CPSA_P_New Card Production Security AssessorCPSA Physical NewExam Questions and Answers

According to the PCI Card Production Physical Security Requirements, the goods-tools trap is a secure area that separates the HSA from the outside world, and is used to control the entry and exit of card products, tools, and other materials. The goods-tools trap must have two doors that are interlocked, meaning that only one door can be opened at a time. The goods-tools trap must also have a CCTV camera and an alarm system. The process of bringing card products into the HSA using the goods-tools trap must follow these steps1:

• The card products must be delivered to the goods-tools trap by authorized personnel, who must present their identification to the guard and sign a delivery note.
• The guard must verify the identification of the personnel and the quantity and quality of the card products, and record the details in a log.
• The guard must then escort the personnel to the first door of the goods-tools trap, and open it using a key or a card reader. The personnel must place the card products inside the goods-tools trap and exit the area. The guard must then lock the first door.
• The guard must then notify the production staff inside the HSA that the card products are ready to be collected. The production staff must present their identification to the guard and sign a receipt note.
• The guard must then escort the production staff to the second door of the goods-tools trap, and open it using a key or a card reader. The production staff must collect the card products from the goods-tools trap and enter the HSA. The guard must then lock the second door.

In this scenario, the guard escorted the production staff, along with the box, into the pre-press room. This is not compliant, because the guard is not authorized to enter the HSA, and the card products must remain under dual control at all times. The guard should have stayed outside the HSA and only opened the second door of the goods-tools trap for the production staff. This would ensure that the card products are securely transferred from the goods-tools trap to the HSA, and that the guard does not compromise the security of the HSA. References:

• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 15, requirement 2.1.1
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16, requirement 2.1.2
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 17, requirement 2.1.3
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 18, requirement 2.1.4

The PCI SSC (Payment Card Industry Security Standards Council) is the organization that develops and maintains the PCI Card Production Standards and related validation requirements, programs, and supporting documentation. The PCI SSC also provides training and qualification for CPSA Companies and CPSA Employees to perform PCI Card Production Assessments. The PCI SSC is the best source of guidance and clarification for any questions or issues related to the assessment process, testing methods, reporting requirements, and interpretation of the standards. The assessor can contact the PCI SSC by email, phone, or online form, as specified in the CPSA Program Guide1. The payment brands, issuing banks, and vendors are not responsible for defining or explaining the assessment requirements or testing methods, and may not have the same level of expertise or authority as the PCI SSC. References:

• Card Production Security Assessor (CPSA) Program Guide, Section 2.1 and 5.1
• Card Production Security Assessor (CPSA) Qualification Requirements, Section 1.1 and 2.1

According to the PCI Card Production and Provisioning Logical Security Requirements, the vendor must implement a formal security awareness program to make all personnel aware of the importance of card production and provisioning security. The security awareness program must include annual training on common attack methods, such as phishing, social engineering, malware, and ransomware, and how to prevent, detect, and report them. The security awareness program must also include training on the vendor’s security policies and procedures, the roles and responsibilities of personnel, the applicable PCI Card Production and Provisioning Security Requirements, and the consequences of non-compliance. The vendor must also require all personnel to acknowledge at least annually that they have read and understood the security policies and procedures. The vendor must not use security posters alone, as they are not sufficient to meet the security awareness program requirements. The vendor may use security awareness exams for all personnel, but they are not mandatory for compliance. The vendor may also train personnel on the use of mantraps, but this is not relevant to the logical security requirements. References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages 28-291

 According to the PCI Card Production and Provisioning Physical Security Requirements, the security control room is the area where the security systems are monitored and controlled. The requirement for the security control room is that access must be monitoredin real-time by a guard or an automated system that alerts the guard of any unauthorized access attempts. The security control room must also be protected by physical barriers and access control devices that prevent unauthorized entry. The other options are not requirements of the security control room, although they may be implemented as additional security measures. References:

• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 151
• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 161

 According to the PCI Card Production Physical Security Requirements, one of the objectives of physical security is to deter, detect, and delay unauthorized access to card production facilities and equipment. This objective requires that the facility has adequate security measures to prevent or respond to any physical attacks or intrusions, such as alarms, locks, cameras, guards, etc. However, these measures may not be sufficient if the facility is located in a rural area, where law enforcement services may not be able to reach the facility in a timely manner in case of an emergency. Therefore, the location of the facility may pose a risk to the security of card production and provisioning activities, and the CPSA should assess the adequacy of the facility’s security plan and procedures to mitigate this risk. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 1, Page 41

According to the PCI Card Production and Provisioning Logical Security Requirements, Secure Element (SE) provisioning is the process of adding cardholder account information to a secure element on a mobile device via an over-the-air or over-the-internet communication channel. A secure element is a tamper-resistant platform that can securely host applications and their confidential and cryptographic data. A SIM card is an example of a secure element that can be used for mobile payments. SE provisioning is different from Host Card Emulation (HCE) provisioning, which is the process of adding cardholder account information to a cloud-based server that emulates a secure element on a mobile device. SE provisioning is also different from card personalization, which is the process of adding cardholder account information to a physical card. Over-the-air (OTA) provisioning is a generic term that can refer to either SE or HCE provisioning, depending on the type of mobile payment system used. References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages 6-71

According to the PCI Card Production Physical Security Requirements, one of the security controls for contracted guard services is to ensure that they maintain their own liability insurance in case of losses to card material. This is to protect the card production vendor from any financial losses or damages caused by the contracted guard service, such as negligence,theft, or misuse of card material. The contracted guard service should also comply with the vendor’s security policies and procedures, and undergo background checks and security training. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.2.1, Page 71

According to the PCI Card Production Logical Security Requirements, vendors must have a list of pre-approved third parties that are authorized to access the facility and the systems involved in card production. However, other third parties may be granted access under exceptional circumstances, such as emergency repairs or maintenance, provided that they are approved by the physical security manager or senior management. The vendor must also ensure that the third parties comply with the security policies and procedures, and that their access is logged and monitored. References: PCI Card Production Logical Security Requirements, v2.0, April 2019, page 13

According to the PCI Card Production Logical Security Requirements, the vendor must securely destroy all employee information, including background checks, within two years of the employee’s termination of contract. This is to prevent unauthorized access to sensitive employee data and to comply with the PCI DSS requirement 3.1, which states that cardholder data must not be stored longer than necessary. The vendor must also have a documented policy and procedure for the secure destruction of employee information, and must maintain a log of all destruction activities. References:

• PCI Card Production Logical Security Requirements, v2.0, April 2019, page 19, requirement 6.1.1
• PCI DSS, v3.2.1, May 2018, page 25, requirement 3.1

According to the PCI Card Production Physical Security Requirements, one of the security controls for high-security areas (HSAs) is to have motion detectors that generate an alarm event when movement is detected and the access-control system indicates the room is not occupied. This is to prevent unauthorized access or intrusion to the HSAs, where sensitive card production and provisioning activities take place. The motion detectors should be configured to cover all areas within the HSA and should be tested periodically to ensure proper functionality. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.1.1, Page 61

 According to the PCI Card Production and Provisioning Physical Security Requirements, emergency exit doors must be equipped with devices that prevent unauthorized entry from the outside, such as panic bars, crash bars, or push pads. These devices allow the door to be opened from the inside without a key or a code, but prevent the door from being opened from the outside by unauthorized persons. Therefore, the most concerning aspect of the situation is that the exit door can be opened from the outside with a key, which creates a security risk for the facility. The other options are not as concerning, as they do not directly affect the security of the exit door. The exit door can lead into the facility as long as it provides a safe and unobstructed path to the exit discharge. The guard’s memory lapse is not a major issue, as long as they follow the proper proceduresand protocols for opening the door. The guard’s permission from their manager is not relevant, as long as they have the authority and the responsibility to open the door for inspection purposes. References:

• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 171
• PCI Card Production and Provisioning Physical Security Requirements, Version 1.0, April 2019, page 181

The PCI SSC does not enforce compliance, nor does it mandate penalties for non-compliance. Compliance with the PCI Card Production Standards is enforced by the payment brands. The payment brands may have their own compliance programs and may apply penalties or fines to entities that are not compliant or suffer a breach. Therefore, a vendor who wants to know if they will be penalized if their vault is not compliant should ask the payment brands that they work with or are contracted by. References:

• Payment Card Industry (PCI) Card Production Security Assessors Program Guide, Version 1.0, April 2019, page 51
• PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 62