What is your conclusion?
During an assessment you do a walk-through of bringing card products into the HSA using the goods-tools trap. You act as production staff, using an empty cardboard box as the card products. During the process, the guard escorts you, along with the box, into the pre-press room.
What is your conclusion?
A. Compliant, because the guard escorted you
B. Compliant, because the guard ensured that the card product remained under dual control
C. Not compliant, because an inventory of the card product did not take place prior to entry
D. Not compliant, because the guard escorted you
Answer: D
Explanation:
According to the PCI Card Production Physical Security Requirements, the goods-tools trap is a secure area that separates the HSA from the outside world, and is used to control the entry and exit of card products, tools, and other materials. The goods-tools trap must have two doors that are interlocked, meaning that only one door can be opened at a time. The goods-tools trap must also have a CCTV camera and an alarm system. The process of bringing card products into the HSA using the goods-tools trap must follow these steps [1]:
The card products must be delivered to the goods-tools trap by authorized personnel, who must present their identification to the guard and sign a delivery note.
The guard must verify the identification of the personnel and the quantity and quality of the card products, and record the details in a log.
The guard must then escort the personnel to the first door of the goods-tools trap, and open it using a key or a card reader. The personnel must place the card products inside the goods-tools trap and exit the area. The guard must then lock the first door.
The guard must then notify the production staff inside the HSA that the card products are ready to be collected. The production staff must present their identification to the guard and sign a receipt note. The guard must then escort the production staff to the second door of the goods-tools trap, and open it using a key or a card reader. The production staff must collect the card products from the goods-tools trap and enter the HSA. The guard must then lock the second door.
In this scenario, the guard escorted the production staff, along with the box, into the pre-press room. This is not compliant, because the guard is not authorized to enter the HSA, and the card products must remain under dual control at all times. The guard should have stayed outside the HSA and only opened the second door of the goods-tools trap for the production staff. This would ensure that the card products are securely transferred from the goods-tools trap to the HSA, and that the guard does not compromise the security of the HSA.
References:
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 15, requirement 2.1.1
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16, requirement 2.1.2
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 17, requirement 2.1.3
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 18, requirement 2.1.4