Pre-Winter Sale Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ex2p65

Exact2Pass Menu

Question # 4

Which of the follow best describes a Technical FAQ?

A.

Technical FAQs only apply to the specific technology as the FAQ defines it

B.

Technical FAQs can be submitted to PCI SSC at any time

C.

Use of the Technical FAQs is mandatory, they shall be used during an assessment

D.

Use of the Technical FAQs is optional, they are considered guidance

Full Access
Question # 5

You wish to check that you are using the most current version of the Card Production requirements. What should you do?

A.

Have the CPSA Company’s point of contact request the document

B.

Download it from PCI SSC’s Document Library

C.

Email a request for the document to PCI SSC

D.

View it directly via PCI SSC Assessor Portal

Full Access
Question # 6

When must HSA motion detectors generate an alarm event?

A.

Each time movement is detected

B.

Each time movement is detected outside of regular business hours

C.

Each time movement is detected and the access-control system indicates the room is occupied

D.

Each time movement is detected and the access-control system indicates the room is not occupied

Full Access
Question # 7

A vendor has a list of pre-approved third parties which may be granted access to the facility. Under what circumstances can other third-parties be granted access?

A.

None, only people on the pre-approved list may enter

B.

When they are approved by the physical security manager or senior management

C.

When the third party s liability insurance covers the risk

D.

When no card production activities are taking place

Full Access
Question # 8

In relation to guards, which of the following must the vendor ensure?

A.

A clear segregation of duties is maintained between production staff and guards

B.

A clear segregation of duties is maintained between guard and reception related job functions

C.

There is always at least one guard on-site, including outside of working hours, to monitor security systems and premises

D.

There is always at least one guard in the HSA and one guard in the security control room at all times

Full Access
Question # 9

The vendor's technical documentation shows that the alarm system does not send alerts to the security control room. After a discussion you learn that the alarm works perfectly, and sends a clear signal to summon the local police every time an emergency exit is opened. Why might this cause a problem for their assessment?

A.

If the local police have not been issued with an exterior key. they will not be able to investigate the cause of the alarm and reset it

B.

During working hours, the alarm should be managed in the security control room, or by a central monitoring service

C.

If the local police receive too many false-positive alerts, they may not respond within 15 minutes of the alarm

D.

During busy times, the local police may not be able to respond

Full Access
Question # 10

In which of the following locations must the CCTV and access control servers be located?

A.

Within the Security Control Room (SCR)

B.

Within a room in the HSA with security controls equivalent to the SCR applied

C.

Within the SCR or a room with equivalent security

D.

Within the secure server room inside of the HSA

Full Access
Question # 11

During an assessment you ask to see employee records for employees with access to the HSA. The records include information about the screening process, including background information from the employee application process. The oldest background Information that is available is for an employee that left the vendor (terminated their contract) one year previously. You note this as non-compliant, why?

A.

Employee information, including background checks, must be stored for at least seven years

B.

Employee information must be securely destroyed (e.g. securely wiped) within 2 years (after termination of contract)

C.

The vendor must retain the background information for at least 18 months after termination of contract

D.

The vendor must only retain background information for all current employees, not for those that have been terminated

Full Access
Question # 12

After reviewing their completed ROC and AOC, which state that they are compliant, the vendor wishes to be listed on PCI SSC’s list of Compliant Card Vendors. How should you assist them with the listing process?

A.

Submit the full ROC to PCI SSC

B.

Submit only the AOC to PCI SSC

C.

Inform the vendor that PCI SSC does not list compliant vendors

D.

Inform the vendor that they must request a listing via the payment brand(s) that received their ROC

Full Access
Question # 13

For how long must a CPSA Company maintain workpapers and technical information obtained during an assessment?

A.

Until each applicable payment brand has accepted (and signed off) the ROC and AOC

B.

As long as the entity under assessment is a client of the CPSA Company

C.

3 years

D.

1 year

Full Access
Question # 14

Who performs regular AQM audits of CPSA companies?

A.

Issuing banks

B.

Payment brands

C.

PCI SSC

D.

Vendor

Full Access
Question # 15

A vendor receives cardholder information and keys from a bank. The vendor then performs the following:

* Uses its HSM to create keys

* Creates cardholder information specific to each cardholder, including name and PAN

* Formats the data for the hardware that will put it on a card

* Writes it to an encrypted file

Which of the following best describes this process?

A.

Data creation

B.

Data preparation

C.

Manufacture

D.

Pre-personalization

Full Access