
100% Pass Guaranteed Accurate CPSA_P_New Answers 365 Days Free Updates
CPSA_P_New DUMPS Q&As with Explanations Verified & Correct Answers
NEW QUESTION # 25
Which of these is a requirement of the security control room?
- A. At least one guard must be present at all times
- B. Access must be controlled by a physical key (in case of power-failure)
- C. Dual-control must be used to grant entry
- D. Access must be monitored in real-time
Answer: D
Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the security control room is the area where the security systems are monitored and controlled. The requirement for the security control room is that access must be monitored in real-time, by a guard or by an automated system that alerts the guard to any unauthorized access attempt. The security control room must also be protected by physical barriers and access control devices that prevent unauthorized entry. The other options are not requirements of the security control room, although they may be implemented as additional security measures. References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 15
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 16
NEW QUESTION # 26
The receptionist responsible for the entrance and departure of visitors must have which of the following?
- A. An unobstructed view of the reception area at all times
- B. A shredder for the destruction of disposable visitor badges
- C. A constant, open communication channel with a guard
- D. A means of communicating directly with the visitor while on the premises
Answer: A
Explanation:
According to the PCI Card Production Physical Security Requirements, the receptionist responsible for the entrance and departure of visitors must have an unobstructed view of the reception area at all times. This is to ensure that the receptionist can monitor and control the access of visitors, and to prevent any unauthorized entry or exit of personnel or materials. The receptionist must also have a means of verifying the identity of visitors, such as a photo ID or a visitor log, and a means of issuing and collecting visitor badges, such as a badge printer or a badge holder. The receptionist must also have a means of communicating with the security personnel or the security control room, such as a phone or an intercom, in case of any emergency or suspicious activity. References:
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 21, requirement 5.3.1
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 22, requirement 5.3.2
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 23, requirement 5.3.3
NEW QUESTION # 27
In relation to guards, which of the following must the vendor ensure?
- A. There is always at least one guard on-site, including outside of working hours, to monitor security systems and premises
- B. A clear segregation of duties is maintained between production staff and guards
- C. There is always at least one guard in the HSA and one guard in the security control room at all times
- D. A clear segregation of duties is maintained between guard and reception related job functions
Answer: D
Explanation:
According to the PCI Card Production Physical Security Requirements, the vendor must ensure that a clear segregation of duties is maintained between guard and reception related job functions. This is to prevent any conflict of interest or collusion that could compromise the security of the card production and provisioning processes or the cardholder data. The vendor must also ensure that the guards are adequately trained, supervised, and evaluated, and that they follow the security policies and procedures established by the vendor.
The vendor must also have a documented policy and procedure for the selection, hiring, and termination of guards, and must maintain a log of all guard activities. References:
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 24, requirement 6.1.1
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 25, requirement 6.1.2
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 26, requirement 6.1.3
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 27, requirement 6.1.4
NEW QUESTION # 28
A vendor has a list of pre-approved third parties which may be granted access to the facility. Under what circumstances can other third-parties be granted access?
- A. When the third party s liability insurance covers the risk
- B. When no card production activities are taking place
- C. None, only people on the pre-approved list may enter
- D. When they are approved by the physical security manager or senior management
Answer: D
Explanation:
According to the PCI Card Production Logical Security Requirements, vendors must have a list of pre-approved third parties that are authorized to access the facility and the systems involved in card production. However, other third parties may be granted access under exceptional circumstances, such as emergency repairs or maintenance, provided that they are approved by the physical security manager or senior management. The vendor must also ensure that the third parties comply with the security policies and procedures, and that their access is logged and monitored. References: PCI Card Production Logical Security Requirements, v2.0, April 2019, page 13
NEW QUESTION # 29
You are driving to a vendor for their first assessment. The facility is in a rural area, twenty miles away from the nearest large town. What most concerns you about the location?
- A. Law enforcement services may not be able to reach the facility in a timely manner
- B. The local fire service may not be able to reach the facility within 15 minutes
- C. There may not be adequate retail outlets, which may cause problems when sourcing lunch items for onsite personnel
- D. Power blackouts may affect security systems
Answer: A
Explanation:
According to the PCI Card Production Physical Security Requirements, one of the objectives of physical security is to deter, detect, and delay unauthorized access to card production facilities and equipment. This objective requires that the facility has adequate security measures to prevent or respond to any physical attacks or intrusions, such as alarms, locks, cameras, guards, etc. However, these measures may not be sufficient if the facility is located in a rural area, where law enforcement services may not be able to reach the facility in a timely manner in case of an emergency. Therefore, the location of the facility may pose a risk to the security of card production and provisioning activities, and the CPSA should assess the adequacy of the facility's security plan and procedures to mitigate this risk. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 1, Page 4
NEW QUESTION # 30
A vendor's HSA access is enforced by a security turnstile with a logical access-control system that ensures anti-passback. The device is functioning correctly. When must the access status change?
- A. Upon initial entry of the person into the device, prior to completion of the access cycle
- B. Only when the person has successfully completed the access cycle
- C. Upon initial presentation of an authorised badge, prior to completion of the access cycle
- D. Only when an unauthorised badge is presented
Answer: C
Explanation:
According to the PCI Card Production Logical Security Requirements, a vendor's HSA access must be enforced by a security turnstile with a logical access-control system that ensures anti-passback. Anti-passback means the system prevents a badge from being used to enter (or exit) the HSA twice in succession without the opposite movement having been recorded. The access cycle is the process of entering or exiting the HSA through the turnstile, which may involve biometric verification, PIN entry, or other authentication steps. The access status must change upon initial presentation of an authorised badge, prior to completion of the access cycle; if the status only changed once the cycle completed, the badge could be handed back through the turnstile and presented again during that window. For example, if a person presents an authorised badge to enter the HSA, the system must immediately register that badge as inside the HSA and deny entry to anyone else who presents the same badge until it has been used to exit. References: PCI Card Production Logical Security Requirements, v2.0, April 2019, page 12
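The anti-passback behaviour described above, as an added illustration that is not part of the original page, of any vendor's product, or of the PCI standard: a small Python state machine with the two policies side by side, so the difference between changing the status on badge presentation and changing it on cycle completion is visible. Badge IDs, the event names (present, complete, abort) and the pass-back scenario are assumptions made for the example.

```python
"""Anti-passback for a turnstile-controlled HSA entrance.

Added illustration only: this is not code from the page or from any vendor
or PCI document. Badge IDs, event names and the scenario are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OUTSIDE = "outside"
INSIDE = "inside"


@dataclass
class AntiPassback:
    """Tracks which side of the HSA boundary each badge is recorded on.

    flip_on_presentation=True  -> status changes as soon as an authorised
                                  badge is presented (what the question requires)
    flip_on_presentation=False -> status changes only when the turnstile
                                  reports the cycle complete (the weak variant)
    """
    flip_on_presentation: bool = True
    status: Dict[str, str] = field(default_factory=dict)
    pending: Dict[str, str] = field(default_factory=dict)  # badge -> side being moved to
    log: List[str] = field(default_factory=list)

    def present(self, badge: str, direction: str) -> bool:
        """An authorised badge is read at the 'in' or 'out' reader.
        Returns True if the turnstile is released."""
        target = INSIDE if direction == "in" else OUTSIDE
        current = self.status.get(badge, OUTSIDE)  # unknown badges start outside
        if current == target:
            # Anti-passback violation: the record already has the badge on
            # the side it is trying to move to.
            self.log.append(f"DENY {badge} {direction}: already {current}")
            return False
        self.pending[badge] = target
        if self.flip_on_presentation:
            self.status[badge] = target  # status changes before the cycle completes
        self.log.append(f"GRANT {badge} {direction}")
        return True

    def complete(self, badge: str) -> None:
        """Turnstile sensors report that the person passed through."""
        target = self.pending.pop(badge, None)
        if target is not None:
            self.status[badge] = target
            self.log.append(f"COMPLETE {badge}: now {target}")

    def abort(self, badge: str) -> None:
        """Cycle timed out or the person backed out without passing through.
        Roll the record back so the badge is not stranded on the wrong side."""
        target = self.pending.pop(badge, None)
        if target is not None:
            prior = OUTSIDE if target == INSIDE else INSIDE
            self.status[badge] = prior
            self.log.append(f"ABORT {badge}: back to {prior}")


def passback_attempt(flip_on_presentation: bool) -> Tuple[bool, bool]:
    """Constructed scenario: Alice presents badge-0042 at the entry reader and,
    before the turnstile reports completion, hands the badge back over the
    barrier to Bob, who presents it at the same reader.
    Returns (Alice granted, Bob granted)."""
    apb = AntiPassback(flip_on_presentation=flip_on_presentation)
    alice = apb.present("badge-0042", "in")
    bob = apb.present("badge-0042", "in")  # same badge, same cycle window
    apb.complete("badge-0042")
    return alice, bob


if __name__ == "__main__":
    print("status changes on presentation:", passback_attempt(True))   # (True, False)
    print("status changes on completion:  ", passback_attempt(False))  # (True, True)
```

With the status flipped on presentation, Bob's attempt is denied because the record already shows the badge inside; with the weak policy both presentations are granted. The `abort` path is the practical caveat that comes with flipping early: if the turnstile reports a timeout or the person backs out, the controller has to roll the record back, otherwise the legitimate holder is stranded "inside" while standing outside and the next entry is refused.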
NEW QUESTION # 31
A vendor hosts virtual secure elements holding cardholder information in their data center. When a cardholder makes a purchase, the vendor creates a payment token which is sent to the cardholder's mobile device. Which of the following best describes the vendor's activities?
- A. Card personalization
- B. Over-the-air (OTA) provisioning
- C. Host Card Emulation (HCE) provisioning
- D. Secure Element (SE) provisioning
Answer: C
Explanation:
Host Card Emulation (HCE) provisioning is the process of creating and storing cardholder data in a virtual secure element hosted on a remote server, and generating a payment token that can be used by a mobile device to perform a contactless transaction. HCE provisioning is one of the methods of cloud-based provisioning, which does not require a physical secure element on the mobile device. HCE provisioning differs from Secure Element (SE) provisioning, which involves loading cardholder data into a physical secure element embedded in or attached to the mobile device. It also differs from Over-the-air (OTA) provisioning, which involves transmitting cardholder data from a remote server to a physical secure element on the mobile device over a wireless communication channel. In this scenario, the vendor hosts virtual secure elements holding cardholder information in its data center and creates a payment token that is sent to the cardholder's mobile device. This best describes the vendor's activities as HCE provisioning. References:
PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 8, section 1.3
PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 9, section 1.4
PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 10, section 1.5
PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 43, Appendix A: Applicability of Requirements
NEW QUESTION # 32
Which of the follow best describes a Technical FAQ?
- A. Use of the Technical FAQs is optional, they are considered guidance
- B. Technical FAQs can be submitted to PCI SSC at any time
- C. Technical FAQs only apply to the specific technology as the FAQ defines it
- D. Use of the Technical FAQs is mandatory, they shall be used during an assessment
Answer: A
Explanation:
According to the PCI CPSA Qualification Requirements, Technical FAQs are documents that provide guidance on specific technical topics related to the PCI Card Production Security Standards. Technical FAQs are not mandatory, but they are recommended to be used by CPSA Companies and CPSA Employees during the card production assessment process. Technical FAQs are intended to help clarify the intent and applicability of the PCI Card Production Security Requirements, and to provide examples and best practices for achieving compliance. Technical FAQs are published by the PCI SSC on its website, and are updated periodically based on feedback from the card production industry and the payment brands. References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 4.2, Page 8
NEW QUESTION # 33
An assessor is unsure if log review and interview is sufficient testing for a requirement. Who can best answer this question?
- A. PCI SSC
- B. Payment brands
- C. Vendor
- D. Issuing banks
Answer: A
Explanation:
The PCI SSC (Payment Card Industry Security Standards Council) is the organization that develops and maintains the PCI Card Production Standards and related validation requirements, programs, and supporting documentation. The PCI SSC also provides training and qualification for CPSA Companies and CPSA Employees to perform PCI Card Production Assessments. The PCI SSC is the best source of guidance and clarification for any questions or issues related to the assessment process, testing methods, reporting requirements, and interpretation of the standards. The assessor can contact the PCI SSC by email, phone, or online form, as specified in the CPSA Program Guide. The payment brands, issuing banks, and vendors are not responsible for defining or explaining the assessment requirements or testing methods, and may not have the same level of expertise or authority as the PCI SSC. References:
Card Production Security Assessor (CPSA) Program Guide, Section 2.1 and 5.1
Card Production Security Assessor (CPSA) Qualification Requirements, Section 1.1 and 2.1
NEW QUESTION # 34
For how long must a CPSA Company maintain workpapers and technical information obtained during an assessment?
- A. 3 years
- B. Until each applicable payment brand has accepted (and signed off) the ROC and AOC
- C. 1 year
- D. As long as the entity under assessment is a client of the CPSA Company
Answer: A
Explanation:
According to the PCI CPSA Program Guide, a CPSA Company must maintain workpapers and technical information obtained during an assessment for a minimum of three years from the date of the assessment. The workpapers and technical information must be stored securely and made available to PCI SSC upon request.
The workpapers and technical information must include, but are not limited to, the following:
- The Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC)
- The Card Production Entity's policies and procedures
- The Card Production Entity's network diagrams and data flow diagrams
- The results of any testing performed by the CPSA Company or the Card Production Entity
- The evidence of any remediation actions taken by the Card Production Entity
- The correspondence between the CPSA Company and the Card Production Entity
- The correspondence between the CPSA Company and the payment brands
- The feedback form completed by the Card Production Entity
References:
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 11
NEW QUESTION # 35
A vendor discovers that a recent shipment of cards is missing a set. Which of the following responses would you expect in a compliant organization?
- A. After an incident review, the VPA, issuer and law enforcement are all notified within 24 hours
- B. An immediate call is made to the issuer and the VPA who, between them, contact law enforcement and put together a joint statement
- C. The head of security initiates a meeting, and once the VPA approves the messaging, law enforcement is notified in two days
- D. A report is requested by the issuer, the vendor sends it to them, and the issuer handles the incident with the local police
Answer: A
Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for card shipment is to ensure that the vendor has an incident response plan in place to handle any card shipment incidents, such as loss, theft, or tampering. The incident response plan should include the following steps:
- The vendor should conduct an incident review to determine the cause and scope of the incident, and document the findings and actions taken.
- The vendor should notify the VPA, the issuer, and law enforcement of the incident within 24 hours of discovery, or as soon as possible.
- The vendor should cooperate with the VPA, the issuer, and law enforcement in the investigation and resolution of the incident, and provide any evidence or information requested.
- The vendor should implement corrective actions to prevent the recurrence of the incident, and report the results to the VPA and the issuer.
Therefore, the response that best reflects a compliant organization is option A, which follows the steps of the incident response plan as required by the PCI Card Production Physical Security Requirements. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 6, Requirement 6.2, Page 13
NEW QUESTION # 36
A vendor is unsure which forms are needed to complete an assessment. Who should they ask?
- A. Assessor
- B. Payment brands
- C. PCI SSC
- D. Issuing banks
Answer: A
Explanation:
The assessor is the person who conducts the PCI Card Production Security Assessment and prepares the Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC). The assessor should be familiar with the forms that are needed to complete an assessment and provide guidance to the vendor on how to fill them out. The assessor should also ensure that the forms are consistent with the PCI Card Production Standards and the PCI CPSA Qualification Requirements. The other options are not the best sources of information for the vendor, as they may not be directly involved in the assessment process or have the expertise to advise on the forms. References:
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 8
PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 10
PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 3
PCI Card Production and Provisioning Attestation of Compliance, Version 1.0, April 2019, page 22
NEW QUESTION # 37
Which of the following must every assessor do to maintain their CPSA certification?
- A. Earn and document at least 20 hours of Continuing Professional Education (CPE) over 3 years
- B. Complete annual requalification training or complete 3 assessments for different facilities each year
- C. Earn an additional professional certification from List A or B of the Qualification Requirements (QRs)
- D. Submit evidence of internal training in a relevant area (as per the QRs)
Answer: B
Explanation:
According to the Card Production Security Assessor (CPSA) Qualification Requirements, CPSAs must maintain their qualification status by either completing the annual requalification training provided by PCI SSC or performing at least three (3) PCI Card Production Assessments for different facilities over the previous one-year period. This ensures that CPSAs remain current with technical and industry changes and demonstrate professionalism. References: Card Production Security Assessor (CPSA) Qualification Requirements, v1.1, March 2022, page 10
NEW QUESTION # 38
In which of the following locations must the CCTV and access control servers be located?
- A. Within the Security Control Room (SCR)
- B. Within the SCR or a room with equivalent security
- C. Within a room in the HSA with security controls equivalent to the SCR applied
- D. Within the secure server room inside of the HSA
Answer: B
Explanation:
According to the PCI Card Production Physical Security Requirements, the CCTV and access control servers must be located within the Security Control Room (SCR) or a room with equivalent security. This means that the room must have the same level of physical protection as the SCR, such as locks, alarms, sensors, cameras, and access control devices. The purpose of this requirement is to prevent unauthorized access, tampering, or theft of the servers that store and process sensitive data related to card production and security. References: PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16
NEW QUESTION # 39
During an assessment you walk the perimeter of the building with a guard. You find an emergency exit door from the facility and ask the guard what is on the other side. The guard can't remember, and so uses their assigned, secure key to open the door and show you a corridor within the facility. What most concerns you about the situation?
- A. The guard should not have forgotten where the door leads to
- B. The guard should have sought permission from their manager before opening the door
- C. The exit door should not be capable of being opened from the outside
- D. The exit door should not lead into the facility
Answer: C
Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, emergency exit doors must be equipped with devices that prevent unauthorized entry from the outside, such as panic bars, crash bars, or push pads. These devices allow the door to be opened from the inside without a key or a code, but prevent the door from being opened from the outside. Therefore, the most concerning aspect of the situation is that the exit door can be opened from the outside with a key, which creates an entry path into the facility that bypasses the controlled entrances. The other options are not as concerning, as they do not directly affect the security of the exit door. The exit door can lead into the facility as long as it provides a safe and unobstructed path to the exit discharge. The guard's memory lapse is not a major issue, as long as they follow the proper procedures and protocols for opening the door. The guard's permission from their manager is not relevant, as long as they have the authority and the responsibility to open the door for inspection purposes. References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 17
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 18
NEW QUESTION # 40
Which of the following statements is true in relation to visitor access badges?
- A. Badges with access-controls must not be issued to visitors
- B. Each visitor entering the facility must be issued and must visibly wear a disposable ID badge that identifies them as a non-employee
- C. Each visitor entering the facility must wear their issued access badge above waist height
- D. Unissued visitor access badges must be securely stored
Answer: B
CPSA_P_New dumps Exam Material with 52 Questions: https://www.preppdf.com/PCI/CPSA_P_New-prepaway-exam-dumps.html
CPSA_P_New Questions and Answers Guarantee you Pass the Test Easily: https://drive.google.com/open?id=1VJ06DXAbyPUBeU285talpAOb8a-aVU3r