Question 1

A vendor receives cardholder information and keys from a bank. The vendor then performs the
following:
* Uses its HSM to create keys
* Creates cardholder information specific to each cardholder, including name and PAN
* Formats the data for the hardware that will put it on a card
* Writes it to an encrypted file
Which of the following best describes this process?

Accepted Answer

B

Explanation: The described activities—using an HSM to create keys, formatting cardholder-specific data like PAN and name, and writing the formatted data to an encrypted file for the personalization hardware—perfectly align with the official definition of "Data Preparation." According to the PCI Card Production and Provisioning Logical Security Standard, Data Preparation is the process of formatting cardholder data and other sensitive information into the specific format required by the personalization system, which may include key generation. This is the logical phase that precedes the physical personalization of a payment card.

Question 2

When must HSA motion detectors generate an alarm event?

Accepted Answer

D

Explanation: For High-Security Areas (HSAs), the PCI Card Production and Provisioning Security Requirements mandate the integration of multiple physical security controls to ensure a high level of assurance. Motion detectors must be correlated with the access-control system. An alarm event is required only when motion is detected without a corresponding authorized entry being registered by the access-control system (i.e., the system indicates the room is unoccupied). This logic prevents a high volume of false alarms during legitimate, authorized access while ensuring that any unauthorized presence immediately triggers a security response. This integrated approach is a fundamental principle for securing sensitive environments.

Question 3

Who is required to approve visitor entry to the HSA or cloud-based provisioning environment?

Accepted Answer

D

Explanation: The PCI Card Production and Provisioning Security Requirements mandate a stringent, multi-layered approval process for visitor access to High-Security Areas (HSAs) and equivalent cloud environments. This is to ensure robust oversight and accountability. The standard explicitly requires pre-approval in writing from three distinct management roles: the Security Manager, who is responsible for security policy; the Production Manager, who oversees the sensitive operations within the area; and the head of the vendor facility, who holds ultimate site-level responsibility. This tripartite approval ensures that security, operational, and overall management perspectives are all considered before granting access to the most critical zones.

Question 4

Before you go on-site, the vendor’s primary contact communicates a legitimate reason for delaying the assessment for several months. Who can approve the change in the report delivery schedule?

Accepted Answer

B

Explanation: The payment brands (e.g., Visa, Mastercard, American Express) are responsible for managing their respective cardholder data security and compliance programs. They set the rules, validation requirements, and reporting deadlines for entities within their ecosystem. While the PCI Security Standards Council (SSC) develops and maintains the standards, it does not manage individual entity compliance or enforcement. Therefore, any request for a delay or change in the assessment reporting schedule must be directed to and approved by the relevant payment brand(s) that require the assessment from the vendor.

Question 5

Which of the following principles must be enforce by the HSA Access Control system?

Accepted Answer

C

Explanation: The PCI PIN Security Standard mandates dual control for sensitive cryptographic operations involving a Hardware Security Appliance (HSA), also known as a Secure Cryptographic Device (SCD). Dual control is a process requiring two or more individuals to complete a task, ensuring no single person can compromise a key or function. For simultaneous operations like loading clear-text key components, the standard requires the action to be "performed by at least two people." This requirement inherently necessitates the physical presence of both individuals (dual presence) to execute their distinct parts of the task (dual control). Therefore, the complete access control system, encompassing both technical and procedural controls for the HSA, must enforce both principles.

Question 6

In which of the following locations must the CCTV and access control servers be located?

Accepted Answer

C

Explanation: The PCI Card Production and Provisioning Physical Security Standard mandates that the servers hosting the CCTV and access control systems, which are critical to the facility's security posture, must be protected from unauthorized access and tampering. The standard provides two acceptable options for their location: either within the Security Control Room (SCR) itself or in a separate room. If a separate room is used, it must be fortified with security controls that are equivalent to those required for the SCR, ensuring the same high level of protection is maintained for this critical infrastructure.

Question 7

A vendor wants to know if they will be penalized if their vault is not compliant. Who should they ask?

Accepted Answer

D

Explanation: The Payment Brands (e.g., Visa, Mastercard, American Express) and their partners, the acquiring banks, are responsible for establishing and enforcing compliance programs. They hold the contractual authority to impose penalties, such as fines, increased transaction fees, or termination of card processing privileges, on vendors who are not compliant. The vendor's agreement with their acquirer dictates the specific consequences, which are driven by the rules set forth by the Payment Brands. Therefore, the Payment Brands are the ultimate authority on penalties for non-compliance.

Question 8

A vendor’s HSA access is enforced by a security turnstile they have a logical access-control system
that ensures anti pass-back. The device is functioning correctly. When must the status of the access
change?

Accepted Answer

D

Explanation: The fundamental purpose of an anti-passback system is to prevent a single access credential from being used for consecutive entries without an intervening exit. To be effective, the logical access-control system must change the credential's state from "outside" to "inside" (or an equivalent state) immediately upon the successful authentication of the badge. Waiting for the person to complete the access cycle would introduce a vulnerability. During the time between the badge presentation and the completion of the cycle, the badge could be passed back to another individual for a fraudulent second entry before the system has updated its state, thereby defeating the control.

Question 9

During an assessment you ask to see employee records for employees with access to the HS

Accepted Answer

A

Explanation: PCI Card Production & Provisioning security standards require vendors to keep each employee’s background-screening file for a minimum of seven (7) years after the individual’s employment or contract ends. Because the assessor could only review screening records dating back one year, the vendor is failing to meet the mandated seven-year retention period and is therefore non-compliant.

Question 10

Who performs regular AQM audits of CPSA companies?

Accepted Answer

C

Explanation: The PCI Security Standards Council (PCI SSC) is the global body that develops, manages, and maintains security standards and assessor qualification programs for the payment card industry. The Assessor Quality Management (AQM) program is a PCI SSC initiative specifically designed to ensure the quality, consistency, and performance of its certified assessor companies, which includes Card Production and Security Assessor (CPSA) companies. As the governing body for the CPSA program, the PCI SSC is solely responsible for conducting these regular AQM audits to validate that CPSA companies and their employees adhere to all program requirements and maintain the highest assessment standards.

Free PCI CPSA Actual Exam Questions