CPSA_P_New Card Production Security AssessorCPSA Physical NewExam Questions and Answers

 According to the PCI Card Production Logical Security Requirements, the vendor must have a formal employee termination process that includes notifying the security manager in writing prior to the termination of any employee who has access to cardholder data or sensitive authentication data. This is to ensure that the security manager can take appropriate actions to revoke the employee’s access rights, credentials, and keys, and to prevent any unauthorized use or disclosure of cardholder data or sensitive authentication data by the terminated employee. The vendor must also have a documented policy and procedure for the employee termination process, and must maintain a log of all termination activities.  References :

PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.2

PCI Card Production Logical Security Requirements, v2.0, April 2019, page 20, requirement 6.1.3

According to the PCI Card Production and Provisioning – Physical Security Requirements, the Security Manager is the person who is responsible for approving visitor entry to the High Security Area (HSA) or cloud-based provisioning environment. The HSA is the area where card production and provisioning activities take place, such as card manufacturing, personalization, PIN generation and printing, and fulfillment. The cloud-based provisioning environment is the logical equivalent of the HSA for entities that provide over-the-air (OTA) provisioning or host card emulation (HCE) provisioning services. The Security Manager must ensure that visitors have a legitimate business need to enter the HSA or cloud-based provisioning environment, and must authorize their access in advance. The Security Manager must also maintain a visitor log that records the visitor’s name, company, date, time, and purpose of visit, as well as the escort’s name and signature. The Security Manager must also ensure that visitors are escorted by authorized personnel at all times, and that they wear a distinctive visitor badge. The head of the vendor facility, the Production Manager, or any other person is not required to approve visitor entry to the HSA or cloud-based provisioning environment, unless they are also designated as the Security Manager by the vendor.  References:

Payment Card Industry (PCI) Card Production and Provisioning – Physical Security Requirements , Section 3.1.1 and 3.1.2

Payment Card Industry (PCI) Card Production and Provisioning – Glossary of Terms, Abbreviations, and Acronyms , Definitions of Security Manager, High Security Area, Cloud-Based Provisioning Environment, OTA Provisioning, and HCE Provisioning

Data preparation is the process of creating cardholder data and keys for each card, and formatting them for the hardware that will put them on a card. Data preparation involves the use of an HSM to generate keys and encrypt data, and the creation of an encrypted file that contains the cardholder data and keys. Data preparation is one of the steps in the card production lifecycle, and it precedes the manufacture and personalization of the cards.  References :

Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 10

PCI Card Production Logical Security Requirements, v2.0, April 2019, page 9

PCI Card Production Physical Security Requirements, v2.0, April 2019, page 9

According to the PCI Card Production Physical Security Requirements, the goods-tools trap is a secure area that separates the HSA from the outside world, and is used to control the entry and exit of card products, tools, and other materials. The goods-tools trap must have two doors that are interlocked, meaning that only one door can be opened at a time. The goods-tools trap must also have a CCTV camera and an alarm system.  The process of bringing card products into the HSA using the goods-tools trap must follow these steps 1 :

The card products must be delivered to the goods-tools trap by authorized personnel, who must present their identification to the guard and sign a delivery note.

The guard must verify the identification of the personnel and the quantity and quality of the card products, and record the details in a log.

The guard must then escort the personnel to the first door of the goods-tools trap, and open it using a key or a card reader. The personnel must place the card products inside the goods-tools trap and exit the area. The guard must then lock the first door.

The guard must then notify the production staff inside the HSA that the card products are ready to be collected. The production staff must present their identification to the guard and sign a receipt note.

The guard must then escort the production staff to the second door of the goods-tools trap, and open it using a key or a card reader. The production staff must collect the card products from the goods-tools trap and enter the HSA. The guard must then lock the second door.

In this scenario, the guard escorted the production staff, along with the box, into the pre-press room. This is not compliant, because the guard is not authorized to enter the HSA, and the card products must remain under dual control at all times. The guard should have stayed outside the HSA and only opened the second door of the goods-tools trap for the production staff. This would ensure that the card products are securely transferred from the goods-tools trap to the HSA, and that the guard does not compromise the security of the HSA.  References :

PCI Card Production Physical Security Requirements, v2.0, April 2019, page 15, requirement 2.1.1

PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16, requirement 2.1.2

PCI Card Production Physical Security Requirements, v2.0, April 2019, page 17, requirement 2.1.3

PCI Card Production Physical Security Requirements, v2.0, April 2019, page 18, requirement 2.1.4

 According to the PCI Card Production and Provisioning Physical Security Requirements, the security control room is the area where the security systems are monitored and controlled. The requirement for the security control room is that access must be monitored in real-time by a guard or an automated system that alerts the guard of any unauthorized access attempts. The security control room must also be protected by physical barriers and access control devices that prevent unauthorized entry. The other options are not requirements of the security control room, although they may be implemented as additional security measures.  References :

PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 15 1

PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 16 1

The Attestation of Compliance (AOC) is the document that describes the results of a PCI Card Production Assessment, and is signed by both the CPSA and the vendor executive officer. The AOC is a summary of the findings and conclusions of the assessment, and indicates whether the vendor meets the PCI Card Production Logical Security Requirements and/or the PCI Card Production Physical Security Requirements. The AOC must be completed using the template provided by PCI SSC, and must be submitted to PCI SSC along with the Report on Compliance (ROC) and other supporting documents. The AOC must also be provided to the vendor’s clients upon request.  References :

PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 11, requirement 7.1.1

PCI Card Production and Provisioning Attestation of Compliance, v2.0, April 2019, page 1, section 1

According to the PCI CPSA Qualification Requirements, one of the administrative requirements for CPSA Companies is to adhere to the report delivery schedule as defined by the PCI SSC. The report delivery schedule specifies the deadlines for submitting the PCI Card Production Reports on Compliance (ROCs) and Attestations of Compliance (AOCs) to the PCI SSC and the payment brands. The report delivery schedule also defines the circumstances under which a CPSA Company may request an extension or a waiver of the report delivery deadline. The PCI SSC is the only entity that can approve the change in the report delivery schedule, and the CPSA Company must submit a written request to the PCI SSC with a valid reason for the delay and the proposed new delivery date. The PCI SSC will review the request and notify the CPSA Company of its decision. The PCI SSC may also notify the payment brands and the affected issuers of the change in the report delivery schedule.  References:  PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 6.1.4, Page 12 1

The PCI SSC does not enforce compliance, nor does it mandate penalties for non-compliance. Compliance with the PCI Card Production Standards is enforced by the payment brands. The payment brands may have their own compliance programs and may apply penalties or fines to entities that are not compliant or suffer a breach. Therefore, a vendor who wants to know if they will be penalized if their vault is not compliant should ask the payment brands that they work with or are contracted by.  References :

Payment Card Industry (PCI) Card Production Security Assessors Program Guide, Version 1.0, April 2019, page 5 1

PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 6 2

According to the PCI Card Production and Provisioning Logical Security Requirements, pre-personalization is the process of unlocking the chip and loading the applications and keys onto the chip. This process is performed by the vendor using codes provided by the chip manufacturer. The codes are used to authenticate the vendor and enable the chip to accept the applications and keys. The pre-personalization process prepares the chip for the subsequent personalization process, where the chip is associated with a specific cardholder account and activated. The pre-personalization process is different from data creation, data preparation, and manufacture, which are other processes involved in card production and provisioning.  References : PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages 6-7 1

 According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must test all alarms on external doors of the card production and provisioning vendor environment at least every month. The vendor must also document the results of the tests and retain them for at least one year. The vendor must also have procedures to respond to any alarms or incidents, and to report them to the relevant parties. The vendor must not test the alarms less frequently than every month, as this may compromise the security and integrity of the card production and provisioning vendor environment and increase the risk of unauthorized access or theft.  References : PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 9-10 1

According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have a secure inner shipping delivery room that is equipped with an alarm system and an access-control system. The alarm system must be triggered when any door of the inner shipping delivery room is opened without proper authorization. The access-control system must only allow the opening of the last activated door to liberate a person detected inside of the inner shipping delivery room and stop the alarm. This is to prevent unauthorized access or exit from the inner shipping delivery room, and to ensure that only one door can be opened at a time.  References : PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 18-19 1

 According to the PCI Card Production Physical Security Requirements, one of the security controls for contracted guard services is to ensure that they have limited access to card production or provisioning areas, and that they do not have access to HSAs, audit logs, or physical master keys that provide access to card production or provisioning areas. This is to prevent unauthorized access, theft, or misuse of card material or data by the contracted guard service. However, the contracted guard service may have access to loading bays, as long as they are escorted by authorized personnel and do not handle or interfere with card shipments.  References:  PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.2.1, Page 7 1