Pass Your PCI Exam with CPSA_P_New Exam Dumps (Updated 52 Questions) [Q21-Q39]

CPSA_P_New Exam Dumps - PCI Practice Test Questions

NEW QUESTION # 21
Who performs regular AQM audits of CPSA companies?

  • A. Issuing banks
  • B. PCI SSC
  • C. Payment brands
  • D. Vendor

Answer: B

Explanation:
The PCI Security Standards Council (PCI SSC) performs regular Assessor Quality Management (AQM) audits of CPSA companies to ensure that they comply with the PCI CPSA Qualification Requirements and the PCI Card Production Standards. The AQM audits are conducted by PCI SSC staff or authorized third parties, and may include onsite visits, remote reviews, or both. The AQM audits aim to verify the quality and consistency of the CPSA companies' assessment processes, reports, and documentation, as well as their adherence to the PCI SSC Code of Professional Responsibility. The AQM audits may result in corrective actions, sanctions, or revocation of the CPSA company status, depending on the severity and frequency of the non-compliance issues identified. References:
PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 12, requirement 8.1
PCI Card Production Security Assessor (CPSA) Program Guide, v1.0, April 2019, page 6, section 3.2


NEW QUESTION # 22
A vendor is unsure which forms are needed to complete an assessment. Who should they ask?

  • A. Issuing banks
  • B. Assessor
  • C. Payment brands
  • D. PCI SSC

Answer: B

Explanation:
The assessor is the person who conducts the PCI Card Production Security Assessment and prepares the Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC). The assessor should be familiar with the forms that are needed to complete an assessment and provide guidance to the vendor on how to fill them out. The assessor should also ensure that the forms are consistent with the PCI Card Production Standards and the PCI CPSA Qualification Requirements. The other options are not the best sources of information for the vendor, as they may not be directly involved in the assessment process or have the expertise to advise on the forms. References:
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 81
PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 10
PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 3
PCI Card Production and Provisioning Attestation of Compliance, Version 1.0, April 2019, page 22


NEW QUESTION # 23
A vendor uses codes from a chip manufacturer to 'unlock' chips and prepare them for use by adding applications and keys. Which of the following best describes this process?

  • A. Data creation
  • B. Pre-personalization
  • C. Data preparation
  • D. Manufacture

Answer: B

Explanation:
According to the PCI Card Production and Provisioning Logical Security Requirements, pre-personalization is the process of unlocking the chip and loading the applications and keys onto the chip. This process is performed by the vendor using codes provided by the chip manufacturer. The codes are used to authenticate the vendor and enable the chip to accept the applications and keys. The pre-personalization process prepares the chip for the subsequent personalization process, where the chip is associated with a specific cardholder account and activated. The pre-personalization process is different from data creation, data preparation, and manufacture, which are other processes involved in card production and provisioning. References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages 6-71


NEW QUESTION # 24
A vendor has a list of pre-approved third parties which may be granted access to the facility. Under what circumstances can other third-parties be granted access?

  • A. None, only people on the pre-approved list may enter
  • B. When no card production activities are taking place
  • C. When they are approved by the physical security manager or senior management
  • D. When the third party's liability insurance covers the risk

Answer: C

Explanation:
According to the PCI Card Production Logical Security Requirements, vendors must have a list of pre-approved third parties that are authorized to access the facility and the systems involved in card production. However, other third parties may be granted access under exceptional circumstances, such as emergency repairs or maintenance, provided that they are approved by the physical security manager or senior management. The vendor must also ensure that the third parties comply with the security policies and procedures, and that their access is logged and monitored. References: PCI Card Production Logical Security Requirements, v2.0, April 2019, page 13


NEW QUESTION # 25
If you have a query about a missing field in the card production reporting template, which organization is best-placed to answer it?

  • A. The vendor
  • B. PCI SSC
  • C. The payment brands
  • D. The issuer

Answer: B

Explanation:
The PCI SSC is the best-placed organization to answer a query about a missing field in the card production reporting template, as they are the ones who develop and maintain the template and the standards. The card production reporting template is the mandatory template for use in completing a Card Production Report on Compliance (ROC), which provides detail on how to document the findings of a PCI Card Production Assessment. The template is based on the PCI Card Production and Provisioning Logical Security Requirements and the PCI Card Production and Provisioning Physical Security Requirements, which are also developed and maintained by the PCI SSC. Therefore, the PCI SSC has the authority and the expertise to clarify any issues or questions regarding the template and the standards. The other options are not the best sources of information for the query, as they may not have the same level of knowledge or involvement in the template and the standards. References:
PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 31
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 52
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 82


NEW QUESTION # 26
An assessor is unsure if log review and interview is sufficient testing for a requirement. Who can best answer this question?

  • A. Issuing banks
  • B. PCI SSC
  • C. Payment brands
  • D. Vendor

Answer: B

Explanation:
The PCI SSC (Payment Card Industry Security Standards Council) is the organization that develops and maintains the PCI Card Production Standards and related validation requirements, programs, and supporting documentation. The PCI SSC also provides training and qualification for CPSA Companies and CPSA Employees to perform PCI Card Production Assessments. The PCI SSC is the best source of guidance and clarification for any questions or issues related to the assessment process, testing methods, reporting requirements, and interpretation of the standards. The assessor can contact the PCI SSC by email, phone, or online form, as specified in the CPSA Program Guide. The payment brands, issuing banks, and vendors are not responsible for defining or explaining the assessment requirements or testing methods, and may not have the same level of expertise or authority as the PCI SSC. References:
Card Production Security Assessor (CPSA) Program Guide, Sections 2.1 and 5.1
Card Production Security Assessor (CPSA) Qualification Requirements, Sections 1.1 and 2.1


NEW QUESTION # 27
When must HSA motion detectors generate an alarm event?

  • A. Each time movement is detected and the access-control system indicates the room is occupied
  • B. Each time movement is detected outside of regular business hours
  • C. Each time movement is detected
  • D. Each time movement is detected and the access-control system indicates the room is not occupied

Answer: D

Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for high-security areas (HSAs) is to have motion detectors that generate an alarm event when movement is detected and the access-control system indicates the room is not occupied. This is to prevent unauthorized access or intrusion to the HSAs, where sensitive card production and provisioning activities take place. The motion detectors should be configured to cover all areas within the HSA and should be tested periodically to ensure proper functionality. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.1.1, Page 61


NEW QUESTION # 28
Which of the following statements about unsolicited visitors is true?

  • A. They must be registered, their identities confirmed, and must be allocated an escort before entry
  • B. They must complete an NDA before entry is granted
  • C. They must be turned away
  • D. They must be able to prove a legitimate reason for their visit prior to entry

Answer: A

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, unsolicited visitors are defined as "individuals who do not have a pre-arranged appointment or a legitimate reason for visiting the Card Production Entity". The requirement for dealing with unsolicited visitors is that they must be registered, their identities confirmed, and must be allocated an escort before entry. The escort must accompany the unsolicited visitor at all times and ensure that they do not access any restricted areas or sensitive information.
The other options are not true statements about unsolicited visitors, as they may not comply with the PCI Card Production Standards or the best practices for physical security. References:
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 101
PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 111


NEW QUESTION # 29
Which of the following security awareness measures is required for compliance?

  • A. Annual training on common attack methods
  • B. Security awareness exams for all personnel
  • C. Security posters must be placed in the facility
  • D. Annual training on use of mantraps

Answer: A

Explanation:
According to the PCI Card Production and Provisioning Logical Security Requirements, the vendor must implement a formal security awareness program to make all personnel aware of the importance of card production and provisioning security. The security awareness program must include annual training on common attack methods, such as phishing, social engineering, malware, and ransomware, and how to prevent, detect, and report them. The security awareness program must also include training on the vendor's security policies and procedures, the roles and responsibilities of personnel, the applicable PCI Card Production and Provisioning Security Requirements, and the consequences of non-compliance. The vendor must also require all personnel to acknowledge at least annually that they have read and understood the security policies and procedures. The vendor must not use security posters alone, as they are not sufficient to meet the security awareness program requirements. The vendor may use security awareness exams for all personnel, but they are not mandatory for compliance. The vendor may also train personnel on the use of mantraps, but this is not relevant to the logical security requirements. References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages 28-291


NEW QUESTION # 30
Where can misprinted, partially finished cards be shredded?

  • A. Only in the HSA destruction room
  • B. Either in the HSA printing room or destruction room
  • C. In any HSA room approved by the security manager
  • D. Either in the HSA destruction room or a loading bay that meets all requirements of a destruction room

Answer: A

Explanation:
According to the PCI Card Production Physical Security Requirements, one of the security controls for card destruction is to ensure that misprinted, partially finished, or rejected cards are shredded only in the HSA destruction room. This is to prevent unauthorized access, theft, or misuse of the cards, which may contain sensitive data or features. The HSA destruction room should have adequate security measures, such as locks, alarms, cameras, etc., to protect the cards until they are shredded. The shredding process should render the cards unusable and unrecognizable, and the shredded material should be disposed of securely. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 5, Requirement 5.1.1, Page 111


NEW QUESTION # 31
To liberate a person detected inside of the inner shipping delivery room and stop the alarm, the software monitoring the access-control system must only allow the opening of which door?

  • A. The last activated door
  • B. The external facing door
  • C. The least secure door
  • D. The internal facing door

Answer: A

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have a secure inner shipping delivery room that is equipped with an alarm system and an access-control system. The alarm system must be triggered when any door of the inner shipping delivery room is opened without proper authorization. The access-control system must only allow the opening of the last activated door to liberate a person detected inside of the inner shipping delivery room and stop the alarm. This is to prevent unauthorized access or exit from the inner shipping delivery room, and to ensure that only one door can be opened at a time. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 18-191


NEW QUESTION # 32
In which of the following locations must the CCTV and access control servers be located?

  • A. Within the secure server room inside of the HSA
  • B. Within the SCR or a room with equivalent security
  • C. Within a room in the HSA with security controls equivalent to the SCR applied
  • D. Within the Security Control Room (SCR)

Answer: B

Explanation:
According to the PCI Card Production Physical Security Requirements, the CCTV and access control servers must be located within the Security Control Room (SCR) or a room with equivalent security. This means that the room must have the same level of physical protection as the SCR, such as locks, alarms, sensors, cameras, and access control devices. The purpose of this requirement is to prevent unauthorized access, tampering, or theft of the servers that store and process sensitive data related to card production and security. References: PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16


NEW QUESTION # 33
A vendor wants to know if they will be penalized if their vault is not compliant. Who should they ask?

  • A. Issuing banks
  • B. Assessor
  • C. Payment brands
  • D. PCI SSC

Answer: C

Explanation:
The PCI SSC does not enforce compliance, nor does it mandate penalties for non-compliance. Compliance with the PCI Card Production Standards is enforced by the payment brands. The payment brands may have their own compliance programs and may apply penalties or fines to entities that are not compliant or suffer a breach. Therefore, a vendor who wants to know if they will be penalized if their vault is not compliant should ask the payment brands that they work with or are contracted by. References:
Payment Card Industry (PCI) Card Production Security Assessors Program Guide, Version 1.0, April 2019, page 51
PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 62


NEW QUESTION # 34
Which of the following must be used by the vendor to protect doors that provide access to buildings containing air conditioning equipment?

  • A. Electrical contacts that log each open and close event to a secure system memory
  • B. Magnetic contacts that are permanently alarmed and that are connected to the security control-room panels
  • C. Security tape that will leave an observable trace each time a door is opened
  • D. Physical locks with a limited set of keys under constant supervision by a guard in the security control-room

Answer: B

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must use magnetic contacts that are permanently alarmed and that are connected to the security control-room panels to protect doors that provide access to buildings containing air conditioning equipment. The vendor must also ensure that the air conditioning equipment is located in a secure area that is not accessible to unauthorized personnel, and that the air conditioning system is monitored and maintained to prevent unauthorized access or tampering. The vendor must also have procedures to respond to any alarms or incidents related to the air conditioning system, and to report them to the relevant parties. The vendor must not use security tape, electrical contacts, or physical locks alone, as these may not provide adequate protection or detection of unauthorized access or tampering. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 21-221


NEW QUESTION # 35
For how long must a vendor retain all applicant and employee background information on file?

  • A. It is not a requirement to store this information beyond termination of the contract
  • B. For at least 18 months after termination of the contract of employment
  • C. For at least 12 months after termination of the contract of employment
  • D. For at least 24 months after termination of the contract of employment

Answer: C

Explanation:
According to the PCI CPSA Qualification Requirements, one of the administrative requirements for CPSA Companies is to retain all applicant and employee background information on file for at least 12 months after termination of the contract of employment. This is to ensure that the CPSA Company can provide evidence of the background checks performed on the CPSA Employees or other personnel involved in card production and provisioning activities. The background checks should include criminal history, employment history, education verification, and reference checks, and should be conducted at least every two years or upon rehire. References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 6.1.2, Page 111


NEW QUESTION # 36
The receptionist responsible for the entrance and departure of visitors must have which of the following?

  • A. A constant, open communication channel with a guard
  • B. A shredder for the destruction of disposable visitor badges
  • C. An unobstructed view of the reception area at all times
  • D. A means of communicating directly with the visitor while on the premises

Answer: C

Explanation:
According to the PCI Card Production Physical Security Requirements, the receptionist responsible for the entrance and departure of visitors must have an unobstructed view of the reception area at all times. This is to ensure that the receptionist can monitor and control the access of visitors, and to prevent any unauthorized entry or exit of personnel or materials. The receptionist must also have a means of verifying the identity of visitors, such as a photo ID or a visitor log, and a means of issuing and collecting visitor badges, such as a badge printer or a badge holder. The receptionist must also have a means of communicating with the security personnel or the security control room, such as a phone or an intercom, in case of any emergency or suspicious activity. References:
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 21, requirement 5.3.1
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 22, requirement 5.3.2
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 23, requirement 5.3.3


NEW QUESTION # 37
A cardholder wants to make purchases using their phone, so they have their cardholder information programmed into their SIM card using their mobile phone provider. Which of the following best describes this system?

  • A. Card personalization
  • B. Over-the-air (OTA) provisioning
  • C. Secure Element (SE) provisioning
  • D. Host Card Emulation (HCE) provisioning

Answer: C

Explanation:
According to the PCI Card Production and Provisioning Logical Security Requirements, Secure Element (SE) provisioning is the process of adding cardholder account information to a secure element on a mobile device via an over-the-air or over-the-internet communication channel. A secure element is a tamper-resistant platform that can securely host applications and their confidential and cryptographic data. A SIM card is an example of a secure element that can be used for mobile payments. SE provisioning is different from Host Card Emulation (HCE) provisioning, which is the process of adding cardholder account information to a cloud-based server that emulates a secure element on a mobile device. SE provisioning is also different from card personalization, which is the process of adding cardholder account information to a physical card.
Over-the-air (OTA) provisioning is a generic term that can refer to either SE or HCE provisioning, depending on the type of mobile payment system used. References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages 6-71


NEW QUESTION # 38
The vendor's technical documentation shows that the alarm system does not send alerts to the security control room. After a discussion you learn that the alarm works perfectly, and sends a clear signal to summon the local police every time an emergency exit is opened. Why might this cause a problem for their assessment?

  • A. If the local police have not been issued with an exterior key, they will not be able to investigate the cause of the alarm and reset it
  • B. If the local police receive too many false-positive alerts, they may not respond within 15 minutes of the alarm
  • C. During working hours, the alarm should be managed in the security control room, or by a central monitoring service
  • D. During busy times, the local police may not be able to respond

Answer: C

Explanation:
According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have an alarm system that monitors and detects unauthorized access to the card production and provisioning facilities, and that alerts the security control room or a central monitoring service. The alarm system must also be able to identify the location and cause of the alarm, and allow authorized personnel to reset it. The alarm system must be operational 24/7, and must be tested at least annually. The vendor must also have procedures to respond to alarms and incidents, and to report them to the relevant parties. If the alarm system does not send alerts to the security control room, or a central monitoring service, during working hours, the vendor may not be able to comply with these requirements, and may not be able to prevent, detect, or respond to unauthorized access or security breaches. This may cause a problem for their assessment, as they may not meet the PCI Card Production and Provisioning Physical Security Requirements. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 9-101

