Provide PCI CPSA_P_New Practice Test Engine for Preparation [Q22-Q39]


Detailed New CPSA_P_New Exam Questions for Concept Clearance

NEW QUESTION # 22
Which of the following statements is true in relation to visitor access badges?

  • A. Each visitor entering the facility must be issued and must visibly wear a disposable ID badge that identifies them as a non-employee
  • B. Each visitor entering the facility must wear their issued access badge above waist height
  • C. Unissued visitor access badges must be securely stored
  • D. Badges with access-controls must not be issued to visitors

Answer: A


NEW QUESTION # 23
Which of the following best describes a Technical FAQ?

  • A. Technical FAQs only apply to the specific technology as the FAQ defines it
  • B. Technical FAQs can be submitted to PCI SSC at any time
  • C. Use of the Technical FAQs is optional, they are considered guidance
  • D. Use of the Technical FAQs is mandatory, they shall be used during an assessment

Answer: C

Explanation:
According to the PCI CPSA Qualification Requirements, Technical FAQs are documents that provide guidance on specific technical topics related to the PCI Card Production Security Standards. Technical FAQs are not mandatory, but they are recommended to be used by CPSA Companies and CPSA Employees during the card production assessment process. Technical FAQs are intended to help clarify the intent and applicability of the PCI Card Production Security Requirements, and to provide examples and best practices for achieving compliance. Technical FAQs are published by the PCI SSC on its website, and are updated periodically based on feedback from the card production industry and the payment brands.
References:
PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 4.2, Page 81


NEW QUESTION # 24
Which of the following must be used by the vendor to protect doors that provide access to buildings containing air conditioning equipment?

  • A. Electrical contacts that log each open and close event to a secure system memory
  • B. Physical locks with a limited set of keys under constant supervision by a guard in the security control-room
  • C. Security tape that will leave an observable trace each time a door is opened
  • D. Magnetic contacts that are permanently alarmed and that are connected to the security control-room panels

Answer: D

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must use magnetic contacts that are permanently alarmed and that are connected to the security control-room panels to protect doors that provide access to buildings containing air conditioning equipment. The vendor must also ensure that the air conditioning equipment is located in a secure area that is not accessible to unauthorized personnel, and that the air conditioning system is monitored and maintained to prevent unauthorized access or tampering. The vendor must also have procedures to respond to any alarms or incidents related to the air conditioning system, and to report them to the relevant parties. The vendor must not use security tape, electrical contacts, or physical locks alone, as these may not provide adequate protection or detection of unauthorized access or tampering.
References:
PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 21-221


NEW QUESTION # 25
Who is required to approve visitor entry to the HSA or cloud-based provisioning environment?

  • A. The head of the vendor facility
  • B. The Security Manager, Production Manager, and the head of the vendor facility
  • C. Both the Security Manager and the Production Manager
  • D. The Security Manager

Answer: D

Explanation:
According to the PCI Card Production and Provisioning - Physical Security Requirements, the Security Manager is the person who is responsible for approving visitor entry to the High Security Area (HSA) or cloud-based provisioning environment. The HSA is the area where card production and provisioning activities take place, such as card manufacturing, personalization, PIN generation and printing, and fulfillment. The cloud-based provisioning environment is the logical equivalent of the HSA for entities that provide over-the-air (OTA) provisioning or host card emulation (HCE) provisioning services. The Security Manager must ensure that visitors have a legitimate business need to enter the HSA or cloud-based provisioning environment, and must authorize their access in advance. The Security Manager must also maintain a visitor log that records the visitor's name, company, date, time, and purpose of visit, as well as the escort's name and signature. The Security Manager must also ensure that visitors are escorted by authorized personnel at all times, and that they wear a distinctive visitor badge. The head of the vendor facility, the Production Manager, or any other person is not required to approve visitor entry to the HSA or cloud-based provisioning environment, unless they are also designated as the Security Manager by the vendor.
References:
Payment Card Industry (PCI) Card Production and Provisioning - Physical Security Requirements, Section 3.1.1 and 3.1.2
Payment Card Industry (PCI) Card Production and Provisioning - Glossary of Terms, Abbreviations, and Acronyms, Definitions of Security Manager, High Security Area, Cloud-Based Provisioning Environment, OTA Provisioning, and HCE Provisioning


NEW QUESTION # 26
Which of the following principles must be enforced by the HSA Access Control system?

  • A. Dual control
  • B. Dual guard entry when required
  • C. Dual presence
  • D. Dual control and dual presence

Answer: D

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the HSA Access Control system must enforce both dual control and dual presence principles. Dual control means that at least two authorized individuals must act together to perform a critical function or access a sensitive area. Dual presence means that at least two authorized individuals must be physically present in the same area at all times. These principles are intended to prevent unauthorized or fraudulent activities by requiring mutual supervision and accountability. Therefore, the HSA Access Control system must ensure that no single individual can enter, exit, or operate within the HSA without the cooperation and the presence of another authorized individual.
References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 121
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 131


NEW QUESTION # 27
Which of the following statements about unsolicited visitors is true?

  • A. They must be able to prove a legitimate reason for their visit prior to entry
  • B. They must be registered, their identities confirmed, and must be allocated an escort before entry
  • C. They must complete an NDA before entry is granted
  • D. They must be turned away

Answer: B

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, unsolicited visitors are defined as "individuals who do not have a pre-arranged appointment or a legitimate reason for visiting the Card Production Entity". The requirement for dealing with unsolicited visitors is that they must be registered, their identities confirmed, and must be allocated an escort before entry. The escort must accompany the unsolicited visitor at all times and ensure that they do not access any restricted areas or sensitive information.
The other options are not true statements about unsolicited visitors, as they may not comply with the PCI Card Production Standards or the best practices for physical security.
References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 101
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 111


NEW QUESTION # 28
Where can misprinted, partially finished cards be shredded?

  • A. Either in the HSA destruction room or a loading bay that meets all requirements of a destruction room
  • B. Only in the HSA destruction room
  • C. Either in the HSA printing room or destruction room
  • D. In any HSA room approved by the security manager

Answer: B

Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for card destruction is to ensure that misprinted, partially finished, or rejected cards are shredded only in the HSA destruction room. This is to prevent unauthorized access, theft, or misuse of the cards, which may contain sensitive data or features. The HSA destruction room should have adequate security measures, such as locks, alarms, cameras, etc., to protect the cards until they are shredded. The shredding process should render the cards unusable and unrecognizable, and the shredded material should be disposed of securely.
References:
PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 5, Requirement 5.1.1, Page 111


NEW QUESTION # 29
During an assessment you ask to see employee records for employees with access to the HSA. The records include information about the screening process, including background information from the employee application process. The oldest background Information that is available is for an employee that left the vendor (terminated their contract) one year previously. You note this as non-compliant, why?

  • A. The vendor must retain the background information for at least 18 months after termination of contract
  • B. The vendor must only retain background information for all current employees, not for those that have been terminated
  • C. Employee information, including background checks, must be stored for at least seven years
  • D. Employee information must be securely destroyed (e.g. securely wiped) within 2 years (after termination of contract)

Answer: D

Explanation:
According to the PCI Card Production Logical Security Requirements, the vendor must securely destroy all employee information, including background checks, within two years of the employee's termination of contract. This is to prevent unauthorized access to sensitive employee data and to comply with the PCI DSS requirement 3.1, which states that cardholder data must not be stored longer than necessary. The vendor must also have a documented policy and procedure for the secure destruction of employee information, and must maintain a log of all destruction activities.
References:
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.1
PCI DSS, v3.2.1, May 2018, page 25, requirement 3.1


NEW QUESTION # 30
Before you go on-site, the vendor's primary contact communicates a legitimate reason for delaying the assessment for several months. Who can approve the change in the report delivery schedule?

  • A. Payment brands
  • B. Affected issuers
  • C. Vendor senior management
  • D. PCI SSC

Answer: D

Explanation:
According to the PCI CPSA Qualification Requirements, one of the administrative requirements for CPSA Companies is to adhere to the report delivery schedule as defined by the PCI SSC. The report delivery schedule specifies the deadlines for submitting the PCI Card Production Reports on Compliance (ROCs) and Attestations of Compliance (AOCs) to the PCI SSC and the payment brands. The report delivery schedule also defines the circumstances under which a CPSA Company may request an extension or a waiver of the report delivery deadline. The PCI SSC is the only entity that can approve the change in the report delivery schedule, and the CPSA Company must submit a written request to the PCI SSC with a valid reason for the delay and the proposed new delivery date. The PCI SSC will review the request and notify the CPSA Company of its decision. The PCI SSC may also notify the payment brands and the affected issuers of the change in the report delivery schedule.
References:
PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 6.1.4, Page 121


NEW QUESTION # 31
When must HSA motion detectors generate an alarm event?

  • A. Each time movement is detected
  • B. Each time movement is detected and the access-control system indicates the room is not occupied
  • C. Each time movement is detected and the access-control system indicates the room is occupied
  • D. Each time movement is detected outside of regular business hours

Answer: B

Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for high-security areas (HSAs) is to have motion detectors that generate an alarm event when movement is detected and the access-control system indicates the room is not occupied. This is to prevent unauthorized access or intrusion to the HSAs, where sensitive card production and provisioning activities take place. The motion detectors should be configured to cover all areas within the HSA and should be tested periodically to ensure proper functionality.
References:
PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.1.1, Page 61


NEW QUESTION # 32
A vendor hosts virtual secure elements holding cardholder information in their data center. When a cardholder makes a purchase, the vendor creates a payment token which is sent to the cardholder's mobile device. Which of the following best describes the vendor's activities?

  • A. Secure Element (SE) provisioning
  • B. Card personalization
  • C. Host Card Emulation (HCE) provisioning
  • D. Over-the-air (OTA) provisioning

Answer: C

Explanation:
Host Card Emulation (HCE) provisioning is the process of creating and storing cardholder data in a virtual secure element hosted in a remote server, and generating a payment token that can be used by a mobile device to perform a contactless transaction. HCE provisioning is one of the methods of cloud-based provisioning, which does not require the use of a physical secure element on the mobile device. HCE provisioning is different from Secure Element (SE) provisioning, which involves loading cardholder data into a physical secure element embedded or attached to the mobile device. HCE provisioning is also different from Over-the-air (OTA) provisioning, which involves transmitting cardholder data from a remote server to a physical secure element on the mobile device using a wireless communication channel. In this scenario, the vendor hosts virtual secure elements holding cardholder information in their data center, and creates a payment token that is sent to the cardholder's mobile device. This best describes the vendor's activities as HCE provisioning.
References:
PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 8, section 1.3
PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 9, section 1.4
PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 10, section 1.5
PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 43, Appendix A: Applicability of Requirements


NEW QUESTION # 33
An assessor must provide which of the following to their client at the start of every assessment?

  • A. Attestation of Compliance
  • B. Vendor Release Agreement
  • C. CPSA Feedback Form
  • D. Quality Assurance Manual

Answer: D

Explanation:
According to the Card Production Security Assessor (CPSA) Qualification Requirements, an assessor must provide their client with a Quality Assurance Manual at the start of every assessment. The Quality Assurance Manual is a document that describes the assessor's methodology, procedures, and quality control measures for conducting assessments. The manual must be consistent with the CPSA Program Guide and the PCI Card Production and Provisioning Security Requirements. The manual must also include a description of the assessor's roles and responsibilities, the assessment scope and objectives, the assessment plan and timeline, the assessment report format and content, and the assessor's conflict of interest policy.
References:
Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 111


NEW QUESTION # 34
A vendor puts cardholder information into a chip by sliding a payment card through a machine that programs it and verifies the data. The chip can make contactless transactions. Which of the following best describes the vendor's activity?

  • A. Secure Element (SE) provisioning
  • B. Host Card Emulation (HCE) provisioning
  • C. Card personalization
  • D. Fulfillment

Answer: C

Explanation:
Card personalization is the process of transferring cardholder information, such as account number, name, expiration date, and other data, to a payment card. This can be done by various methods, such as magnetic stripe encoding, embossing, laser engraving, or chip programming. Chip programming is the method of personalizing a card that has an embedded microchip that can store and process data. Chip cards can support contact or contactless transactions, depending on the chip type and the terminal capabilities. Contact transactions require the card to be inserted into a reader, while contactless transactions use radio frequency (RF) communication between the card and the reader. The vendor in the question is performing card personalization by programming the chip and verifying the data on the card.
References:
Payment Card Industry (PCI) Card Production and Provisioning - Logical Security Requirements, Section 1.1.1
Payment Card Industry (PCI) Card Production and Provisioning - Physical Security Requirements, Section 1.1.1
Payment Card Industry (PCI) Card Production and Provisioning - Glossary of Terms, Abbreviations, and Acronyms, Definitions of Card Personalization, Chip Card, Contact Card, and Contactless Card


NEW QUESTION # 35
In which of the following locations must the CCTV and access control servers be located?

  • A. Within the secure server room inside of the HSA
  • B. Within a room in the HSA with security controls equivalent to the SCR applied
  • C. Within the Security Control Room (SCR)
  • D. Within the SCR or a room with equivalent security

Answer: D

Explanation:
According to the PCI Card Production Physical Security Requirements, the CCTV and access control servers must be located within the Security Control Room (SCR) or a room with equivalent security. This means that the room must have the same level of physical protection as the SCR, such as locks, alarms, sensors, cameras, and access control devices. The purpose of this requirement is to prevent unauthorized access, tampering, or theft of the servers that store and process sensitive data related to card production and security.
References:
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16


NEW QUESTION # 36
Which of these are guards allowed access to?

  • A. HSAs
  • B. Loading bays
  • C. Audit logs
  • D. Physical master keys that provide access to card production or provisioning areas

Answer: B

Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for contracted guard services is to ensure that they have limited access to card production or provisioning areas, and that they do not have access to HSAs, audit logs, or physical master keys that provide access to card production or provisioning areas. This is to prevent unauthorized access, theft, or misuse of card material or data by the contracted guard service. However, the contracted guard service may have access to loading bays, as long as they are escorted by authorized personnel and do not handle or interfere with card shipments.
References:
PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.2.1, Page 71


NEW QUESTION # 37
Who performs regular AQM audits of CPSA companies?

  • A. Payment brands
  • B. Vendor
  • C. PCI SSC
  • D. Issuing banks

Answer: C

Explanation:
The PCI Security Standards Council (PCI SSC) performs regular Assessor Quality Management (AQM) audits of CPSA companies to ensure that they comply with the PCI CPSA Qualification Requirements and the PCI Card Production Standards. The AQM audits are conducted by PCI SSC staff or authorized third parties, and may include onsite visits, remote reviews, or both. The AQM audits aim to verify the quality and consistency of the CPSA companies' assessment processes, reports, and documentation, as well as their adherence to the PCI SSC Code of Professional Responsibility. The AQM audits may result in corrective actions, sanctions, or revocation of the CPSA company status, depending on the severity and frequency of the non-compliance issues identified.
References:
PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 12, requirement 8.1
PCI Card Production Security Assessor (CPSA) Program Guide, v1.0, April 2019, page 6, section 3.2


NEW QUESTION # 38
To liberate a person detected inside of the inner shipping delivery room and stop the alarm, the software monitoring the access-control system must only allow the opening of which door?

  • A. The least secure door
  • B. The internal facing door
  • C. The external facing door
  • D. The last activated door

Answer: D

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have a secure inner shipping delivery room that is equipped with an alarm system and an access-control system. The alarm system must be triggered when any door of the inner shipping delivery room is opened without proper authorization. The access-control system must only allow the opening of the last activated door to liberate a person detected inside of the inner shipping delivery room and stop the alarm. This is to prevent unauthorized access or exit from the inner shipping delivery room, and to ensure that only one door can be opened at a time.
References:
PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 18-191


NEW QUESTION # 39
......
