A vendor puts cardholder information into a chip by sliding a payment card through a machine that programs it and verifies the data. The chip can make contactless transactions.
Which of the following best describes the vendor’s activity?
- A . Card personalization
- B . Host Card Emulation (HCE) provisioning
- C . Secure Element (SE) provisioning
- D . Fulfillment
A
Explanation:
Card personalization is the process of transferring cardholder information, such as account number, name, expiration date, and other data, to a payment card. This can be done by various methods, such as magnetic stripe encoding, embossing, laser engraving, or chip programming. Chip programming is the method of personalizing a card that has an embedded microchip that can store and process data. Chip cards can support contact or contactless transactions, depending on the chip type and the terminal capabilities. Contact transactions require the card to be inserted into a reader, while contactless transactions use radio frequency (RF) communication between the card and the reader. The vendor in the question is performing card personalization by programming the chip and verifying the data on the card.
References:
Payment Card Industry (PCI) Card Production and Provisioning – Logical Security Requirements, Section 1.1.1
Payment Card Industry (PCI) Card Production and Provisioning – Physical Security Requirements, Section 1.1.1
Payment Card Industry (PCI) Card Production and Provisioning – Glossary of Terms, Abbreviations, and Acronyms, Definitions of Card Personalization, Chip Card, Contact Card, and Contactless Card
Reference: https://www.epsprogramming.com/blog/what-is-secure-provisioning
You are driving to a vendor for their first assessment. The facility is in a rural area, twenty miles away from the nearest large town.
What most concerns you about the location?
- A . The local fire service may not be able to reach the facility within 15 minutes
- B . Law enforcement services may not be able to reach the facility in a timely manner
- C . Power blackouts may affect security systems
- D . There may not be adequate retail outlets, which may cause problems when sourcing lunch items for onsite personnel
A vendor wants to know if they will be penalized if their vault is not compliant. Who should they ask?
- A . PCI SSC
- B . Assessor
- C . Issuing banks
- D . Payment brands
D
Explanation:
The PCI SSC does not enforce compliance, nor does it mandate penalties for non-compliance. Compliance with the PCI Card Production Standards is enforced by the payment brands. The payment brands may have their own compliance programs and may apply penalties or fines to entities that are not compliant or suffer a breach. Therefore, a vendor who wants to know if they will be penalized if their vault is not compliant should ask the payment brands that they work with or are contracted by.
References:
Payment Card Industry (PCI) Card Production Security Assessors Program Guide, Version 1.0, April 2019, page 51
PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 62
A vendor receives cardholder information and keys from a bank.
The vendor then performs the following:
* Uses its HSM to create keys
* Creates cardholder information specific to each cardholder, including name and PAN
* Formats the data for the hardware that will put it on a card
* Writes it to an encrypted file
Which of the following best describes this process?
- A . Data creation
- B . Data preparation
- C . Manufacture
- D . Pre-personalization
B
Explanation:
Data preparation is the process of creating cardholder data and keys for each card, and formatting them for the hardware that will put them on a card. Data preparation involves the use of an HSM to generate keys and encrypt data, and the creation of an encrypted file that contains the cardholder data and keys. Data preparation is one of the steps in the card production lifecycle, and it precedes the manufacture and personalization of the cards.
References:
Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 10
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 9
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 9
An assessor must provide which of the following to their client at the start of every assessment?
- A . CPSA Feedback Form
- B . Quality Assurance Manual
- C . Attestation of Compliance
- D . Vendor Release Agreement
B
Explanation:
According to the Card Production Security Assessor (CPSA) Qualification Requirements, an assessor must provide their client with a Quality Assurance Manual at the start of every assessment. The Quality Assurance Manual is a document that describes the assessor’s methodology, procedures, and quality control measures for conducting assessments. The manual must be consistent with the CPSA Program Guide and the PCI Card Production and Provisioning Security Requirements. The manual must also include a description of the assessor’s roles and responsibilities, the assessment scope and objectives, the assessment plan and timeline, the assessment report format and content, and the assessor’s conflict of interest policy.
References:
Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 111
Reference: https://listings.pcisecuritystandards.org/documents/Card_Production_Security__Assessor_(CPSA)_Qualification_Requirements__v1.0_Apr__2019.pdf
An assessor is unsure if log review and interview is sufficient testing for a requirement. Who can best answer this question?
- A . Payment brands
- B . Issuing banks
- C . Vendor
- D . PCI SSC
D
Explanation:
The PCI SSC (Payment Card Industry Security Standards Council) is the organization that develops and maintains the PCI Card Production Standards and related validation requirements, programs, and supporting documentation. The PCI SSC also provides training and qualification for CPSA Companies and CPSA Employees to perform PCI Card Production Assessments. The PCI SSC is the best source of guidance and clarification for any questions or issues related to the assessment process, testing methods, reporting requirements, and interpretation of the standards. The assessor can contact the PCI SSC by email, phone, or online form, as specified in the CPSA Program Guide. The payment brands, issuing banks, and vendors are not responsible for defining or explaining the assessment requirements or testing methods, and may not have the same level of expertise or authority as the PCI SSC.
References:
Card Production Security Assessor (CPSA) Program Guide, Section 2.1 and 5.1
Card Production Security Assessor (CPSA) Qualification Requirements, Section 1.1 and 2.1
Reference: https://www.pcisecuritystandards.org/about_us/#:~:text=The%20PCI%20SSC%20mission%20is,and%20effective%20implementation%20by%20stakeholders
When must HSA motion detectors generate an alarm event?
- A . Each time movement is detected
- B . Each time movement is detected outside of regular business hours
- C . Each time movement is detected and the access-control system indicates the room is occupied
- D . Each time movement is detected and the access-control system indicates the room is not occupied
D
Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for high-security areas (HSAs) is to have motion detectors that generate an alarm event when movement is detected and the access-control system indicates the room is not occupied. This is to prevent unauthorized access or intrusion to the HSAs, where sensitive card production and provisioning activities take place. The motion detectors should be configured to cover all areas within the HSA and should be tested periodically to ensure proper functionality.
References:
PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.1.1, Page 61
Which of these is a requirement of the security control room?
- A . Access must be controlled by a physical key (in case of power-failure)
- B . Access must be monitored in real-time
- C . At least one guard must be present at all times
- D . Dual-control must be used to grant entry
B
Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the security control room is the area where the security systems are monitored and controlled. The requirement for the security control room is that access must be monitored in real-time by a guard or an automated system that alerts the guard of any unauthorized access attempts. The security control room must also be protected by physical barriers and access control devices that prevent unauthorized entry. The other options are not requirements of the security control room, although they may be implemented as additional security measures.
References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 151
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 161
During an assessment you ask to see employee records for employees with access to the HSA. The records include information about the screening process, including background information from the employee application process. The oldest background information that is available is for an employee that left the vendor (terminated their contract) one year previously.
You note this as non-compliant. Why?
- A . Employee information, including background checks, must be stored for at least seven years
- B . Employee information must be securely destroyed (e.g. securely wiped) within 2 years (after termination of contract)
- C . The vendor must retain the background information for at least 18 months after termination of contract
- D . The vendor must only retain background information for all current employees, not for those that have been terminated
B
Explanation:
According to the PCI Card Production Logical Security Requirements, the vendor must securely destroy all employee information, including background checks, within two years of the employee’s termination of contract. This is to prevent unauthorized access to sensitive employee data and to comply with the PCI DSS requirement 3.1, which states that cardholder data must not be stored longer than necessary. The vendor must also have a documented policy and procedure for the secure destruction of employee information, and must maintain a log of all destruction activities.
References:
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.1
PCI DSS, v3.2.1, May 2018, page 25, requirement 3.1
The vendor’s technical documentation shows that the alarm system does not send alerts to the security control room. After a discussion you learn that the alarm works perfectly, and sends a clear signal to summon the local police every time an emergency exit is opened.
Why might this cause a problem for their assessment?
- A . If the local police have not been issued with an exterior key, they will not be able to investigate the cause of the alarm and reset it
- B . During working hours, the alarm should be managed in the security control room, or by a central monitoring service
- C . If the local police receive too many false-positive alerts, they may not respond within 15 minutes of the alarm
- D . During busy times, the local police may not be able to respond
B
Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have an alarm system that monitors and detects unauthorized access to the card production and provisioning facilities, and that alerts the security control room or a central monitoring service. The alarm system must also be able to identify the location and cause of the alarm, and allow authorized personnel to reset it. The alarm system must be operational 24/7, and must be tested at least annually. The vendor must also have procedures to respond to alarms and incidents, and to report them to the relevant parties. If the alarm system does not send alerts to the security control room, or a central monitoring service, during working hours, the vendor may not be able to comply with these requirements, and may not be able to prevent, detect, or respond to unauthorized access or security breaches. This may cause a problem for their assessment, as they may not meet the PCI Card Production and Provisioning Physical Security Requirements.
References:
PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 9-101
A CPSA Company has submitted multiple reports that are incomplete and do not contain the information described in the reporting instructions.
Which of the following are possible outcomes?
- A . They may be put into remediation or revoked by the applicable payment brands
- B . They may be put into remediation or revoked by PCI SSC
- C . They may be fined by the applicable payment brands
- D . They may be fined by PCI SSC
B
Explanation:
The PCI SSC has a quality assurance (QA) program that monitors the performance and compliance of CPSA Companies and CPSA Employees. The QA program is based on eight guiding principles that the assessor community must adhere to, one of which is to maintain consistent assessor procedures and reporting. The PCI SSC reviews the reports submitted by the CPSA Companies and provides feedback on the quality and completeness of the reports. If a CPSA Company submits multiple reports that are incomplete and do not contain the information described in the reporting instructions, they may be violating the QA program and the CPSA Qualification Requirements. The PCI SSC may take corrective actions against the CPSA Company, such as issuing a warning, requiring additional training, imposing remediation, or revoking the CPSA Company status. Remediation is a process that requires the CPSA Company to improve in one or more areas of their operations and demonstrate compliance with the PCI SSC requirements. Revocation is a process that terminates the CPSA Company status and removes the CPSA Company from the list of qualified assessors on the PCI SSC website. The PCI SSC has the sole authority and discretion to determine the appropriate corrective actions for any non-compliance issues by the CPSA Companies or CPSA Employees. The payment brands do not have the power to put the CPSA Companies into remediation or revoke their status, nor do they have the power to fine them. The payment brands may, however, impose their own sanctions or penalties on the card production entities that are assessed by the CPSA Companies, based on their own contractual agreements and compliance programs.
References:
Card Production Security Assessor (CPSA) Program Guide, Section 3 and 5.1
Card Production Security Assessor (CPSA) Qualification Requirements, Section 3.1 and 3.2
CPSA Remediation Statement
Where can misprinted, partially finished cards be shredded?
- A . In any HSA room approved by the security manager
- B . Either in the HSA printing room or destruction room
- C . Only in the HSA destruction room
- D . Either in the HSA destruction room or a loading bay that meets all requirements of a destruction room
C
Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for card destruction is to ensure that misprinted, partially finished, or rejected cards are shredded only in the HSA destruction room. This is to prevent unauthorized access, theft, or misuse of the cards, which may contain sensitive data or features. The HSA destruction room should have adequate security measures, such as locks, alarms, cameras, etc., to protect the cards until they are shredded. The shredding process should render the cards unusable and unrecognizable, and the shredded material should be disposed of securely.
References:
PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 5, Requirement 5.1.1, Page 111
A vendor is unsure which forms are needed to complete an assessment. Who should they ask?
- A . Assessor
- B . Issuing banks
- C . Payment brands
- D . PCI SSC
A
Explanation:
The assessor is the person who conducts the PCI Card Production Security Assessment and prepares the Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC). The assessor should be familiar with the forms that are needed to complete an assessment and provide guidance to the vendor on how to fill them out. The assessor should also ensure that the forms are consistent with the PCI Card Production Standards and the PCI CPSA Qualification Requirements. The other options are not the best sources of information for the vendor, as they may not be directly involved in the assessment process or have the expertise to advise on the forms.
References:
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 81
PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 10
PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 3
PCI Card Production and Provisioning Attestation of Compliance, Version 1.0, April 2019, page 22
During an assessment you do a walk-through of bringing card products into the HSA using the goods-tools trap. You act as production staff, using an empty cardboard box as the card products. During the process, the guard escorts you, along with the box, into the pre-press room.
What is your conclusion?
- A . Compliant, because the guard escorted you
- B . Compliant, because the guard ensured that the card product remained under dual control
- C . Not compliant, because an inventory of the card product did not take place prior to entry
- D . Not compliant, because the guard escorted you
D
Explanation:
According to the PCI Card Production Physical Security Requirements, the goods-tools trap is a secure area that separates the HSA from the outside world, and is used to control the entry and exit of card products, tools, and other materials. The goods-tools trap must have two doors that are interlocked, meaning that only one door can be opened at a time. The goods-tools trap must also have a CCTV camera and an alarm system. The process of bringing card products into the HSA using the goods-tools trap must follow these steps:
* The card products must be delivered to the goods-tools trap by authorized personnel, who must present their identification to the guard and sign a delivery note.
* The guard must verify the identification of the personnel and the quantity and quality of the card products, and record the details in a log.
* The guard must then escort the personnel to the first door of the goods-tools trap, and open it using a key or a card reader. The personnel must place the card products inside the goods-tools trap and exit the area. The guard must then lock the first door.
* The guard must then notify the production staff inside the HSA that the card products are ready to be collected. The production staff must present their identification to the guard and sign a receipt note. The guard must then escort the production staff to the second door of the goods-tools trap, and open it using a key or a card reader. The production staff must collect the card products from the goods-tools trap and enter the HSA. The guard must then lock the second door.
In this scenario, the guard escorted the production staff, along with the box, into the pre-press room. This is not compliant, because the guard is not authorized to enter the HSA, and the card products must remain under dual control at all times. The guard should have stayed outside the HSA and only opened the second door of the goods-tools trap for the production staff. This would ensure that the card products are securely transferred from the goods-tools trap to the HSA, and that the guard does not compromise the security of the HSA.
References:
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 15, requirement 2.1.1
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16, requirement 2.1.2
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 17, requirement 2.1.3
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 18, requirement 2.1.4
Under which circumstances may boxes containing card stock remain unsealed within the vault?
- A . Where stock from those boxes will be pulled multiple times per day
- B . Where the stock from those boxes will be pulled once at the beginning of production
- C . Always, as long as an accurate inventory is being maintained
- D . This is never permitted
D
Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must ensure that all boxes containing card stock are sealed with tamper-evident tape or labels when stored in the vault. The vendor must also maintain a log of all card stock movements in and out of the vault, and reconcile the card stock inventory at least daily. The vendor must not leave any boxes containing card stock unsealed within the vault, regardless of the frequency of stock pulling, as this may compromise the security and integrity of the card stock and increase the risk of unauthorized access or theft.
References:
PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 12-131