CPSA_P_New Card Production Security AssessorCPSA Physical NewExam Questions and Answers

According to the PCI Card Production Physical Security Requirements, one of the security controls for high-security areas (HSAs) is to have motion detectors that generate an alarm event when movement is detected and the access-control system indicates the room is not occupied. This is to prevent unauthorized access or intrusion to the HSAs, where sensitive card production and provisioning activities take place. The motion detectors should be configured to cover all areas within the HSA and should be tested periodically to ensure proper functionality. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 2, Requirement 2.1.1, Page 61

The PCI SSC has a quality assurance (QA) program that monitors the performance and compliance of CPSA Companies and CPSA Employees. The QA program is based on eight guiding principles that the assessor community must adhere to, one of which is to maintain consistent assessor procedures and reporting. The PCI SSC reviews the reports submitted by the CPSA Companies and provides feedback on the quality and completeness of the reports. If a CPSA Company submits multiple reports that are incomplete and do not contain the information described in the reporting instructions, they may be violating the QA program and the CPSA Qualification Requirements. The PCI SSC may take corrective actions against the CPSA Company, such as issuing a warning, requiring additional training, imposing remediation, or revoking the CPSA Company status. Remediation is a process that requires the CPSA Company to improve in one or more areas of their operations and demonstrate compliance with the PCI SSC requirements. Revocation is a process that terminates the CPSA Company status and removes the CPSA Company from the list of qualified assessors on the PCI SSC website. The PCI SSC has the sole authority and discretion to determine the appropriate corrective actions for any non-compliance issues by the CPSA Companies or CPSA Employees. The payment brands do not have the power to put the CPSA Companies into remediation or revoke their status, nor do they have the power to fine them. The payment brands may, however, impose their own sanctions or penalties on the card production entities that are assessed by the CPSA Companies, based on their own contractual agreements and compliance programs. References:

• Card Production Security Assessor (CPSA) Program Guide, Section 3 and 5.1
• Card Production Security Assessor (CPSA) Qualification Requirements, Section 3.1 and 3.2
• CPSA Remediation Statement

According to the PCI Card Production Physical Security Requirements, the goods-tools trap is a secure area that separates the HSA from the outside world, and is used to control the entry and exit of card products, tools, and other materials. The goods-tools trap must have two doors that are interlocked, meaning that only one door can be opened at a time. The goods-tools trap must also have a CCTV camera and an alarm system. The process of bringing card products into the HSA using the goods-tools trap must follow these steps1:

• The card products must be delivered to the goods-tools trap by authorized personnel, who must present their identification to the guard and sign a delivery note.
• The guard must verify the identification of the personnel and the quantity and quality of the card products, and record the details in a log.
• The guard must then escort the personnel to the first door of the goods-tools trap, and open it using a key or a card reader. The personnel must place the card products inside the goods-tools trap and exit the area. The guard must then lock the first door.
• The guard must then notify the production staff inside the HSA that the card products are ready to be collected. The production staff must present their identification to the guard and sign a receipt note.
• The guard must then escort the production staff to the second door of the goods-tools trap, and open it using a key or a card reader. The production staff must collect the card products from the goods-tools trap and enter the HSA. The guard must then lock the second door.

In this scenario, the guard escorted the production staff, along with the box, into the pre-press room. This is not compliant, because the guard is not authorized to enter the HSA, and the card products must remain under dual control at all times. The guard should have stayed outside the HSA and only opened the second door of the goods-tools trap for the production staff. This would ensure that the card products are securely transferred from the goods-tools trap to the HSA, and that the guard does not compromise the security of the HSA. References:

• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 15, requirement 2.1.1
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16, requirement 2.1.2
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 17, requirement 2.1.3
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 18, requirement 2.1.4

 According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must use magnetic contacts that are permanently alarmed and that are connected to the security control-room panels to protect doors that provide access to buildings containing air conditioning equipment. The vendor must also ensure that the air conditioning equipment is located in a secure area that is not accessible to unauthorized personnel, and that the air conditioning system is monitored and maintained to prevent unauthorized access or tampering. The vendor must also have procedures to respond to any alarms or incidents related to the air conditioning system, and to report them to the relevant parties. The vendor must not use security tape, electrical contacts, or physical locks alone, as these may not provide adequate protection or detection of unauthorized access or tampering. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 21-221

According to the PCI Card Production Physical Security Requirements, the vendor must ensure that a clear segregation of duties is maintained between guard and reception related job functions. This is to prevent any conflict of interest or collusion that could compromise the security of the card production and provisioning processes or the cardholder data. The vendor must also ensure that the guards are adequately trained, supervised, and evaluated, and that they follow the security policies and procedures established by the vendor. The vendor must also have a documented policy and procedure for the selection, hiring, and termination of guards, and must maintain a log of all guard activities. References:

• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 24, requirement 6.1.1
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 25, requirement 6.1.2
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 26, requirement 6.1.3
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 27, requirement 6.1.4

According to the PCI CPSA Program Guide, a CPSA Company must maintain workpapers and technical information obtained during an assessment for a minimum of three years from the date of the assessment. The workpapers and technical information must be stored securely and made available to PCI SSC upon request. The workpapers and technical information must include, but are not limited to, the following:

• The Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC)
• The Card Production Entity’s policies and procedures
• The Card Production Entity’s network diagrams and data flow diagrams
• The results of any testing performed by the CPSA Company or the Card Production Entity
• The evidence of any remediation actions taken by the Card Production Entity
• The correspondence between the CPSA Company and the Card Production Entity
• The correspondence between the CPSA Company and the payment brands
• The feedback form completed by the Card Production Entity References:
• PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 111

Data preparation is the process of creating cardholder data and keys for each card, and formatting them for the hardware that will put them on a card. Data preparation involves the use of an HSM to generate keys and encrypt data, and the creation of an encrypted file that contains the cardholder data and keys. Data preparation is one of the steps in the card production lifecycle, and it precedes the manufacture and personalization of the cards. References:

• Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 10
• PCI Card Production Logical Security Requirements, v2.0, April 2019, page 9
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 9

According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have a secure inner shipping delivery room that is equipped with an alarm system and an access-control system. The alarm system must be triggered when any door of the inner shipping delivery room is opened without proper authorization. The access-control system must only allow the opening of the last activated door to liberate a person detected inside of the inner shipping delivery room and stop the alarm. This is to prevent unauthorized access or exit from the inner shipping delivery room, and to ensure that only one door can be opened at a time. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 18-191

According to the CPSA Program Guide1, PCI SSC does not list compliant card vendors on its website. The PCI SSC only lists the qualified CPSA Companies and CPSA Employees who are authorized to perform PCI Card Production Security Assessments. The PCI SSC also does not receive or review the full ROCs or AOCs from the card vendors or the CPSA Companies. The ROCs and AOCs are submitted by the CPSA Companies to the applicable payment brands that have contracted with the card vendors for card production and provisioning services. The payment brands are responsible for verifying the compliance status of the card vendors and determining whether to list them on their own websites or databases. Therefore, the CPSA Company should inform the vendor that they must request a listing via the payment brand(s) that received their ROC, and that the listing process may vary depending on the payment brand’s policies and procedures. The CPSA Company should also advise the vendor to maintain their compliance with the PCI Card Production Standards and to undergo annual assessments by a qualified CPSA Company.

According to the PCI Card Production and Provisioning Template for Report on Compliance, for each requirement listed in a ROC, all types of findings must have a full narrative response. A finding is the result of the assessor’s evaluation of the entity’s compliance status for each requirement. The types of findings are:

• Compliant: The entity meets the requirement as stated in the PCI Card Production Standards.
• Non-Compliant: The entity does not meet the requirement as stated in the PCI Card Production Standards.
• Not Applicable: The requirement does not apply to the entity’s environment or operations.
• Not Tested: The requirement was not tested by the assessor for a valid reason.
• New: The entity has implemented a new process, system, or control that affects the requirement since the last assessment.
• Closed: The entity has remediated a previous non-compliant finding and has provided sufficient evidence to the assessor.

A full narrative response is a detailed explanation of the finding, including the following elements:

• The scope of testing performed by the assessor to evaluate the requirement
• The testing procedures and tools used by the assessor
• The sampling methodology and rationale used by the assessor
• The evidence collected and reviewed by the assessor
• The observations and conclusions made by the assessor
• The recommendations and remediation actions (if any) suggested by the assessor

A full narrative response is required for all types of findings to provide a clear and comprehensive documentation of the entity’s compliance status and to support the assessor’s professional judgment and opinion. A full narrative response also helps the payment brands, the PCI SSC, and the entity itself to understand the entity’s environment, risks, and controls, and to verify the accuracy and validity of the assessment. References:

• PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 4
• PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 5
• PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 6

Host Card Emulation (HCE) provisioning is the process of creating and storing cardholder data in a virtual secure element hosted in a remote server, and generating a payment token that can be used by a mobile device to perform a contactless transaction. HCE provisioning is one of the methods of cloud-based provisioning, which does not require the use of a physical secure element on the mobile device. HCE provisioning is different from Secure Element (SE) provisioning, which involves loading cardholder data into a physical secure element embedded or attached to the mobile device. HCE provisioning is also different from Over-the-air (OTA) provisioning, which involves transmitting cardholder data from a remote server to a physical secure element on the mobiledevice using a wireless communication channel. In this scenario, the vendor hosts virtual secure elements holding cardholder information in their data center, and creates a payment token that is sent to the cardholder’s mobile device. This best describes the vendor’s activities as HCE provisioning. References:

• PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 8, section 1.3
• PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 9, section 1.4
• PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 10, section 1.5
• PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 43, Appendix A: Applicability of Requirements

The PCI SSC (Payment Card Industry Security Standards Council) is the organization that develops and maintains the PCI Card Production Standards and related validation requirements, programs, and supporting documentation. The PCI SSC also provides training and qualification for CPSA Companies and CPSA Employees to perform PCI Card Production Assessments. The PCI SSC is the best source of guidance and clarification for any questions or issues related to the assessment process, testing methods, reporting requirements, and interpretation of the standards. The assessor can contact the PCI SSC by email, phone, or online form, as specified in the CPSA Program Guide1. The payment brands, issuing banks, and vendors are not responsible for defining or explaining the assessment requirements or testing methods, and may not have the same level of expertise or authority as the PCI SSC. References:

• Card Production Security Assessor (CPSA) Program Guide, Section 2.1 and 5.1
• Card Production Security Assessor (CPSA) Qualification Requirements, Section 1.1 and 2.1