CPSA_P_New Card Production Security AssessorCPSA Physical NewExam Question and Answers

The PCI SSC (Payment Card Industry Security Standards Council) is the organization that develops and maintains the PCI Card Production Standards and related validation requirements, programs, and supporting documentation. The PCI SSC also provides training and qualification for CPSA Companies and CPSA Employees to perform PCI Card Production Assessments. The PCI SSC is the best source of guidance and clarification for any questions or issues related to the assessment process, testing methods, reporting requirements, and interpretation of the standards. The assessor can contact the PCI SSC by email, phone, or online form, as specified in the CPSA Program Guide1. The payment brands, issuing banks, and vendors are not responsible for defining or explaining the assessment requirements or testing methods, and may not have the same level of expertise or authority as the PCI SSC. References:

• Card Production Security Assessor (CPSA) Program Guide, Section 2.1 and 5.1
• Card Production Security Assessor (CPSA) Qualification Requirements, Section 1.1 and 2.1

According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must have a secure inner shipping delivery room that is equipped with an alarm system and an access-control system. The alarm system must be triggered when any door of the inner shipping delivery room is opened without proper authorization. The access-control system must only allow the opening of the last activated door to liberate a person detected inside of the inner shipping delivery room and stop the alarm. This is to prevent unauthorized access or exit from the inner shipping delivery room, and to ensure that only one door can be opened at a time. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 18-191

Host Card Emulation (HCE) provisioning is the process of creating and storing cardholder data in a virtual secure element hosted in a remote server, and generating a payment token that can be used by a mobile device to perform a contactless transaction. HCE provisioning is one of the methods of cloud-based provisioning, which does not require the use of a physical secure element on the mobile device. HCE provisioning is different from Secure Element (SE) provisioning, which involves loading cardholder data into a physical secure element embedded or attached to the mobile device. HCE provisioning is also different from Over-the-air (OTA) provisioning, which involves transmitting cardholder data from a remote server to a physical secure element on the mobiledevice using a wireless communication channel. In this scenario, the vendor hosts virtual secure elements holding cardholder information in their data center, and creates a payment token that is sent to the cardholder’s mobile device. This best describes the vendor’s activities as HCE provisioning. References:

• PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 8, section 1.3
• PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 9, section 1.4
• PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 10, section 1.5
• PCI Card Production and Provisioning Logical Security Requirements, v2.0, April 2019, page 43, Appendix A: Applicability of Requirements

The PCI SSC has a quality assurance (QA) program that monitors the performance and compliance of CPSA Companies and CPSA Employees. The QA program is based on eight guiding principles that the assessor community must adhere to, one of which is to maintain consistent assessor procedures and reporting. The PCI SSC reviews the reports submitted by the CPSA Companies and provides feedback on the quality and completeness of the reports. If a CPSA Company submits multiple reports that are incomplete and do not contain the information described in the reporting instructions, they may be violating the QA program and the CPSA Qualification Requirements. The PCI SSC may take corrective actions against the CPSA Company, such as issuing a warning, requiring additional training, imposing remediation, or revoking the CPSA Company status. Remediation is a process that requires the CPSA Company to improve in one or more areas of their operations and demonstrate compliance with the PCI SSC requirements. Revocation is a process that terminates the CPSA Company status and removes the CPSA Company from the list of qualified assessors on the PCI SSC website. The PCI SSC has the sole authority and discretion to determine the appropriate corrective actions for any non-compliance issues by the CPSA Companies or CPSA Employees. The payment brands do not have the power to put the CPSA Companies into remediation or revoke their status, nor do they have the power to fine them. The payment brands may, however, impose their own sanctions or penalties on the card production entities that are assessed by the CPSA Companies, based on their own contractual agreements and compliance programs. References:

• Card Production Security Assessor (CPSA) Program Guide, Section 3 and 5.1
• Card Production Security Assessor (CPSA) Qualification Requirements, Section 3.1 and 3.2
• CPSA Remediation Statement

 According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must test all alarms on external doors of the card production and provisioning vendor environment at least every month. The vendor must also document the results of the tests and retain them for at least one year. The vendor must also have procedures to respond to any alarms or incidents, and to report them to the relevant parties. The vendor must not test the alarms less frequently than every month, as this may compromise the security and integrity of the card production and provisioning vendor environment and increase the risk of unauthorized access or theft. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 9-101

The PCI SSC does not enforce compliance, nor does it mandate penalties for non-compliance. Compliance with the PCI Card Production Standards is enforced by the payment brands. The payment brands may have their own compliance programs and may apply penalties or fines to entities that are not compliant or suffer a breach. Therefore, a vendor who wants to know if they will be penalized if their vault is not compliant should ask the payment brands that they work with or are contracted by. References:

• Payment Card Industry (PCI) Card Production Security Assessors Program Guide, Version 1.0, April 2019, page 51
• PCI Card Production Security Assessor (CPSA) Qualification Requirements, Version 1.0, April 2019, page 62

 Card personalization is the process of transferring cardholder information, such as account number, name, expiration date, and other data, to a payment card. This can be done by various methods, such as magnetic stripe encoding, embossing, laser engraving, or chip programming. Chip programming is the method of personalizing a card that has an embedded microchip that can store and process data. Chip cards can support contact or contactless transactions, depending on the chip type and the terminal capabilities. Contact transactions require the card to be inserted into a reader, while contactless transactions use radio frequency (RF) communication between the card and the reader. The vendor in the question is performing card personalization by programming the chip and verifying the data on the card. References:

• Payment Card Industry (PCI) Card Production and Provisioning – Logical Security Requirements, Section 1.1.1
• Payment Card Industry (PCI) Card Production and Provisioning – Physical Security Requirements, Section 1.1.1
• Payment Card Industry (PCI) Card Production and Provisioning – Glossary of Terms, Abbreviations, and Acronyms, Definitions of Card Personalization, Chip Card, Contact Card, and Contactless Card

According to the PCI Card Production Physical Security Requirements, one of the security controls for card destruction is to ensure that misprinted, partially finished, or rejected cards are shredded only in the HSA destruction room. This is to prevent unauthorized access, theft, or misuse of the cards, which may contain sensitive data or features. The HSA destruction room should have adequate security measures, such as locks, alarms, cameras, etc., to protect the cards until they are shredded. The shredding process should render the cards unusable and unrecognizable, and the shredded material should be disposed of securely. References: PCI Card Production Physical Security Requirements, Version 1.0, April 2019, Section 1.1, Objective 5, Requirement 5.1.1, Page 111

The Attestation of Compliance (AOC) is the document that describes the results of a PCI Card Production Assessment, and is signed by both the CPSA and the vendor executive officer. The AOC is a summary of the findings and conclusions of the assessment, and indicates whether the vendor meets the PCI Card Production Logical Security Requirements and/or the PCI Card Production Physical Security Requirements. The AOC must be completed using the template provided by PCI SSC, and must be submitted to PCI SSC along with the Report on Compliance (ROC) and other supporting documents. The AOC must also be provided to the vendor’s clients upon request. References:

• PCI Card Production Security Assessor (CPSA) Qualification Requirements, v1.0, April 2019, page 11, requirement 7.1.1
• PCI Card Production and Provisioning Attestation of Compliance, v2.0, April 2019, page 1, section 1

According to the PCI Card Production Logical Security Requirements, a vendor’s HSA access must be enforced by a security turnstile that has a logical access-control system that ensures anti pass-back. This means that the system must prevent a person from using the same badge to enter or exit the HSA more than once without completing the access cycle. The access cycle is the process of entering or exiting the HSA through the turnstile, which may involve biometric verification, PIN entry, or other authentication methods. The status of the access must change upon initial presentation of an authorised badge, prior to completion of the access cycle, to prevent another person from using the same badge to enter or exit the HSA. For example, if a person presents an authorised badge to enter the HSA, the system must register that the badge is inside the HSA and deny access to anyone else who tries to use the same badge until the person exits the HSA with the same badge. References: PCI Card Production Logical Security Requirements, v2.0, April 2019, page 12

According to the PCI Card Production and Provisioning Physical Security Requirements, the vendor must ensure that all boxes containing card stock are sealed with tamper-evident tape or labels when stored in the vault. The vendor must also maintain a log of all card stock movements in and out of the vault, and reconcile the card stock inventory at least daily. The vendor must not leave any boxes containing card stock unsealed within the vault, regardless of the frequency of stock pulling, as this may compromise the security and integrity of the card stock and increase the risk of unauthorized access or theft. References: PCI Card Production and Provisioning Physical Security Requirements and Test Procedures v3.0, January 2022, pages 12-131

The best way to check that you are using the most current version of the Card Production requirements is to download it from PCI SSC’s Document Library. The PCI SSC’s Document Library is a repository of all the PCI standards, guidelines, and supporting documents that are developed and maintained by the PCI SSC. The Document Library is accessible to the public and provides the latest versions of the documents, as well as the summary of changes and the effective dates. The Document Library also allows you to search, filter, and sort the documents by category, type, date, and keyword. Therefore, by downloading the Card Production requirements from the Document Library, you can ensure that you have the most up-to-date and authoritative version of the requirements. The other options are not the best ways to check the version of the Card Production requirements, as they may not be reliable, efficient, or available. Having the CPSA Company’s point of contact request the document may not be feasible, as the point of contact may not have the authority, the access, or the time to do so. Emailing a request for the document to PCI SSC may not be effective, as the PCI SSC may not respond promptly or provide the document in the format that you need. Viewing the document directly via PCI SSC Assessor Portal may not be possible, as the Assessor Portal may not have the latest version of the document or may require a login credential that you do not have. References:

• PCI SSC Document Library1
• PCI Card Production Security Assessor (CPSA) Program Guide, Version 1.0, April 2019, page 52