CPSA_P_New Exam Dumps : Card Production Security AssessorCPSA Physical NewExam

According to the PCI Card Production Physical Security Requirements, the goods-tools trap is a secure area that separates the HSA from the outside world, and is used to control the entry and exit of card products, tools, and other materials. The goods-tools trap must have two doors that are interlocked, meaning that only one door can be opened at a time. The goods-tools trap must also have a CCTV camera and an alarm system. The process of bringing card products into the HSA using the goods-tools trap must follow these steps1:

• The card products must be delivered to the goods-tools trap by authorized personnel, who must present their identification to the guard and sign a delivery note.
• The guard must verify the identification of the personnel and the quantity and quality of the card products, and record the details in a log.
• The guard must then escort the personnel to the first door of the goods-tools trap, and open it using a key or a card reader. The personnel must place the card products inside the goods-tools trap and exit the area. The guard must then lock the first door.
• The guard must then notify the production staff inside the HSA that the card products are ready to be collected. The production staff must present their identification to the guard and sign a receipt note.
• The guard must then escort the production staff to the second door of the goods-tools trap, and open it using a key or a card reader. The production staff must collect the card products from the goods-tools trap and enter the HSA. The guard must then lock the second door.

In this scenario, the guard escorted the production staff, along with the box, into the pre-press room. This is not compliant, because the guard is not authorized to enter the HSA, and the card products must remain under dual control at all times. The guard should have stayed outside the HSA and only opened the second door of the goods-tools trap for the production staff. This would ensure that the card products are securely transferred from the goods-tools trap to the HSA, and that the guard does not compromise the security of the HSA. References:

• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 15, requirement 2.1.1
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 16, requirement 2.1.2
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 17, requirement 2.1.3
• PCI Card Production Physical Security Requirements, v2.0, April 2019, page 18, requirement 2.1.4

The assessor is the person who conducts the PCI Card Production Security Assessment and prepares the Card Production Report on Compliance (ROC) and the Card Production Attestation of Compliance (AOC). The assessor should be familiar with the forms that are needed to complete an assessment and provide guidance to the vendor on how to fill them out. The assessor should also ensure that the forms are consistent with the PCI Card Production Standards and the PCI CPSA Qualification Requirements. The other options are not the best sources of information for the vendor, as they may not be directly involved in the assessment process or have the expertise to advise on the forms. References:

• PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 81
• PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 10
• PCI Card Production and Provisioning Template for Report on Compliance, Version 1.0, April 2019, page 3
• PCI Card Production and Provisioning Attestation of Compliance, Version 1.0, April 2019, page 22

According to the PCI Card Production and Provisioning Logical Security Requirements, Secure Element (SE) provisioning is the process of adding cardholder account information to a secure element on a mobile device via an over-the-air or over-the-internet communication channel. A secure element is a tamper-resistant platform that can securely host applications and their confidential and cryptographic data. A SIM card is an example of a secure element that can be used for mobile payments. SE provisioning is different from Host Card Emulation (HCE) provisioning, which is the process of adding cardholder account information to a cloud-based server that emulates a secure element on a mobile device. SE provisioning is also different from card personalization, which is the process of adding cardholder account information to a physical card. Over-the-air (OTA) provisioning is a generic term that can refer to either SE or HCE provisioning, depending on the type of mobile payment system used. References: PCI Card Production and Provisioning Logical Security Requirements and Test Procedures v3.0, January 2022, pages 6-71