CPSA_P_New PCI SSC Card Production Security AssessorCPSA Physical NewExam Free Practice Exam Questions (2025 Updated)

 According to the PCI Card Production Physical Security Requirements, one of the objectives of physical security is to deter, detect, and delay unauthorized access to card production facilities and equipment. This objective requires that the facility has adequate security measures to prevent or respond to any physical attacks or intrusions, such as alarms, locks, cameras, guards, etc. However, these measures may not be sufficient if the facility is located in a rural area, where law enforcement services may not be able to reach the facility in a timely manner in case of an emergency. Therefore, the location of the facility may pose a risk to the security of card production and provisioning activities, and the CPSA should assess the adequacy of the facility’s security plan and procedures to mitigate this risk. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 1, Page 41

 According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must use magnetic contacts that are permanently alarmed and that are connected to the security control-room panels to protect doors that provide access to buildings containing air conditioning equipment. The vendor must also ensure that the air conditioning equipment is located in a secure area that is not accessible to unauthorized personnel, and that the air conditioning system is monitored and maintained to prevent unauthorized access or tampering. The vendor must also have procedures to respond to any alarms or incidents related to the air conditioning system, and to report them to the relevant parties. The vendor must not use security tape, electrical contacts, or physical locks alone, as these may not provide adequate protection or detection of unauthorized access or tampering. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 21-221

The assessor is the person who conducts the PCI Card Production Security Assessment and prepares the Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC). The assessor should be familiar with the forms that are needed to complete an assessment and provide guidance to the vendor on how to fill them out. The assessor should also ensure that the forms are consistent with the PCI Card Production Standards and the PCI CPSA Qualification Requirements. The other options are not the best sources of information for the vendor, as they may not be directly involved in the assessment process or have the expertise to advise on the forms. References:

PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 81

PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 10

PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 3

PCI Card Production and Provisioning Attestation of Compliance, Version 1.0, April 2019, page 22

According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have a secure inner shipping delivery room that is equipped with an alarm system and an access-control system. The alarm system must be triggered when any door of the inner shipping delivery room is opened without proper authorization. The access-control system must only allow the opening of the last activated door to liberate a person detected inside of the inner shipping delivery room and stop the alarm. This is to prevent unauthorized access or exit from the inner shipping delivery room, and to ensure that only one door can be opened at a time. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 18-191

According to the Card Production Security Assessor (CPSA) Qualification Requirements, an assessor must provide their client with a Quality Assurance Manual at the start of every assessment. The Quality Assurance Manual is a document that describes the assessor’s methodology, procedures, and quality control measures for conducting assessments. The manual must be consistent with the CPSA Program Guide and the PCI Card Production and Provisioning Security Requirements. The manual must also include a description of the assessor’s roles and responsibilities, the assessment scope and objectives, the assessment plan and timeline, the assessment report format and content, and the assessor’s conflict of interestpolicy. References: Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 111

The Attestation of Compliance (AOC) is the document that describes the results of a PCI Card Production Assessment, and is signed by both the CPSA and the vendor executive officer. The AOC is a summary of the findings and conclusions of the assessment, and indicates whether the vendor meets the PCI Card Production Logical Security Requirements and/or the PCI Card Production Physical Security Requirements. The AOC must be completed using the template provided by PCI SSC, and must be submitted to PCI SSC along with the Report on Compliance (ROC) and other supporting documents. The AOC must also be provided to the vendor’s clients upon request. References:

PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 11, requirement 7.1.1

PCI Card Production and Provisioning Attestation of Compliance, v2.0, April 2019, page 1, section 1

According to the PCI Card Production and Provisioning Template for Report on Compliance, for each requirement listed in a ROC, all types of findings must have a full narrative response. A finding is the result of the assessor’s evaluation of the entity’s compliance status for each requirement. The types of findings are:

Compliant: The entity meets the requirement as stated in the PCI Card Production Standards.

Non-Compliant: The entity does not meet the requirement as stated in the PCI Card Production Standards.

Not Applicable: The requirement does not apply to the entity’s environment or operations.

Not Tested: The requirement was not tested by the assessor for a valid reason.

New: The entity has implemented a new process, system, or control that affects the requirement since the last assessment.

Closed: The entity has remediated a previous non-compliant finding and has provided sufficient evidence to the assessor.

A full narrative response is a detailed explanation of the finding, including the following elements:

The scope of testing performed by the assessor to evaluate the requirement

The testing procedures and tools used by the assessor

The sampling methodology and rationale used by the assessor

The evidence collected and reviewed by the assessor

The observations and conclusions made by the assessor

The recommendations and remediation actions (if any) suggested by the assessor

A full narrative response is required for all types of findings to provide a clear and comprehensive documentation of the entity’s compliance status and to support the assessor’s professional judgment and opinion. A full narrative response also helps the payment brands, the PCI SSC, and the entity itself to understand the entity’s environment, risks, and controls, and to verify the accuracy and validity of the assessment. References:

PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 4

PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 5

PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 6

The PCI SSC has a quality assurance (QA) program that monitors the performance and compliance of CPSA Companies and CPSA Employees. The QA program is based on eight guiding principles that the assessor community must adhere to, one of which is to maintain consistent assessor procedures and reporting. The PCI SSC reviews the reports submitted by the CPSA Companies and provides feedback on the quality and completeness of the reports. If a CPSA Company submits multiple reports that are incomplete and do not contain the information described in the reporting instructions, they may be violating the QA program and the CPSA Qualification Requirements. The PCI SSC may take corrective actions against the CPSA Company, such as issuing a warning, requiring additional training, imposing remediation, or revoking the CPSA Company status. Remediation is a process that requires the CPSA Company to improve in one or more areas of their operations and demonstrate compliance with the PCI SSC requirements. Revocation is a process that terminates the CPSA Company status and removes the CPSA Company from the list of qualified assessors on the PCI SSC website. The PCI SSC has the sole authority and discretion to determine the appropriate corrective actions for any non-compliance issues by the CPSA Companies or CPSA Employees. The payment brands do not have the power to put the CPSA Companies into remediation or revoke their status, nor do they have the power to fine them. The payment brands may, however, impose their own sanctions or penalties on the card production entities that are assessed by the CPSA Companies, based on their own contractual agreements and compliance programs. References:

Card Production Security Assessor (CPSA) Program Guide, Section 3 and 5.1

Card Production Security Assessor (CPSA) Qualification Requirements, Section 3.1 and 3.2

CPSA Remediation Statement

According to the PCI Card Production Logical Security Requirements, vendors must have a list of pre-approved third parties that are authorized to access the facility and the systems involved in card production. However, other third parties may be granted access under exceptional circumstances, such as emergency repairs or maintenance, provided that they are approved by the physical security manager or senior management. The vendor must also ensure that the third parties comply with the security policies and procedures, and that their access is logged and monitored. References: PCI Card Production Logical Security Requirements, v2.0, April 2019, page 13

The best way to check that you are using the most current version of the Card Production requirements is to download it from PCI SSC’s Document Library. The PCI SSC’s Document Library is a repository of all the PCI standards, guidelines, and supporting documents that are developed and maintained by the PCI SSC. The Document Library is accessible to the public and provides the latest versions of the documents, as well as the summary of changes and the effective dates. The Document Library also allows you to search, filter, and sort the documents by category, type, date, and keyword. Therefore, by downloading the Card Production requirements from the Document Library, you can ensure that you have the most up-to-date and authoritative version of the requirements. The other options are not the best ways to check the version of the Card Production requirements, as they may not be reliable, efficient, or available. Having the CPSA Company’s point of contact request the document may not be feasible, as the point of contact may not have the authority, the access, or the time to do so. Emailing a request for the document to PCI SSC may not be effective, as the PCI SSC may not respond promptly or provide the document in the format that you need. Viewing the document directly via PCI SSC Assessor Portal may not be possible, as the Assessor Portal may not have the latest version of the document or may require a login credential that you do not have. References:

PCI SSC Document Library1

PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 52

According to the PCI Card Production and Provisioning Physical Security Requirements, the HSA Access Control system must enforce both dual control and dual presence principles. Dual control means that at least two authorized individuals must act together to perform a critical function or access a sensitive area. Dual presence means that at least two authorized individuals must be physically present in the same area at all times. These principles are intended to prevent unauthorized or fraudulent activities by requiring mutual supervision and accountability. Therefore, the HSA Access Control system must ensure that no single individual can enter, exit, or operate within the HSA without the cooperation and the presence of another authorized individual. References:

PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 121

PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 131

 According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must test all alarms on external doors of the card production and provisioning vendor environment at least every month. The vendor must also document the results of the tests and retain them for at least one year. The vendor must also have procedures to respond to any alarms or incidents, and to report them to the relevant parties. The vendor must not test the alarms less frequently than every month, as this may compromise the security and integrity of the card production and provisioning vendor environment and increase the risk of unauthorized access or theft. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 9-101

 According to the Card Production Security Assessor (CPSA) Qualification Requirements, CPSAs must maintain their qualification status by either completing the annual requalification training provided by PCI SSC or performing at least three (3) PCI Card Production Assessments for different facilities over the previous one-year period. This ensures that CPSAs remain current with technical and industry changes and demonstrate professionalism. References: Card Production Security Assessor (CPSA) Qualification Requirements, v1.1, March 2022, page 10

The PCI SSC does not enforce compliance, nor does it mandate penalties for non-compliance. Compliance with the PCI Card Production Standards is enforced by the payment brands. The payment brands may have their own compliance programs and may apply penalties or fines to entities that are not compliant or suffer a breach. Therefore, a vendor who wants to know if they will be penalized if their vault is not compliant should ask the payment brands that they work with or are contracted by. References:

Payment Card Industry (PCI) Card Production Security Assessors Program Guide, Version 1.0, April 2019, page 51

PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 62