to ensure that misprinted, partially finished, or rejected cards are shredded only in the HSA destruction room. This is to prevent unauthorized access, theft, or misuse of the cards, which may contain sensitive data or features. The HSA destruction room should have adequate security measures, such as locks, alarms, cameras, etc., to protect the cards until they are shredded. The shredding process should render the cards unusable and unrecognizable, and the shredded material should be disposed of securely. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 5, Requirement 5.1.1, Page 111


NEW QUESTION # 25
If a vendor plans to terminate an employee, which of these must be done?

  • A. The employee's locker and desk must be searched prior to termination
  • B. The security manager must be notified in writing prior to termination
  • C. The employee must be escorted from the premises immediately
  • D. The Human Resources department must be notified prior to termination

Answer: B

Explanation:
Explanation
According to the PCI Card Production Logical Security Requirements, the vendor must have a formal employee termination process that includes notifying the security manager in writing prior to the termination of any employee who has access to cardholder data or sensitive authentication data. This is to ensure that the security manager can take appropriate actions to revoke the employee's access rights, credentials, and keys, and to prevent any unauthorized use or disclosure of cardholder data or sensitive authentication data by the terminated employee. The vendor must also have a documented policy and procedure for the employee termination process, and must maintain a log of all termination activities. References:
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.2 PCI Card Production Logical Security Requirements, v2.0, April 2019, page 20, requirement 6.1.3


NEW QUESTION # 26
Which of the following personnel changes must result in the vendor notifying the Vendor Program Administration (VPA)?

  • A. Any change to a role that directly affects the security of card products and related components
  • B. Adding additional rights to someone's role to give them access to the mam production vault
  • C. Promoting someone to senior management level
  • D. Hiring someone that will directly interact with the card issuers

Answer: A

Explanation:
Explanation
According to the PCI CPSA Qualification Requirements, one of the administrative requirements for CPSA Companies is to notify the VPA of any changes to the roles of CPSA Employees or other personnel that directly affect the security of card products and related components. This is to ensure that the CPSA Company maintains the quality and integrity of the CPSA Program and the PCI Card Production Security Standards. The VPA should be notified within 10 business days of the change, and the CPSA Company should provide evidence of the qualifications and training of theaffected personnel. References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 6.1.3, Page 121


NEW QUESTION # 27
Which of the following must every assessor do to maintain their CPSA certification?

  • A. Complete annual requalification training or complete 3 assessments for different facilities each year
  • B. Earn and document at least 20 hours of Continuing Professional Education (CPE) over 3 years
  • C. Submit evidence of internal training in a relevant area (as per the QRs)
  • D. Earn an additional professional certification from List A or B of the Qualification Requirements (QRs)

Answer: A

Explanation:
Explanation
According to the Card Production Security Assessor (CPSA) Qualification Requirements, CPSAs must maintain their qualification status by either completing the annual requalification training provided by PCI SSC or performing at least three (3) PCI Card Production Assessments for different facilities over the previous one-year period. This ensures that CPSAs remain current with technical and industry changes and demonstrate professionalism. References: Card Production Security Assessor (CPSA) Qualification Requirements, v1.1, March 2022, page 10


NEW QUESTION # 28
To liberate a person detected inside of the inner shipping delivery room and stop the alarm, the software monitoring the access-control system must only allow the opening of which door?

  • A. The last activated door
  • B. The internal facing door
  • C. The external facing door
  • D. The least secure door

Answer: A

Explanation:
Explanation
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have a secure inner shipping delivery room that is equipped with an alarm system and an access-control system. The alarm system must be triggered when any door of the inner shipping delivery room is opened without proper authorization. The access-control system must only allow the opening of the last activated door to liberate a person detected inside of the inner shipping delivery room and stop the alarm. This is to prevent unauthorized access or exit from the inner shipping delivery room, and to ensure that only one door can be opened at a time. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 18-191


NEW QUESTION # 29
When must HSA motion detectors generate an alarm event?

  • A. Each time movement is detected and the access-control system indicates the room is not occupied
  • B. Each time movement is detected outside of regular business hours
  • C. Each time movement is detected and the access-control system indicates the room is occupied
  • D. Each time movement is detected

Answer: A

Explanation:
Explanation
According to the PCI Card Production Physical Security Requirements, one of the security controls for high-security areas (HSAs) is to have motion detectors that generate an alarm event when movement is detected and the access-control system indicates the room is not occupied. This is to prevent unauthorized access or intrusion to the HSAs, where sensitive card production and provisioning activities take place. The motion detectors should be configured to cover all areas within the HSA and should be tested periodically to ensure proper functionality. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.1.1, Page 61


NEW QUESTION # 30
Which of the following security awareness measures is required for compliance?

  • A. Security awareness exams for all personnel
  • B. Security posters must be placed in the facility
  • C. Annual training on common attack methods
  • D. Annual training on use of mantraps

Answer: C

Explanation:
Explanation
According to the PCI Card Production and Provisioning Logical Security Requirements, the vendor must implement a formal security awareness program to make all personnel aware of the importance of card production and provisioning security. The security awareness program must include annual training on common attack methods, such as phishing, social engineering, malware, and ransomware, and how to prevent, detect, and report them. The security awareness program must also include training on the vendor's security policies and procedures, the roles and responsibilities of personnel, the applicable PCI Card Production and Provisioning Security Requirements, and the consequences of non-compliance. The vendor must also require all personnel to acknowledge at least annually that they have read and understood the security policies and procedures. The vendor must not use security posters alone, as they are not sufficient to meet the security awareness program requirements. The vendor may use security awareness exams for all personnel, but they are not mandatory for compliance. The vendor may also train personnel on the use of mantraps, but this is not relevant to the logical security requirements. References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages 28-291


NEW QUESTION # 31
For how long must a CPSA Company maintain workpapers and technical information obtained during an assessment?

  • A. 1 year
  • B. As long as the entity under assessment is a client of the CPSA Company
  • C. Until each applicable payment brand has accepted (and signed off) the ROC and AOC
  • D. 3 years

Answer: D

Explanation:
Explanation
According to the PCI CPSA Program Guide, a CPSA Company must maintain workpapers and technical information obtained during an assessment for a minimum of three years from the date of the assessment. The workpapers and technical information must be stored securely and made available to PCI SSC upon request.
The workpapers and technical information must include, but are not limited to, the following:
The Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC) The Card Production Entity's policies and procedures The Card Production Entity's network diagrams and data flow diagrams The results of any testing performed by the CPSA Company or the Card Production Entity The evidence of any remediation actions taken by the Card Production Entity The correspondence between the CPSA Company and the Card Production Entity The correspondence between the CPSA Company and the payment brands The feedback form completed by the Card Production Entity References:
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 111


NEW QUESTION # 32
In relation to guards, which of the following must the vendor ensure?

  • A. There is always at least one guard in the HSA and one guard in the security control room at all times
  • B. A clear segregation of duties is maintained between production staff and guards
  • C. A clear segregation of duties is maintained between guard and reception related job functions
  • D. There is always at least one guard on-site, including outside of working hours, to monitor security systems and premises

Answer: C

Explanation:
Explanation
According to the PCI Card Production Physical Security Requirements, the vendor must ensure that a clear segregation of duties is maintained between guard and reception related job functions. This is to prevent any conflict of interest or collusion that could compromise the security of the card production and provisioning processes or the cardholder data. The vendor must also ensure that the guards are adequately trained, supervised, and evaluated, and that they follow the security policies and procedures established by the vendor.
The vendor must also have a documented policy and procedure for the selection, hiring, and termination of guards, and must maintain a log of all guard activities. References:
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 24, requirement 6.1.1 PCI Card Production Physical Security Requirements, v2.0, April 2019, page 25, requirement 6.1.2 PCI Card Production Physical Security Requirements, v2.0, April 2019, page 26, requirement 6.1.3 PCI Card Production Physical Security Requirements, v2.0, April 2019, page 27, requirement 6.1.4


NEW QUESTION # 33
A vendor uses codes from a chip manufacturer to 'unlock' chips and prepare them for use by adding applications and keys. Which of the following best describes this process?

  • A. Data preparation
  • B. Pre-personalization
  • C. Manufacture
  • D. Data creation

Answer: B

Explanation:
Explanation
According to the PCI Card Production and Provisioning Logical Security Requirements, pre-personalization is the process of unlocking the chip and loading the applications and keys onto the chip. This process is performed by the vendor using codes provided by the chip manufacturer. The codes are used to authenticate the vendor and enable the chip to accept the applications and keys. The pre-personalization process prepares the chip for the subsequent personalization process, where the chip is associated with a specific cardholder account andactivated. The pre-personalization process is different from data creation, data preparation, and manufacture, which are other processes involved in card production and provisioning. References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages
6-71


NEW QUESTION # 34
Which of the following statements is true in relation to visitor access badges?

  • A. Each visitor entering the facility must be issued and must visibly wear a disposable ID badge that identifies them as a non-employee
  • B. Each visitor entering the facility must wear their issued access badge above waist height
  • C. Unissued visitor access badges must be securely stored
  • D. Badges with access-controls must not be issued to visitors

Answer: A


NEW QUESTION # 35
Before you go on-site, the vendor's primary contact communicates a legitimate reason for delaying the assessment for several months. Who can approve the change in the report delivery schedule?

  • A. Affected issuers
  • B. PCI SSC
  • C. Payment brands
  • D. Vendor senior management

Answer: B

Explanation:
Explanation
According to the PCI CPSA Qualification Requirements, one of the administrative requirements for CPSA Companies is to adhere to the report delivery schedule as defined by the PCI SSC. The report delivery schedule specifies the deadlines for submitting the PCI Card Production Reports on Compliance (ROCs) and Attestations of Compliance (AOCs) to the PCI SSC and the payment brands. The report delivery schedule also defines the circumstances under which a CPSA Company may request an extension or a waiver of the report delivery deadline. The PCI SSC is the only entity that can approve the change in the report delivery schedule, and the CPSA Company must submit a written request to the PCI SSC with a valid reason for the delay and the proposed new delivery date. The PCI SSC will review the request and notify the CPSA Company of its decision. The PCI SSC may also notify the payment brands and the affected issuers of the change in the report delivery schedule. References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 6.1.4, Page 121


NEW QUESTION # 36
......

CPSA_P_New Dumps Full Questions with Free PDF Questions to Pass: https://troytec.validtorrent.com/CPSA_P_New-valid-exam-torrent.html