
NEW QUESTION # 17
Which of the following must every assessor do to maintain their CPSA certification?
- A. Earn an additional professional certification from List A or B of the Qualification Requirements (QRs)
- B. Submit evidence of internal training in a relevant area (as per the QRs)
- C. Earn and document at least 20 hours of Continuing Professional Education (CPE) over 3 years
- D. Complete annual requalification training or complete 3 assessments for different facilities each year
Answer: D
Explanation:
According to the Card Production Security Assessor (CPSA) Qualification Requirements, a CPSA maintains qualification status by either completing the annual requalification training provided by PCI SSC or performing at least three (3) PCI Card Production Assessments for different facilities during the previous one-year period. Either path keeps the assessor current with technical and industry changes and demonstrates continued professional practice.
References: Card Production Security Assessor (CPSA) Qualification Requirements, v1.1, March 2022, page 10
NEW QUESTION # 18
A CPSA Company has submitted multiple reports that are incomplete and do not contain the information described in the reporting instructions. Which of the following are possible outcomes?
- A. They may be fined by the applicable payment brands
- B. They may be put into remediation or revoked by the applicable payment brands
- C. They may be put into remediation or revoked by PCI SSC
- D. They may be fined by PCI SSC
Answer: C
Explanation:
PCI SSC operates a quality assurance (QA) program that monitors the performance and compliance of CPSA Companies and CPSA Employees. The program rests on eight guiding principles the assessor community must adhere to, one of which is to maintain consistent assessor procedures and reporting. PCI SSC reviews the reports submitted by CPSA Companies and gives feedback on their quality and completeness. A CPSA Company that repeatedly submits incomplete reports lacking the information described in the reporting instructions is in breach of the QA program and the CPSA Qualification Requirements, and PCI SSC may take corrective action: issuing a warning, requiring additional training, placing the company in remediation, or revoking its CPSA Company status. Remediation requires the company to improve in one or more areas of its operations and demonstrate compliance with PCI SSC requirements; revocation terminates the CPSA Company status and removes the company from the list of qualified assessors on the PCI SSC website. PCI SSC has sole authority and discretion to decide the appropriate corrective action. The payment brands cannot place a CPSA Company in remediation, revoke its status, or fine it. They may, however, impose their own sanctions on the card production entities assessed by the CPSA Company, under their own contractual agreements and compliance programs.
References:
Card Production Security Assessor (CPSA) Program Guide, Sections 3 and 5.1
Card Production Security Assessor (CPSA) Qualification Requirements, Sections 3.1 and 3.2
CPSA Remediation Statement
NEW QUESTION # 19
If you have a query about a missing field in the card production reporting template, which organization is best-placed to answer it?
- A. The payment brands
- B. The issuer
- C. The vendor
- D. PCI SSC
Answer: D
Explanation:
PCI SSC develops and maintains both the card production reporting template and the standards it is built on, so it is the organization best placed to answer a query about a missing field. The template is mandatory for completing a Card Production Report on Compliance (ROC) and sets out how the findings of a PCI Card Production Assessment are documented. It is based on the PCI Card Production and Provisioning Logical Security Requirements and the PCI Card Production and Provisioning Physical Security Requirements, which PCI SSC also publishes, so PCI SSC has both the authority and the expertise to clarify the template. The payment brands, the issuer and the vendor neither develop nor maintain the template and cannot answer authoritatively.
References:
PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 31
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, pages 52 and 82
NEW QUESTION # 20
Before you go on-site, the vendor's primary contact communicates a legitimate reason for delaying the assessment for several months. Who can approve the change in the report delivery schedule?
- A. Vendor senior management
- B. Payment brands
- C. Affected issuers
- D. PCI SSC
Answer: D
Explanation:
Under the PCI CPSA Qualification Requirements, one of the administrative obligations of a CPSA Company is to adhere to the report delivery schedule defined by PCI SSC. The schedule sets the deadlines for submitting PCI Card Production Reports on Compliance (ROCs) and Attestations of Compliance (AOCs) to PCI SSC and the payment brands, and defines when a CPSA Company may request an extension or waiver of a deadline. Only PCI SSC can approve a change to the report delivery schedule. The CPSA Company submits a written request to PCI SSC stating a valid reason for the delay and the proposed new delivery date; PCI SSC reviews the request and notifies the CPSA Company of its decision, and may also notify the payment brands and the affected issuers. Vendor senior management, the payment brands and the affected issuers cannot approve the change themselves.
References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 6.1.4, page 12
NEW QUESTION # 21
John works for ACME Inc. Personalizers, an organization that personalizes payment cards and also prints the corresponding PIN mailers for distribution directly to the cardholder. Which of the following statements is true?
- A. If John is involved in card personalization then he must not be involved in the printing of the corresponding PINs
- B. If John is involved in PIN printing, then he must never be involved in the card shipment process
- C. If John is involved in card personalization, then he must never be involved in the card shipment process
- D. If John is involved in card personalization, then he must never be involved in PIN printing
Answer: D
Explanation:
The PCI Card Production and Provisioning Logical Security Requirements mandate a clear segregation of duties between staff performing different card production and provisioning activities, such as card personalization, PIN generation and printing, and card fulfillment. The aim is to prevent unauthorized access to, modification of, or disclosure of sensitive cardholder data and to preserve the integrity and confidentiality of the production process. Card personalization is the transfer of cardholder information onto a payment card; PIN printing is the printing of the personal identification number associated with the cardholder account onto a mailer. If John is involved in card personalization, he must therefore never be involved in PIN printing: a single person able to link the data on the card with the PIN on the mailer could compromise cardholder authentication. The other statements are not true. No requirement bars John from the card shipment process, provided he cannot obtain both the card and the corresponding PIN mailer at the same time.
References:
Payment Card Industry (PCI) Card Production and Provisioning - Logical Security Requirements, Sections 2.1.1 and 2.1.2
Payment Card Industry (PCI) Card Production and Provisioning - Glossary of Terms, Abbreviations, and Acronyms, definitions of Card Personalization and PIN Printing
NEW QUESTION # 22
A vendor puts cardholder information into a chip by sliding a payment card through a machine that programs it and verifies the data. The chip can make contactless transactions. Which of the following best describes the vendor's activity?
- A. Fulfillment
- B. Secure Element (SE) provisioning
- C. Card personalization
- D. Host Card Emulation (HCE) provisioning
Answer: C
Explanation:
Card personalization is the transfer of cardholder information (account number, name, expiration date and other data) onto a payment card. It can be done by magnetic stripe encoding, embossing, laser engraving or chip programming. Chip programming personalizes a card that carries an embedded microchip able to store and process data. Chip cards support contact transactions, contactless transactions or both, depending on the chip and the terminal: contact transactions require the card to be inserted into a reader, while contactless transactions use radio frequency (RF) communication between card and reader. The vendor in the question programs the chip and verifies the written data, which is card personalization. Fulfillment, Secure Element (SE) provisioning and Host Card Emulation (HCE) provisioning are different activities.
References:
Payment Card Industry (PCI) Card Production and Provisioning - Logical Security Requirements, Section 1.1.1
Payment Card Industry (PCI) Card Production and Provisioning - Physical Security Requirements, Section 1.1.1
Payment Card Industry (PCI) Card Production and Provisioning - Glossary of Terms, Abbreviations, and Acronyms, definitions of Card Personalization, Chip Card, Contact Card, and Contactless Card
NEW QUESTION # 23
A vendor receives cardholder information and keys from a bank. The vendor then performs the following:
* Uses its HSM to create keys
* Creates cardholder information specific to each cardholder, including name and PAN
* Formats the data for the hardware that will put it on a card
* Writes it to an encrypted file
Which of the following best describes this process?
- A. Data preparation
- B. Pre-personalization
- C. Manufacture
- D. Data creation
Answer: A
Explanation:
Data preparation is the process of creating the cardholder data and keys for each card and formatting them for the hardware that will write them to the card. It uses an HSM to generate keys and encrypt data, and produces an encrypted file containing the per-card cardholder data and keys. Every step listed in the question (HSM key creation, per-cardholder data creation, formatting for the personalization hardware, writing to an encrypted file) falls within data preparation. Data preparation is one step in the card production lifecycle and precedes the personalization of the cards.
References:
Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 10
PCI Card Production Logical Security Requirements, v2.0, April 2019, page 9
PCI Card Production Physical Security Requirements, v2.0, April 2019, page 9
NEW QUESTION # 24
A vendor is unsure which forms are needed to complete an assessment. Who should they ask?
- A. PCI SSC
- B. Assessor
- C. Issuing banks
- D. Payment brands
Answer: B
NEW QUESTION # 25
How frequently must alarms on external doors of a card production and provisioning vendor environment be tested?
- A. Every month
- B. Every week
- C. Every day
- D. Every 3 months
Answer: A
Explanation:
The PCI Card Production and Provisioning Physical Security Requirements require the vendor to test all alarms on external doors of the card production and provisioning environment at least monthly. The vendor must document the test results and retain them for at least one year, and must have procedures for responding to alarms and incidents and reporting them to the relevant parties. Testing less often than monthly would weaken assurance that the perimeter alarms actually work and increase the risk of undetected unauthorized access or theft.
References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 9-10
NEW QUESTION # 26
An assessor must provide which of the following to their client at the start of every assessment?
- A. Attestation of Compliance
- B. Vendor Release Agreement
- C. Quality Assurance Manual
- D. CPSA Feedback Form
Answer: C
Explanation:
According to the Card Production Security Assessor (CPSA) Qualification Requirements, an assessor must provide the client with a Quality Assurance Manual at the start of every assessment. The manual describes the assessor's methodology, procedures and quality control measures for conducting assessments and must be consistent with the CPSA Program Guide and the PCI Card Production and Provisioning Security Requirements. It also covers the assessor's roles and responsibilities, the assessment scope and objectives, the assessment plan and timeline, the format and content of the assessment report, and the assessor's conflict of interest policy.
References: Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 11
NEW QUESTION # 27
Which of the following statements is true in relation to visitor access badges?
- A. Unissued visitor access badges must be securely stored
- B. Each visitor entering the facility must be issued and must visibly wear a disposable ID badge that identifies them as a non-employee
- C. Each visitor entering the facility must wear their issued access badge above waist height
- D. Badges with access-controls must not be issued to visitors
Answer: B
NEW QUESTION # 28
Who performs regular AQM audits of CPSA companies?
- A. Vendor
- B. Issuing banks
- C. Payment brands
- D. PCI SSC
Answer: D
Explanation:
The PCI Security Standards Council (PCI SSC) performs regular Assessor Quality Management (AQM) audits of CPSA companies to confirm compliance with the PCI CPSA Qualification Requirements and the PCI Card Production Standards. The audits are carried out by PCI SSC staff or authorized third parties and may involve on-site visits, remote reviews or both. They verify the quality and consistency of the CPSA company's assessment processes, reports and documentation, and its adherence to the PCI SSC Code of Professional Responsibility. Depending on the severity and frequency of any non-compliance found, an AQM audit may lead to corrective actions, sanctions or revocation of CPSA company status. Vendors, issuing banks and payment brands do not perform AQM audits.
References:
PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 12, requirement 8.1
PCI Card Production Security Assessor (CPSA) Program Guide, v1.0, April 2019, page 6, section 3.2
NEW QUESTION # 29
A card production vendor employs a contracted guard service from an outside source. What is one of the responsibilities of the contracted service?
- A. Undergo their own Card Production assessment and provide evidence of a passing result
- B. Register their service with the VPA
- C. Provide only certified guards
- D. Maintain their own liability insurance in case of losses to card material
Answer: D
Explanation:
The PCI Card Production Physical Security Requirements include, among the controls for contracted guard services, that the service maintain its own liability insurance covering losses to card material. This protects the card production vendor from financial loss caused by the contracted service, for example through negligence, theft or misuse of card material. The contracted guard service must also comply with the vendor's security policies and procedures, and its personnel must undergo background checks and security training. The requirements do not call for the guard service to undergo its own Card Production assessment, to register with the VPA, or to supply only certified guards.
References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.2.1, page 7
NEW QUESTION # 30
Which of the follow best describes a Technical FAQ?
- A. Use of the Technical FAQs is mandatory, they shall be used during an assessment
- B. Technical FAQs only apply to the specific technology as the FAQ defines it
- C. Use of the Technical FAQs is optional, they are considered guidance
- D. Technical FAQs can be submitted to PCI SSC at any time
Answer: C
Explanation:
According to the PCI CPSA Qualification Requirements, Technical FAQs provide guidance on specific technical topics related to the PCI Card Production Security Standards. Their use is optional: they are not mandatory, but CPSA Companies and CPSA Employees are recommended to consult them during a card production assessment. Technical FAQs clarify the intent and applicability of the PCI Card Production Security Requirements and give examples and good practice for achieving compliance. PCI SSC publishes them on its website and updates them periodically based on feedback from the card production industry and the payment brands.
References: PCI CPSA Qualification Requirements, Version 1.1, April 2020, Section 4.2, page 8
NEW QUESTION # 31
You wish to check that you are using the most current version of the Card Production requirements. What should you do?
- A. Email a request for the document to PCI SSC
- B. View it directly via PCI SSC Assessor Portal
- C. Have the CPSA Company's point of contact request the document
- D. Download it from PCI SSC's Document Library
Answer: D
Explanation:
The reliable way to confirm you hold the current version of the Card Production requirements is to download them from the PCI SSC Document Library. The Document Library is the repository for all PCI standards, guidelines and supporting documents developed and maintained by PCI SSC. It is publicly accessible, always carries the latest published version of each document together with its summary of changes and effective dates, and can be searched, filtered and sorted by category, type, date and keyword. The other options are indirect: asking the CPSA Company's point of contact or emailing PCI SSC adds a dependency on someone else's response, and the Assessor Portal requires login credentials and is not the public distribution point for the standards.
References:
PCI SSC Document Library
PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 52
NEW QUESTION # 32
Which of these are guards allowed access to?
- A. Physical master keys that provide access to card production or provisioning areas
- B. HSAs
- C. Audit logs
- D. Loading bays
Answer: D
Explanation:
Under the PCI Card Production Physical Security Requirements, contracted guard services have only limited access to card production and provisioning areas. Guards must not have access to HSAs, to audit logs, or to physical master keys that open card production or provisioning areas, so that the guard service cannot gain unauthorized access to, steal or misuse card material or data. Guards may have access to loading bays, provided they are escorted by authorized personnel and do not handle or interfere with card shipments.
References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.2.1, page 7
NEW QUESTION # 33
An assessor is unsure if log review and interview is sufficient testing for a requirement. Who can best answer this question?
- A. Vendor
- B. Issuing banks
- C. Payment brands
- D. PCI SSC
Answer: D
Explanation:
The PCI Security Standards Council (PCI SSC) develops and maintains the PCI Card Production Standards and the related validation requirements, programs and supporting documentation, and it trains and qualifies the CPSA Companies and CPSA Employees who perform PCI Card Production Assessments. It is therefore the authoritative source for questions about the assessment process, testing methods, reporting requirements and interpretation of the standards, including whether log review plus interview constitutes sufficient testing for a given requirement. The assessor can contact PCI SSC by email, phone or online form as described in the CPSA Program Guide. The payment brands, issuing banks and vendors do not define or interpret the assessment requirements or testing methods.
References:
Card Production Security Assessor (CPSA) Program Guide, Sections 2.1 and 5.1
Card Production Security Assessor (CPSA) Qualification Requirements, Sections 1.1 and 2.1
NEW QUESTION # 34
Which of the following must be used by the vendor to protect doors that provide access to buildings containing air conditioning equipment?
- A. Physical locks with a limited set of keys under constant supervision by a guard in the security control-room
- B. Security tape that will leave an observable trace each time a door is opened
- C. Electrical contacts that log each open and close event to a secure system memory
- D. Magnetic contacts that are permanently alarmed and that are connected to the security control-room panels
Answer: D
Explanation:
The PCI Card Production and Provisioning Physical Security Requirements require doors giving access to buildings that contain air conditioning equipment to be protected with magnetic contacts that are permanently alarmed and connected to the security control-room panels. The air conditioning equipment itself must sit in a secure area not accessible to unauthorized personnel, and the system must be monitored and maintained to prevent tampering. The vendor must also have procedures for responding to alarms or incidents involving the air conditioning system and for reporting them to the relevant parties. Security tape, electrical contacts that merely log events, or physical locks on their own do not give real-time, monitored detection of an opened door and so do not meet the requirement.
References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 21-22
NEW QUESTION # 35
A vendor uses codes from a chip manufacturer to 'unlock' chips and prepare them for use by adding applications and keys. Which of the following best describes this process?
- A. Data preparation
- B. Manufacture
- C. Data creation
- D. Pre-personalization
Answer: D
Explanation:
According to the PCI Card Production and Provisioning Logical Security Requirements, pre-personalization is the process of unlocking a chip and loading applications and keys onto it. The vendor performs this using codes supplied by the chip manufacturer; the codes authenticate the vendor to the chip and enable it to accept the applications and keys. Pre-personalization readies the chip for the subsequent personalization step, in which the chip is associated with a specific cardholder account and activated. It is distinct from data creation, data preparation and manufacture, which are other processes in card production and provisioning.
References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages 6-7
NEW QUESTION # 36
A cardholder wants to make purchases using their phone, so they have their cardholder information programmed into their SIM card using their mobile phone provider. Which of the following best describes this system?
- A. Card personalization
- B. Secure Element (SE) provisioning
- C. Over-the-air (OTA) provisioning
- D. Host Card Emulation (HCE) provisioning
Answer: B
Explanation:
According to the PCI Card Production and Provisioning Logical Security Requirements, Secure Element (SE) provisioning is the process of adding cardholder account information to a secure element on a mobile device over an over-the-air or over-the-internet channel. A secure element is a tamper-resistant platform that can securely host applications and their confidential and cryptographic data; a SIM card is one example of a secure element used for mobile payments, which is why loading cardholder data onto the SIM via the mobile operator is SE provisioning. Host Card Emulation (HCE) provisioning differs in that the cardholder account information is held on a cloud-based server that emulates a secure element for the device. Card personalization refers to a physical card. Over-the-air (OTA) provisioning is a generic term for the delivery channel and can describe either SE or HCE provisioning, so it does not best describe the system on its own.
References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages 6-7