CPSA_P_New Sample Questions Answers

According to the PCI Card Production and Provisioning Template for Report on Compliance, for each requirement listed in a ROC, all types of findings must have a full narrative response. A finding is the result of the assessor’s evaluation of the entity’s compliance status for each requirement. The types of findings are:

• Compliant: The entity meets the requirement as stated in the PCI Card Production Standards.
• Non-Compliant: The entity does not meet the requirement as stated in the PCI Card Production Standards.
• Not Applicable: The requirement does not apply to the entity’s environment or operations.
• Not Tested: The requirement was not tested by the assessor for a valid reason.
• New: The entity has implemented a new process, system, or control that affects the requirement since the last assessment.
• Closed: The entity has remediated a previous non-compliant finding and has provided sufficient evidence to the assessor.

A full narrative response is a detailed explanation of the finding, including the following elements:

• The scope of testing performed by the assessor to evaluate the requirement
• The testing procedures and tools used by the assessor
• The sampling methodology and rationale used by the assessor
• The evidence collected and reviewed by the assessor
• The observations and conclusions made by the assessor
• The recommendations and remediation actions (if any) suggested by the assessor

A full narrative response is required for all types of findings to provide a clear and comprehensive documentation of the entity’s compliance status and to support the assessor’s professional judgment and opinion. A full narrative response also helps the payment brands, the PCI SSC, and the entity itself to understand the entity’s environment, risks, and controls, and to verify the accuracy and validity of the assessment. References:

• PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 4
• PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 5
• PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 6

According to the Card Production Security Assessor (CPSA) Qualification Requirements, an assessor must provide their client with a Quality Assurance Manual at the start of every assessment. The Quality Assurance Manual is a document that describes the assessor’s methodology, procedures, and quality control measures for conducting assessments. The manual must be consistent with the CPSA Program Guide and the PCI Card Production and Provisioning Security Requirements. The manual must also include a description of the assessor’s roles and responsibilities, the assessment scope and objectives, the assessment plan and timeline, the assessment report format and content, and the assessor’s conflict of interestpolicy. References: Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 111

According to the PCI Card Production Physical Security Requirements, one of the security controls for contracted guard services is to ensure that they maintain their own liability insurance in case of losses to card material. This is to protect the card production vendor from any financial losses or damages caused by the contracted guard service, such as negligence,theft, or misuse of card material. The contracted guard service should also comply with the vendor’s security policies and procedures, and undergo background checks and security training. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.2.1, Page 71

According to the PCI Card Production Logical Security Requirements, a vendor’s HSA access must be enforced by a security turnstile that has a logical access-control system that ensures anti pass-back. This means that the system must prevent a person from using the same badge to enter or exit the HSA more than once without completing the access cycle. The access cycle is the process of entering or exiting the HSA through the turnstile, which may involve biometric verification, PIN entry, or other authentication methods. The status of the access must change upon initial presentation of an authorised badge, prior to completion of the access cycle, to prevent another person from using the same badge to enter or exit the HSA. For example, if a person presents an authorised badge to enter the HSA, the system must register that the badge is inside the HSA and deny access to anyone else who tries to use the same badge until the person exits the HSA with the same badge. References: PCI Card Production Logical Security Requirements, v2.0, April 2019, page 12

According to the PCI Card Production and Provisioning Physical Security Requirements, the HSA Access Control system must enforce both dual control and dual presence principles. Dual control means that at least two authorized individuals must act together to perform a critical function or access a sensitive area. Dual presence means that at least two authorized individuals must be physically present in the same area at all times. These principles are intended to prevent unauthorized or fraudulent activities by requiring mutual supervision and accountability. Therefore, the HSA Access Control system must ensure that no single individual can enter, exit, or operate within the HSA without the cooperation and the presence of another authorized individual. References:

• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 121
• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 131

The assessor is the person who conducts the PCI Card Production Security Assessment and prepares the Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC). The assessor should be familiar with the forms that are needed to complete an assessment and provide guidance to the vendor on how to fill them out. The assessor should also ensure that the forms are consistent with the PCI Card Production Standards and the PCI CPSA Qualification Requirements. The other options are not the best sources of information for the vendor, as they may not be directly involved in the assessment process or have the expertise to advise on the forms. References:

• PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 81
• PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 10
• PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 3
• PCI Card Production and Provisioning Attestation of Compliance, Version 1.0, April 2019, page 22

Host Card Emulation (HCE) provisioning is the process of creating and storing cardholder data in a virtual secure element hosted in a remote server, and generating a payment token that can be used by a mobile device to perform a contactless transaction. HCE provisioning is one of the methods of cloud-based provisioning, which does not require the use of a physical secure element on the mobile device. HCE provisioning is different from Secure Element (SE) provisioning, which involves loading cardholder data into a physical secure element embedded or attached to the mobile device. HCE provisioning is also different from Over-the-air (OTA) provisioning, which involves transmitting cardholder data from a remote server to a physical secure element on the mobiledevice using a wireless communication channel. In this scenario, the vendor hosts virtual secure elements holding cardholder information in their data center, and creates a payment token that is sent to the cardholder’s mobile device. This best describes the vendor’s activities as HCE provisioning. References:

• PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 8, section 1.3
• PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 9, section 1.4
• PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 10, section 1.5
• PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 43, Appendix A: Applicability of Requirements

 Card personalization is the process of transferring cardholder information, such as account number, name, expiration date, and other data, to a payment card. This can be done by various methods, such as magnetic stripe encoding, embossing, laser engraving, or chip programming. Chip programming is the method of personalizing a card that has an embedded microchip that can store and process data. Chip cards can support contact or contactless transactions, depending on the chip type and the terminal capabilities. Contact transactions require the card to be inserted into a reader, while contactless transactions use radio frequency (RF) communication between the card and the reader. The vendor in the question is performing card personalization by programming the chip and verifying the data on the card. References:

• Payment Card Industry (PCI) Card Production and Provisioning – Logical Security Requirements, Section 1.1.1
• Payment Card Industry (PCI) Card Production and Provisioning – Physical Security Requirements, Section 1.1.1
• Payment Card Industry (PCI) Card Production and Provisioning – Glossary of Terms, Abbreviations, and Acronyms, Definitions of Card Personalization, Chip Card, Contact Card, and Contactless Card

The PCI SSC (Payment Card Industry Security Standards Council) is the organization that develops and maintains the PCI Card Production Standards and related validation requirements, programs, and supporting documentation. The PCI SSC also provides training and qualification for CPSA Companies and CPSA Employees to perform PCI Card Production Assessments. The PCI SSC is the best source of guidance and clarification for any questions or issues related to the assessment process, testing methods, reporting requirements, and interpretation of the standards. The assessor can contact the PCI SSC by email, phone, or online form, as specified in the CPSA Program Guide1. The payment brands, issuing banks, and vendors are not responsible for defining or explaining the assessment requirements or testing methods, and may not have the same level of expertise or authority as the PCI SSC. References:

• Card Production Security Assessor (CPSA) Program Guide, Section 2.1 and 5.1
• Card Production Security Assessor (CPSA) Qualification Requirements, Section 1.1 and 2.1

According to the PCI Card Production Physical Security Requirements, the goods-tools trap is a secure area that separates the HSA from the outside world, and is used to control the entry and exit of card products, tools, and other materials. The goods-tools trap must have two doors that are interlocked, meaning that only one door can be opened at a time. The goods-tools trap must also have a CCTV camera and an alarm system. The process of bringing card products into the HSA using the goods-tools trap must follow these steps1:

• The card products must be delivered to the goods-tools trap by authorized personnel, who must present their identification to the guard and sign a delivery note.
• The guard must verify the identification of the personnel and the quantity and quality of the card products, and record the details in a log.
• The guard must then escort the personnel to the first door of the goods-tools trap, and open it using a key or a card reader. The personnel must place the card products inside the goods-tools trap and exit the area. The guard must then lock the first door.
• The guard must then notify the production staff inside the HSA that the card products are ready to be collected. The production staff must present their identification to the guard and sign a receipt note.
• The guard must then escort the production staff to the second door of the goods-tools trap, and open it using a key or a card reader. The production staff must collect the card products from the goods-tools trap and enter the HSA. The guard must then lock the second door.

In this scenario, the guard escorted the production staff, along with the box, into the pre-press room. This is not compliant, because the guard is not authorized to enter the HSA, and the card products must remain under dual control at all times. The guard should have stayed outside the HSA and only opened the second door of the goods-tools trap for the production staff. This would ensure that the card products are securely transferred from the goods-tools trap to the HSA, and that the guard does not compromise the security of the HSA. References:

• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 15, requirement 2.1.1
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16, requirement 2.1.2
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 17, requirement 2.1.3
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 18, requirement 2.1.4

The PCI Security Standards Council (PCI SSC) performs regular Assessor Quality Management (AQM) audits of CPSA companies to ensure that they comply with the PCI CPSA Qualification Requirements and the PCI Card Production Standards. The AQM audits are conducted by PCI SSC staff or authorized third parties, and may include onsite visits, remote reviews, or both. The AQM audits aim to verify the quality and consistency of the CPSA companies’ assessment processes, reports, and documentation, as well as their adherence to the PCI SSC Code of Professional Responsibility. The AQM audits may result in corrective actions, sanctions, or revocation of the CPSA company status, depending on the severity and frequency of the non-compliance issues identified. References:

• PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 12, requirement 8.1
• PCI Card Production Security Assessor (CPSA) Program Guide, v1.0, April 2019, page 6, section 3.2

According to the PCI Card Production and Provisioning Physical Security Requirements, unsolicited visitors are defined as “individuals who do not have a pre-arranged appointment or a legitimate reason for visiting the Card Production Entity”. The requirement for dealing with unsolicited visitors is that they must be registered, their identities confirmed, and must be allocated an escort before entry. The escort must accompany the unsolicited visitor at all times and ensure that they do not access any restricted areas or sensitive information. The other options are not true statements about unsolicited visitors, as they may not comply with the PCI Card Production Standards or the best practices for physical security. References:

• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 101
• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 111